44caliber | hxxps://disk[.]yandex[.]ru/d/6_MHEpvPPBEKoQ

Analysis

max time kernel
299s
max time network
302s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25-08-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/6_MHEpvPPBEKoQ

Score

10^/10

44caliber credential_access defense_evasion discovery persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1276872451782869143/xGmDsBJgF-XmVjYHmlWeJITbvIMFvsWrmdUxR44Db6po18jTFjvMRKTFStoHQMaCMZPQ

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 14 IoCs

Processes:

7z2408-x64.exe7z2408-x64.exe7zFM.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exe

pid	process
3808	7z2408-x64.exe
5920	7z2408-x64.exe
5232	7zFM.exe
5444	Insidious.exe
2000	Insidious.exe
6744	Insidious.exe
1796	Insidious.exe
2552	Insidious.exe
1164	Insidious.exe
4344	Insidious.exe
6380	Insidious.exe
2092	Insidious.exe
6960	Insidious.exe
6928	Insidious.exe

Loads dropped DLL 1 IoCs

Processes:

7zFM.exe

pid process

5232 7zFM.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
5232	7zFM.exe

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
113	freegeoip.app
114	freegeoip.app
115	freegeoip.app
81	freegeoip.app
108	freegeoip.app
109	freegeoip.app
112	freegeoip.app
117	freegeoip.app
119	freegeoip.app
11	freegeoip.app
82	freegeoip.app
111	freegeoip.app

Drops file in Program Files directory 64 IoCs

Processes:

7z2408-x64.exe7z2408-x64.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2408-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2408-x64.exe

Drops file in Windows directory 5 IoCs

Processes:

UserOOBEBroker.exechrome.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

7zFM.exemsedge.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\7zO07493DAA\Insidious.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO0741AA8A\Insidious.exe:Zone.Identifier	7zFM.exe
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO0743AE4A\Insidious.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO07474F5A\Insidious.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO0748555A\Insidious.exe:Zone.Identifier	7zFM.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7z2408-x64.exe7z2408-x64.exeFileCoAuth.exeFileCoAuth.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133690957892088739"	chrome.exe

Modifies registry class 43 IoCs

Processes:

7z2408-x64.exe7z2408-x64.exemsedge.exeOpenWith.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{6532040E-7283-4508-B2D5-C6B9A533A97B}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe

NTFS ADS 8 IoCs

Processes:

7zFM.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\7zO0748555A\Insidious.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO07493DAA\Insidious.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO0741AA8A\Insidious.exe:Zone.Identifier	7zFM.exe
File opened for modification	C:\Users\Admin\Downloads\debug.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 229929.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO0743AE4A\Insidious.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO07474F5A\Insidious.exe:Zone.Identifier	7zFM.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeInsidious.exeInsidious.exemsedge.exesdiagnhost.exeInsidious.exe7zFM.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exe

pid	process
2560	msedge.exe
2560	msedge.exe
3156	msedge.exe
3156	msedge.exe
1424	msedge.exe
1424	msedge.exe
4204	identity_helper.exe
4204	identity_helper.exe
3328	msedge.exe
3328	msedge.exe
108	msedge.exe
108	msedge.exe
1164	msedge.exe
1164	msedge.exe
5444	Insidious.exe
5444	Insidious.exe
5444	Insidious.exe
5444	Insidious.exe
2000	Insidious.exe
2000	Insidious.exe
2000	Insidious.exe
2000	Insidious.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
6724	sdiagnhost.exe
6724	sdiagnhost.exe
6744	Insidious.exe
6744	Insidious.exe
6744	Insidious.exe
6744	Insidious.exe
5232	7zFM.exe
5232	7zFM.exe
1796	Insidious.exe
1796	Insidious.exe
1796	Insidious.exe
1796	Insidious.exe
5232	7zFM.exe
5232	7zFM.exe
2552	Insidious.exe
2552	Insidious.exe
2552	Insidious.exe
2552	Insidious.exe
5232	7zFM.exe
5232	7zFM.exe
1164	Insidious.exe
1164	Insidious.exe
1164	Insidious.exe
1164	Insidious.exe
5232	7zFM.exe
5232	7zFM.exe
4344	Insidious.exe
4344	Insidious.exe
4344	Insidious.exe
4344	Insidious.exe
5232	7zFM.exe
5232	7zFM.exe
6380	Insidious.exe
6380	Insidious.exe
6380	Insidious.exe
6380	Insidious.exe
2092	Insidious.exe
2092	Insidious.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exe7zFM.exe

pid process

5232 OpenWith.exe
5232 7zFM.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
664

pid	process
5232	OpenWith.exe
5232	7zFM.exe

pid
4
4
4
4
4
664

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedge.exechrome.exe

pid	process
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exeInsidious.exeInsidious.exesdiagnhost.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	5232	7zFM.exe
Token: 35	5232	7zFM.exe
Token: SeSecurityPrivilege	5232	7zFM.exe
Token: SeDebugPrivilege	5444	Insidious.exe
Token: SeDebugPrivilege	2000	Insidious.exe
Token: SeDebugPrivilege	6724	sdiagnhost.exe
Token: SeSecurityPrivilege	5232	7zFM.exe
Token: SeDebugPrivilege	6744	Insidious.exe
Token: SeSecurityPrivilege	5232	7zFM.exe
Token: SeDebugPrivilege	1796	Insidious.exe
Token: SeSecurityPrivilege	5232	7zFM.exe
Token: SeDebugPrivilege	2552	Insidious.exe
Token: SeSecurityPrivilege	5232	7zFM.exe
Token: SeDebugPrivilege	1164	Insidious.exe
Token: SeSecurityPrivilege	5232	7zFM.exe
Token: SeDebugPrivilege	4344	Insidious.exe
Token: SeSecurityPrivilege	5232	7zFM.exe
Token: SeDebugPrivilege	6380	Insidious.exe
Token: SeDebugPrivilege	2092	Insidious.exe
Token: SeDebugPrivilege	6960	Insidious.exe
Token: SeDebugPrivilege	6928	Insidious.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zFM.exemsdt.exechrome.exe

pid	process
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
5232	7zFM.exe
5232	7zFM.exe
5348	msdt.exe
5232	7zFM.exe
5232	7zFM.exe
5232	7zFM.exe
5232	7zFM.exe
5232	7zFM.exe
5232	7zFM.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exechrome.exe

pid	process
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

7z2408-x64.exeOpenWith.exe7z2408-x64.exe

pid	process
3808	7z2408-x64.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5232	OpenWith.exe
5920	7z2408-x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3156 wrote to memory of 556	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 556	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3632	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2560	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2560	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4748	3156	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/6_MHEpvPPBEKoQ
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb2da43cb8,0x7ffb2da43cc8,0x7ffb2da43cd8
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6528 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6520 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6568 /prefetch:8
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6648 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1164
- C:\Users\Admin\Downloads\7z2408-x64.exe
  "C:\Users\Admin\Downloads\7z2408-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1812 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1684 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,3349726272403647561,7276290395797793292,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5232

C:\Users\Admin\Downloads\7z2408-x64.exe
"C:\Users\Admin\Downloads\7z2408-x64.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5920

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\debug.rar"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5232
- C:\Users\Admin\AppData\Local\Temp\7zO0743AE4A\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0743AE4A\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6744
- C:\Users\Admin\AppData\Local\Temp\7zO07474F5A\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO07474F5A\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\7zO0748555A\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0748555A\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\7zO07493DAA\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO07493DAA\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\7zO0741AA8A\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0741AA8A\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4344

C:\Users\Admin\Desktop\New folder\Insidious.exe
"C:\Users\Admin\Desktop\New folder\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5444

C:\Users\Admin\Desktop\New folder\Insidious.exe
"C:\Users\Admin\Desktop\New folder\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5756

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004D0
1⤵
PID:6032

C:\Windows\system32\msdt.exe
"C:\Windows\system32\msdt.exe" -id AudioPlaybackDiagnostic -skip true -ep SndVolTrayMenu
1⤵
- Suspicious use of FindShellTrayWindow
PID:5348

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mce1wg0b\mce1wg0b.cmdline"
  2⤵
  PID:6880
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9503.tmp" "c:\Users\Admin\AppData\Local\Temp\mce1wg0b\CSC39ABB37F8B2F44FFA587E1E96732998.TMP"
    3⤵
    PID:6928

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:6600

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:6668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:6868

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:6884

C:\Users\Admin\Desktop\Insidious.exe
"C:\Users\Admin\Desktop\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6380

C:\Users\Admin\Desktop\Insidious.exe
"C:\Users\Admin\Desktop\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Users\Admin\Desktop\Insidious.exe
"C:\Users\Admin\Desktop\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6960

C:\Users\Admin\Desktop\Insidious.exe
"C:\Users\Admin\Desktop\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb158acc40,0x7ffb158acc4c,0x7ffb158acc58
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,2950206107997223390,2888196700836899281,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:6336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1400,i,2950206107997223390,2888196700836899281,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2032 /prefetch:3
  2⤵
  PID:6468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,2950206107997223390,2888196700836899281,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:5216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,2950206107997223390,2888196700836899281,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,2950206107997223390,2888196700836899281,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3620,i,2950206107997223390,2888196700836899281,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4288,i,2950206107997223390,2888196700836899281,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4292,i,2950206107997223390,2888196700836899281,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,2950206107997223390,2888196700836899281,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4280,i,2950206107997223390,2888196700836899281,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4780,i,2950206107997223390,2888196700836899281,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:5868

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:7156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:7012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\7-Zip\7-zip.chm

Filesize
117KB

MD5
99b88f4d6d13713053db06b449ed6a9f

SHA1
f718e09a42e9ec49db060589d24135ca6929e8e0

SHA256
f830ddc5280d00e1cb160f9e5dd114292d5efef66c23c3c03c224894250bac2f

SHA512
9f1cb9ad8023b340c82e987bab33cddd817e3ece892aca7350650343396d4dc5d00cfd99c0718a862280c81d7d525c5e870390e1cdfdb4987b6663b1394cf1fc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp2

Filesize
99KB

MD5
d346530e648e15887ae88ea34c82efc9

SHA1
5644d95910852e50a4b42375bddfef05f6b3490f

SHA256
f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902

SHA512
62db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
963KB

MD5
004d7851f74f86704152ecaaa147f0ce

SHA1
45a9765c26eb0b1372cb711120d90b5f111123b3

SHA256
028cf2158df45889e9a565c9ce3c6648fb05c286b97f39c33317163e35d6f6be

SHA512
16ebda34803977a324f5592f947b32f5bb2362dd520dc2e97088d12729024498ddfa6800694d37f2e6e5c6fc8d4c6f603414f0c033df9288efc66a2c39b5ec29

Download Submit
C:\Program Files\7-Zip\History.txt

Filesize
6KB

MD5
86d07103fb8d487d17d33974c0bdc0c2

SHA1
d0318dd9296b5fd92a190329faf5f16f9cc131c3

SHA256
ee3d0eb585da90d0bb36a2f3d2a7fb5fdce5336141ea8f779d7450d8a4b16c42

SHA512
367edb4e86c904d73078ad0cab8c627ab123bde3d647aa21ed695bd54146f7669791e9f38dee27070bc9608332cb0fb6d85798e22e05c505624cb7b6d4ace3af

Download Submit
C:\Program Files\7-Zip\Lang\ba.txt

Filesize
10KB

MD5
387ff78cf5f524fc44640f3025746145

SHA1
8480e549d00003de262b54bc342af66049c43d3b

SHA256
8a85c3fcb5f81157490971ee4f5e6b9e4f80be69a802ebed04e6724ce859713f

SHA512
7851633ee62c00fa2c68f6f59220a836307e6dde37eae5e5dca3ca254d167e305fe1eb342f93112032dadafe9e9608c97036ac489761f7bdc776a98337152344

Download Submit
C:\Program Files\7-Zip\Lang\bg.txt

Filesize
17KB

MD5
2d0c8197d84a083ef904f8f5608afe46

SHA1
5ae918d2bb3e9337538ef204342c5a1d690c7b02

SHA256
62c6f410d011a109abecb79caa24d8aeb98b0046d329d611a4d07e66460eef3f

SHA512
3243d24bc9fdb59e1964e4be353c10b6e9d4229ef903a5ace9c0cb6e1689403173b11db022ca2244c1ef0f568be95f21915083a8c5b016f07752026d332878a4

Download Submit
C:\Program Files\7-Zip\Lang\bn.txt

Filesize
14KB

MD5
771c8b73a374cb30df4df682d9c40edf

SHA1
46aa892c3553bddc159a2c470bd317d1f7b8af2a

SHA256
3f55b2ec5033c39c159593c6f5ece667b92f32938b38fcaf58b4b2a98176c1fc

SHA512
8dcc9cc13322c4504ee49111e1f674809892900709290e58a4e219053b1f78747780e1266e1f4128c0c526c8c37b1a5d1a452eefba2890e3a5190eebe30657ba

Download Submit
C:\Program Files\7-Zip\Lang\br.txt

Filesize
4KB

MD5
07504a4edab058c2f67c8bcb95c605dd

SHA1
3e2ae05865fb474f10b396bfefd453c074f822fa

SHA256
432bdb3eaa9953b084ee14eee8fe0abbc1b384cbdd984ccf35f0415d45aabba8

SHA512
b3f54d695c2a12e97c93af4df09ce1800b49e40302bec7071a151f13866edfdfafc56f70de07686650a46a8664608d8d3ea38c2939f2f1630ce0bf968d669ccc

Download Submit
C:\Program Files\7-Zip\Lang\ca.txt

Filesize
8KB

MD5
264fb4b86bcfb77de221e063beebd832

SHA1
a2eb0a43ea4002c2d8b5817a207eb24296336a20

SHA256
07b5c0ac13d62882bf59db528168b6f0ffdf921d5442fae46319e84c90be3203

SHA512
8d1a73e902c50fd390b9372483ebd2ec58d588bacf0a3b8c8b9474657c67705b6a284bb16bba4326d314c7a3cc11caf320da38d5acb42e685ed2f8a8b6f411f4

Download Submit
C:\Program Files\7-Zip\Lang\co.txt

Filesize
11KB

MD5
de64842f09051e3af6792930a0456b16

SHA1
498b92a35f2a14101183ebe8a22c381610794465

SHA256
dcfb95b47a4435eb7504b804da47302d8a62bbe450dadf1a34baea51c7f60c77

SHA512
5dabeed739a753fd20807400dfc84f7bf1eb544704660a74afcf4e0205b7c71f1ddcf9f79ac2f7b63579735a38e224685b0125c49568cbde2d9d6add4c7d0ed8

Download Submit
C:\Program Files\7-Zip\Lang\cs.txt

Filesize
9KB

MD5
dbdcfc996677513ea17c583511a5323b

SHA1
d655664bc98389ed916bed719203f286bab79d3c

SHA256
a6e329f37aca346ef64f2c08cc36568d5383d5b325c0caf758857ed3ff3953f2

SHA512
df495a8e8d50d7ec24abb55ce66b7e9b8118af63db3eb2153a321792d809f7559e41de3a9c16800347623ab10292aac2e1761b716cb5080e99a5c8726f7cc113

Download Submit
C:\Program Files\7-Zip\Lang\cy.txt

Filesize
4KB

MD5
6bdf25354b531370754506223b146600

SHA1
c2487c59eeeaa5c0bdb19d826fb1e926d691358e

SHA256
470eaf5e67f5ead5b8c3ecc1b5b21b29d16c73591eb0047b681660346e25b3fb

SHA512
c357b07c176175cc36a85c42d91b0cada79dbfb584bdf57f22a6cb11898f88aecf4392037d5cea3e1bc02df7493bb27b9509226f810f1875105bbc33c6ae3f20

Download Submit
C:\Program Files\7-Zip\Lang\da.txt

Filesize
7KB

MD5
c397e8ac4b966e1476adbce006bb49e4

SHA1
3e473e3bc11bd828a1e60225273d47c8121f3f2c

SHA256
5ccd481367f7d8c544de6177187aff53f1143ae451ae755ce9ed9b52c5f5d478

SHA512
cbbece415d16b9984c82bd8fa4c03dbd1fec58ed04e9ef0a860b74d451d03d1c7e07b23b3e652374a3b9128a7987414074c2a281087f24a77873cc45ec5aadd2

Download Submit
C:\Program Files\7-Zip\Lang\de.txt

Filesize
9KB

MD5
1e30a705da680aaeceaec26dcf2981de

SHA1
965c8ed225fb3a914f63164e0df2d5a24255c3d0

SHA256
895f76bfa4b1165e4c5a11bdab70a774e7d05d4bbdaec0230f29dcc85d5d3563

SHA512
ff96e6578a1ee38db309e72a33f5de7960edcc260ca1f5d899a822c78595cc761fedbdcdd10050378c02d8a36718d76c18c6796498e2574501011f9d988da701

Download Submit
C:\Program Files\7-Zip\Lang\el.txt

Filesize
17KB

MD5
5894a446df1321fbdda52a11ff402295

SHA1
a08bf21d20f8ec0fc305c87c71e2c94b98a075a4

SHA256
2dd2130f94d31262b12680c080c96b38ad55c1007f9e610ec8473d4bb13d2908

SHA512
0a2c3d24e7e9add3ca583c09a63ba130d0088ed36947b9f7b02bb48be4d30ef8dc6b8d788535a941f74a7992566b969adf3bd729665e61bfe22b67075766f8de

Download Submit
C:\Program Files\7-Zip\Lang\en.ttt

Filesize
7KB

MD5
bf2e140e9d30d6c51d372638ba7f4bd9

SHA1
a4358379a21a050252d738f6987df587c0bd373d

SHA256
c218145bb039e1fd042fb1f5425b634a4bdc1f40b13801e33ed36cfdbda063ed

SHA512
b524388f7476c9a43e841746764ff59bdb1f8a1b4299353156081a854ee4435b94b34b1a87c299ec23f8909e0652222595b3177ee0392e3b8c0ff0a818db7f9a

Download Submit
C:\Program Files\7-Zip\Lang\eo.txt

Filesize
4KB

MD5
29caad3b73f6557f0306f4f6c6338235

SHA1
d4b3147f23c75de84287ad501e7403e0fce69921

SHA256
a6ef5a5a1e28d406fd78079d9cacf819b047a296adc7083d34f2bfb3d071e5af

SHA512
77618995d9cf90603c5d4ad60262832d8ad64c91a5e6944efd447a5cc082a381666d986bb294d7982c8721b0113f867b86490ca11bb3d46980132c9e4df1bd92

Download Submit
C:\Program Files\7-Zip\Lang\es.txt

Filesize
10KB

MD5
ed230f9f52ef20a79c4bed8a9fefdf21

SHA1
ec0153260b58438ad17faf1a506b22ad0fec1bdc

SHA256
7199b362f43e9dca2049c0eeb8b1bb443488ca87e12d7dda0f717b2adbdb7f95

SHA512
32f0e954235420a535291cf58b823baacf4a84723231a8636c093061a8c64fcd0952c414fc5bc7080fd8e93f050505d308e834fea44b8ab84802d8449f076bc9

Download Submit
C:\Program Files\7-Zip\Lang\et.txt

Filesize
6KB

MD5
d6a50c4139d0973776fc294ee775c2ac

SHA1
1881d68ae10d7eb53291b80bd527a856304078a0

SHA256
6b2718882bb47e905f1fdd7b75ece5cc233904203c1407c6f0dcdc5e08e276da

SHA512
0fd14b4fd9b613d04ef8747dcd6a47f6f7777ac35c847387c0ea4b217f198aa8ac54ea1698419d4122b808f852e9110d1780edcb61a4057c1e2774aa5382e727

Download Submit
C:\Program Files\7-Zip\Lang\eu.txt

Filesize
8KB

MD5
c90cd9f1e3d05b80aba527eb765cbf13

SHA1
66d1e1b250e2288f1e81322edc3a272fc4d0fffc

SHA256
a1c9d46b0639878951538f531bba69aeddd61e6ad5229e3bf9c458196851c7d8

SHA512
439375d01799da3500dfa48c54eb46f7b971a299dfebff31492f39887d53ed83df284ef196eb8bc07d99d0ec92be08a1bf1a7dbf0ce9823c85449cc6f948f24c

Download Submit
C:\Program Files\7-Zip\Lang\ext.txt

Filesize
7KB

MD5
459b9c72a423304ffbc7901f81588337

SHA1
0ba0a0d9668c53f0184c99e9580b90ff308d79be

SHA256
8075fd31b4ebb54603f69abb59d383dcef2f5b66a9f63bb9554027fd2949671c

SHA512
033ced457609563e0f98c66493f665b557ddd26fab9a603e9de97978d9f28465c5ac09e96f5f8e0ecd502d73df29305a7e2b8a0ad4ee50777a75d6ab8d996d7f

Download Submit
C:\Program Files\7-Zip\Lang\fa.txt

Filesize
12KB

MD5
741e0235c771e803c1b2a0b0549eac9d

SHA1
7839ae307e2690721ad11143e076c77d3b699a3c

SHA256
657f2aceb60d557f907603568b0096f9d94143ff5a624262bbfeb019d45d06d7

SHA512
f8662732464fa6a20f35edcce066048a6ba6811f5e56e9ca3d9aa0d198fc9517642b4f659a46d8cb8c87e890adc055433fa71380fb50189bc103d7fbb87e0be5

Download Submit
C:\Program Files\7-Zip\Lang\fi.txt

Filesize
8KB

MD5
a04b6a55f112679c7004226b6298f885

SHA1
06c2377ac6a288fe9edd42df0c52f63dce968312

SHA256
12cc4a2cef76045e07dafc7aec7cf6f16a646c0bb80873ec89a5ae0b4844443b

SHA512
88c7ed08b35558d6d2cd8713b5d045fba366010b8c7a4a7e315c0073cd510d3da41b0438f277d2e0e9043b6fcb87e8417eb5698ab18b3c3d24be7ff64b038e38

Download Submit
C:\Program Files\7-Zip\Lang\fr.txt

Filesize
10KB

MD5
a49801879184c9200b408375fc4408d7

SHA1
763231bd9b883692c0e5127207cbfc6a2a29bc7d

SHA256
397a3af716eb7f0084f3aa04ad36eab82aab881589a359e7d6d4be673e1789a8

SHA512
f408203907594afa116a2003d0b65d77c9bca47663f7f6b26e9158b91dad40569e92851bf788a39105298561f854264a8dc57611637745e04e68585b837702f2

Download Submit
C:\Program Files\7-Zip\Lang\fur.txt

Filesize
6KB

MD5
06b08fe12c0f075d317cf9a2a1dd96bc

SHA1
0062ba87b9207536b9088e94505d765268069f63

SHA256
6ba88938c468e7217bd300b607d7a730530e63d1f97562604ec0bb00d66a06c9

SHA512
9f9fb1c045d92c1f8035d547554457e3466ae861a04f1cd3f57965e4a92f0fc433b2a7b3e9e1e71588e97f8c73d5914a750deded5d3056e327d7efe19a220198

Download Submit
C:\Program Files\7-Zip\Lang\fy.txt

Filesize
5KB

MD5
03d38f09189799a0d927727d071c54b6

SHA1
17ff3a2c83e6a0b0733f2a9a8ce6b83af4f1b137

SHA256
c1c050ed6fe2f8fbc048fd7d82944b8ada784415b6e62316d590c3c7aa45e112

SHA512
e511c1a271a3d78cb7f6111759eec4d7cfc2d46f71f87aa3c4ac1bb11cd4e55e7d4dbe54f9c5107025ffe8c5fcadad4359dc673bc802b82388e74a8f2fa60ff7

Download Submit
C:\Program Files\7-Zip\Lang\ga.txt

Filesize
7KB

MD5
236cfc435288002763c68c4bbee7b39d

SHA1
e74a2402c2cb744dbed8ac1c2154fb1de38148f9

SHA256
b18730124208d26e5e88b76bb99985bf61938d7a994b626b2de5230557d2d8dd

SHA512
fa6941594454cda55e081f15f367f430559849d218895b0b157a2204e8b30ae95db99c62981a9c30a152a63d1bdb8edd975bf06ee5adf1f31b42a2c10cf11580

Download Submit
C:\Program Files\7-Zip\Lang\gl.txt

Filesize
8KB

MD5
6cd7c2b4d6bba163b1623035feb4297d

SHA1
5df07bcfd1edbd448b566aea5789ef251303de69

SHA256
9280ab90261b0c8f206eef7196d7531e4e4932c9174ab899cee4f8ed97cc87c6

SHA512
7ed13085ebc2545b434f5671f958f7a5faa1bc29f7c10721a972afd2c886fc39f0a6e290e70f1f8ea798199ca26974257eaf9b8445652c9b02c789e198191a3e

Download Submit
C:\Program Files\7-Zip\Lang\gu.txt

Filesize
16KB

MD5
93cdc8832328a22e198920630d597268

SHA1
315e5b1c77fb4e2d0c3cc1f48b6db4c79ce9488a

SHA256
c6e54e2a93b821bc974209cd7e2d10e9fbc4ff07d238ae84f552e4ade271702c

SHA512
e8355a42f3a3b5f21d5d4c7a21324433c997ad39412b3bcdcf26edbd5ef882179168b2b5618f9fe631b88407608ab1a83bf139db05c09b608fddf01694b710df

Download Submit
C:\Program Files\7-Zip\Lang\he.txt

Filesize
10KB

MD5
0771f160d56b1890a1cdc2ca040d2616

SHA1
36e69202682bf6993273b521424ec082998f6ca9

SHA256
03b4ea89cce3aa4193a7e3e1e6180dab8359388df3b574379935ea39d7b8d723

SHA512
b452c75292c7d365aa5759fb3f49de674255e839caa687436474b782f615b2ad86a11a58809a5bb60115b070c9b738a461db24e70502598a3bfeccf373220dbb

Download Submit
C:\Program Files\7-Zip\Lang\hi.txt

Filesize
17KB

MD5
18d9c82f12e07b71e03d6086deba0dc3

SHA1
c6c11c6f1fc00a25dd53e1c78f207f6c8c8b8b13

SHA256
5f79ae167a917860f95f73e5ed007fe250f30af794bcfce17941f9ef87d22a05

SHA512
196a859d52a1a742b98460eaf113552dce2cfc63378b19d2902beabc1e66cbd9e26bf37fc26453832aa10929aaf0196ed9211332e63c830b0e5946013c82bdc1

Download Submit
C:\ProgramData\44\Browsers\Cookies_Edge(94).txt

Filesize
2KB

MD5
5d599305d4c7f39a3386a57a83bb131e

SHA1
cf42d0469839b51ff4a9b83824d2cc72818c2e85

SHA256
89dfb56291e47a38b9dc56205f537843ae1ebd528ff2e151b6c66bc32b5a17ef

SHA512
f79be3c7de930ec3e39101bee51a9cd0bf41c285c506f7262ecadbcbed3d1753f16d9bce04b9ca24e59a014a2ca57c3f655191471bd65d17d515ec21e87b477a

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
315B

MD5
71227f862899452aa270d580a8b090c8

SHA1
13a6dc9506be2066777ec34acbe5ab62684c4929

SHA256
22e5316f3216208507c8ae67cbb2a90cfcf4389dae87f8f71c3388593eca57c1

SHA512
126c549e82d679bb9d3e229b09c3dded86b72aa5a98cb956a0d2a740ca43a4da14049134c3836c49ef50e76bb0a69fe158bb776a4c86a7e7b04893ced8ba5b5a

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
420B

MD5
01735e34db13c5f93eead0f8572adb67

SHA1
5b819f76344907d93f62ecd11e2a2cbd514bee2f

SHA256
bca74f82c72da083cf88a725f198e0730982595bfa6a137e46d0b77b81552f4d

SHA512
e833925ccd15947e9234b72cf06e2620b3d982dd4840e5c5cae31634f437702b10c29db85fbb5115490f1d72f4bb5b935815fb14f6221ace756216604101924c

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\2550435360\2024082521.000\AudioDiagnostic.debugreport.xml

Filesize
1KB

MD5
0e530248a8f6c22f91f61014d6745111

SHA1
709dfd64edd46f051df945887f0bd3754e1b2c70

SHA256
e4afc405451f4ad12b1c223ec1a3b1b7a5e01910d7b23ff621c8580a72dd961c

SHA512
6ec196c035202f1f47f7379da0c788899ef2ff5f056cb5883e4051881bc9fa701f600789d036ffd80c66d9f84a46b167ccb6f9bf48ea93017bcce7a8557ead36

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\2550435360\2024082521.000\DeviceDiagnostic.debugreport.xml

Filesize
1KB

MD5
ece114da2cad7a1c6763336ced1b2bbd

SHA1
4c0decb9e9c3c4c6bc764bb0d0612649b3899efb

SHA256
6b0815bfee07a011aa5c873acef7aa7d1f43b35ebe678a4fee73d6eb6cffde76

SHA512
c102abeb4b716e5432865a9b93feaddcd8802d32460c00a901a25413d2b6bb82948a661e54f9129587762cf8ee4b48fd10ad40a4908a431403227b5ead5d9517

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\2550435360\2024082521.000\ResultReport.xml

Filesize
7KB

MD5
01a1496478c0c98827dac2b267ec9f68

SHA1
b52dc7f2cf5b4e359f3f95a3c59c1acbfb624c78

SHA256
e4eeeee102479e84365f0de09ed7b7c9540bd8ec2a62059bd953bf61d4b52b74

SHA512
751f4abbff94636b0a51ea9e953672218e029f637f74f58821fba659cfc02851dbebe3de3c3dc8e7b14a89f598a1d25b14649edb2e7247a503a577513405e770

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1b0530dee5f4e792fa812ae9d872c688

SHA1
e48a60d0a159aaf9717fa3dcef016334bc4a341b

SHA256
969916c5cd420255dc228a2952614d5fd9d7af48388d88c0a1038b77229b9fb9

SHA512
708666beb7798a4b0d6918551709e3a45eb61814aee8614ffb1ab3ba2e969461a0007198d8715620f8d8325184cf6bb3c21e804cef1163e10196b7297628a800

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
247804fd07a018ad2c459924b78dc3ee

SHA1
babc820998ae3660396191f7945b30b3cd4f80b1

SHA256
7acf08cd541466159b60fc239e4c4a8c4c7a305d23e5baf9cd7a43d9d230153b

SHA512
2b8c4c31deb86338d51731a91024f0307331ae8ab6430200309f82f18241ff4e3210a3e3dbfc0a93f18f207898d385acc1cef06bd489fa37fc2d77b27fb3f42b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee94f440d0326faab6202efbec7d4891

SHA1
9d555033cabeea2394aa07594d6849fef46d05bb

SHA256
b703cbd7fae8c321bdb29163961b5886ec8cd79423ae1eee0ca957ce6d3e6219

SHA512
7671dc29f19538c70a2acdcc6c3ba71bc9ee015fdaa25f16f1a77aad681b891259aa3d2a3439dce02f664ae7998351c769f9720642bcdf5e879b873530d9d4bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5cfd8cced5b866a75eb3e2a6f9902ab3

SHA1
e35d8e6569414ac505e5c832fdd412d78b94475d

SHA256
bd595c5d2e0e0162f5d2a77bbaca9a5b1d93c0666078b4a164561ea620786895

SHA512
1bde89dbd4a21518aff9ae9396c024186bc1e013c216f8a7e402592775802ea677d92ff790d9f6c0acaed7a30fe51a95814c8cfda2c886ec2084fa4eddbe6c5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
eb517f4f989c76ad40d445d627dc3bf7

SHA1
d2de7f81a785c0148ef5852b8f6e9080922af621

SHA256
173458a5927505e312df53dcd16b33d614211e56c8b8d41c7704b6171586295d

SHA512
ca2558718f3b14a84b327284b87d882d13da0cc787b5cc2613eb996a2ef3522920cb52a7db74504266401ae52ddb7ac4a8f24f42cf63c3722a6b10775954298a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
96751d755418095007940b700c62d544

SHA1
858b7511da3281df8de83de0ed3bfdbb0b74b74d

SHA256
15be1b7b542d34c40f7c349c72f141f5e1f7348494720540d812cc4872daa035

SHA512
1f1c955b076358986b419556ab5589ea110f60898d643ab6d2ad2f9c609f5989d423c03ec844ac4b879ef5c8b4149624bc1e12a573ec0d0487489b18fd903b6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
69cde57c305d8a8c521ce351c635185b

SHA1
cb5ab8bcbd724c2909d0ca6a8e5ef130d0fdb0e4

SHA256
d993a0ec255ad1b390f899f06fed6e795c01b9347901f60fe01dffe79de3c5c0

SHA512
35490906e377af48666af4c587630a0d390b31a2bf1deb7af069559547dc32e2f598cd7768f386968178b97dcb1b210285563aba3518275e7700e151a89f28ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
55KB

MD5
3bf95563cb618a2688f5163c7e299717

SHA1
ab60be7710c20a05c7497379dacd4769141a1e8a

SHA256
458644c9bcc546a41b0fdd8e0a5249be9235a8bd7b3767b74b616c91e5cb5f61

SHA512
d48cefdabfdc9c12e26e1100cd646dd382b51b9c8f06ee1b2e08dbd269fc5d1cc0f746df8cb46eaa01824d40d3ea9c705af9bce6e7cbe49a93043410333e5220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f2ad96a11dc6b4e1c449e8b292b45d7c

SHA1
3b42c54869cc75cafccb9b4b724383851006f22d

SHA256
ece1e90cd1647ff5cffea3819db285ee99b4c5254ec4bbf06feddfd321d8c387

SHA512
3f75cb1b24383e66fb806a143020d88a24f519013202faa6853cf064ff998e2a38bb09f593c26b1c6abbe99ce9c09ee0b73fd6ebf3dc7e20ae654d3d3039bae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
fa81fb85e755145ddb74b5ce5825ff8a

SHA1
1cfd3a5017a9e6116cde0b87d8d8e17c7636a6b1

SHA256
b046ab98a40e7c7b51436b0d9000d8bbc16bb6d6260d82a6a87181a88595c146

SHA512
5355712087302d2bf3e83c85d244020eb8c749fb114f7506b5d4bb068526326a4b4a65f5329a636ffc5e74463fee7ba579b32b8bc55979cbd9ca2cab64168f0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
88713d443cbd02d99fdc9df5ff340831

SHA1
a32bfad194c2c6bbf64030c6dd86fae01f61461b

SHA256
6e277f14a96231faa4cfaf88ae4eec09a7792adcac4fd741e826e11311535538

SHA512
9d2e53654737f8e14ed5118916bc34585570f77bf04ebdd79708cf9f31bb93140e14bc1cb77aa3d263779ccd9ae87f99aa6234b51306711947dd5901a9d8bd0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
adb606d0e27cd4d29a0f8b55e6d39f15

SHA1
a61b5f5e581461b7bd730205799a2ce875e2d0fa

SHA256
03b930f10b7e26b63a6f12be26465017968434e8cd5f1b77f958629b3f428af6

SHA512
5ac4bca1983436f3817430d4223c58a7817f9690542b56dcf12a9a1fc642fbc11af8a8667b0a1ad817a3aa021fd35d2d89a8240a589e24257e682a3bffbaeb24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a1d7ca0e7e27e6a97cf9b1ba58f666d5

SHA1
9c1ffbd049aa45483ae1b2610baf365a31f17522

SHA256
a02bc872d115032d745d6b52bdbcf2f7782934eb47afa13bbf46ccbd588dc1f6

SHA512
dbda02cffb9843ad002b812b91b2e474f161a400a8e7abe4c42606c7a7b24b12762e03ea1a0a165ae837aa5103142a5ca9e818b7289217ce3b30cad2ca3a22ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
89785ace51b569297e044565f48ac475

SHA1
b7680d9f9edae48294fbeffec1e8977ca04c82d0

SHA256
57dcff886b191caef6d4cb4056d5039c2f7aa171bc6c039bd762a70dc1807c1c

SHA512
b76cd02734c323a998efa98da27ad3d815b4c526b163fe2f8344c371bd5a7d992f760903c723b13e938834c040ab6a9213fa84e8932017a7f75bc68045fab8e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
567c510090adeb9042eb502bad642883

SHA1
c9b930771fa8c1c520cdc36185f00de073761aa5

SHA256
5350f84f51a2bdbc9ec8aa8ddeefe056a308c543432efa71cea917939b5de95e

SHA512
425c6a0719427587556d5a9a822b74037959ad9785813ce037dd4eb4fea29edcdcff9b6411e4e97aecbb6465d69b662361906c49b22551057cd3d27a086cab81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e0b17d0c822116ab34891dc55d586e7

SHA1
978a23cbf6f3f16e5b35199827b50909663a3946

SHA256
27f762ef092b207e543e98c3a042f48323a48fbeff29161e768ed41a6510f864

SHA512
765be08b04e5251c344b20b915be72ab52ee8ae16d5b36d5cb33856ba206e49123fd98f97514428b8ee5eb9308c65fe12d1bdefc13b1f693de693434fe097cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2ebd3a0175dfa71e975649a0289ea82c

SHA1
bc4727808d7d23569ffef43459de0449341a642d

SHA256
a56d669f5e3b25184eca1239f566cda80b2976c06bd633ace311b2b57ed6ffd7

SHA512
bc1698c76be9970f23ba8c109009bc6da9adb5436cb44d87b5ead3adb505f69f3e38637892bfbbe35823cbc9a3b973a4c9060064bc04d153754966e273f734f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588160.TMP

Filesize
703B

MD5
27e7099d646e437fc463b7ab1c232c9d

SHA1
18f944948390bd6b423ad76eb33c5baf0f7284d8

SHA256
0d5a2580310e735ac3608c3217110049ccd868c96642e57a27839e5f2788a416

SHA512
b37203690ae8e187fff4d220fb04ee86ca71dd912feeb76a61e074aa6ee0401431b7c45b3bb233bf4ba28bc2a9363a6d0bae13f7f07c5347ec7d1bc16e511159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2ee64d3f375beee9d0dc486a847e192f

SHA1
a9a0a711897d69bb9b8d1cec4ff7451490d71e6d

SHA256
50af579d734bc3360f6937699a82c76425d7bdef9ba49ced7e3d66c4b5f1c78c

SHA512
636e2a45069ca3d94931b7fc50e1d2b715086e641989dc2ae2f9bb939e5b94f44d3f81d429e92d2aa9ab2208507732dfe7161ab92ccfd14fad6f8017bfa76b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
641ae7aa4e6bc946ba5a30ca3bef14f6

SHA1
e07c5dde3c242170f981111abbf99e38c9d4ea1a

SHA256
8f1754baaed711ff6d8b0473dd180f9d22d72d68f717d065496cc1d6c4a9cb49

SHA512
e436316fae58c6239fa3a24eef5bac9edd0dae444fe37d4de6452ca7704dcd120a286945bf028a52b0470ff274b1ee146c79c50700607218bc2b1c0eb3481bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
efd508b5905ee295e218f95efa047bdc

SHA1
417e618ecb5ff55df79c89fec36646518bca1e55

SHA256
ba15c45730378f76699cc1a96bb6e99e35c2bf7a11a303524186f6919978ad02

SHA512
e7caafa84909e76a69fdc73edaa1a3217de1ff5607e0b664f9e78dd5a9eda36eec82e7bd4cb5e1a0639163606706c81bc0a6975dfab13eaaedcc1e449a0d99fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
291753bd2f1941bfc8456c292b9456b4

SHA1
bb21a322a8b8beefeb4178842b513316f8a4020f

SHA256
73ebbcaa402f92801d495a99a378c930631fcee3ae57c21ad62b83f88ae55a3e

SHA512
735bd903c809429c85d5c52446e54adfee162cd2a8c99708069df77fdf54602a02cce4f745193b1b09f531adf2b063d0ca68637dbdbd97c45a5a7ce44659ff9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0743AE4A\Insidious.exe

Filesize
303KB

MD5
76dc4548eb7f3255913e19fe0a3a9286

SHA1
4e2efa33af6abca5046042f7ed5fb9b17fc8f5af

SHA256
7c0c394c161920494f515bb092e2c7c959f52f6078688153f492414d72089d01

SHA512
12845b0674e89bc0cb46b3c9c6b7dfb4f224751b7274935a555ec9888d4cb4d863b9300a083f253e6e47e561dae7515b13111096172ce1740bc80e7218d43289

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0adfbfa.lbo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64C7.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64CB.tmp.dat

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64CC.tmp.dat

Filesize
28KB

MD5
ceda30f101b3e0c216a779172644a19f

SHA1
b2d84619b81d092c5baa92c12f5c6af94ad7deff

SHA256
5985a1f7cadffc38eac4496c57281005b181b8511e1fdd98a6b26ba632a27ec1

SHA512
fc834e1737deb1f0b35628a7b2291a26e939e6607dcf356f464f6a881935db4305c2922cec85eb676358d36a3a4b585c7564a87de930d44ab5b93b772d1a2e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64DD.tmp.tmpdb

Filesize
5.0MB

MD5
bad3d8559eab8207539bb1850a708934

SHA1
35fffaf3bc4e269443c03adc58f4bc69a8439834

SHA256
23b069c40bb8498184a16648623747091482d53fc9660c7ed284970bb571ba0e

SHA512
28a103899d3731abb6aa514e4089c0025d910ca355ae5a4adf4e03bd54dbe7da1f44027f2adc9db13aa76d0f20e30af1a30461faf7f9e75e035de78ab5c4f867

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64DE.tmp.tmpdb

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp72C5.tmp.dat

Filesize
114KB

MD5
a33481b308bc347cac2e395b7ff3532a

SHA1
fd6a52ce42334a2286d8e1807619afc12593111f

SHA256
6909d34d9fbe1e8b19456853f3080f897d7e40bc84db970413fd3083073c83aa

SHA512
a19ea96ac4f90f11162724c73cfe51bbe49e675d0677e25273a910db7edddeb3768291ecd6d19326afdbb181219cdf04661f3ad261c8230e487c13f45603bf83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp72D8.tmp.dat

Filesize
112KB

MD5
bfa938bbfb9d421400aa90cc63f97ea2

SHA1
8000e7c5a1a6461a647819f9101cfc1cd5825f32

SHA256
2a2356a6132f5161722a968fabf2bf3433ed3fa2dfd1749a1a506c4023c83e01

SHA512
5a7f9eee12ef6bb96ea2df4fad002209310ca17a8ed8df38de62e9851583edba5b165c77a2267a38be25aa088893cf7fd3158c173e975575de22b468100afbce

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Cookies_Edge(82).txt

Filesize
5KB

MD5
02b0a2323c22d3642cf5a31775d3e15e

SHA1
1048237dfd0d328019680a67d397a02f3538f05c

SHA256
2fa4472c9ef7ff9018376c224b84922a8e748ad07c84c2d687d83c536b4ea28a

SHA512
40e14cd6070f4b13c570f313ac91571f655d995dd1785c0d2dd39f5406103d72e6bd74717e211c0b9d9f546a3b51d016bfca4a4d5d39f613624152b86146edaf

Download Submit
C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 229929.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Admin\Downloads\debug.rar

Filesize
286KB

MD5
d17027cd211d3c86a26a18ecc9fc26f7

SHA1
17244e29957235ba9c2395e297bfe839434c91aa

SHA256
6a30512541b132e3d7d02439ccb4c7deaad8ddf20d868126a77d36a970056461

SHA512
5ff831ec765ab498fdc334bb03c824482275952c67882c6e937cf6b07dc288cfca821e40bdcac67d2a6efab599f6ccc624d433b265fbe1d77de3044e07b4bf89

Download Submit
C:\Users\Admin\Downloads\debug.rar:Zone.Identifier

Filesize
747B

MD5
1b2006c7971d80ba4c48a65b074bbd28

SHA1
67700942cb2869064827e4d2e78cd1c602a2b105

SHA256
6b5145f2c66bb09eec80148aac0e9390152da91dc7a1e7f6f4ba178de41e5678

SHA512
b10c3a6bd11eab55bded04a1994f73a981035d1277c4f3823a12f4e48398d87b2a47a127cad85d56ddec83ebe3d70051a2efdc71ead0b9b10f54e54fb6443590

Download Submit
C:\Windows\Temp\SDIAG_6e7848c0-19e4-40fe-b8e0-a7746d89ab6c\DiagPackage.dll

Filesize
64KB

MD5
6ef17c58607ed77a6f89eb41acb23152

SHA1
d95619e0dede50bac6673a2d0aa8c0d3568e72d8

SHA256
3e402d868e09177d67b94117e5c61b2b1fe31d6ac6b4880a353871eac565c1b4

SHA512
4341e5dd5da7ade551c3edbc50bc5dc3166a434443d17e5cf5eda4aba13ab816703cf083b5f78acdb5698ce14042fb27dd3c11fcb28b46b346ffdb63d091eed9

Download Submit
C:\Windows\Temp\SDIAG_6e7848c0-19e4-40fe-b8e0-a7746d89ab6c\en-US\DiagPackage.dll.mui

Filesize
11KB

MD5
727ba12bb0d0db4ee042ec590830f53a

SHA1
7b316c92b9d53ab88f0de973c407f97baf2fffac

SHA256
e797792c1541b38d7085f051af40637ccbdbec3a2ed1ad7324fb7138e53f30b7

SHA512
948a262b66c583353d20249dd14efc0c430d5b13f68359ec145b5fb5aa84a4b5e0a58d642646c6fdccf8cdde672d65c19e0ed3ae451646688c08f9428b9613b0

Download Submit
C:\Windows\Temp\SDIAG_d16aea67-c912-4ea3-aef8-adb949642d53\DiagPackage.dll

Filesize
180KB

MD5
3288996974f21e8b6caa51a7ab983b34

SHA1
97d22fbd004f2d96cbd6d117af90c5bca2b96d77

SHA256
d7aab612ec43f7754fd0e89861ca3f05a7a564e9642e7a46bdc396be47aa4831

SHA512
3f8a15e990c0a71978d6dc83720a68cf95fb224f141bb485dc37729887878c932268c399a04846ea0f853fbeae1d685939d3c516463d5c04dbd76d26f08b274e

Download Submit
C:\Windows\Temp\SDIAG_d16aea67-c912-4ea3-aef8-adb949642d53\en-US\DiagPackage.dll.mui

Filesize
12KB

MD5
9292fc8e5fa1726cec13fe83d9fa4bca

SHA1
62ffe1faf68afd94557c7302b038f033f2f13aae

SHA256
a1c0edd2aaa8efc65b9bb67aa8aba926a65bba84954b76611c5fc9e95aa0599f

SHA512
63402a49b9cd7c7addbf806f6f94c8946e25ef6bbce21ac1b3958544c81d3885eac338830c89317a895cd07c8960c8a004d1531b3d83e35ce853f8aad220829c

Download Submit
C:\Windows\Temp\SDIAG_d16aea67-c912-4ea3-aef8-adb949642d53\result\Registry log.txt

Filesize
244KB

MD5
cdc0598c8c04c28c77251492bb677eda

SHA1
b35ba12f3375bc308a89cfeb235074c5e232da57

SHA256
59a871d7cce81890f0c4af10285b30274c931db1977f12561f0df0f543cce2b3

SHA512
7f67bc430ace85bc4d262025077ee27eaf9d6a7f1c76c3a402770a22e91bf588ef493be3ad13dafc4a7b838c920bb047d4f76de841c18a98592fc327f0f2f025

Download Submit
C:\Windows\Temp\SDIAG_d16aea67-c912-4ea3-aef8-adb949642d53\result\results.xsl

Filesize
47KB

MD5
90df783c6d95859f3a420cb6af1bafe1

SHA1
3fe1e63ca5efc0822fc3a4ae862557238aa22f78

SHA256
06db605b5969c93747313e6409ea84bdd8b7e1731b7e6e3656329d77bcf51093

SHA512
e5dcbb7d8f42eabf42966fccee11c3d3e3f965ecc7a4d9e4ecd0382a31c4e8afea931564b1c6931f6d7e6b3650dc01a4a1971e317dab6c1f03932c6b6b7d399f

Download Submit
memory/5444-939-0x0000020757EE0000-0x0000020757F32000-memory.dmp

Filesize
328KB

Download
memory/6724-1425-0x0000020C29B10000-0x0000020C29B32000-memory.dmp

Filesize
136KB

Download
memory/6724-1439-0x0000020C29B80000-0x0000020C29B88000-memory.dmp

Filesize
32KB

Download