hxxps://cdn[.]discordapp[.]com/attachments/1127207411753685022/1257376956639481856/polar[.]zip?ex=66842f0b&is=6682dd8b&hm=822b4010926afa819d40197115f2ac596dc9b83e31e147608ea35d085088475a&

Analysis

max time kernel
1266s
max time network
1261s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 16:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1127207411753685022/1257376956639481856/polar.zip?ex=66842f0b&is=6682dd8b&hm=822b4010926afa819d40197115f2ac596dc9b83e31e147608ea35d085088475a&

Score

8^/10

discovery execution

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Code.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Code.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Code.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Code.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Code.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	VSCodeUserSetup-x64-1.90.2.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Code.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Code.exe

Executes dropped EXE 24 IoCs

pid	Process
2516	VSCodeUserSetup-x64-1.90.2.exe
3760	VSCodeUserSetup-x64-1.90.2.tmp
4444	Code.exe
1716	Code.exe
4344	Code.exe
1600	Code.exe
5556	Code.exe
5564	Code.exe
5600	Code.exe
6104	Code.exe
5308	code-tunnel.exe
4484	Code.exe
708	Code.exe
5624	Code.exe
5784	Code.exe
5836	Code.exe
1088	Code.exe
2100	Code.exe
1444	Code.exe
4964	rg.exe
2032	rg.exe
6112	rg.exe
1400	rg.exe
4512	rg.exe

Loads dropped DLL 34 IoCs

pid	Process
4444	Code.exe
1716	Code.exe
4344	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
1716	Code.exe
1716	Code.exe
1716	Code.exe
1716	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
1600	Code.exe
5556	Code.exe
5564	Code.exe
5600	Code.exe
5564	Code.exe
6104	Code.exe
5600	Code.exe
4444	Code.exe
4484	Code.exe
708	Code.exe
4484	Code.exe
5624	Code.exe
708	Code.exe
5784	Code.exe
5836	Code.exe
1088	Code.exe
2100	Code.exe
2100	Code.exe
1444	Code.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3296	icacls.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1844	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Code.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Code.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Code.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Code.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Code.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Code.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Code.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.cshtml\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\" \"%1\""	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\directory\background\shell\VSCode	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.csproj\ = "C# Project Source File"	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.fs\shell	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.ctp	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.gitignore\OpenWithProgids	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.t\ = "Perl Source File"	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.php\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\" \"%1\""	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.shtml\shell\open\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\""	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.cfg\shell\open\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\""	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.csproj\OpenWithProgids	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.hbs\shell\open\command	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.hh\shell\open\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\""	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.mkdn\ = "Markdown Source File"	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.gitignore\shell\open\command	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.jscsrc\OpenWithProgids\VSCode.jscsrc	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.mdtxt\ = "Markdown Source File"	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.toml\shell\open\command	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.makefile\OpenWithProgids\VSCode.makefile	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.shtml\shell	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.h\shell	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.php\OpenWithProgids\VSCode.php	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.gitignore\DefaultIcon	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.npmignore\DefaultIcon	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.edn\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\" \"%1\""	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.gitconfig\DefaultIcon	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.mdoc\DefaultIcon	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.jav\AppUserModelID = "Microsoft.VisualStudioCode"	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.coffee\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\resources\\win32\\default.ico"	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.config\OpenWithProgids	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.cs\shell\open	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.fsscript	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.gitignore\OpenWithProgids\VSCode.gitignore	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.rhistory\DefaultIcon	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.cc\shell\open	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.jscsrc\shell\open\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\""	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.hxx	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.mkd\shell\open\command	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.properties	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.mdtext\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\" \"%1\""	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.svg\shell\open	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.svgz\ = "SVGZ Source File"	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.aspx\shell	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.c	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.fsi	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.ps1\DefaultIcon	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.cpp	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.psm1	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.svg\shell	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.pm6\OpenWithProgids\VSCode.pm6	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.rb\OpenWithProgids	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.ascx\ = "ASCX Source File"	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.cxx\shell\open\command	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.editorconfig\OpenWithProgids	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.erb\shell\open	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.ipynb\ = "Jupyter Source File"	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.markdown	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.rhistory\shell\open	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.sh	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.sh\shell\open\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\""	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.css\AppUserModelID = "Microsoft.VisualStudioCode"	VSCodeUserSetup-x64-1.90.2.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.csx\shell\open	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.htm\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\" \"%1\""	VSCodeUserSetup-x64-1.90.2.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\VSCode.jshintrc\ = "JSHint RC Source File"	VSCodeUserSetup-x64-1.90.2.tmp

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 333848.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4168	msedge.exe
4168	msedge.exe
932	msedge.exe
932	msedge.exe
1816	identity_helper.exe
1816	identity_helper.exe
3544	msedge.exe
3544	msedge.exe
1756	msedge.exe
1756	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
5056	msedge.exe
5056	msedge.exe
1844	powershell.exe
1844	powershell.exe
1844	powershell.exe
3760	VSCodeUserSetup-x64-1.90.2.tmp
3760	VSCodeUserSetup-x64-1.90.2.tmp
2100	Code.exe
2100	Code.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe
Token: SeCreatePagefilePrivilege	4444	Code.exe
Token: SeShutdownPrivilege	4444	Code.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe
4444	Code.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 2632	932	msedge.exe	86
PID 932 wrote to memory of 2632	932	msedge.exe	86
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 2940	932	msedge.exe	87
PID 932 wrote to memory of 4168	932	msedge.exe	88
PID 932 wrote to memory of 4168	932	msedge.exe	88
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89
PID 932 wrote to memory of 3688	932	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1127207411753685022/1257376956639481856/polar.zip?ex=66842f0b&is=6682dd8b&hm=822b4010926afa819d40197115f2ac596dc9b83e31e147608ea35d085088475a&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3e5846f8,0x7ffe3e584708,0x7ffe3e584718
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7008 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7104 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,12555767414056877434,530525277638261794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056
- C:\Users\Admin\Downloads\VSCodeUserSetup-x64-1.90.2.exe
  "C:\Users\Admin\Downloads\VSCodeUserSetup-x64-1.90.2.exe"
  2⤵
  - Executes dropped EXE
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\is-FDBFH.tmp\VSCodeUserSetup-x64-1.90.2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-FDBFH.tmp\VSCodeUserSetup-x64-1.90.2.tmp" /SL5="$C0048,99565310,828416,C:\Users\Admin\Downloads\VSCodeUserSetup-x64-1.90.2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:3760
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-WmiObject Win32_Process | Where-Object { $_.ExecutablePath -eq 'C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe' } | Select @{Name='Id'; Expression={$_.ProcessId}} | Stop-Process -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1844
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code" /inheritancelevel:r /grant:r "*S-1-5-18:(OI)(CI)F" /grant:r "*S-1-5-32-544:(OI)(CI)F" /grant:r "*S-1-5-11:(OI)(CI)RX" /grant:r "*S-1-5-32-545:(OI)(CI)RX" /grant:r "*S-1-3-0:(OI)(CI)F" /grant:r "Admin:(OI)(CI)F"
      4⤵
      Modifies file permissions
      PID:3296
  - - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
      "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SendNotifyMessage
      PID:4444
    - - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Code" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1696 --field-trial-handle=1700,i,17665408935013548872,5598356015431089627,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1716
    - - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Code" --standard-schemes=vscode-webview,vscode-file --enable-sandbox --secure-schemes=vscode-webview,vscode-file --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --code-cache-schemes=vscode-webview,vscode-file --mojo-platform-channel-handle=1820 --field-trial-handle=1700,i,17665408935013548872,5598356015431089627,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4344
    - - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Code" --standard-schemes=vscode-webview,vscode-file --enable-sandbox --secure-schemes=vscode-webview,vscode-file --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --code-cache-schemes=vscode-webview,vscode-file --app-user-model-id=Microsoft.VisualStudioCode --app-path="C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app" --enable-sandbox --enable-blink-features=HighlightAPI --disable-blink-features=FontMatchingCTMigration, --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3048 --field-trial-handle=1700,i,17665408935013548872,5598356015431089627,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --vscode-window-config=vscode:8b4f2f9e-8e23-4466-a0c7-ec27e63eb861 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1600
    - - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=utility --utility-sub-type=node.mojom.NodeService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Code" --standard-schemes=vscode-webview,vscode-file --enable-sandbox --secure-schemes=vscode-webview,vscode-file --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --code-cache-schemes=vscode-webview,vscode-file --mojo-platform-channel-handle=3864 --field-trial-handle=1700,i,17665408935013548872,5598356015431089627,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5556
      - \??\c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe
        
        "c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe" tunnel status
        6⤵
        Executes dropped EXE
        
        PID:5308
    - - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=utility --utility-sub-type=node.mojom.NodeService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Code" --standard-schemes=vscode-webview,vscode-file --enable-sandbox --secure-schemes=vscode-webview,vscode-file --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --code-cache-schemes=vscode-webview,vscode-file --mojo-platform-channel-handle=3824 --field-trial-handle=1700,i,17665408935013548872,5598356015431089627,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5564
    - - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=utility --utility-sub-type=node.mojom.NodeService --lang=en-US --service-sandbox-type=none --dns-result-order=ipv4first --inspect-port=0 --user-data-dir="C:\Users\Admin\AppData\Roaming\Code" --standard-schemes=vscode-webview,vscode-file --enable-sandbox --secure-schemes=vscode-webview,vscode-file --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --code-cache-schemes=vscode-webview,vscode-file --mojo-platform-channel-handle=3968 --field-trial-handle=1700,i,17665408935013548872,5598356015431089627,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wsl.exe -l -q"
        5⤵
        
        PID:5764
    - - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Code" --standard-schemes=vscode-webview,vscode-file --enable-sandbox --secure-schemes=vscode-webview,vscode-file --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --code-cache-schemes=vscode-webview,vscode-file --app-user-model-id=Microsoft.VisualStudioCode --app-path="C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app" --enable-sandbox --enable-blink-features=HighlightAPI --disable-blink-features=FontMatchingCTMigration, --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4264 --field-trial-handle=1700,i,17665408935013548872,5598356015431089627,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --vscode-window-config=vscode:8b4f2f9e-8e23-4466-a0c7-ec27e63eb861 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6104
    - - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=utility --utility-sub-type=node.mojom.NodeService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Code" --standard-schemes=vscode-webview,vscode-file --enable-sandbox --secure-schemes=vscode-webview,vscode-file --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --code-cache-schemes=vscode-webview,vscode-file --mojo-platform-channel-handle=3924 --field-trial-handle=1700,i,17665408935013548872,5598356015431089627,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4484
    - - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=utility --utility-sub-type=node.mojom.NodeService --lang=en-US --service-sandbox-type=none --dns-result-order=ipv4first --inspect-port=0 --user-data-dir="C:\Users\Admin\AppData\Roaming\Code" --standard-schemes=vscode-webview,vscode-file --enable-sandbox --secure-schemes=vscode-webview,vscode-file --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --code-cache-schemes=vscode-webview,vscode-file --mojo-platform-channel-handle=4200 --field-trial-handle=1700,i,17665408935013548872,5598356015431089627,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:708
      - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" --max-old-space-size=3072 "c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\node_modules\typescript\lib\tsserver.js" --serverMode partialSemantic --useInferredProjectPerProjectRoot --disableAutomaticTypingAcquisition --cancellationPipeName C:\Users\Admin\AppData\Local\Temp\vscode-typescript\b7f14fb385e1da675cf7\tscancellation-e9fbce81fd0c1448c6c0.tmp* --locale en --noGetErrOnBackgroundUpdate --canUseWatchEvents --validateDefaultNpmLocation --useNodeIpc
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5784
      - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" --max-old-space-size=3072 "c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\node_modules\typescript\lib\tsserver.js" --useInferredProjectPerProjectRoot --enableTelemetry --cancellationPipeName C:\Users\Admin\AppData\Local\Temp\vscode-typescript\b7f14fb385e1da675cf7\tscancellation-b8bc1e95fb467696020c.tmp* --locale en --noGetErrOnBackgroundUpdate --canUseWatchEvents --validateDefaultNpmLocation --useNodeIpc
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" "c:/Users/Admin/AppData/Local/Programs/Microsoft VS Code/resources/app/extensions/node_modules/typescript/lib/typingsInstaller.js" --globalTypingsCacheLocation C:/Users/Admin/AppData/Local/Microsoft/TypeScript/5.4 --enableTelemetry --typesMapLocation "c:/Users/Admin/AppData/Local/Programs/Microsoft VS Code/resources/app/extensions/node_modules/typescript/lib/typesMap.json" --validateDefaultNpmLocation
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "npm install --ignore-scripts types-registry@latest"
        8⤵
        
        PID:5468
      - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" "c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\json-language-features\server\dist\node\jsonServerMain" --node-ipc --clientProcessId=708
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1444
      - \??\c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\@vscode\ripgrep\bin\rg.exe
        
        "c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\@vscode\ripgrep\bin\rg.exe" --files --hidden --case-sensitive --no-require-git -g **/package.json -g !**/.git -g !**/.svn -g !**/.hg -g !**/CVS -g !**/.DS_Store -g !**/Thumbs.db --no-ignore --follow --no-config --no-ignore-global
        6⤵
        Executes dropped EXE
        
        PID:4964
      - \??\c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\@vscode\ripgrep\bin\rg.exe
        
        "c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\@vscode\ripgrep\bin\rg.exe" --hidden --no-require-git --ignore-case -g !**/.git -g !**/.svn -g !**/.hg -g !**/CVS -g !**/.DS_Store -g !**/Thumbs.db -g !**/node_modules -g !**/bower_components -g !**/*.code-search --no-ignore-parent --follow --crlf --fixed-strings --no-config --no-ignore-global --json -- discord .
        6⤵
        Executes dropped EXE
        
        PID:2032
      - \??\c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\@vscode\ripgrep\bin\rg.exe
        
        "c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\@vscode\ripgrep\bin\rg.exe" --hidden --no-require-git --ignore-case -g !**/.git -g !**/.svn -g !**/.hg -g !**/CVS -g !**/.DS_Store -g !**/Thumbs.db -g !**/node_modules -g !**/bower_components -g !**/*.code-search --no-ignore-parent --follow --crlf --fixed-strings --no-config --no-ignore-global --json -- webhook .
        6⤵
        Executes dropped EXE
        
        PID:6112
      - \??\c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\@vscode\ripgrep\bin\rg.exe
        
        "c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\@vscode\ripgrep\bin\rg.exe" --hidden --no-require-git --ignore-case -g !**/.git -g !**/.svn -g !**/.hg -g !**/CVS -g !**/.DS_Store -g !**/Thumbs.db -g !**/node_modules -g !**/bower_components -g !**/*.code-search --no-ignore-parent --follow --crlf --fixed-strings --no-config --no-ignore-global --json -- webhoo .
        6⤵
        Executes dropped EXE
        
        PID:1400
      - \??\c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\@vscode\ripgrep\bin\rg.exe
        
        "c:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\@vscode\ripgrep\bin\rg.exe" --hidden --no-require-git --ignore-case -g !**/.git -g !**/.svn -g !**/.hg -g !**/CVS -g !**/.DS_Store -g !**/Thumbs.db -g !**/node_modules -g !**/bower_components -g !**/*.code-search --no-ignore-parent --follow --crlf --fixed-strings --no-config --no-ignore-global --json -- discord.com .
        6⤵
        Executes dropped EXE
        
        PID:4512
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wsl.exe -l -q"
        5⤵
        
        PID:5292
    - - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Code" --standard-schemes=vscode-webview,vscode-file --enable-sandbox --secure-schemes=vscode-webview,vscode-file --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --code-cache-schemes=vscode-webview,vscode-file --app-user-model-id=Microsoft.VisualStudioCode --app-path="C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app" --enable-sandbox --enable-blink-features=HighlightAPI --disable-blink-features=FontMatchingCTMigration, --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4156 --field-trial-handle=1700,i,17665408935013548872,5598356015431089627,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --vscode-window-config=vscode:8b4f2f9e-8e23-4466-a0c7-ec27e63eb861 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5624
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wsl.exe -l -q"
        5⤵
        
        PID:1176
      - C:\Windows\system32\wsl.exe
        
        wsl.exe -l -q
        6⤵
        
        PID:5992
    - - C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Code" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4172 --field-trial-handle=1700,i,17665408935013548872,5598356015431089627,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.vscode\argv.json

Filesize
798B

MD5
97286f07436f12b9a5f3db6ffb25b79a

SHA1
1018ab32eeaa435e04b42f6b3254cc9879a0c52a

SHA256
b0781582ff5957707253fb42af4f52e332846fd1dcbd1ad93893a3bbe316a067

SHA512
9d58c2903d17cb1ff56b7fc39b4cc283db886a1c47120844f2a0765bd631152ad4b40ca170b0f76c2b622d9911f65fbe5d4e7fb327c6bca6f29dcf7d7891523f

Download Submit
C:\Users\Admin\.vscode\extensions\extensions.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8462a46db8fa55cf9d95bc8e61183a60

SHA1
e1e34938795b960b3a520f0296d7173c7dcf6994

SHA256
78178a8e22c96e26f6121a3eeeaa38068d603b9a917f2628111d927bb4b8e2d2

SHA512
f87baac44d7266ea1ca007750ccbd5e480d233e779e625151499c0268eaaed961a151d8a5b9ca64f7a8eb3f9104148081e472fa9e700e70f37de2c1c0f2545ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f700e61a95313115c679d15ed072b969

SHA1
869b516a14dc4aeeb79ab7416e9c417378300af7

SHA256
5c0525040b9d52f4c2d10bb5219bd75df7eb55598d88a75151dc63b89292195d

SHA512
f694fc5c5aa5dacaf88317561ae866005afb0200d724f7a8c7d0230c23c36822aba57fd9388db5b2598100636dd6c30b23c921a71fc21733e6917261c70a3ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6e516c0be24ebb58a3ce1b08df138994

SHA1
2530b5b75d5af664ae29e82093cdf88abfc3bb5b

SHA256
479b6888909405f5af4b79b6852a50aa7c2aed3d5f262de992dc0dc04ea3e3f5

SHA512
9fcc17f290a3062bf02638e7c6abf53d8629b9e36078add4046172c333fbe842ff7ff590a3255a6f96a698c9b0078a174f4e2c8c7a715d80d77db064dbc317fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
361fc53a0f7375df5b68ae4352691627

SHA1
7f3696b077f72fee41321d68446de30aa12d8fa0

SHA256
8c26701c1a00b6bcf7861bba8930edd70d712213437d9bb8b4e378910503d651

SHA512
70eacc63546e6fd4f0c1ae49f367b2f4d73a1a8ee1aece25ce27bef2ca6bc55d9dde1747bd9052338090f2cc3788e12972908224097a45795ca0eb5e0d85f99b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a98d577cb70c3fcf370f2efb7314645

SHA1
8560a8fa89a9e91f6b8446e4caa6afed360fdba9

SHA256
4b76cc2f459cb81974c463c5085d74ba86cd50bf8cb773e8a965bb599421f162

SHA512
e5ed9960b3a068eca492011f2c4636259ed0526bc0dcc02b3b05e368fc1289f95dc0059ef3a2ef05ef73be6c9620c6f0923587ecd9f17ff53845e2d990fa1335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
157730bbd28fb4167ebf575e72f4afc7

SHA1
d74bc99b21c42bdeefb3620223acda3200b74503

SHA256
e565af6ee4f832923202df4f41dffd42bc7c4a9ab9ad66fc8dcf959795d41a8f

SHA512
0b8e10c8c0d73cb417a64c0a0a1837bd3553c0da0c22a981469da9adde8dacd324655a7aff7b3db6eddcc131f67057222c2e59215fc386382431615cca18e4c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2b938dca3edbe8819536b176904098cd

SHA1
a9a8955c5be12feae2d2cf4a6e14811b21318806

SHA256
034235e422655fd3523fb22d8bd28c7759f8e6964c4303ccc8e8164c5aa3d849

SHA512
decb2b98ea3a47f06ae6681bc6ec7288b9e2eaa04a8c6bb39c133f6d28572d07feeddeb95461e369fd3c31cda1ed1d5479c08f6ee761a817450d290933819da4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0dcdda1fbd140ac09acfab70089145ea

SHA1
335bfd00c009e6f83390418742de5ed018084a99

SHA256
adb576d49fe8c073a0b9950c530bcc1ccc78e0af2d446616d87defab529c051f

SHA512
c6274a0e861459a44c9e5b414feff2986b4be643de384b5842ebf472d790a7df0dc438261583e43a1c40e71576e41e43ee15b1102bdf3ea419c7ad2744d63c4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
41cfe81b4c30a33da08abe03b8a56ab0

SHA1
3b97bb3133eb11fbffaed888d832eb154d9aeecd

SHA256
b8d5be14f82495d7a3b0e7a9d52e78f3c8e9549da1c05ea5359e929d37546db8

SHA512
b2b44ff5962aac8e4c615cc6f9018083d3ab70b2bf5a452c67ed4a47bbaa7ea6d8baf1a0d2e280cc771314852d8349c7e88f5d0d40b14bf3a7abb407f13be46b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591812.TMP

Filesize
1KB

MD5
b63ed5f91f68b6618345c16099cb2fab

SHA1
0005514997dc77f670405a85db3bbf790cc8a8fa

SHA256
58d76b121b2cbfd9f4ff68fca58346b8497f277ee0a651ec364ce893800211a7

SHA512
29a76a00e9391d104259f1b4d01f446e88aa147dc07f6721480d5bd6cea142e2fa1255f9216ff5ff40d5f7c83a37e3615cd1800ef4c33245648bce914f222d9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
168e312551950028ea5ce73f5124dcb3

SHA1
55a6493b71ba1e26c616c3854d7ea00d4084568d

SHA256
732b763b22682a81d870e67e17abeaba93cbd5872980b6e03d10e33994eec1b2

SHA512
0998b46806f7355ec029dfdd8f34ea4eaf5b643dd8f837cd549878779b07601a4130b4b596353f0e6197b9706753aa99f1db50873b2d93b01033737acb63afe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
87748e68bd7a5b6e38876537d5e0f7de

SHA1
18922ed6d334adc0755ab1e0f36f2292b0750a37

SHA256
7826aa6cf055bc8085982615b57c0dfd1ffbc41ccf95396740901310b81ea922

SHA512
1a02aec2eab07a58abfbe23c25c856e096442346dd74a4272a1e938aebf319a6df2bef1392e96e23316bb7f61d027afedb64a3453cba8fd43059d2f66584e533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e4d59d886a62efa3abaef7212bacd7ec

SHA1
0e8bea50d972de72d40172be2fc76b4a432affb9

SHA256
d789aa1d2229bcd4af29bed40877a96e607e96ed35ffdcdb17c0499734857fb0

SHA512
7b70658f61a67fada0ca2e5eda86f6a241ed0dad3e546595cc8e353333cd50502efa9ae13b06929fd67d6ee08fe6871e8b9abe2c5bed289b1f0f3d6f30719df7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\chrome_100_percent.pak

Filesize
150KB

MD5
b1bccf31fa5710207026d373edd96161

SHA1
ae7bb0c083aea838df1d78d61b54fb76c9a1182e

SHA256
49aff5690cb9b0f54f831351aa0f64416ba180a0c4891a859fa7294e81e9c8e3

SHA512
134a13ad86f8bd20a1d2350236269fd39c306389a600556a82025d5e0d5adaab0709d59e9b7ee96e8e2d25b6df49fefea27cdccefe5fba9687abf92a9a941d91

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\chrome_200_percent.pak

Filesize
229KB

MD5
e02160c24b8077b36ff06dc05a9df057

SHA1
fc722e071ce9caf52ad9a463c90fc2319aa6c790

SHA256
4d5b51f720f7d3146e131c54a6f75e4e826c61b2ff15c8955f6d6dd15bedf106

SHA512
1bf873b89b571974537b685cdb739f8ed148f710f6f24f0f362f8b6bb605996fcfec1501411f2cb2df374d5fdaf6e2daaada8cea68051e3c10a67030ea25929e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\d3dcompiler_47.dll

Filesize
4.7MB

MD5
5c3316b6749b3238ad60b0732359dcaa

SHA1
2ecc67170d161485965508f95b3f9da2c8dd3ac6

SHA256
784b56351e5aca93326002ff62430fa1687da2b27f00f1edbb2385c93cbd46f2

SHA512
61f7f96b3ffb6a1393ca9f9d6d170c526af932ba59f29e23f0261c79b2364bf3f35fefb40026dd13746a5f59f46d1475defb90f06ad4611e12653bfd8dfb97c9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\ffmpeg.dll

Filesize
2.4MB

MD5
4628a4ac1127080eaa5488a8a6f2f322

SHA1
13bed4f50743160df84e551dd5bb96ab8c6a2d93

SHA256
d45894ca67ba06deb55697909ffb4f669e6b8715a3205d37c0e7f96a010ab2b4

SHA512
7bb6a75ab3f3b398ad5e34fc030c80579b8b9bc3a2d64228ccd80b59ac0f488e2f9ad7f2bec2a122f0100f41d89c214041954afb1f43e0e132ae2f24b6354e2e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\libEGL.dll

Filesize
477KB

MD5
461ed44da1c643686be7234fd97dfd89

SHA1
358286e71830863f3cb626c45ae001cf44cd8e38

SHA256
d10dcd527477adc135d4fcd8535753dc2b07dd66788b1943ddf2cc36dac8b188

SHA512
9cde46989e6a90ae036e8f8ff407accab887305e397f103c797acb0720580f15cd028b36a70b897990ec19b37be27f3e3ccd40327a9c4db3f1bde078384597ec

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\libGLESv2.dll

Filesize
7.3MB

MD5
0881fe04f97f4a8e6224bc49c8f2ea3a

SHA1
08d0a3800745d16661d9ece7d01de2467030e5fc

SHA256
602f8e4159842b3a25fb82de1c318c2ecf0715414297fb708279adb7b458ba27

SHA512
71452b7781cfe6ec21eee4d47d1dbe2d79ddee22aff6db7bf899728e9acf640aa787dc9136c6649b4772072dfe19421d02f282cc6cb01b01a17adfa5f396e713

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\locales\en-US.pak

Filesize
433KB

MD5
6e8a153304acbd57aa430fedab373679

SHA1
3a2e43a3dab567983435f58d20ef17def93ee30d

SHA256
b72bc56b564ae09913047ae8048d505e461a468384a95ecc247e46aaf8f1eebe

SHA512
9db899dd854744b88bbca421dacb55cf7f654cfa613833517eefa0434c8ee5514f59995854f6c1aa3af8424015f312e8c6dcf9c373010e78547685e92b317bd5

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources.pak

Filesize
4.9MB

MD5
03da07673fd4a330cb7a1a94ce85ab80

SHA1
83194fe30b11a3631e8a53c37d85a8c937826462

SHA256
486689de4ca1eddc42e2190bca10801fe91453d1e0410a8467096608b9850291

SHA512
55919994edef595bccf3317d9d7b6e4118b120f2c0e92b1baa78da5f68a85cc94bdd6f5c9c0fe38dbf19cd95ed462cce131d877027add931c8c9a5365bb9a67d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\licenses\is-H8JE9.tmp

Filesize
179KB

MD5
575506a8774d119bc036fc34a0a3b08a

SHA1
87864ccab15ab97a8698c1bdaa7db88d7a8dbcdf

SHA256
a8e9fd8d817925e0457587f9252dfd977bf17a4155a7ea67bf230d3283036a79

SHA512
39f515f5f7da39fd6e026cc3f7bbb269a60c635a51338073cf752352635936834280a68c1deb46fdfb263293716bafdc31ef569663175b0bea6385acbc36e24c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar

Filesize
12.4MB

MD5
6cfddb7aa6bc272d3265d8f64df03fe7

SHA1
1721fd40c3e4efc60c66c3796342980c33e3c97d

SHA256
888d36b3822d306254b991a571512cbf92ce204466a1b302f7420c807497d14f

SHA512
fcbe13bd7244cb1efac515870afe3cc566c381667b83d27e63fcbb5441d419605216e627c05382b56a69a5b8385bcb8b55ef9577e05b0c63a56462043c314cee

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\@vscode\policy-watcher\build\Release\vscode-policy-watcher.node

Filesize
164KB

MD5
94c54b8b517590823294c2e666b12a49

SHA1
431bad5eb89c4c4757e3be747e1d158c05ffb415

SHA256
445e082fd7d268410f50f599ac76962e81ac36678399b45d3fd3d479e8780d14

SHA512
5630174fa94386c8f8b8d3983b7471d92613da64c9509ad5732677ec566612cca0dc134974e66d7c6a8d9d4c87d5b6ae3e140bb54a4603e0c95735bd0560e9e3

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\@vscode\spdlog\build\Release\spdlog.node

Filesize
569KB

MD5
87a2ca088ae95f18e6f84d1deb1fc589

SHA1
99b07a264d3aeb98c2632df0b44e151bf40317fc

SHA256
56d27a550801b4bab68ae78903898b01512392e8ed58ee471fa94a54915e8356

SHA512
df3717fc21ec3ad3d4e376eee30245684bfced8539342815e0aed2939110d9e3c63b0b4c9cad352a11b7f9467330764ee20f111eefa2127c2fc7a36e5252b343

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules.asar.unpacked\@vscode\windows-registry\build\Release\winregistry.node

Filesize
124KB

MD5
840afa7faf8e0d45395f7d4335188446

SHA1
2ba9d2d69f1e5efa66491cdbadc3b2c0ce30dbef

SHA256
4a38818fb2b4d83f9dd908a2fefbbf6eff2622d527b28132828249799a874349

SHA512
3ed6b99c1fdcece09870864e0369340129d7273fe106af7d75159d49684c5e7709330510cd2b387845aa94e53ccdec2ea352e02b5d213b2ce5e6c304492df0bd

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\out\main.js

Filesize
54KB

MD5
f8083ef236563279cd17b71a9a8bf428

SHA1
ad74cf57e5beffdc60c208c5bc149b289e21bf15

SHA256
48b6c0755861959d6215f31408604f0c2f9f263327ecf952e948f39e4c5be1ba

SHA512
165557521c257b0c7fefa9de9ac2b468bb9d8eee632f3f90a487e8304d4bf4e81d271c61200aec550fda0652a9b235ebf38b47fb5d22bb8a8bcb8f8ece9f6344

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\out\vs\code\electron-main\main.js

Filesize
939KB

MD5
b0f75d42fae13ff3d65960d83249e5c5

SHA1
2e85bffa264d1ccb4d72b972516af4f478389a4a

SHA256
000dab6e72cfc55d12bc2dc9b427f50251edf2185739f6eb9944b8017042c650

SHA512
a6f8ce78236ea9f5606c71ed3440daed6e65b3b037a84daaa70e356d1bee03b8afe74148a95c2e820fe34bacdce9e212d3ae243409ca0af205893311bb77369b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\out\vs\code\electron-main\main.nls.js

Filesize
22KB

MD5
9e54cdfc411b2b706c57009738643463

SHA1
6ae52f013fe3a657313d73a083bb53adbd31796c

SHA256
c04b01634430e6ebc5e22488efb1f9162c7908710f85aa76936d2feed1a600b3

SHA512
dbaf06a4499d7b46b001a27b94e034a31fa650dfeb9574492533ecf0c2238fd05c5aee9b67743d9cb684ab01a8c0ea24fbc79ffd0109b20220a86d377efc5f04

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\package.json

Filesize
9KB

MD5
5eb00b2b2bbbb93a0a17efe90fd82afa

SHA1
e93e9ad9171f05dc7310cabf38696b63808703dc

SHA256
683d64046c7da2349308e66503924e9b9bab13c816246248e532f671c519f817

SHA512
7fde6784939599920ebe28ea12a7c44bc3fe58bab43b877d9feae12367a756af7897678692a10d504d1b41b32a2400714630b6cf65ecc88a893fd1d421530461

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\resources\app\product.json

Filesize
53KB

MD5
358e6c59e343e4d0752d21634b53bf61

SHA1
f642d5416331bedc8eed7606eb38d5fa3e2d1139

SHA256
502475a5c7e54c2b8dfe0200ee4ec21715a705842d61d201660cd712532e484e

SHA512
701bccf709424eeb54d4711c2ff1b4ccabe74035a06ee9399064cd61673872f1237e8af90a4347815755ed451ed8b2c978bdda386f20b96aa3d90fe48bde393d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Microsoft VS Code\v8_context_snapshot.bin

Filesize
663KB

MD5
71a50af311e53e55c80ce4d8637e78ea

SHA1
d573e40be76a2f9a3ee87fa03f90d5eb6ada6b51

SHA256
ed6f20ce343485562fe6464d1dec1cd9745311947af9f158545e084bde2f3773

SHA512
710debddfad874d4c53e9f895522f4b11b1c969f1e12cf49153081c4071afe82bf1b1a6b9287c76d8167c412157c8dad2d6ab4f8b2d134b9e54a3d189220b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyexfje3.i2k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FDBFH.tmp\VSCodeUserSetup-x64-1.90.2.tmp

Filesize
2.5MB

MD5
21ce9ac18f8f1de78163b1c528a058dd

SHA1
7c0214bff1fdd33eb6ebae80e4780cc1cb76139f

SHA256
c51b95607d66d6da12776580f26887d4643b3d1ced0ffeac2f8ee9607ee48cb0

SHA512
d494de8b05cf10928d402853b3f8b7807c80dec64b3e16795b359247405a9c6b500396d224e1d586cb8d8b4a00c5e59ecd1a453bda5b8eb1d180db1e7e1c58ee

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Cache\Cache_Data\f_000001

Filesize
36KB

MD5
299685c23a295812ed23df6e65b6fe99

SHA1
07b044310ff878443fde267122ab4a0f42a4929b

SHA256
dda298cbe44f7f2c3e2c8615b8e3af24ca4a3394d81dd52cc726ce05a3ff58c2

SHA512
6d9873337a7cda8d0dd09a8f991c5e093358dc21009bf2808fe40a106c564eb2411e45b9da3e17a0be24ff8ca322c38df75b7b1926326e3e2627e8ecf2289e5e

Download Submit
C:\Users\Admin\AppData\Roaming\Code\CachedData\5437499feb04f7a586f677b155b039bc2b3669eb\chrome\js\index-dir\the-real-index

Filesize
48B

MD5
8cd55becd2d78d8674841738da57e969

SHA1
cbbb37a77f6cd710341acd03325815cabc88bdc8

SHA256
a610c150f754c6d39fc0e2ea99a12b4b75561eccb52d751b397e71a6653f7ae9

SHA512
502b6fa6574b0d00ea535cb3ca3028c2cc58946633bfee922b61c76cc69f405862e6b593c6b2b6cd28310961184b208ef0e2eb062189ec14ba74dff20f0d9d56

Download Submit
C:\Users\Admin\AppData\Roaming\Code\CachedData\5437499feb04f7a586f677b155b039bc2b3669eb\chrome\js\index-dir\the-real-index

Filesize
216B

MD5
5af1992a7a75fe5d65db9e1336bb2f9a

SHA1
2ec6979d8df060d16f61fa556f75fb70fb55e175

SHA256
abe98a830f04e06a359b2f88684d793f6fa1ba641b721761258101e41695e2a0

SHA512
306dd0b262430c74601f9b56680a5fc247d5f8ba51c126dc0f3543b8b5c8bcb8c94de108b8138a344152045b4011b7f8f50b6fa9e4306caa06356397653b5230

Download Submit
C:\Users\Admin\AppData\Roaming\Code\CachedData\5437499feb04f7a586f677b155b039bc2b3669eb\chrome\js\index-dir\the-real-index

Filesize
264B

MD5
dd004df05091a3e00576e34df4b2fc50

SHA1
c52a7e29d1f434bd0fc238309fee7699de40364c

SHA256
69158c297bd156be842bd0aa92ef1ee7f60bf5a2ff3e846a1731cfbf8250e450

SHA512
320ad0c9b47ab2be271bb002fe87936fbff2744e08e7d51b62fc8f5110cd11b8e92eaa114404dada9e07ccd21017cffbdc24195a2d71dac2ee4f186e892d1c00

Download Submit
C:\Users\Admin\AppData\Roaming\Code\CachedProfilesData\__default__profile__\extensions.builtin.cache

Filesize
765KB

MD5
4dad521aea30b8100e4ab3824dad8963

SHA1
99bd7d5b9b2a04e60464f0b693779e3e38506f03

SHA256
8d53e3183422cc53059ffe71f67ec432108ae6bff0406bcba42fd462ae60e691

SHA512
bea3acf373a07d4a659675ef5713d5269f90ec86294902a99f7a6bc3d0901159fe13b6172b79abe7a6f916a346198cc14d7e6fff091afaa5894f4ee851807946

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\Network Persistent State

Filesize
650B

MD5
37e1d85e9478808dc90aebc1f799a304

SHA1
5d534afcab37ed262d1160e78d6af8a0d0135a93

SHA256
87c3c311be6f229e901abcf2490a33f7bbac16dafa74a1fb7fb15ce10799567d

SHA512
305e62343655348a96b39678474fb72a767260966e5772e07a93043e4ce2623885dbd9cfa0d05482f3284819e5339f1b931e2d138e660e0b554e9519e837c5d1

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\Network Persistent State

Filesize
650B

MD5
4ad29dce3190e6a0d38c0a93ea250a4b

SHA1
033263d77778785485b98054668756354346b162

SHA256
2905d4993a6940bfcbaa1c9a63ad60f754b0fc1b8a26bfa07a7c128a43bbb3e0

SHA512
2c76736711712ba081e89b295de2c63e5b327e8d5a326afef11d6174ae06413c8746e319b10bae4990c7ad453d5ea49c21efcbb95890f925967c88e56ac01752

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\Network Persistent State

Filesize
650B

MD5
c2da2b9cc3ecbb4452093b425aa733c6

SHA1
a69cdac1980144c5d3e56955ce82cfab05bfee26

SHA256
11f842dad8e8f63668b14d02432bc117b6edfd4ef0f28c1c48d352539091f4ff

SHA512
a247bba8b6bc6f886dfe6459aec672ca237dd91f1ca8d3c240238d7328c3e369c86bfa442558a8ff241d4e855adcb060cbd4017c016f93366a6e80b9448c0e90

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\Network Persistent State

Filesize
650B

MD5
a663c3721f329982a76d68f741a6fdf8

SHA1
035fa8ce5d73aaac9942d2438035e6e1ee479926

SHA256
90bb56b6edc71845fadb568bddb1ebdccba77064d2a6069b75e75041d4b2b600

SHA512
6f7c4dd8842125068da12a419fd72bec5086f522105f865f83762271eacef2c2258818d4008a68166b2da71c21081a20763c8700a84e210b6ba438132abd1e90

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\Network Persistent State

Filesize
650B

MD5
c0dcf83125a83848c4f2bd205eb262d0

SHA1
653885877b00e1ec754e818d7c483bcd3af2561e

SHA256
6bd7dc0d46324da020e0d0aeb70af25d18bc03a488d9dcbf8da092f819c7c52d

SHA512
05699f7cea29b3d6dc9d4bd256fc4a2fc8311d28da53972dfd9ac942ff34f0badc4e18c4712df60d10227a9cc20bfb3f431abdfc28aa897845b1246616d9bd2c

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\Network Persistent State

Filesize
650B

MD5
e5a346c522a99242015f6484b470c2c5

SHA1
1a7af09b3ef534f1bd4496bae48a223e5ffa4c9a

SHA256
8fc46f04f7dd2d350a175fdec966b905514a1b58d941814602d4260138e195d6

SHA512
b3bfed47ca1b437dc3dd65572bedab3b47b12491865cfb5848abe06ad98e89927068f2436a32f7487c7f863f4141c699b1f01955b6850288501cc12fc335cdad

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\Network Persistent State

Filesize
650B

MD5
975c8fcbfbe74a9871eea05e9b998941

SHA1
0f16f59ed27721b85719107b0626e681b74d2c97

SHA256
1333483300540c792ad3c40673a80839042633a3ddd33b4124c3ba776785f6f9

SHA512
45e0b3afc7c86f075f897c21d8f6b1c6bed09fa573c9c99d2994ebfa8f1f051f5d25e1341f4c867ae09780bff88e5ca4c2daf75439561b58ef057000496ebc00

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\Network Persistent State

Filesize
650B

MD5
bfc6875bce33de8e9c4057ca503ba0a5

SHA1
af3f858e83dadb2695ad4da5fe974e2bb0a19f9c

SHA256
559657ecb963b09732e6960ed7472ee70f55574b8367eecd455c5d8a9162a492

SHA512
b0f7cb249410cd6fc2bd9cd8d0dbf6626e45642e5de2dfb49467bc46c6748ff87f1f1e9409d4d0078d9b69200c7feb2d097f4a17db71c05a90ab76bbb860ea08

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\Network Persistent State

Filesize
650B

MD5
a6c67171b56bf13e5f768de36aa5cbd0

SHA1
8406942a7804b1ebc1e5ec57e12bc49f1ac43db0

SHA256
462588b05e4353f0787758bbcfb4bb1f371dc6b132a6777f90566dcccf41b57f

SHA512
6b7bb1e7454e92caa66fcfbdb432f87716e4a88ece8ea15d51427d82ad45d285fe9451a30118c6019cdbf20236b3b26321684527bcfca00928a6e40758512052

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\Network Persistent State

Filesize
650B

MD5
3900bec3e56ca2f2920950061bebc747

SHA1
abcb31801628ae19b3b02bdc87e397477482fa53

SHA256
747b2db1dfcb2598504bdc955515ca1ab0464245f0181b5571261d001a6670eb

SHA512
471f0af9c76916920499fe5ecafadfd9cdd27f704a0297aae4397cb04b16543260d7ae3be0e9d2d95ab9ccaf5b5969f9db7b9b47edd0372a129b5f667067baa6

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\Network Persistent State

Filesize
650B

MD5
27ce8c23b216eee6b4278204cfdb28f1

SHA1
9802b8aed582fd7d045e36dff606b4a0ee44d77d

SHA256
46c7530f5328c6216dc528c7558d64648c282e2da66e966cc6e9708dd3f87301

SHA512
c4dbed9882d4d4642329e48c4efe0899b2aa0d9509f9a2ac39be2dca68b6ddb7356c444577bfb82b5a87fd5c7e73c1cf6931f18e68d932efa74a256a3ee2de76

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\Network Persistent State~RFe5b4bbb.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
e2e838d51da9b68f082ab40583a6790c

SHA1
08f425257e91e057dc496bd357af0be73b94de24

SHA256
a3ae1f324eb231110ea5be8b75aa1c30a405b023a01099e9366de16a14ab45d8

SHA512
5c3099995028473374ade3b929c595403b88f0d861633fbb6d1277b83a2a6c2889b8919b50fb6d63630209a9a063dea11ccfbb57086c38d917ed7a5ffb6bbb2a

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
9344c9fb5b4ee15389c4f4a482c5f86d

SHA1
cf725e21685917eedfa21e712a0c589844d16cef

SHA256
fdce83e56911917b56aaf3974813da69d20ff3e5cf06c5ca8ff4d36288e961af

SHA512
3b9611ce18d0a3df63eca41826b99b10e226e334e6fb800776997228b38a649f97a31ef58a1ff69fcc4a951554df0294ad8f84c4be40d9b1ad8fb3589797a419

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
1d054b36c488bf313f1e130522e7cf1f

SHA1
a6aecdbb99acd72efd847025d14ffd9ac184a2cb

SHA256
621e5a594724da97a46c90ebeed60190a0b595e9ce83dd0a790f3c13162239a0

SHA512
e92b2c003a95b61b5de41f57529b35dd99cc13e66dcdeb32dd00a6945c40aa2577b998b433da201ca6bd2288b2b02ad30f41c7067e3208c94f55ca1ae6935c50

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
e780496e4f0795ec63aba5acac80dd1d

SHA1
d8ec01c55b835d289e25f65f51787b42b5d4d2c9

SHA256
0bada8b88340b5ac30695cfaa41b9f2b78b84d20fdb6cb90b06d3c5e2b94a5b0

SHA512
7b3f6b178d8d23d4eecd7354634f160fe4fbd3c7ae2b5f585b0dd03e8b4f96104aaf1c48b3d7e8809f0bc0f33ccfc408ab45d7e27cb812688e20ee7be2fee13f

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
da0e6b4be3c56f1418691a211ac3f3c1

SHA1
9aff7a48a475db7bcf52c4a9ae9a6697b48ac061

SHA256
505a87d9db42b4f2f31bd2cfa31ea9320bfa51f83b33fe0939f942b24e3c2c2d

SHA512
a45e134655ad7453a6c15f9bbf81fac4bea0c840a11c1973b57156f3c9146e89832f7b2dcc222ce78d8f7e76d7d557ec516d797c085a0d9a4080391362e98899

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
ca9b37972527a1bc99aadfbb758c0f7a

SHA1
9ec115af7f2684e2ea62662088905fe0b7aaac72

SHA256
b10e288eeaba3d3bcdad3b718ec74151cd0142f7d4acbbc3db01f2a9fc95d112

SHA512
6403d85713f85aaff676b766dc1e9f3d5d52fd73c68694e4dfea56c99685e4a8fd8eaff12f32e159c7e6663f9ebf849717e217f7cb6345e1489bc1367650f46a

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
15b02b4b415727c17fb34005ff8ca725

SHA1
703b88f5d608b49c9628a925c21f5a4160eb08de

SHA256
712e9663edf8899760894df20d2918c699e430c33f55f3a4e022e60853df33d6

SHA512
aacb76805b8d4bfc93d01d500e9bec20e2c7b08b20f48656122be769ca874a167bd7f4160b02f62ad758296bd8b125a247dce4a08d03e163ce05db35ed170713

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
522B

MD5
b3a55d0e53ff4e04164798e0352ffa0d

SHA1
583f7c2d5e9be3fd6594ce54028f2937019ea1f7

SHA256
a46c1a1851d86421d604dc7a231fe0fd40c946cdf7b931f046b217b1fe2001ba

SHA512
48097521b19dc946430bb63aef8457f551f5e7d415dee592fb3b13ad0718584b523cd38ea2b07f02f0696b3e471881e111bbcebcbe1b4cfdaf8a79ed592c7b45

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
522B

MD5
46ea6d8ee063e36653167b42cf385e74

SHA1
327256d4b4773dcb05b0106b9eefb596eaf3ad3e

SHA256
f7dac948e8727264c6cf1cc10644611e5b78e33279be933c3da0d459af73d32a

SHA512
0187037ade77737bd2630071f0c515fcafd3ea85aad9185ac109532a8e2e03e9021618f219b3a034e0a465c491dbc9cb7ea582373897a1c98faa67c2ae746c73

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
5b317964ebf41bd2a88c78cb1178efa9

SHA1
793d3dd1990f9f3567cfb6f52d57e49f9aa2522f

SHA256
ef3e83cb2744756ddfc1c02719fbf81569e2cb8444d041fe2f0b8ae480b3fda4

SHA512
f19db6695470e21440f99eb3012cfd3a991671f893bc70003457f048ff74865372eea8d7093bf2a9eb71db524c8063f0081c00c68b49a3082285ccf47d9ff52b

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
40aed522485284a9e5d9b10d2bce6e50

SHA1
034ef765f59ac04243fe4ecda661f5a9c9597be9

SHA256
98f0a45e2ab70104d12b068e8624eabeac8ce9b61cf70940c52fdf2d6d763e91

SHA512
58bda687c32ba8effa6eb55226f52cd2996a5c5dc5dfabe37dd5a873b60f51884d4f17acfbc5e9e155a30a94e2cfaea6ce6c79277835b4f71a7c68e930a0c3d5

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
6be5bfe06dd89a70216423971d12038a

SHA1
8fb656d161f13d567df662bfb5c52485faa7384f

SHA256
47abde169f7a3b403879b6230a3f91c0de79fa21cea850ed8d51e1a8976fd4ca

SHA512
510808ee567681368f7695cc4165c4d2ebf37cf2df4b46178e7a332f7dfff18086d3d9e585d73a709ee1354296d65c2a97317c7a51e3f868a261a8ba9042d05e

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
f3ff4d6ec2096bb4443f1f34247e1930

SHA1
a7d243be544958d1010ab8727853932bb3ec8ce2

SHA256
7c5d31baf3531fd7f3347d020f5dc07bf740e0dd584bb54a60eca32611232ec0

SHA512
8f413e4f0b12d0a7fda3b82cf503d96e5ce4f50e5cf165231bd9dbc44460ac19eb41f42bfe0adcaa65c957041cefe0dbb3ed97f8d95186f301619d401057f5e8

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
ce36429da901121606022822e7945ca6

SHA1
41e9908cc50d9dc61bf2fbd67006263bcd94a1fe

SHA256
bb3ee989adb94528358f5501c015d1f1d779f33925c6b2691578934204d29b2a

SHA512
009904581c84845b1eedeaa9da791e4eb8895f03633c997863c4291e7c0fc530f2b638f729082866d20c213251626773409b8132d6cec91b261202630e978ea4

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
e5a406d771435460cab88d0c8da27dd7

SHA1
e48e7dc6202bbeb608e206b5027076e57fcea9b8

SHA256
0e7c84f2b4a10563ccb8ad5973c3a032ed658624a3b5776e235929e7e4fd9658

SHA512
b4c75e045d3fe508f4b1f1d8fea781f6172c6f0f82c7035aa33c0f6746d14eb92b7651d082af1fa307f45650c9a5e5b04cdff4368bffb5f8fdc89bee8758a67a

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
f35bae2c20ec861b15001c4b9be7cee3

SHA1
35cde87d0579fa9c2e4d57608059dedd5cb59690

SHA256
96f184097715b94a36d92983b59b53c72498a61aecf2691bd190f6f3f7e4925c

SHA512
4d15e724c52f80efb4b524dfd2905ec933a06e9bc9388c37be1e0ad5250b99f1882c798222a8904ac0d4283870f1a7642024f6ab2b1396322e7b978af13fd767

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
0a54735f94036761f42f81a89ba5394e

SHA1
31a61eafd9ec145f88aa8bef18af97c4ddd0d28d

SHA256
99b4cea5ae943f736d90e165fc648113033ce0dbc98bf83ebc3c76544eec3aeb

SHA512
d4bf53f6b79427a79cf062ad38260173cdd91cbe76044063fd10c98c19f4569c699ba30eafa8e5165c2be4d68ab137c345a3b5dff715daad634b65b891fa2b66

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
63ff7e56ed1b91e09742593c79191ea4

SHA1
bf0611092953491cfb19da4d43c79f4819691f63

SHA256
fe5caf87b826de379c97b4589c6bbf47f690b311fb9a221e99f4a175aef0ba22

SHA512
f1e9d00aaed0880b8d3bcec0741bbc8867f92e1486d3b24ae02925ef23a6a538dd9ce27470b3024834f9ce51a10485cbc450ff2361254870de812826863692a9

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
3db4fed8c7d9c9d8f2ac46f1dd9ddd78

SHA1
10214d7043168dd9e6326b378fa173a74a7f017a

SHA256
5936a3290359f2ba0e80313ae04e0b7419356af1c4c87e28c440d64cd62396e4

SHA512
3a713605c77a971b084c050a45a626659ffc25509ee0d7e7079ad9089e4108a0f0c2136aee1675103ddedd98c57e61d2c1c265e3a7c88ff4ede3137a8be30d34

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
8b2c159e955b4b8e7b582596af361eb7

SHA1
9539fdfd28dd844302d21a277f236499fffc342f

SHA256
0668f0253f81fa33d1db5c9e44517f09dc1be63a0c4a3e31523a2918061ab04b

SHA512
ca28b1b67b55eddabf214b07d9bae19a71643d57382af7e873f6beb324498a87427ef6591a87af72efc6ee04fa981e192292f963849c6759f37fb18778426432

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity

Filesize
524B

MD5
9d5536fad9f8c314592454ff7ab46bcc

SHA1
9e01110f7c240213459e208ce3f53dd62941d388

SHA256
7f6a95f5862ce6348187c67bde04f167faad7a1c24e3acbe9c6b845ed679037f

SHA512
8e66a8d798576bf45f17b8862b2a2d3815738b499649f630a9ce56cd37a9786d3d06a9a345bb1faf5f54fa5857bc559d09e228791db487cfdcbf90e6277fd567

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Network\TransportSecurity~RFe5ad09f.TMP

Filesize
524B

MD5
fc297aa6839db01aaab781e9456cbd36

SHA1
6df792be570126039f3dcb936ac169be3356f8fa

SHA256
41e4143dff0cb65122b3c5586fa11a924594523174324f6da155ee923cd2993b

SHA512
6154ccf9c6655f69144ce228378e6ea07e435d182598058f7ae826ae77f8a7e760e47c0c14fcfc92284e60c76f2fded4bde64c22b7a4c95a0a14463aa957da70

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
6c25e47ffe3581d6010c7536c9a2d3f3

SHA1
7c26df96a1cd8b5828fdfbf8d4570b214334996a

SHA256
e32f1014a5dc5528931685868c2d269b5209f77f8fd24cbcb31fcac565204681

SHA512
aeab34d7729cf23d093a50fce94017aee7b5adfab1da27492cb55a360358ea4b237bd03e3cf9af3127e68895bbeacadb034b5c27796dcbc2ed64ba2f2064788c

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
252ee71b909f00f88d684b2bf9a38736

SHA1
649215fb7061c514cc2def2b12d443191a0f6140

SHA256
b0717de7506d33e3c8924dbc758ac9f73a5bb6719297940deeec5766c1578c57

SHA512
03917848fa0e6815fb6b1fed134ad6ec678bb1787f1604bf6d34d9c45e5a4a28a9f3be2d72e7d2bd23160449e96ffc437f805156584a315d2cb2288eebd11ed7

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a8cc0.TMP

Filesize
72B

MD5
96eac20752517149d1fd9c7ae16a3329

SHA1
2e74fa943691448611c2c1859abc7d36769a9ece

SHA256
6411e4326fdc83eced26c5d519d2e6a2b20fb6a5b4107b7f12523fcb1d2020b5

SHA512
65c8c72c48dafadc95396f9a9986c486b321eaa82c977620c0ff197d59281e432602605e3ec0ac0bd99eef35565bf7edf732c8cd5f6c159a5e8b20e55b29235b

Download Submit
C:\Users\Admin\AppData\Roaming\Code\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\Code\User\globalStorage\storage.json

Filesize
687B

MD5
6aa1cf63da369869a4ebfc65310e42f4

SHA1
248a5b8af5f3bba17fd47b1d4927f80988bcdee9

SHA256
16f9c5fb1a97a75f6c64cbf71b6442ab6d78971d6af1a9cf67f948c23a5db0aa

SHA512
dcbde4f7c1cb70acadcaab29d5ac1d7893f3499c8f44bb033dddc7af48dea30732575118de39d04a2d3fd12d263a01d545583edd90672e0cbcddc0288aaeef7b

Download Submit
C:\Users\Admin\AppData\Roaming\Code\User\globalStorage\storage.json

Filesize
1KB

MD5
a8ef763ddf51caacf8ebada6536ede5b

SHA1
1a9af5002b69b748975f00bcd6254a4920730e9f

SHA256
f6e05db27f912495e3df45f377b1149e3d6aa07311d37ef1d88dfd3bb3e209ab

SHA512
1f9200302503684761f3d37805b043674edece28d6a2ab85cc9c60eeb9ec328b6e96809095c28eda1d291b3ca37ac253c68ca81e4044605c91a0deab51b963f7

Download Submit
C:\Users\Admin\AppData\Roaming\Code\User\globalStorage\storage.json

Filesize
1KB

MD5
b50efe76bbd107170b77c1cc5544d9fe

SHA1
8a8aec67320e21be5711a3eaab0ea6e973755661

SHA256
75e66e45e9f5be4e5f6765b3b854b92ba42f568018ca71a7349b03dbde0a2652

SHA512
a12da10de376b1fcbc3bb22326cb31981cddf29696ea5546f90e8e3329dddbf11f4671c742f2f73299ec2d06e992f9d1148d157091e6a86c523d549d778139dd

Download Submit
C:\Users\Admin\AppData\Roaming\Code\User\globalStorage\storage.json

Filesize
2KB

MD5
2232a21e92e02234970390efa180bb19

SHA1
ebeadef985e0746a7979730f6efb393121a727d7

SHA256
72183c17487c38ac86ac49a10a4aa983aa75b20227b3112acaccc658ec4af91a

SHA512
55e640318a72ea140cc22ab02bfe38d524b7d3170991d55de24273e26f6b36a28453e23998bcf6a38edd6169ae574e20691b2c88a93f66ac2d9a198aa170005b

Download Submit
C:\Users\Admin\AppData\Roaming\Code\User\globalStorage\storage.json.vsctmp

Filesize
1KB

MD5
33c2ae88b59732e35c331627a64263d4

SHA1
b18e199f5d7c458143cc7acd21da63657f7553a3

SHA256
8c362d90306be26d6bfe2c2935f26c8606c9f1f9b30b0bb9c77642bbc29b82b5

SHA512
67a4a14ae2ccaae93a6ae62990b05f7a91147f78053c8699dacdd837ce11312afc7a9fd49808b94bc8db224bc0f443e5cce46e4e2f7ef76294dc479598f6a313

Download Submit
C:\Users\Admin\AppData\Roaming\Code\WebStorage\1\CacheStorage\b45543cf-713d-481c-858f-3a78307a76f9\index-dir\the-real-index

Filesize
144B

MD5
e8860af47440d43818b278133f6e2009

SHA1
9515afcdc29e28cb513c365e56d2a213b46b348d

SHA256
cc7d3c932e19531b518a35c815d7206f231dc3b5a1f3745c6e95d76b9a283074

SHA512
3409d206232cfdf4ed33f842ecc4b8eb7d4430ce62f9cda02f53211d419db8a7b624fd8e30f293cf820bb8b9db88502200fe1a37fed231349dbab4b3474880e5

Download Submit
C:\Users\Admin\AppData\Roaming\Code\WebStorage\1\CacheStorage\b45543cf-713d-481c-858f-3a78307a76f9\index-dir\the-real-index~RFe5a8d0f.TMP

Filesize
48B

MD5
44a99895a9ad23dd9cfec30aa199ca0e

SHA1
f0f3c321b2f2a3879f2327e5380c0d176ea4b55a

SHA256
68e6f86de8844da244fd12ed285ae85c45defb0a901081df609d03ebe8ba8bd9

SHA512
9bb19280b13473896887ea921105378fa53495347cd85be832efab7322672c81b41529eb237662c28597fff063b8b93637101d30dc53088bbb828c3eb5df4521

Download Submit
C:\Users\Admin\AppData\Roaming\Code\WebStorage\1\CacheStorage\index.txt

Filesize
247B

MD5
afc26ba701403c1c6e57a06d05dcde5a

SHA1
91a73b5e60f684bdd450d55a3ee84c80cf345233

SHA256
ac789b351e9a7eb77627ca5b94b7d18e9b6bc7e6f75ba806ca8b4717ca35d6f5

SHA512
70c2824f462be9445f6aaf344b7d8b40d5eb4d4c33d03807dc31f31d39a6c81d856ba2e6d508dd16e517b7fefcb5df525e66fb784f7f5117e5a190ab933d035a

Download Submit
C:\Users\Admin\AppData\Roaming\Code\WebStorage\1\CacheStorage\index.txt~RFe5a8d4d.TMP

Filesize
252B

MD5
2827e073bc36568829188c6ba714bd34

SHA1
0ca9ba35f2f38c2f75ef2f11104262c790a79818

SHA256
60ad66b497f73eeaf06bbff7083234d300e0cd2d9f0910d634e8e768742b5d03

SHA512
a86e9f502c218b922d20ed7ac63b2b380d3033a1ad911f251a8a9248318586553c911c3b762c4e39d28be6f7974cd08cbabe87c29b8238a8be268b8f1cf13845

Download Submit
C:\Users\Admin\AppData\Roaming\Code\WebStorage\2\CacheStorage\ba660a18-53d4-4521-b9a6-d4cae2c937c7\index-dir\the-real-index

Filesize
144B

MD5
b94467d79549dc36183dafd66609b3a9

SHA1
a66fc93033b6463334b28e600a72ac879c9a9781

SHA256
3add6aca60b04330b27cf272a8598ba8ce52e5ba4ede085d7b3cce5707da0e6f

SHA512
c0eba49c792e9c8431155e7f43a2dce21d0a2b50985db95593870b1a885cb9b7f6ab6bde90067837df57ac3a8c6cfc11416d50e0de484c7397ac50d078c72997

Download Submit
C:\Users\Admin\AppData\Roaming\Code\WebStorage\2\CacheStorage\ba660a18-53d4-4521-b9a6-d4cae2c937c7\index-dir\the-real-index~RFe5af9f2.TMP

Filesize
48B

MD5
4ec42b44aefaf756fd29b16d13dbc13c

SHA1
d3c3eff82be1f35f0431a13bdd64e1ed350413c0

SHA256
1548b7fbf4c8c3ab5eabcd7760e1c92addad4d8fd5791bd241145ace852a5184

SHA512
32f041428a850067f7958f7b192a57c21ac27fef916c9303adfa14635305a2660804db89bceb29a750899a76537e67903ef07121ffca8f05156b161d0c6bbe91

Download Submit
C:\Users\Admin\AppData\Roaming\Code\WebStorage\2\CacheStorage\index.txt

Filesize
247B

MD5
11fee4d832a61e606a5d97b78067976b

SHA1
5d06f8b2932572bcc55ebbffa2ddecfe3b738913

SHA256
422551a2f88ce17c5c30e3b5bc73487e54521b91a2281f029f62b8473b04e78b

SHA512
9cb29bc6d24afb56d65da559bc960fe26612d523b107a0bfbca5afbee8bc41462569c52a41a33cdf3cb4959d53b1cd2a68286d0b25829f805baac1c6bf512369

Download Submit
C:\Users\Admin\AppData\Roaming\Code\WebStorage\2\CacheStorage\index.txt~RFe5afa20.TMP

Filesize
252B

MD5
ffd27e0df844c37ecbefd15d36dee455

SHA1
8934eb1a2615ad80ad1ba1ea3ffa275cf649a593

SHA256
a1e2f68bfab5daab0e88596f2163e04e56af1104ac1a2fe7448f7b8b36fe61f0

SHA512
84889cc194f9b31b07ce0506d92761381829194b48b0e1aaa7c2ddd8d4678422c601dc8bdf0eb72f8ef238375a675d6666ee2756c1c6a87ce161c7a59327069f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1ced32d74a95c7bc.customDestinations-ms

Filesize
1KB

MD5
5a8fc34b49595e1000cea1fd14c80714

SHA1
9193c216119048cb9091b5ece6fa1535762c8421

SHA256
7dbdfdc30b5bef88d0cff55f28b6dc869035910792730f357912813c8467c515

SHA512
57c3be8950b01daa2f17a582335094cd55db23fe8753223d06b5ee33fb564b4dd1b4e8b4b1b4b4123b6ca0695a672df0bc172a82aed36bd353ca867dc29153fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1ced32d74a95c7bc.customDestinations-ms

Filesize
3KB

MD5
2cbd95489d05c39b47682dac3c97b2a9

SHA1
4d43318994e8e232e133749ecf824b08f398d07a

SHA256
5755f65302a9fc275f7bf1af352c2a7fcb947685d862ebc88cb51062621c9b58

SHA512
be381df61303abf07db371c84c93723b559b4758482548a6a621baaa4e2917ec4beed979943849e65bf8cffb29f0ae9f8919eba75a24fa56255040b9c33d3358

Download Submit
C:\Users\Admin\Downloads\polar.zip

Filesize
964KB

MD5
02b1ff9eba702c77beb1e6d4af80ece8

SHA1
887979ad9251721a5d2082db58ed5d1f19819e3d

SHA256
142b97d92ba420f0a3e0412072058ec77f28e30c096ac075f3a0836b44971734

SHA512
1929789866ce9ea3324dd02afcbc9a0ec73db433690de4fc5f55f9f2cdf5df3bbc0cb24ad1e815fb45c65485a7de0fdabc7b6ed18b68780b175f25913beb9a54

Download Submit
memory/1600-2985-0x000001C7C36E0000-0x000001C7C3710000-memory.dmp

Filesize
192KB

Download
memory/1600-2726-0x00007FFE4D210000-0x00007FFE4D211000-memory.dmp

Filesize
4KB

Download
memory/1600-2725-0x00007FFE4C410000-0x00007FFE4C411000-memory.dmp

Filesize
4KB

Download
memory/1844-520-0x00000000064A0000-0x00000000064C2000-memory.dmp

Filesize
136KB

Download
memory/1844-504-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/1844-501-0x00000000049A0000-0x00000000049D6000-memory.dmp

Filesize
216KB

Download
memory/1844-502-0x0000000005010000-0x0000000005638000-memory.dmp

Filesize
6.2MB

Download
memory/1844-503-0x0000000004FA0000-0x0000000004FC2000-memory.dmp

Filesize
136KB

Download
memory/1844-505-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/1844-515-0x0000000005990000-0x0000000005CE4000-memory.dmp

Filesize
3.3MB

Download
memory/1844-516-0x0000000005F60000-0x0000000005F7E000-memory.dmp

Filesize
120KB

Download
memory/1844-517-0x0000000005F80000-0x0000000005FCC000-memory.dmp

Filesize
304KB

Download
memory/1844-518-0x00000000070E0000-0x0000000007176000-memory.dmp

Filesize
600KB

Download
memory/1844-519-0x0000000006450000-0x000000000646A000-memory.dmp

Filesize
104KB

Download
memory/1844-521-0x0000000007730000-0x0000000007CD4000-memory.dmp

Filesize
5.6MB

Download
memory/1844-522-0x0000000008360000-0x00000000089DA000-memory.dmp

Filesize
6.5MB

Download
memory/2100-3453-0x000001F056930000-0x000001F056931000-memory.dmp

Filesize
4KB

Download
memory/2100-3452-0x000001F056930000-0x000001F056931000-memory.dmp

Filesize
4KB

Download
memory/2100-3454-0x000001F056930000-0x000001F056931000-memory.dmp

Filesize
4KB

Download
memory/2100-3455-0x000001F056930000-0x000001F056931000-memory.dmp

Filesize
4KB

Download
memory/2100-3450-0x000001F056930000-0x000001F056931000-memory.dmp

Filesize
4KB

Download
memory/2100-3456-0x000001F056930000-0x000001F056931000-memory.dmp

Filesize
4KB

Download
memory/2100-3444-0x000001F056930000-0x000001F056931000-memory.dmp

Filesize
4KB

Download
memory/2100-3446-0x000001F056930000-0x000001F056931000-memory.dmp

Filesize
4KB

Download
memory/2100-3451-0x000001F056930000-0x000001F056931000-memory.dmp

Filesize
4KB

Download
memory/2100-3445-0x000001F056930000-0x000001F056931000-memory.dmp

Filesize
4KB

Download
memory/2516-2727-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2516-479-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2516-445-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3760-532-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/3760-2623-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/3760-2649-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/3760-482-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/3760-480-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/5624-3360-0x000002046D2A0000-0x000002046D2D0000-memory.dmp

Filesize
192KB

Download
memory/6104-3086-0x0000027584FD0000-0x0000027585000000-memory.dmp

Filesize
192KB

Download