growtopia | 5e4fe16f13855e0c9cb6ffcf21ea0cc627536e2b0153cf6f2f8a8b1d85c0bfa1

Analysis

max time kernel
367s
max time network
366s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Radium/RadiumExecutor.exe
Size

12.6MB
MD5

7a17d34bac23e365863ea1da1e42e968
SHA1

b5ccab413899349d2821cc2798bce29f0118121f
SHA256

571a330dfb82f72878d9ede8bdfc332544446a0160117bf37399c3b9ca0775e2
SHA512

c021f26320c49c64831c676820d1bc7cb84ba3f49b798d4f858461eebc398a37d937de1d4cf214b973b8ac1cb693830894c4ae9b1bc7d62f2fd5d56b7d5ba4ac
SSDEEP

196608:MRvSjNRyzz9V4EAWzcNtYuZuT0ItZ/jBpOtwDc3rSlou2it3NaB+He+8:MRqjj+xV8acwWuNtZ/jetwc3SYihNqc

Score

10^/10

growtopia xenorat evasion execution persistence pyinstaller rat stealer trojan

Malware Config

Extracted

Family

xenorat

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8913d

Attributes

delay
5000
install_path
temp
port
45010
startup_name
WindowsErrorHandler

Extracted

Family

growtopia

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1212	powershell.exe
1792	powershell.exe
2240	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	RadiumExecutor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WinErrorMgr.exe

Executes dropped EXE 8 IoCs

pid	Process
5024	Ilkdt.exe
2856	WinHostMgr.exe
2256	WinErrorMgr.exe
1776	KeyGeneratorI.exe
3400	Sahyui1337.exe
5436	KeyGeneratorI.exe
5448	WinErrorMgr.exe
1452	bauwrdgwodhv.exe

Loads dropped DLL 4 IoCs

pid	Process
5436	KeyGeneratorI.exe
5436	KeyGeneratorI.exe
5436	KeyGeneratorI.exe
5436	KeyGeneratorI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
116	pastebin.com
24	discord.com
25	discord.com
114	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
318	api.ipify.org
324	api.ipify.org
404	api.ipify.org
489	api.ipify.org

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1312	powercfg.exe
5792	powercfg.exe
5832	powercfg.exe
5972	powercfg.exe
5752	powercfg.exe
6060	powercfg.exe
5588	powercfg.exe
4772	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\MRT.exe	WinHostMgr.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 6052	1452	bauwrdgwodhv.exe	171
PID 1452 set thread context of 5816	1452	bauwrdgwodhv.exe	176

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5276	sc.exe
6084	sc.exe
5932	sc.exe
5284	sc.exe
5380	sc.exe
4856	sc.exe
6024	sc.exe
5528	sc.exe
5796	sc.exe
4988	sc.exe
3756	sc.exe
5352	sc.exe
5876	sc.exe
5364	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x00070000000234c7-50.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133651172561296904"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-464762018-485119342-1613148473-1000\{1B79C6BC-AA27-4704-95A0-4AC0699CA329}	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3400	Sahyui1337.exe
3400	Sahyui1337.exe
1212	powershell.exe
1212	powershell.exe
5376	msedge.exe
5376	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
1500	identity_helper.exe
1500	identity_helper.exe
2856	WinHostMgr.exe
1792	powershell.exe
1792	powershell.exe
1792	powershell.exe
2856	WinHostMgr.exe
2856	WinHostMgr.exe
2856	WinHostMgr.exe
2856	WinHostMgr.exe
2856	WinHostMgr.exe
2856	WinHostMgr.exe
2856	WinHostMgr.exe
2856	WinHostMgr.exe
2856	WinHostMgr.exe
2856	WinHostMgr.exe
2856	WinHostMgr.exe
2856	WinHostMgr.exe
2856	WinHostMgr.exe
2856	WinHostMgr.exe
1452	bauwrdgwodhv.exe
2240	powershell.exe
2240	powershell.exe
2240	powershell.exe
1452	bauwrdgwodhv.exe
1452	bauwrdgwodhv.exe
1452	bauwrdgwodhv.exe
1452	bauwrdgwodhv.exe
1452	bauwrdgwodhv.exe
1452	bauwrdgwodhv.exe
1452	bauwrdgwodhv.exe
1452	bauwrdgwodhv.exe
1452	bauwrdgwodhv.exe
1452	bauwrdgwodhv.exe
1452	bauwrdgwodhv.exe
1452	bauwrdgwodhv.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5400	msedge.exe
5400	msedge.exe
2332	msedge.exe
2332	msedge.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 47 IoCs

pid	Process
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3400	Sahyui1337.exe
Token: SeDebugPrivilege	5024	Ilkdt.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeShutdownPrivilege	4772	powercfg.exe
Token: SeCreatePagefilePrivilege	4772	powercfg.exe
Token: SeShutdownPrivilege	5588	powercfg.exe
Token: SeCreatePagefilePrivilege	5588	powercfg.exe
Token: SeShutdownPrivilege	5792	powercfg.exe
Token: SeCreatePagefilePrivilege	5792	powercfg.exe
Token: SeShutdownPrivilege	1312	powercfg.exe
Token: SeCreatePagefilePrivilege	1312	powercfg.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeShutdownPrivilege	5972	powercfg.exe
Token: SeCreatePagefilePrivilege	5972	powercfg.exe
Token: SeShutdownPrivilege	5832	powercfg.exe
Token: SeCreatePagefilePrivilege	5832	powercfg.exe
Token: SeLockMemoryPrivilege	5816	explorer.exe
Token: SeShutdownPrivilege	5752	powercfg.exe
Token: SeCreatePagefilePrivilege	5752	powercfg.exe
Token: SeShutdownPrivilege	6060	powercfg.exe
Token: SeCreatePagefilePrivilege	6060	powercfg.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe
Token: SeShutdownPrivilege	5200	chrome.exe
Token: SeCreatePagefilePrivilege	5200	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe
5200	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 1212	568	RadiumExecutor.exe	87
PID 568 wrote to memory of 1212	568	RadiumExecutor.exe	87
PID 568 wrote to memory of 1212	568	RadiumExecutor.exe	87
PID 568 wrote to memory of 5024	568	RadiumExecutor.exe	89
PID 568 wrote to memory of 5024	568	RadiumExecutor.exe	89
PID 568 wrote to memory of 5024	568	RadiumExecutor.exe	89
PID 568 wrote to memory of 2856	568	RadiumExecutor.exe	90
PID 568 wrote to memory of 2856	568	RadiumExecutor.exe	90
PID 568 wrote to memory of 2256	568	RadiumExecutor.exe	91
PID 568 wrote to memory of 2256	568	RadiumExecutor.exe	91
PID 568 wrote to memory of 2256	568	RadiumExecutor.exe	91
PID 568 wrote to memory of 1776	568	RadiumExecutor.exe	92
PID 568 wrote to memory of 1776	568	RadiumExecutor.exe	92
PID 568 wrote to memory of 3400	568	RadiumExecutor.exe	93
PID 568 wrote to memory of 3400	568	RadiumExecutor.exe	93
PID 1776 wrote to memory of 5436	1776	KeyGeneratorI.exe	95
PID 1776 wrote to memory of 5436	1776	KeyGeneratorI.exe	95
PID 2256 wrote to memory of 5448	2256	WinErrorMgr.exe	96
PID 2256 wrote to memory of 5448	2256	WinErrorMgr.exe	96
PID 2256 wrote to memory of 5448	2256	WinErrorMgr.exe	96
PID 5436 wrote to memory of 5160	5436	KeyGeneratorI.exe	97
PID 5436 wrote to memory of 5160	5436	KeyGeneratorI.exe	97
PID 5160 wrote to memory of 5196	5160	msedge.exe	98
PID 5160 wrote to memory of 5196	5160	msedge.exe	98
PID 5448 wrote to memory of 5572	5448	WinErrorMgr.exe	99
PID 5448 wrote to memory of 5572	5448	WinErrorMgr.exe	99
PID 5448 wrote to memory of 5572	5448	WinErrorMgr.exe	99
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102
PID 5160 wrote to memory of 5388	5160	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\Radium\RadiumExecutor.exe
"C:\Users\Admin\AppData\Local\Temp\Radium\RadiumExecutor.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:568
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAawB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAdwBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbQBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAagB0ACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2856
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5364
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:6028
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5276
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:6084
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5932
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:5796
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:6024
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5588
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5792
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:5528
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4988
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5284
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:3756
- C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe
    "C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5448
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D1F.tmp" /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5572
- C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe
  "C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe
    "C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffae6d346f8,0x7ffae6d34708,0x7ffae6d34718
        5⤵
        
        PID:5196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,11187728631839739707,14591378164891079400,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        5⤵
        
        PID:5388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,11187728631839739707,14591378164891079400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,11187728631839739707,14591378164891079400,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
        5⤵
        
        PID:5296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11187728631839739707,14591378164891079400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:5248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11187728631839739707,14591378164891079400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        5⤵
        
        PID:5164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11187728631839739707,14591378164891079400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
        5⤵
        
        PID:1516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11187728631839739707,14591378164891079400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
        5⤵
        
        PID:2304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11187728631839739707,14591378164891079400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
        5⤵
        
        PID:5088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11187728631839739707,14591378164891079400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11187728631839739707,14591378164891079400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
        5⤵
        
        PID:5308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11187728631839739707,14591378164891079400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
        5⤵
        
        PID:5704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11187728631839739707,14591378164891079400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
        5⤵
        
        PID:5736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae6d346f8,0x7ffae6d34708,0x7ffae6d34718
        5⤵
        
        PID:4780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        5⤵
        
        PID:4776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
        5⤵
        
        PID:1148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        5⤵
        
        PID:5264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
        5⤵
        
        PID:1312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
        5⤵
        
        PID:2856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
        5⤵
        
        PID:2784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
        5⤵
        
        PID:2196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
        5⤵
        
        PID:2124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
        5⤵
        
        PID:2416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
        5⤵
        
        PID:5188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
        5⤵
        
        PID:4492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
        5⤵
        
        PID:436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
        5⤵
        
        PID:4596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
        5⤵
        
        PID:3700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
        5⤵
        
        PID:5348
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
        5⤵
        
        PID:2852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
        5⤵
        
        PID:5248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
        5⤵
        
        PID:5888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
        5⤵
        
        PID:4080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
        5⤵
        
        PID:1960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
        5⤵
        
        PID:4636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
        5⤵
        
        PID:3396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2440 /prefetch:1
        5⤵
        
        PID:980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
        5⤵
        
        PID:2824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
        5⤵
        
        PID:3496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
        5⤵
        
        PID:5124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
        5⤵
        
        PID:4876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6360 /prefetch:8
        5⤵
        
        PID:3344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6356 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:4232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
        5⤵
        
        PID:4248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5360 /prefetch:8
        5⤵
        
        PID:4484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5004 /prefetch:2
        5⤵
        
        PID:2316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
        5⤵
        
        PID:1784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
        5⤵
        
        PID:4108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
        5⤵
        
        PID:4492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
        5⤵
        
        PID:3028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
        5⤵
        
        PID:4628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
        5⤵
        
        PID:5804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
        5⤵
        
        PID:4516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16756354524275183451,14362107856555360353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
        5⤵
        
        PID:5116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
      4⤵
      PID:2700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffae6d346f8,0x7ffae6d34708,0x7ffae6d34718
        5⤵
        
        PID:4124
- C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
  "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4468

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1452
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3480
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5132
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5352
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5380
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4856
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5876
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5364
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5832
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5972
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5752
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:6060
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:6052
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffaeaebcc40,0x7ffaeaebcc4c,0x7ffaeaebcc58
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,12798507884562116468,6279050811414820590,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,12798507884562116468,6279050811414820590,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1416,i,12798507884562116468,6279050811414820590,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:5264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,12798507884562116468,6279050811414820590,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3392,i,12798507884562116468,6279050811414820590,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3712,i,12798507884562116468,6279050811414820590,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,12798507884562116468,6279050811414820590,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,12798507884562116468,6279050811414820590,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3532,i,12798507884562116468,6279050811414820590,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4100,i,12798507884562116468,6279050811414820590,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3756,i,12798507884562116468,6279050811414820590,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3508,i,12798507884562116468,6279050811414820590,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:3008

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:6068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4ca87cb3-b303-411e-a2c1-58fdfc2702e6.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
5b1154809b66070ad6e5a0995922d28d

SHA1
3fc309d640eaa5d3f05af0df2c8da254c8df378b

SHA256
750bd8a8860543cdfd568554b8283e5e1252a6deb1e607075b769778ee9248e5

SHA512
1795a57a99d8b33d904b2e3b3bb81d1e64af1557414ba3d7510604b2dc3864dc4e5671b5fccfe9a5db18f3ac338f500f673feaa110c78fa7f498650b24a8c019

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
1b3f1c5ca224e4a5970b76b9aa1411e7

SHA1
aca63b1d8d4ed9b52bcfae94fc281cbe710b74d6

SHA256
d9c108236848c63acc86c91af953085614ed4855cb4d9589c432c9793dd70c02

SHA512
81988de7c14dfbf8a9944f5c12406e1a93f81b598ae1d361a5abfa29408f563f65ab883fbd17f17e5b2025dd1be90ef6a090eb83020aad784f7eb8cacbbb3cfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ae46fef8d9a2a97d9f098d8b9d5d632a

SHA1
c2849f7b8c281b6401c389e7508521452561ce07

SHA256
fab5621a7b1c87c2a6c627924663dc3f4658536c2a3924c69e1b23686cbaace8

SHA512
e3f79f16c7b8b4946657df8ae3ca58390782ed2ac42bf79692fd279a88e36ae21688899f57fd5419aee7c9abdddb389b4e9ba538659fafba247ea5cfeee0b8ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a2d70c13506ce4931d22c755b3655a2c

SHA1
8f742c607e3447c0248998a13a243d72f134f49b

SHA256
f70766506d6774c52cc2ef5e0ed1faafdcd837b0b781d8c67c1827c37e080833

SHA512
995b44a85cea6d941addeeed006a96efcf09ebb1e5925205f1d77718a1ed0c453a40bc08e6d9ef3b79092641535eeb4d436e9d6f5b2ec0760fe1a4b76e5b805d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f531dfef5ac39625a7a93f338679de14

SHA1
62cd9e6fae8f7dea6a80f05730aa3fd5909a0cb7

SHA256
34cae3c6017406081880c0c4c8e56aafd6e34c9025e0cb685ae147c44059f92b

SHA512
6daae0930bf4f2034e696657a7fea54e5afec10d05b32f9acc61e3bbf4183cf88be7a9adaec4992723ecff3966357697cd0f8602d64b458bda921b8d2711b4cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
09a319dd870c270a19a02ca5f4830b5e

SHA1
5218ef127a8c5912032e551c2b224526612dece3

SHA256
6bd0208e1035c88a6957428d83c6a8c77239c394c7bc56da78060880d164b5c2

SHA512
7ca5a27e07e18ed14eb071caaf47837850240dd0ee26a9c6e672026db0083c17cb6b7978cb9b4ac0258c739218cb380c8e19208e779836e94c009f71ab4e44f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bc4e4098ba9b35c2e9ae31058fce4e23

SHA1
ddd068c3bf192f1ea04a76bbf5d63a26491dd718

SHA256
683e4be7926f4b86b31c1dd5949cf1dd2f77e33c48004cd9ad1d0d7067eba6f0

SHA512
b966f15fc0e3cbae60391bd14595e790ed4899916f44aa4f8020533af16a4d264a62caa759b9879e0eee3733d33b9d2645fe41eb49a28675abe8ee23677f0970

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cb65d9edc56a6d84a524115481bfb81a

SHA1
28f25705aa8d93b3639be65cd8e0c23a2d4bf930

SHA256
f79dab0bec6341ade6ba41a5bceb4cda4344ecf3a7422b9a317c0e1999de6a80

SHA512
a5ee75ff6058fdea7cb00327a0682f51b0f93d4f9d6697371354d3110ffdd53552c1d5c03d717157a392d90134f7722851814924f3ac3beb077ff0dc4ac1007e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3dc0ba2a4c6aaceed9b1d7676b8ae34b

SHA1
2de43dee29a2ae75ddf2b1d91509ee612ebbae3b

SHA256
126e7e731e6d579b39e7c46c418d9c8a3331876204e87eede128f52c35a445ea

SHA512
606eab3439f6e89ea2d8774041f297dc98e0ca65b0dd5fcd10ad6f14d6f4a61adaa465953b27a9d1bde094cd159f96ee51fb738276f2f021401ba0280ea9779a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b84adca67dd19845b7b0af5d55316c38

SHA1
3eae16c683a9a52354461ef2684da6d36ab73bf4

SHA256
fbc07b5e6061982449ff54145f010d3deef8f0923cc74dfcb87cc225311897bb

SHA512
5dc8dfba08f155adfbba01fae6f19ee87f04162850db0d4e8a2192ecc60d647a75506dd44e18fcfe5cadd08cced6a4540d9f153e84618c82b51ace01ab5f78ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
181KB

MD5
92986f15196afa72e98f1558860dc212

SHA1
259a590bd20f8583ba3e8b169140d432dd9a82ec

SHA256
61f5b738c10b3dfda20ade4c25ce8afd96bb2490d979d4c9db464b2d4d66238e

SHA512
e463e25e9ab2a6c27da0e35eda694aa5da61978bef67d32fc0023b6833106001a04d896206ababde3f399af9bf72047b92dce992005cdac711668578bb904dce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
181KB

MD5
da14b25c7ace359852afceeb385096ae

SHA1
46b39175ba11a0ec99a0a5ee120b17e27183551d

SHA256
7657539b1ca036087b7d72eaf89afacc6a44d16e61e4da722ce9dc0f0f12f9eb

SHA512
fd0598c46635fe10560d81995904dffd23acc2b692d7d69112cd65cf9c3a6e1a0ab0095a170c431461817771deebba0b114b3ab2f59d48f754ac22f5e444c1cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27c621cf450c2ad9b65d2641fd89dd7a

SHA1
6158e845753c4c09f37dbeaf431898cf5699420e

SHA256
f1e76328005654ef31c12c30601b9b0996194c99760f037b2ba70a549fc22289

SHA512
16f0b4204d9e977c727a7acb5b6fd3315b03656b5e00452129f56e048a81f133de3e5fb62fc09d482e2acd5e3cae6f551e8dbb5aba9b19624544cd35fcee3a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c118e3d0e39099e8e035b0d15ab0f982

SHA1
f60b75fe1665cd6ae4f3c9c419fcc26287ed2380

SHA256
651286aa34deb46a2737ecf03090703e440285c01fe3b9b822cf9d2949e9099a

SHA512
21f32d45c3e7a17e2d493be1793fcaa31e4cf26e115966744a5fed09403c9989434ab9eda82754693e7562a2de59080a2ebe1befae06ec02045c298459bc2288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
16KB

MD5
61e4576e6aa91cd435fe92f085fb0a3c

SHA1
fa21a6bad3a461c8f0e27b75913c8f1cbe0b2b62

SHA256
78d8aca4e50e6ba58890b68f8c3d6e562ff0b16516a0c3df56be18b69dca6aa9

SHA512
b250c2940f7ca24b763bfcd4d39d0022d6441bad54c415b9848ef949f8871f219289f044301de03313bf8cfa53bb2797c5590acc1b32889b0641f7a13b710bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
25KB

MD5
6c9f24607a85011c8fa145f30be632ad

SHA1
8f130cec0d0a6579fe8d398bc7e62451e7badda0

SHA256
7d5a1d5cc0ff324a2faa264a6d1a40115aa945a8d7c71808108da456125dc784

SHA512
79ef710010892897b208f4b4c61c043523454ae3bc9a765057ddf0b8e9f702d4a6ee1c13317b1fdf95caeda2b9d9fd182140614eb409b5fc72cbffc6c723b48b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d

Filesize
897KB

MD5
d74b1d76b3f17d8cff2b2e9417be85a4

SHA1
fbd4854aa61a0889642a22856e71e17538daea39

SHA256
4c7a387c9d792cea3724900d255391fe4aa126e56148b3fc8a254c8d6a6a1f62

SHA512
7f44d913da17315030a56045e337ca2d42d61cdce72928ed7e7b2dfff4fcc8fc44496dd199fbf71dec89b62f09be95dc6321edea4c1088acb57d3f6cbe2e6ae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

Filesize
52KB

MD5
62b3fa13d3b51811dc3deab949275af1

SHA1
f69c64ae66702e05b2820e784f510f70b2a57221

SHA256
3f4cafa924885f281c21706bed2443fa5dad6a1075d9d8c9943b0791024ffdbc

SHA512
d0dff3068837cfd901301724337889b811008f7284d0dcd6ea8c2a19e77223a456405d0b324d0714ccad437246a401b92067d6052b32d0970b99d0909eff0e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
72KB

MD5
ab6a2d88f1c2f7910cb8c5fca8539dfc

SHA1
e9fac44e6af888f33169f4c4effa529c9d698a7d

SHA256
dc870877b813e56a9c2685483aefe026fc7bb4fd77aaf57fbd0bc7f379fa750b

SHA512
ff4ce6137896ba63c40d11c5202843637cfd1688b0f3e9861624bcc94e8ed1efb83fd04938143cc87b63370423b7c1c98b930fbc0f4cbb689b6b57201fef4441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042

Filesize
36KB

MD5
cc5089573a8b129f1067b84267b6e5f6

SHA1
8548f93c4c6ceddf429c7425133940935c9014f4

SHA256
bea4326b85ea3c3ead51e5fb0454c4e7ac8abf0fac19a5058af896b9901f6c87

SHA512
19d0094e42b2e259b813a2030fd9ad53e594e0c8a0223c4494af1063edab640e068e0f4e9a7a2fda2d4d484e622ce0b0b013a3cf2c098be04bd75a5c57badecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000043

Filesize
143KB

MD5
1a5be1ecdd713c436505fd0124659eae

SHA1
e3923852df2cd99551a3700a3ecd08999f6cf413

SHA256
8cba589eee142fd55421a8bfb70549defddca0da2f1fd6f8f02082da3d177dd4

SHA512
a86e9847225451c6e24b0169f01ca5c98b3c3d286f62a64dbbf14622128fc13bb6bb9eb52dc610d5c9d1a994fad298ae523cd7ce48b6213c8f8296c9db3d487b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047

Filesize
37KB

MD5
72f23f875e8804b8c0a1e30879c37505

SHA1
1358e64334cf0b72d462f7417ee07fd2a06f177e

SHA256
375cff4a65254fd0de184c638e1f09ed2af1e9635554574f59ffb11df7a9e18e

SHA512
6eae4f5f49b0bcb8ee83019898c1c61811cdd95b70f4c5da3bdf12874b6e80aca3b0b7d9915b91c7f0193de23a303f9b72a980193bfc015a2f7f0480e32bc726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

Filesize
98KB

MD5
a5584fe2915283397441c87c505daebb

SHA1
4c60a93a0aae1916b396591488b40a281000ab99

SHA256
64aa8cb7f695c3f1d84792c4137a0759d0125f487f5746c4b9c18b8447fef51e

SHA512
9085a0891b5cd9eebd27f11e259ee4666356049b5ae0441c5a859e74a292a951b4652bddf34166d2864e497ff3fa1547f377569f5bf1cdf329e8dec2b5cf202b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
25KB

MD5
1b7ac631e480d5308443e58ad1392c3d

SHA1
95f148383063ad9a5dff765373a78ce219d94cd7

SHA256
7fb66071ac6c7cfff583072c47bc255706222c2a4672c75400893f4993c31738

SHA512
15134314dfd36247db86f9b3d4dcb637e162f8fd87c0ce73492ffdb73a87492fc80330655617f165dd969812ed2ebcc42503f632d757bb89ba9116137882119d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b

Filesize
19KB

MD5
9dbec782554ff613b549c2b667c67857

SHA1
d81fac1044c42656a7df3f46c43b33e3c9ae72c9

SHA256
8aa672a751be805b7accfa6c6be9281948137b970985057f1c8dc78ae264b1a0

SHA512
ba33a2f9bee5cb7d3f196563e58184bd0c4a52eb92e7b0afd359c4f1358bd2bb07845fd6ab28d41c4ae7c0d5e931afe95cb30f8a80daee4e97990aa9f609e193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000057

Filesize
63KB

MD5
1f63b30eb1f4d138e7bbe4cf01349aa4

SHA1
7c34b0c2fc6f949551b9fa58c99d035d6e6a6002

SHA256
36da78f31189b81a9edf717d77fbbe93faec80b01b7d14d43972cd3a3e71e1c3

SHA512
d5f91ec7fa94eb7f62f1721c058566e4eefb620777dd2d94ed908f8e2ef3b0437c44972fa193924363d0869854395f0e5de6bc694b33b7e5ab6f51b666e5b872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000059

Filesize
20KB

MD5
75f4d34b443e0a3a8cb49c8db9db1975

SHA1
c62a665af984f19e83923c55e68ecd08c0f65ed7

SHA256
0a1ae61c5fbee61b2c1fb67a5a16ba6e006c818e07686a41075c7839fd5cb60f

SHA512
5466922989f347ce37b89401df1c72d690d9ab2d13e67aa55e3b3162d7fafb4b55bfcb2768501fe8d08af5fe576c4a4b423be2a06313efe0fda72c7135f50d88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c1ed3e53c30757f6a13d29b92b45f2c8

SHA1
f6fbe066b3bdb0a05dde569e6aaa67b4f001c9f0

SHA256
1ec9bb5034e4a6412f6ed7137ed37d986110914fca1c3b0f98a923ff4188e4a3

SHA512
9600b7a923951ba9b6af07369fb73ac996f19e23b76e4147649b97d141b97be513e7e200e0253002db62da399e9bffc0ed2479fba0d73091d27d08bef95f93cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
55dec5cbe233ea3a1969e8af19379429

SHA1
f243dc3acb3397ea2ec0d4076434bdbac29aa981

SHA256
65021f0deca0163d5ef41839c4f3c0a4f1319b2cdf35a3cea55cdbf8349742db

SHA512
87b3cdc06c6eafe5f24d4394aa0bf539d7617bf9f9195a7bf6ab3af34e831ef0923da1bba814bd5ebd516aabe2b0b1ef5945f4e32f1b1df4ff645c6227ec3462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
65fea29549fe0e2c46eccc44046e8cdf

SHA1
b1c6cee33b6127f12118853a2ab4e3ce1a59b0aa

SHA256
81142a290ace2223b2260cfde456d7a072ab8d5294b49511eb53483ca38a5da0

SHA512
a88a3c32ca8a593fc452bdebb8f6b18620736a744c9960166574d93ae7c3f43d75ad2cb74b46b85b535df3b61fef16a5ddd7404eef8050058badc3439ee3f1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
6d13898afd9ad01680d000ce8151d22d

SHA1
dabbdf06427d5cda32d3ee397e6395532de80698

SHA256
035632d8cf8a3b1ea8d3ff5eef158e64a9a8fd35c5a3ee3e2e29ee23ac7af4f3

SHA512
f0cad54c6212c0e106a806e325ddd576ec633e616cb2f4f1b9167ec631991847a4e95b94b703563d497762339c8e2a3a3ae004d9850acda0b226975009702953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6328787aa47b49ea630f51860ad30416

SHA1
977a26fdde18447a4d415d5507ba7608d239f2b1

SHA256
6a60a247da998248ee666262efabaffaf1daf21dfa2db3ab8f3342edc075fab7

SHA512
e919b3cfbb0911841edb161d0cf0fd7f1f7d8a8b559c7b42cde0562de618a0ca28125b1f17b2a02a326044d47633af34d95ef6e5c1f20417fd1ce27c1a87f220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
560202c2b010751300c323d3f3278480

SHA1
e10769778aea7a507e6d4c1fda48d74308c680c1

SHA256
6e9e945bfc8549954015fba8aa7516c3f029e61b0360f78cbd172fb93a6a21e8

SHA512
63f4d2808ae832ba61d33d059bc6a7f6b1e5da8de35222c1bac6acfedcc0c0f026089fc433da06f6f68c37e02f92d8f22a631330ac8183b3ebee6b932622191c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
297c5acbaad700b5119ec8b97cff88bc

SHA1
4f51979b10ef76b4314fe079f31b900b0ed4dcb4

SHA256
32968e966f7961eb6f3bc2405d4af77b8c3b3965e7e71d4005f1cc1cfb75cf2a

SHA512
6c78c3d3304eb3a5433d1f9e3bfedeebd566b22cd4e62ab4479b82f6c9e24a4182ad433dccd5866600dd45da45af2774b0631a5f789416c2fcf64cff23287fe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
9c76648e449b64592e43091fa8cee118

SHA1
7f4d48d9d69d725941b201933f017bb513771561

SHA256
3ff9c1e9e4825a1cdb06788bae8d676a22a1fa871f16da4f404264c2353b7b1b

SHA512
c9f0c51ac3c21bc86b8ff2ba36ee0ecb846cc986d396aedc1586fb0fec9702177360fda610bb4cf7de8b2642f8aa73316e72a3604894eaa238207ebdeea2c745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
321B

MD5
a90e791ffe937d0096cf73cf9bd5f0fd

SHA1
9b76d40e43cb2e4ad6a56c44d68eb4fd6853364d

SHA256
1181057a62d728d353a293651bd5da6087fb59bf16d8a5e10ab8293a68862ea5

SHA512
d0287b8c7e187712edb0963a899795c36cccaebca57e28ace55b1e6f908feb17b5c49872b15a8b43e3dea438b491477362c86a4232f6e39d23924c0e16cc66be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
8a30020ca6efc6942a6765305f152410

SHA1
e0310e908257990b1fa5c93a07e156a2700c3db2

SHA256
e855c1fbe35eecf5b575167b83eef2e85b16b9cfeed7534975cec63b310d414e

SHA512
96ef0b08f52dfb64d3eb60c1fded11b0319c33f874c104615e5b443a113c369f467c7e4665f5f79726c85e65f15a4255eb25ca42566c971c2058886f2ebdbbcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
459fb404d5eaee6f8a4bf9a36299751d

SHA1
d33ff2b56705eec63371e810e014738689bb1b00

SHA256
3726ae658aad2821c5f7fb4a3649ed0f59f6d74d8ec51f03bf68e30dc115e8f5

SHA512
52803a41785ca20f1487fe3d34a23ee10a8d675baa12212173bafeb161e51631c53e3ee5ab3da5cfce4fdd76e0171a331360ec12df9f16e537ef620d57a3ed34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
fd32e630a8a2ea7280141cafb2cbb3b6

SHA1
fd36af65d51fbd7eb0d154c85eeebc2e529b6c77

SHA256
bc990adcda0f7b8dea8c38207d6e798b41d3df8a5530641aaae081526e3a4ce8

SHA512
b11f97ccc75122736c97822acd4c32aef7c060ac6477195946a86bc16cdf6ad51ecfd6f2bf7e0bc151324c126a1b064e284a6b60bb05d28e920a0c38307ef6d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
83f3bf97c8f09eeecf604725009d87d6

SHA1
0e2cf166afa9663e254c9b68ba89f89fa4edb6b5

SHA256
76659f9e87dfa310483afb4136667a0f55cf36078e049e633edcd2dfae629b26

SHA512
1f9cac04ff033c9e51ed815b095d0244e55a86e77a66c3baa6541e7436351fb651f922c08917d84854cb8c98395443bbca3742a0339c50f5107da4a7c13f9433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
750c38b8560955f2b5298775027daf41

SHA1
c2b701be78a5f249bc4a9a8ad8bf8f15f9bbe8ec

SHA256
fab7e759657797576b86e8f9bd1c25b7c1c8fcdb64b996d2330126171484308c

SHA512
d45bb49ded727373259820c8024b2d6cc3e42834abbfa1e4fc8691a6c94503ed67cc28c797524bb6c263e466843aad87b232b651c6fe02c1347d5c5d72c8412d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47b1bab8cb041830930171c6ab34c85c

SHA1
991814a9cbe8af3fbead37e477642023afab5371

SHA256
64335a0c5020ee5c03ab44032fca51c245b1d8f2564708addaf04ea6ce79964a

SHA512
9b4a94f4b442788f59dd91658e90b75d72bbcf743ebc4196546b299387e85720b5523b60717b3dbfee170186129c873136243bf822608ef38570294805a53314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
84acff232c68b89d655f89681df73027

SHA1
14d617e6a0ca57038030d597f920398e13d6cbf2

SHA256
7dc0fcb8355fc9ba5b7987d06b1d5111487bcc78650a1dae7681cbd7a7bb04cc

SHA512
1f6e65aa07ab6b638b8cc562edb64695c5a1ab78178ce9ae00248f9b98f0d81fda604c55c0c18295478113d56702485175fb22ab9f315b0ab6fca5fa1303c9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
ac5d1267fd7dfac80e3d96b83de637b8

SHA1
37410667a70f9cabe0042d5670608c30e4ab0bcb

SHA256
a82f3e0bcfbccb06970e65b6866fd5a03f238d2db37ef5c0dc675e4fc4bbc0f7

SHA512
8cc9ce0c3515e05e2de147fc247086ea9f4f9b821c829494aba60e2471a713afe7f36fe9a66cee01ec841cd8d3fc3d3df704acc37487c33c5e12ddc70b54d4b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
6850b22c2062ed0413aa174b9f6d6482

SHA1
5d0a50777bffbd807c9eda5e9042bc7b665c2197

SHA256
58a1479d7b906d66b8a036f059916e5fe2650e74c7c2881eae7f2c633605bafb

SHA512
672b56b8d86817abbc293183facd0c1bcb1d486b22fc5882c66075fdeb0a1bb9667e52be25761b8b77495e532fc326e1c92a85bdde50e4b7f8628592a6e02cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
43b597e1f43403f50df4fa153eebadb8

SHA1
c66ecba60211323a4dc851b2556fcb74171bdada

SHA256
4eb7b0d158c1b81d4f948a3f49f075dd22a2e803585e52c8d94b125a130629d7

SHA512
a68267bdefafa7eb2fb98f7e946cc31217ca0181af75bfdde6e3155872c8a675649fbe05d0881da95c5ea27f74df77ce21b310ae54721323cfecf8b7bf8554f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
917ba5a9e7c2678395156fa249f717d0

SHA1
1db42cf47a3cd466cb420f981602c6fec24da97f

SHA256
dd11855e35e4a46a84b404fc6c391c6f84463d852afaf83a09b1c80f166cede9

SHA512
8de36bdba737b47bd6ecc90f31c0f7b52eb94a66892a3a6c6a20fff2f203c414cdcfc5848a52c13931db489b137158ca7e8434ea2095e77ad3728313720e970d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
13f68e1237905f8fd31aaab0c99660b3

SHA1
32cd7e48886479ef22c8b4f5ad3f79a2135e6260

SHA256
ec164bd86e3f898ca0593998f9cdd4e5f9014d54856619db7b49ba2b0a42d862

SHA512
a88057a3faf2f20d98fa0918744ad3bce943083fa1a955a24f75571c79b6abe16ddec2eb46a5db58689ff7e17602d112b9860e664ee54939b35850b284e5b078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
16df20905c30cfcad9e603f9747cbbf8

SHA1
c1c3b87fc9faa9b28eaa1552794152e7233e96ed

SHA256
b5e55e9384a9419b14955d21940b1440a13aa103dbd877aff6de684aa19ca546

SHA512
9aedf5df37d5f01a9bdc446f4936826dd19d45d47d9f266ce0ac14bec032c34f1cf475109974fced44c90451df4b20f95e97e99bc9ebee37cbee48f579cd6c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
013c22036148b81f6ac1e06384eea08c

SHA1
75ab731387f4427d41ed020445c1d80a764cd73b

SHA256
5b8b3cb3da2c154dad1b2883a63ade81fe82813324f82db6645036d2a240587b

SHA512
64d2508921817f48644a1934da895cb79a91d327fe67e2c5b5fad85eba9672290de965684ea863bfc9d7bfff09fc28ac0f482d8c99ed396d7332d460059043cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
ea75d0d9715507b6f34a5683dbac04c4

SHA1
9709279ec96de6784c602f219364e0f7706950c4

SHA256
b820b5fc42e79845928ac0d3d809a638a9b4cb38d785f8e87acab731f0857308

SHA512
844b7258c7e6111b6a78e6bb909d2fd774c6dd71d79f291626ba2e32eb7b8a95c3ddc4664a292defc5d3ced2426d76dfca831a35d4c18256277784ebef2a3723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
137b3b2f7e8b68f1bc44a54bc95f0e12

SHA1
d3821c9d90f9a4524f0041a49f1dd5892d32d3f7

SHA256
6fe755d9e70e65c70706ae9a93f436aa6ca6a51fb87b6007f102267861d62089

SHA512
722296387bf51ffa6197aae39d90dd31e0c23095261e308a555640e5267beaf417aef0011cc4854237e33fa96e0ab7c27969bbb364675f7ccf1d30edde1c82e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
5486f0b6747172fc1784d90c90d34355

SHA1
a74db27c66479ae94ded525a11db4e6f22a95457

SHA256
10696d3167f1b84ea208447efa0ed5a8f1e84af1ab7d0f77315609fbe781b981

SHA512
2e1a5a8d13a871c5011f431677baa2c62478526e18938eb348e925cb4122306c0df681865ca6ceda8d622bbdb9b76c7857fd5713e98dc7b94b9fd11dd25f6eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
175B

MD5
6153ae3a389cfba4b2fe34025943ec59

SHA1
c5762dbae34261a19ec867ffea81551757373785

SHA256
93c2b2b9ce1d2a2f28fac5aadc19c713b567df08eaeef4167b6543a1cd094a61

SHA512
f2367664799162966368c4a480df6eb4205522eaae32d861217ba8ed7cfabacbfbb0f7c66433ff6d31ec9638da66e727e04c2239d7c6a0d5fd3356230e09ab6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
4b48a37d8b70092ae68f4bf6cdc7a26b

SHA1
3729ab62e3b7f33c09e26129dbb4bcf5a59bee83

SHA256
806a8a54cb83d085a27ab24782e3ba062126881672332799288a59b317d5bc99

SHA512
580bd33a16d6874e65b5bca630e5b148dcc912b4a872e3b452210be52462e67b77fa6bddc01f8d0678681ff3da56f4e25f7e262f4f259b5ccca3c1272ffdf9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13365117000855495

Filesize
3KB

MD5
5af0c2662c2f8833fda822ef314bc525

SHA1
2b2990dbc4b7997a196dd622c3bbbdb4020813b3

SHA256
1aef9a68a5d62ed6d8647eb58170cd4495ea7ce4c479c03c0e7d01a820b1c8bc

SHA512
0c48a180c805e10d95d2b4df34fd3d01b9947cd8ca42c1ac9ecb50efc3cff0986f80e30d7a402225cf68081173e5d57e1291232d116b76c6d98cf7ced14a82f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
9bfdd77065a5297a979cf849f45cac06

SHA1
627771429a4142c64403bb642f21805cf814a966

SHA256
98086aca87cb2cf14fb242552f0b899bc458fd139fd3dc133592cde7f6f17137

SHA512
183196debfade6d6669d16a9a0104ffe71a5b69426188591eb61f5d993655397530910e5dfb413bbed2831a967f6da92870f91f0f63c5da50f533a9c31a86b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
e394524fbbe2aea4c6b3e53a3a8a4ecc

SHA1
89954670dc161addb3be1c03c39d5b9322dd6700

SHA256
298da81a6131d41baab8b752073d580c1a997ccfc72428c8a160104b20440aea

SHA512
0ae0f996ea5abf4ed6b0fc31c0d3c701152bc55fb36729eab39ae6574d402e8bea2ecadc74523ab445ae39e84e8976e3c54feb21e142b2887d2a6941c1bfde99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
8f6b116238dba30141e9c37adbd14713

SHA1
6d7290d6d3e6138df4ddc2f13917af0b564047d2

SHA256
c475a5dd1b86aa9102460c9b401cadaacea9dcf89c8c4a76b111a64a7cfa6023

SHA512
9a218e098a42cf778371a2044949a98781dc2e2bc0b5b7b5a939e8b11ac79e2c5e302b17d517285e4ce32a4098cb47cc6e8730e169fe77137dcbe5f994d6683d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
fb80340ac5bb1adc5eec081887d13608

SHA1
feb1ca9b8fb24ba685626bb87a9b1dc02ba61747

SHA256
e2bce2f9bc0dd8e41df98570a84dad49ecb46548ed7f4e3106380a1f1a930c4d

SHA512
fd3d777aa81c3160e9686b7989246e938717898353ded4630c4d28696358f77d73e660666760f7ce75a0189c6cbea1e060324c525720952ad2e6615b06720b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8056fca06d93a0c664b670368f40e6b5

SHA1
e99975c197aef5964c2291fe5b3f1c9dbbfdac8e

SHA256
2370db8aa8c0046e4346cc508bcefea7ff2f1bc22fb7dfc25ab6024bbeb74c23

SHA512
7c1802de96268ee5db78037071d6330759f8f2d4e35096e03fef2815e70a09bcbe41df71099e7c1aa250ab476058511e086d5e0948da8311b41f913fd28dad80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a2fc856dfc9b6328787d305cb823a353

SHA1
d8de6404c335d8cdb563a9af15650d483fd3d5e2

SHA256
20ccc839ed24de2eae42d027bbb51bc4e80656cd000c4d918ff3248862f95297

SHA512
5900d8661933a9fe631eea172cf5caae6e14259970c219db5982d161bf36d8f31d877f83219633b76b1f7228188ac3c08931bc717ca3d02c3bff004b8a91c612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f4b1e3df292bf45b1489991e067d92cf

SHA1
968bbf7444794f7301fd0a1cf2195ba3e84a59a7

SHA256
f38ff9bacb646e6d98cd4be470ebf30aec88b00b73888b342a4046b954d8f2d1

SHA512
9293bf4e818d16e4f4c3095cd892f46ebe5a78d3af1e493c48b1bb65525205afbbbf6f901dc30c4781a7d24cd25089acdc406dcd7eccb5decb8665051f44929c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
428a9473ced013adb952bc8867d542eb

SHA1
ffc2268e248c90bc8b11427eadc7a574780ac91a

SHA256
ca08f7fd3b620d8ded435a2f12032e7b9b83cc5565659ffd2bace6d58e7595ad

SHA512
88b0c4f126a94ef91a3a087c1de0e0ddac3da55b7364bdff888fa6060ff6368952b6037f1988ccea60aed0ada2ea6cfc7aebd8f597f9f469cb07670d27cc3cb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
17b43ab80aa6032e934db6f67eb8ce11

SHA1
4ec3f36a1604229094edda1872d0d19da45d23cb

SHA256
62573de636598ea88b98b3d1134beb89abba90031bc486a3c4d27596d7333dc3

SHA512
9164de6d62a0f7aefe6bf611989010f112de182e7f952a4051012a6b24188943fa74473386f5ecf3a5ad6435639d753d6155d30dc2459eee1c844dccb984fb81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
fdfe9aacceee543b87b7121ceb16112a

SHA1
83d47d014233eb66d90f0c6e023a2e4d2224cfa0

SHA256
e45e9b87cf8514be3f4459b16994e18c4978d894cef3862850af180570c6c0a9

SHA512
d324726379c38876619c673d8195574c0d09b49901828c814730b857944606b871b5cf7c2e1a3c826be819b8441451132ebf614de8d0914268a9217084218b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
418KB

MD5
e4f3042a30d6be39d6daa272ea08e97d

SHA1
eb8f00a6e97fe1888640d1b4d927143f004198bf

SHA256
c81a1a2d6daf90b6a28f72a339bb0231e61cd3f4c242a93a695a0975e43a6a21

SHA512
d22fe4c4a0099558b24359049f4c341acba3fdc68ec860fd653a79965d526e01f216def1c51d1577a423d25848f2e77ef9d23089215c549caa5c771ad07abedc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a57b00cae4d57e8d8633281372ce31f7

SHA1
80b5f214676a9b2fc8f3ccb3c0cf59506aceb2f4

SHA256
b3328dc2ae622426df377e23fca9d18865e10671cd96a6b1021d7955625f145f

SHA512
d3f4f759fecf56045f54c20700b5bfdd869153800a53713a0f4b9ee6405d9f2d6329dea9982e768b03a78b37459d5448e34599bd0f6566442ee6f17b70b0ee56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1f38eda3d247751a5718596b7df3a492

SHA1
d5cda010df3c70a3e55ea4a798227f30d2273815

SHA256
ed0ca92ce680e7a0a8f80bad888eebd1c350a67c80263a01eb795d603338f332

SHA512
e962a385f633e5d9fe9ef190643b26642c787f43ad5fe9d33d5a4d2d8aa644e393a05ef0a5ce18c79acca12993804c040e8740ccaf92b4d0a014ec90cad10a79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c0c3889cf176f1489c419aeef572925

SHA1
93ca97276dc667fde1dcbc3c7c461841fc69929e

SHA256
2f766a4f8b21b1579912fb47799b44461c6f2b2798ad38114ebd61b272d9f9d9

SHA512
310bfcdc58df3688e48115f423f7ed2fe04969ea930bf5fde7d8c0d0c8af6041516901265e228c336e323b15971bf34da712b8da9ebbe37bbae4ad80b11c6a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1e576a25efcee8acd3827cd6bb278ac5

SHA1
98783a341cf72fe0cf136c32480c553912688811

SHA256
f7b22488e8efee0368dcbf74b5dc9319733e98275bb0191617835e07c6127750

SHA512
e9b25a80cad63ee5768eb6f28e502cea10023ad5d536931fcec383d50acd2e938bdb1c2f287b13e34991361aeb73cc1f01c0b8702a0aa375fa44fb885b0031e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
ede22b2c31f60a94fad8d7fa238f6dd1

SHA1
038c06cb818fb80fee1b82db0f822d5e74abd6de

SHA256
2a464100b205290dc104aeddd73d77eb0e5c3114021620ef6e7bfc1a7418ac64

SHA512
dcdbeeaa9652339bf99962e93a35e7918cfc977adb034d1e8322e2b9ef49e4c941c8c102fbab9e3f2ababf5dd6c7dc726b0c7ad2ba9551f557a597d8b998b428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\eec58e5d-3f9d-438a-a568-a7d7e44d4bbf.tmp

Filesize
11KB

MD5
5518eddbc67035d6b37a3000e59580a6

SHA1
73ba8d471217c67d671dd70fa02494bf3b377119

SHA256
952caf230590fc4280f9bd41710c601c2aa9ea503cf292fd996a39562cbafcc2

SHA512
cf73c22f3b0de0f663588c7d6dc6915be2b2279e49725e262ccf5de0d6d5d3800186669ab88330d0d580d484eef49da954354a18c30859b1e773cfad2acec4d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4acf84c6d6d80574e9bb5d0790a7a081

SHA1
8ffda31ba2deab3a6d3a95f05083b8fc15f3da36

SHA256
bfb83e048e73ca5855de46d6ea0449a1b35d5db995050601b1373f3884280ce5

SHA512
1717f2126fc7da84eaa4753235ee43bb46d99026ba973e633a63c951f4cbabd2b6ea0525e9dceab61fa680189e5e7bc11bde702dd1a6aa6d094ce3e6fa65914b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe

Filesize
191KB

MD5
e004a568b841c74855f1a8a5d43096c7

SHA1
b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256
d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

SHA512
402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe

Filesize
316KB

MD5
675d9e9ab252981f2f919cf914d9681d

SHA1
7485f5c9da283475136df7fa8b62756efbb5dd17

SHA256
0f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d

SHA512
9dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe

Filesize
42KB

MD5
d499e979a50c958f1a67f0e2a28af43d

SHA1
1e5fa0824554c31f19ce01a51edb9bed86f67cf0

SHA256
bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e

SHA512
668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
5.0MB

MD5
e222309197c5e633aa8e294ba4bdcd29

SHA1
52b3f89a3d2262bf603628093f6d1e71d9cc3820

SHA256
047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b

SHA512
9eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\_bz2.pyd

Filesize
82KB

MD5
90f58f625a6655f80c35532a087a0319

SHA1
d4a7834201bd796dc786b0eb923f8ec5d60f719b

SHA256
bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946

SHA512
b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\_decimal.pyd

Filesize
247KB

MD5
f78f9855d2a7ca940b6be51d68b80bf2

SHA1
fd8af3dbd7b0ea3de2274517c74186cb7cd81a05

SHA256
d4ae192bbd4627fc9487a2c1cd9869d1b461c20cfd338194e87f5cf882bbed12

SHA512
6b68c434a6f8c436d890d3c1229d332bd878e5777c421799f84d79679e998b95d2d4a013b09f50c5de4c6a85fcceb796f3c486e36a10cbac509a0da8d8102b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\_hashlib.pyd

Filesize
64KB

MD5
8baeb2bd6e52ba38f445ef71ef43a6b8

SHA1
4132f9cd06343ef8b5b60dc8a62be049aa3270c2

SHA256
6c50c9801a5caf0bb52b384f9a0d5a4aa182ca835f293a39e8999cf6edf2f087

SHA512
804a4e19ea622646cea9e0f8c1e284b7f2d02f3620199fa6930dbdadc654fa137c1e12757f87c3a1a71ceff9244aa2f598ee70d345469ca32a0400563fe3aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\_lzma.pyd

Filesize
155KB

MD5
cf8de1137f36141afd9ff7c52a3264ee

SHA1
afde95a1d7a545d913387624ef48c60f23cf4a3f

SHA256
22d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16

SHA512
821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\_socket.pyd

Filesize
81KB

MD5
439b3ad279befa65bb40ecebddd6228b

SHA1
d3ea91ae7cad9e1ebec11c5d0517132bbc14491e

SHA256
24017d664af20ee3b89514539345caac83eca34825fcf066a23e8a4c99f73e6d

SHA512
a335e1963bb21b34b21aef6b0b14ba8908a5343b88f65294618e029e3d4d0143ea978a5fd76d2df13a918ffab1e2d7143f5a1a91a35e0cc1145809b15af273bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\base_library.zip

Filesize
1.3MB

MD5
44db87e9a433afe94098d3073d1c86d7

SHA1
24cc76d6553563f4d739c9e91a541482f4f83e05

SHA256
2b8b36bd4b1b0ee0599e5d519a91d35d70f03cc09270921630168a386b60ac71

SHA512
55bc2961c0bca42ef6fb4732ec25ef7d7d2ec47c7fb96d8819dd2daa32d990000b326808ae4a03143d6ff2144416e218395cccf8edaa774783234ec7501db611

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\libcrypto-3.dll

Filesize
4.9MB

MD5
51e8a5281c2092e45d8c97fbdbf39560

SHA1
c499c810ed83aaadce3b267807e593ec6b121211

SHA256
2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a

SHA512
98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\python312.dll

Filesize
6.7MB

MD5
48ebfefa21b480a9b0dbfc3364e1d066

SHA1
b44a3a9b8c585b30897ddc2e4249dfcfd07b700a

SHA256
0cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2

SHA512
4e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\select.pyd

Filesize
29KB

MD5
e1604afe8244e1ce4c316c64ea3aa173

SHA1
99704d2c0fa2687997381b65ff3b1b7194220a73

SHA256
74cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5

SHA512
7bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\unicodedata.pyd

Filesize
1.1MB

MD5
fc47b9e23ddf2c128e3569a622868dbe

SHA1
2814643b70847b496cbda990f6442d8ff4f0cb09

SHA256
2a50d629895a05b10a262acf333e7a4a31db5cb035b70d14d1a4be1c3e27d309

SHA512
7c08683820498fdff5f1703db4ad94ad15f2aa877d044eddc4b54d90e7dc162f48b22828cd577c9bb1b56f7c11f777f9785a9da1867bf8c0f2b6e75dc57c3f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pqebhita.nkg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D1F.tmp

Filesize
1KB

MD5
7f673f709ab0e7278e38f0fd8e745cd4

SHA1
ac504108a274b7051e3b477bcd51c9d1a4a01c2c

SHA256
da5ab3278aaa04fbd51272a617aef9b903ca53c358fac48fc0f558e257e063a4

SHA512
e932ccbd9d3ec6ee129f0dab82710904b84e657532c5b623d3c7b3b4ce45732caf8ff5d7b39095cf99ecf97d4e40dd9d755eb2b89c8ede629b287c29e41d1132

Download Submit
C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe

Filesize
6.9MB

MD5
d1ebfb3ff83375dc6897e50a95e8b2a5

SHA1
fd1cb7ac0181ee647419761871dd78ad0a09d44a

SHA256
ec709b3a8a2d6df0c990303226ef5d8fea4d4270add2d06e69b0db8b913fcd06

SHA512
f210610472f34ff991a93bf290deb7d76e38b11d534b21ac689f53432e018e12792d801d38afbfd722fdaea21f4cad47ca5a09b2f7c983d73cec57e01a9d5d63

Download Submit
memory/1212-1731-0x0000000006850000-0x000000000686E000-memory.dmp

Filesize
120KB

Download
memory/1212-512-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/1212-1720-0x0000000074F90000-0x0000000074FDC000-memory.dmp

Filesize
304KB

Download
memory/1212-1757-0x00000000078C0000-0x00000000078C8000-memory.dmp

Filesize
32KB

Download
memory/1212-1744-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/1212-1735-0x0000000007290000-0x0000000007333000-memory.dmp

Filesize
652KB

Download
memory/1212-1719-0x0000000007250000-0x0000000007282000-memory.dmp

Filesize
200KB

Download
memory/1212-1756-0x00000000078E0000-0x00000000078FA000-memory.dmp

Filesize
104KB

Download
memory/1212-37-0x0000000004CC0000-0x0000000004CF6000-memory.dmp

Filesize
216KB

Download
memory/1212-27-0x0000000073BDE000-0x0000000073BDF000-memory.dmp

Filesize
4KB

Download
memory/1212-51-0x00000000054E0000-0x0000000005B08000-memory.dmp

Filesize
6.2MB

Download
memory/1212-548-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/1212-1749-0x00000000077A0000-0x00000000077B1000-memory.dmp

Filesize
68KB

Download
memory/1212-1748-0x0000000007820000-0x00000000078B6000-memory.dmp

Filesize
600KB

Download
memory/1212-1753-0x00000000077F0000-0x0000000007804000-memory.dmp

Filesize
80KB

Download
memory/1212-1747-0x0000000007620000-0x000000000762A000-memory.dmp

Filesize
40KB

Download
memory/1212-1752-0x00000000077E0000-0x00000000077EE000-memory.dmp

Filesize
56KB

Download
memory/1212-547-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/1212-520-0x0000000005C90000-0x0000000005FE4000-memory.dmp

Filesize
3.3MB

Download
memory/1212-1745-0x00000000075A0000-0x00000000075BA000-memory.dmp

Filesize
104KB

Download
memory/1212-511-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/1212-510-0x0000000005B10000-0x0000000005B32000-memory.dmp

Filesize
136KB

Download
memory/1792-1798-0x0000020237160000-0x0000020237182000-memory.dmp

Filesize
136KB

Download
memory/2240-1869-0x000002412AEB0000-0x000002412AECA000-memory.dmp

Filesize
104KB

Download
memory/2240-1859-0x000002412AC40000-0x000002412ACF5000-memory.dmp

Filesize
724KB

Download
memory/2240-1856-0x000002412AC20000-0x000002412AC3C000-memory.dmp

Filesize
112KB

Download
memory/2240-1860-0x000002412AD00000-0x000002412AD0A000-memory.dmp

Filesize
40KB

Download
memory/2240-1863-0x000002412AE70000-0x000002412AE8C000-memory.dmp

Filesize
112KB

Download
memory/2240-1868-0x000002412AE50000-0x000002412AE5A000-memory.dmp

Filesize
40KB

Download
memory/2240-1872-0x000002412AEA0000-0x000002412AEAA000-memory.dmp

Filesize
40KB

Download
memory/2240-1871-0x000002412AE90000-0x000002412AE96000-memory.dmp

Filesize
24KB

Download
memory/2240-1870-0x000002412AE60000-0x000002412AE68000-memory.dmp

Filesize
32KB

Download
memory/2256-523-0x0000000073BD0000-0x0000000074380000-memory.dmp

Filesize
7.7MB

Download
memory/2256-53-0x0000000073BD0000-0x0000000074380000-memory.dmp

Filesize
7.7MB

Download
memory/2256-32-0x0000000000820000-0x0000000000830000-memory.dmp

Filesize
64KB

Download
memory/3400-57-0x0000011603500000-0x0000011603554000-memory.dmp

Filesize
336KB

Download
memory/5024-69-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-105-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-71-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-67-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-65-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-76-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-77-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-79-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-81-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-83-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-87-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-89-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-91-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-93-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-95-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-97-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-99-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-101-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-103-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-73-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-107-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-109-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-111-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-113-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-115-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-117-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-119-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-121-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-85-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-63-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-61-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-59-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-58-0x0000000005610000-0x0000000005675000-memory.dmp

Filesize
404KB

Download
memory/5024-31-0x0000000000DE0000-0x0000000000E16000-memory.dmp

Filesize
216KB

Download
memory/5024-52-0x0000000005610000-0x000000000567C000-memory.dmp

Filesize
432KB

Download
memory/5024-1708-0x0000000073BD0000-0x0000000074380000-memory.dmp

Filesize
7.7MB

Download
memory/5024-35-0x0000000073BD0000-0x0000000074380000-memory.dmp

Filesize
7.7MB

Download