Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    16-08-2024 12:23

General

  • Target

    https://github.com/ALEHACKsp/Valorant-Spoofer

Malware Config

Signatures

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

  • ElysiumStealer Support DLL 1 IoCs
  • Manipulates Digital Signatures 1 TTPs 4 IoCs

    Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 7 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 20 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 51 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ALEHACKsp/Valorant-Spoofer
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd001746f8,0x7ffd00174708,0x7ffd00174718
      2⤵
        PID:3828
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
        2⤵
          PID:4628
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1756
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
          2⤵
            PID:1856
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
            2⤵
              PID:1972
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
              2⤵
                PID:4292
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
                2⤵
                  PID:1360
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4060
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
                  2⤵
                    PID:3088
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
                    2⤵
                      PID:1772
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
                      2⤵
                        PID:2604
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
                        2⤵
                          PID:3580
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3152 /prefetch:8
                          2⤵
                            PID:4276
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
                            2⤵
                              PID:2388
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1772
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,1088164520845485316,4214871040822107426,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4764 /prefetch:2
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:756
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2696
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1604
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:2004
                                • C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\AMIDEWINx64.exe
                                  "C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\AMIDEWINx64.exe"
                                  1⤵
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4428
                                • C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\Fortnite4.exe
                                  "C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\Fortnite4.exe"
                                  1⤵
                                  • Manipulates Digital Signatures
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  • Checks processor information in registry
                                  • Enumerates system info in registry
                                  • Modifies Internet Explorer settings
                                  • Modifies data under HKEY_USERS
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3616
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c wmic useraccount where caption='Nemesis-88683' rename Nemesis-88683
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:5992
                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                      wmic useraccount where caption='Nemesis-88683' rename Nemesis-88683
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5876
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "cmd"
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:5644
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d PizzaXYZ-27113 /f
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry key
                                      PID:5772
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "cmd"
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:5788
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d I LOVE PIZZA-27117 /f
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry key
                                      PID:5836
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "cmd"
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:5808
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d I LOVE PIZZA-27117 /f
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry key
                                      PID:5932
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "cmd"
                                    2⤵
                                      PID:5972
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {I LOVE PIZZA-27117} /f
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry key
                                        PID:6040
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "cmd"
                                      2⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:6016
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {I LOVE PIZZA-27117-13862-31967-24692} /f
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry key
                                        PID:2492
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "cmd"
                                      2⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:740
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {I LOVE PIZZA-27117-13862-31967-24692} /f
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry key
                                        PID:5276
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "cmd"
                                      2⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3300
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d I LOVE PIZZA-27117 /f
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry key
                                        PID:4232
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "cmd"
                                      2⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:5308
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d I LOVE PIZZA-27117 /f
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry key
                                        PID:3968
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "cmd"
                                      2⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:6072
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d I LOVE PIZZA-27120 /f
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry key
                                        PID:5328
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "cmd"
                                      2⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2460
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 27120-24611-17063-15988 /f
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry key
                                        PID:2124
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "cmd"
                                      2⤵
                                        PID:3088
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 27120-24611-17063-15988 /f
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry key
                                          PID:5684
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "cmd"
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:5772
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 27120-24611-17063-15988 /f
                                          3⤵
                                          • Modifies registry key
                                          PID:5820
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "cmd"
                                        2⤵
                                          PID:5852
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 27120 /f
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry key
                                            PID:5912
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "cmd"
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5932
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {27120-24611-17063-15988} /f
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry key
                                            PID:6028
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "cmd"
                                          2⤵
                                            PID:432
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemSKU /t REG_SZ /d I LOVE PIZZA-27120-24611 /f
                                              3⤵
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry key
                                              PID:5996
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "cmd"
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2492
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG ADD HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\1 /v ProcessorNameString /t REG_SZ /d 27120-24611 /f
                                              3⤵
                                              • System Location Discovery: System Language Discovery
                                              • Checks processor information in registry
                                              • Modifies registry key
                                              PID:5220
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "cmd"
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:5276
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG ADD HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\2 /v ProcessorNameString /t REG_SZ /d 27120-24611 /f
                                              3⤵
                                              • System Location Discovery: System Language Discovery
                                              • Checks processor information in registry
                                              • Modifies registry key
                                              PID:4740
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "cmd"
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:5244
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG ADD HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\3 /v ProcessorNameString /t REG_SZ /d 27123-2591 /f
                                              3⤵
                                              • System Location Discovery: System Language Discovery
                                              • Checks processor information in registry
                                              • Modifies registry key
                                              PID:1740
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "cmd"
                                            2⤵
                                              PID:6136
                                              • C:\Windows\SysWOW64\reg.exe
                                                REG ADD HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /v ProcessorNameString /t REG_SZ /d 27123-2591 /f
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                • Checks processor information in registry
                                                • Modifies registry key
                                                PID:6088
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "cmd"
                                              2⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:6084
                                              • C:\Windows\SysWOW64\reg.exe
                                                REG ADD "HKEY_CURRENT_USER\Software\Epic Games"
                                                3⤵
      • System Location Discovery: System Language Discovery
      PID:5216
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:5328
    • C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine"
      3⤵
      PID:4700
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:4172
    • C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2980
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:2444
    • C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" / f
      3⤵
      • System Location Discovery: System Language Discovery
      PID:5972
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:3176
    • C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      3⤵
      • System Location Discovery: System Language Discovery
      PID:4516
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:5820
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:5812
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:5776
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:6052
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:5996
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:2468
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:5140
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:1472
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:5248
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:5320
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    PID:5340
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:5296
    • C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /v AccountId /t REG_SZ /d 27130-24088-5120-22642 /f
      3⤵
      • System Location Discovery: System Language Discovery
      PID:6108
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:1000
    • C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /v Machineid /t REG_SZ /d 27130-24088-5120-22642 /f
      3⤵
      PID:2460
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    PID:4512
    • C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0000" /v NetCfgInstanceId /t REG_SZ /d {27130-24088-5120-22642} /f
      3⤵
      • System Location Discovery: System Language Discovery
      PID:5932
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:2412
    • C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0000" /v MatchingDeviceId /t REG_SZ /d {27130-24088-5120-22642} /f
      3⤵
      • System Location Discovery: System Language Discovery
      PID:5824
• C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
  1⤵
  PID:3312
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  1⤵
  • Suspicious use of AdjustPrivilegeToken
  PID:1716
• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  1⤵
  • Enumerates system info in registry
  • Modifies Internet Explorer settings
  • Modifies registry class
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of FindShellTrayWindow
  • Suspicious use of SetWindowsHookEx
  PID:3560
• C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
  1⤵
  PID:6012
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  1⤵
  • Drops file in System32 directory
  • Suspicious use of AdjustPrivilegeToken
  PID:5436
• C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\MapperSpoofy.exe
  "C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\MapperSpoofy.exe"
  1⤵
  • Suspicious use of NtSetInformationThreadHideFromDebugger
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of SetWindowsHookEx
  PID:5988
• C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\Volumeid.exe
  "C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\Volumeid.exe"
  1⤵
  • System Location Discovery: System Language Discovery
  PID:408
• C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\Volumeid.exe
  "C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\Volumeid.exe"
  1⤵
  • System Location Discovery: System Language Discovery
  PID:1868
• C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\Volumeid.exe
  "C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\Volumeid.exe"
  1⤵
  • System Location Discovery: System Language Discovery
  PID:5332
• C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\Volumeid.exe
  "C:\Users\Admin\Downloads\Valorant-Spoofer-main\Valorant-Spoofer-main\Volumeid.exe"
  1⤵
  • System Location Discovery: System Language Discovery
  PID:5172

Network

MITRE ATT&CK Enterprise v15


Downloads


                                                        e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{bcfc57c2-36d2-4d8a-9744-f252afd51276}\0.2.filtertrie.intermediate.txt

                                                        Filesize

                                                        5B

                                                        MD5

                                                        c204e9faaf8565ad333828beff2d786e

                                                        SHA1

                                                        7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

                                                        SHA256

                                                        d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

                                                        SHA512

                                                        e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{bcfc57c2-36d2-4d8a-9744-f252afd51276}\Apps.ft

                                                        Filesize

                                                        38KB

                                                        MD5

                                                        84ac0c242b77b8fc326db0a5926b089e

                                                        SHA1

                                                        cc6b367ae8eb38561de01813b7d542067fb2318f

                                                        SHA256

                                                        b1557167a6df424f8b28aabd31d1b7e8a469dd50d2ae4cbbd43afd8f9c62cf92

                                                        SHA512

                                                        8f63084bd5a270b7b05e80454d26127b69bcb98ec93d9fad58d77203934f46b677a3aaf20f29e73dcd7035deb61f4c0aa3b10acbc4c0fc210632c1d74f705d2f

                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{bcfc57c2-36d2-4d8a-9744-f252afd51276}\Apps.index

                                                        Filesize

                                                        1.0MB

                                                        MD5

                                                        f4514c93191e0efc0f61036e4ebb341a

                                                        SHA1

                                                        c80478e9a734790c18584f67a43518aa4a7dcf58

                                                        SHA256

                                                        43da4fa5f62affe399ceaac2d489b7cde610963a48e72d445bebe6f2c63a3600

                                                        SHA512

                                                        8aecb3491767e040a52f351908004db2c8f2f083397744585c2832212ec8aa288d3492be941a48b04774e16b43672ab167209776cbdef6692fef684fc54666a6

                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{256f7058-895f-4571-94cd-724fdcd54897}\apps.csg

                                                        Filesize

                                                        444B

                                                        MD5

                                                        5475132f1c603298967f332dc9ffb864

                                                        SHA1

                                                        4749174f29f34c7d75979c25f31d79774a49ea46

                                                        SHA256

                                                        0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

                                                        SHA512

                                                        54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{256f7058-895f-4571-94cd-724fdcd54897}\apps.schema

                                                        Filesize

                                                        150B

                                                        MD5

                                                        1659677c45c49a78f33551da43494005

                                                        SHA1

                                                        ae588ef3c9ea7839be032ab4323e04bc260d9387

                                                        SHA256

                                                        5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

                                                        SHA512

                                                        740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{256f7058-895f-4571-94cd-724fdcd54897}\appsconversions.txt

                                                        Filesize

                                                        1.4MB

                                                        MD5

                                                        2bef0e21ceb249ffb5f123c1e5bd0292

                                                        SHA1

                                                        86877a464a0739114e45242b9d427e368ebcc02c

                                                        SHA256

                                                        8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

                                                        SHA512

                                                        f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{256f7058-895f-4571-94cd-724fdcd54897}\appsglobals.txt

                                                        Filesize

                                                        343KB

                                                        MD5

                                                        931b27b3ec2c5e9f29439fba87ec0dc9

                                                        SHA1

                                                        dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

                                                        SHA256

                                                        541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

                                                        SHA512

                                                        4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{256f7058-895f-4571-94cd-724fdcd54897}\appssynonyms.txt

                                                        Filesize

                                                        237KB

                                                        MD5

                                                        06a69ad411292eca66697dc17898e653

                                                        SHA1

                                                        fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

                                                        SHA256

                                                        2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

                                                        SHA512

                                                        ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133682847182471494.txt

                                                        Filesize

                                                        73KB

                                                        MD5

                                                        4c036314f080c753345c8481caf9ae5f

                                                        SHA1

                                                        c90add2903b9de1bfac12a139e2551af8ec71745

                                                        SHA256

                                                        ca7a49706055df15b0d7f15795ca9846c18f76f20ce135c039f99096bf164b71

                                                        SHA512

                                                        2c42b710436c2153a935fdbee7399177deca03c9c877cff99ef2dfa237fc7da5cc0dfbd93129122b268f8eda79f34e41ea5f9c901e5dee35861a2c9dce09bc38

                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

                                                        Filesize

                                                        229KB

                                                        MD5

                                                        3e9f411c988e350a62f2b5101d794b09

                                                        SHA1

                                                        2fd49737896fb43d31328eb433c3bc3caabb1199

                                                        SHA256

                                                        f6a283c9131a2eecef465fd4431f88095734cb67772a0982b4a890506d7e2299

                                                        SHA512

                                                        80058aaa9e9b62f0dfabe8d50fd8a3b05ed2be37af8aa673b2ecfb98a09431fcf17305f87abb03a3bb3d4d3c03995937a06586ba236f0c9be6665e041febecbf

                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

                                                        Filesize

                                                        9KB

                                                        MD5

                                                        72773d2ef6344f82b3ca7be6f40421c1

                                                        SHA1

                                                        518f47d5e3bcb5d24daf91c4fb360f0754f52e40

                                                        SHA256

                                                        407b389c2cea7e4234cda60fc98cdaa4af72cd61b38d6eb830c9421920ef1101

                                                        SHA512

                                                        a1443aa53943a5ee739f634b6738509ac97e5e1f99e858ec1ac705ecdad7ba7e51c61e56e8683f5a02816923e2293e2401c8b22333a426467da0ba727ebff9f6

                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

                                                        Filesize

                                                        10KB

                                                        MD5

                                                        e73fdb498b0026e6b4d84d85e365f6c8

                                                        SHA1

                                                        3d4af22daef595c965bd87ec1b287e93a62a2f01

                                                        SHA256

                                                        d9ade73e231e729ba8a493498e24b8e25913edd7b17840889d4031d93693f206

                                                        SHA512

                                                        cf4aeb8679f4b25cf4ddfcc6f915f02f87d3ef5dcd3128f9f68e5e3692bbe3884456f28d85731cb3bee900d1e2b801a90f03ba3933fabc3b02a83fadda46f429

                                                      • C:\Users\Admin\AppData\Local\Temp\.ses

                                                        Filesize

                                                        53B

                                                        MD5

                                                        2458c630731270ec966cbe254fc7506a

                                                        SHA1

                                                        b1b8e4c53920aa487ee4286b0449ffd5908ba933

                                                        SHA256

                                                        9b258a9d0fe054d870934ec8deef46c8f8d948b8d3096162b4eced826a4d61c5

                                                        SHA512

                                                        e434201962c4451ab7a5f7245cdec449745b12ce5daf14c11e5d92ae6269f5a08b74448657f871016fffa298428f360efe5ad7e2bf0d7d7de15d72d6040a9209

                                                      • C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

                                                        Filesize

                                                        40KB

                                                        MD5

                                                        94173de2e35aa8d621fc1c4f54b2a082

                                                        SHA1

                                                        fbb2266ee47f88462560f0370edb329554cd5869

                                                        SHA256

                                                        7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

                                                        SHA512

                                                        cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

                                                      • C:\Users\Admin\Downloads\Unconfirmed 865726.crdownload

                                                        Filesize

                                                        5.2MB

                                                        MD5

                                                        ec0dab7fed03907adca447869cfe8252

                                                        SHA1

                                                        546f3308503af8d92cd841210fe7fb71a17c661c

                                                        SHA256

                                                        87e343bc7a031476674f7c325bbdd6a702b135ba52cafd375a49eb228f84716e

                                                        SHA512

                                                        1ff97f6ce1172d5deb7b0c8d3fd88fd0196c34c9b28923dd0aca3820f357a8e3071b54e5b2310338938f4ea1893d076a236f76432a22444e22f20b0bf086caaa

                                                      • memory/1716-370-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-359-0x0000021A6C380000-0x0000021A6C381000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-372-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-371-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-367-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-368-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-374-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-375-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-376-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-378-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-377-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-379-0x0000021A6C3B0000-0x0000021A6C3B1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-381-0x0000021A6C3C0000-0x0000021A6C3C1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-380-0x0000021A6C3B0000-0x0000021A6C3B1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-382-0x0000021A6DC00000-0x0000021A6DC01000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-383-0x0000021A6DC00000-0x0000021A6DC01000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-369-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-318-0x0000021A63F40000-0x0000021A63F50000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/1716-335-0x0000021A64050000-0x0000021A64060000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/1716-353-0x0000021A6C230000-0x0000021A6C231000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-365-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-366-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-364-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-363-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-362-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-361-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-360-0x0000021A6C380000-0x0000021A6C381000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-358-0x0000021A6C380000-0x0000021A6C381000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-373-0x0000021A6C3A0000-0x0000021A6C3A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-357-0x0000021A6C370000-0x0000021A6C371000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1716-355-0x0000021A6C370000-0x0000021A6C371000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/3560-430-0x00000260707D0000-0x00000260707F0000-memory.dmp

                                                        Filesize

                                                        128KB

                                                      • memory/3560-395-0x0000026070480000-0x00000260704A0000-memory.dmp

                                                        Filesize

                                                        128KB

                                                      • memory/3560-414-0x0000026070440000-0x0000026070460000-memory.dmp

                                                        Filesize

                                                        128KB

                                                      • memory/3616-309-0x0000000005A40000-0x0000000005AA6000-memory.dmp

                                                        Filesize

                                                        408KB

                                                      • memory/3616-303-0x0000000003520000-0x000000000352C000-memory.dmp

                                                        Filesize

                                                        48KB

                                                      • memory/3616-302-0x0000000000F80000-0x0000000001012000-memory.dmp

                                                        Filesize

                                                        584KB