hxxps://drive[.]google[.]com/file/d/1KdvgxM9woKFDI92ZE3I7cD9JhF9qMN_x/view?usp=drive_link

Analysis

max time kernel
1044s
max time network
620s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1KdvgxM9woKFDI92ZE3I7cD9JhF9qMN_x/view?usp=drive_link

Score

8^/10

discovery upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	TLauncher-Installer-1.5.1.exe

Executes dropped EXE 2 IoCs

pid	Process
5028	TLauncher-Installer-1.5.1.exe
1188	irsetup.exe

Loads dropped DLL 5 IoCs

pid	Process
2324	javaw.exe
3968	javaw.exe
1188	irsetup.exe
1188	irsetup.exe
1188	irsetup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000236d2-3929.dat	upx
behavioral1/memory/1188-3934-0x0000000000810000-0x0000000000BF9000-memory.dmp	upx
behavioral1/memory/1188-4768-0x0000000000810000-0x0000000000BF9000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLauncher-Installer-1.5.1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "686529041"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31129717"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003d1c6f3067c0c84abb3839afa92ebb0f0000000002000000000010660000000100002000000012c9aba7089a95ba4e13f412467efa9e0d208715aa9633f46b76d2e690bf0a55000000000e800000000200002000000062e994aa5c3d9def581898fcc4612afb93867cef8ad09328e45037d92876579a200000002b4a43a3a37556e4de004a43a658eb67c69b3ec5acff9e046c8a18a536de4191400000004a0d50c7b8e6155dd6e6f7c9cc68dfe85bbe0f62bdc8732953a0288be3b07e86a000f3190750c9d0a8535360c5e1c02731c9fa8767ed1217b0ac21880638c7e7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "686529041"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{68E50A9C-6C68-11EF-939B-D20DFB866B4D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31129717"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003d1c6f3067c0c84abb3839afa92ebb0f00000000020000000000106600000001000020000000131dd3e1307052153eed19549a98a4054f69a658d211d5967f93dc91c6c10238000000000e800000000200002000000059219c9d01afd060ace9d3bf0edbff3d8e50cdb5a8931f40d9a30593c08a0b6c2000000049d3a72024b0b34274398187834fc69a1fb6b3e903877f2218d5b670fee717554000000043d24c8fa532c79dfadad89e5d2f7d3a36051db4dcd968a191cd36f5853c28b99fff283f1b725fc3743f9e92cea4c49077d786dc5ecabc9d7e5b6b39c03fcc1c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d034eb2b7500db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60bbb3297500db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003d1c6f3067c0c84abb3839afa92ebb0f0000000002000000000010660000000100002000000019c175c453762935e3510692b695800ab2243b8fac6a63f76e49042eb6205356000000000e800000000200002000000025f4a43cb07ebe5f111ab1eecf5ff16c689d0df6789d2f52c54e6f11f3fd9a7020000000f0fcecef31c48a8c7b6d3cc1dcf1b5baf68a0ffdaf59c8bc3c81c037c9f161624000000011dee146f445d8c6d5d7c78135b743d71b3cff8e904dbddee235464f79ce6759d355dc2d9f391033cba93211391f0c539180fbec6b2747bd1d6ac31660d6ec49	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "692310301"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31129717"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 609db8297500db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{54849E96-6C68-11EF-939B-D20DFB866B4D} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	javaw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	javaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	javaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	javaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	javaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 5a003100000000002659527e100076657273696f6e730000420009000400efbe2659527e2659527e2e0000003c350200000009000000000000000000000000000000eae3e600760065007200730069006f006e007300000018000000	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f44471a0359723fa74489c55595fe6b30ee0000	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	javaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	javaw.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{5C1911D8-2C7E-4997-8BA3-DE6D4CB4117A}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 543403.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4928	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
4900	msedge.exe
4900	msedge.exe
2080	msedge.exe
2080	msedge.exe
2312	identity_helper.exe
2312	identity_helper.exe
6048	taskmgr.exe
6048	taskmgr.exe
5156	msedge.exe
5156	msedge.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
5312	msedge.exe
5312	msedge.exe
2940	msedge.exe
2940	msedge.exe
3200	7zFM.exe
3200	7zFM.exe
3200	7zFM.exe
3200	7zFM.exe
2864	msedge.exe
2864	msedge.exe
4164	msedge.exe
4164	msedge.exe
1904	msedge.exe
1904	msedge.exe
3548	identity_helper.exe
3548	identity_helper.exe
5916	msedge.exe
5916	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2324	javaw.exe
3968	javaw.exe
3200	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 49 IoCs

pid	Process
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	6048	taskmgr.exe
Token: SeSystemProfilePrivilege	6048	taskmgr.exe
Token: SeCreateGlobalPrivilege	6048	taskmgr.exe
Token: 33	6048	taskmgr.exe
Token: SeIncBasePriorityPrivilege	6048	taskmgr.exe
Token: SeRestorePrivilege	3200	7zFM.exe
Token: 35	3200	7zFM.exe
Token: SeSecurityPrivilege	3200	7zFM.exe
Token: SeSecurityPrivilege	3200	7zFM.exe
Token: SeSecurityPrivilege	3200	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
6048	taskmgr.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2324	javaw.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
2324	javaw.exe
2324	javaw.exe
2324	javaw.exe
2324	javaw.exe
3968	javaw.exe
3968	javaw.exe
3968	javaw.exe
3968	javaw.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
3976	OpenWith.exe
752	iexplore.exe
752	iexplore.exe
5368	IEXPLORE.EXE
5368	IEXPLORE.EXE
5368	IEXPLORE.EXE
5368	IEXPLORE.EXE
2848	iexplore.exe
2848	iexplore.exe
3436	IEXPLORE.EXE
3436	IEXPLORE.EXE
1188	irsetup.exe
1188	irsetup.exe
1188	irsetup.exe
1188	irsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3384	2080	msedge.exe	83
PID 2080 wrote to memory of 3384	2080	msedge.exe	83
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4224	2080	msedge.exe	84
PID 2080 wrote to memory of 4900	2080	msedge.exe	85
PID 2080 wrote to memory of 4900	2080	msedge.exe	85
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86
PID 2080 wrote to memory of 1516	2080	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1KdvgxM9woKFDI92ZE3I7cD9JhF9qMN_x/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb53e546f8,0x7ffb53e54708,0x7ffb53e54718
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1260 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1128 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6808 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1972,9811313797300685399,4517002554855608912,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:3812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1868

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6048

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5536

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\SKlauncher-3.2.10.jar"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2324
- C:\Windows\SYSTEM32\reg.exe
  reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v AppsUseLightTheme
  2⤵
  PID:2936

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\SKlauncher-3.2.10.jar"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3968
- C:\Windows\SYSTEM32\reg.exe
  reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v AppsUseLightTheme
  2⤵
  PID:4868

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\Rise\Rise.jar"
1⤵
PID:3984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:2684
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java.exe -jar Rise.jar
  2⤵
  PID:3780
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java.exe -jar Rise.jar -noverify
  2⤵
  PID:1800

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Rise\Rise.jar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3200
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\7zO08C27B4D\deobf.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:752
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:752 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:5368
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\7zO08C915DD\deobf.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2848
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3976
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO08CB6B8C\Packet.class
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb53e546f8,0x7ffb53e54708,0x7ffb53e54718
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6792 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,3216422111530581928,7362395371340171578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5916
- C:\Users\Admin\Downloads\TLauncher-Installer-1.5.1.exe
  "C:\Users\Admin\Downloads\TLauncher-Installer-1.5.1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-Installer-1.5.1.exe" "__IRCT:3" "__IRTSS:25259921" "__IRSID:S-1-5-21-945322488-2060912225-3527527000-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
42a35bcabd69ad3963896791b8775d19

SHA1
b73d9840977c8e229f2f5c26a353e5775a16152e

SHA256
099ab7552c56556192c7fb5a634453f0225fcb6c30f0717e107bf8630cde7aa5

SHA512
d8ab8b0e870961e035b90b20781c66f9c23f90cc2e97d3eb657a70d64a0c1ecef7853053d6a83842d36fe0795b9fb6bdb167b0e8a016473e062cbb83ff55d9dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
26765ae01f684e494133667e78b130f2

SHA1
3990aedd696fdc1821578a22988e5e7d34ffe42c

SHA256
84fed24481c4750f30b39825418d88b4a8140b7e57affeb1099e59a5ae6e072a

SHA512
d2d0c05926322a456b8821ab249d396c704bfb4ae9951f9432078165542ebe77bd9140167ba7797bdd37f7c6458adc3ba1cc30e25b02f1f1c5cfe1a0f4218c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3dbc96b0-e91d-4935-a716-152bfe623520.tmp

Filesize
11KB

MD5
71707650edda22883b068afe92819432

SHA1
3bd172ee0ba79786d54adbea205f13eebc09ab71

SHA256
d0cd509109c90d9620b59c5f35629319da6f226a03c48b9a90258b490d1e690b

SHA512
9cf63851cf3bbff108369b29f069a3e7f7920f5a2b553068b4135010f9d607682272792da512f843e0b2cbd4fa0ad01fa122fc799c91de59cfce3e4b620cb8b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
67KB

MD5
ed124bdf39bbd5902bd2529a0a4114ea

SHA1
b7dd9d364099ccd4e09fd45f4180d38df6590524

SHA256
48232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44

SHA512
c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
41KB

MD5
9101760b0ce60082c6a23685b9752676

SHA1
0aa9ef19527562f1f7de1a8918559b6e83208245

SHA256
71e4b25e3f86e9e98d4e5ce316842dbf00f7950aad67050b85934b6b5fdfcca5

SHA512
cfa1dc3af7636d49401102181c910536e7e381975592db25ab8b3232bc2f98a4e530bb7457d05cbff449682072ed74a8b65c196d31acb59b9904031025da4af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
38KB

MD5
bff21faca239119a0a3b3cf74ea079c6

SHA1
60a40c7e60425efe81e08f44731e42b4914e8ddf

SHA256
8ea48b2ac756062818bd4ee2d289b88d0d62dc42a36cb6eee5bdd2ff347816c7

SHA512
f9e5baefacae0cdb7b9c93afc43ad6ec3902b28c0cdf569e1a7013f4e5c8dfb7b389b5e2bc724b4ddfe554437320f4f2cc648642944c6f48ad2a78815acd9658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
1.2MB

MD5
32139f48f78db664a075c5d39e28ce97

SHA1
a25e15b34f0782d6c8a9dc369634ff926f740a0a

SHA256
fe0f999d998460777abbbd062e27e7e88c9648afeab8db0cbd20a6218b656e8e

SHA512
167e6537edffdcfc3d89834e7adee03aaaf50f567f24b5da32a704e9279b0781995eb6e28f0a1b64f8f2f5ab508b4d090228c57d9b4cbf3ada5d3bdc29a33d65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000065

Filesize
19KB

MD5
60fa0c40fa48682969937904a20f9690

SHA1
ef95e2838832c60bd319187ef9adf02cf1705803

SHA256
0007d746ef6abf9360b70a15e3788ba327b6c76a6a345d3bf51d104cc32fd00d

SHA512
2fca1a07a46c298c51af92813aca0577ae0eadc09421bac1853034f19f0f2532c7f27460b217f92530b0a46d62e9fb5301472808bd0f0696371834b4ba96941f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000066

Filesize
16KB

MD5
f1e42f23e232151e37e190eacdd7727c

SHA1
d7fb4673ddcd63e98212a68776dc25b6d28fa9f5

SHA256
d9d8890cbe90e925f6a1414928d03c6b69bcd38e3f7be87b1c171fe52d226f0c

SHA512
5c984fddef22f9af697ad6ad504190e152ec09852eb7f9b6967a560f823aa740cdf4ad5385a36c22ec8b4d758c8a34e8ac93ccf5e289e41d249f246c45b7a38c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
123acc36fd2693964d632f992739d70c

SHA1
4e02c1c21e53818a9545981a94c29b52c5b21927

SHA256
86a7e40b9c2f2c689185eeea8e50c044e3e0ef5c8baf9ae5258980e8fdb86407

SHA512
dbf44685094b638af1df60a23dd675d660b62733948ee5ddd894df56001bd3b6c136108c74a1e3b9507aa28a3dd052d2aad45249ea3b059a5bd49039bbd98b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
79bcf2043c54e2b3a42fa28d6bb7e876

SHA1
3eee744eb80ba23e825c001deefe32c6aab81be7

SHA256
d64f3554fb5b7253df2b5a7eca065a070bce929a672e0cde3bd372df728947c2

SHA512
1054c3c0067e64383e36eeca9b13c0d52c4d7e4ac48f574b018b3a6cef3d21d71e50627f58e7700115726359aff54812f8468cd65218dff5ed8a7952faf61d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a16699582a0c73a0b9e5a711ecf81fee

SHA1
3b556914ac16f7866b3652a821af7a95b3353276

SHA256
4de42e48166e66c143a4a9b1d5bad7996fbfbd11a0e01488890be13415526b52

SHA512
60b9db8cd80e92ef720be0c2cc17ce97346ccb983eecbb843b3810076f178284d5eb22b9895a7bbb6f04ad7dd5e4aac15a7d127d56a9f80f76699a8d2e3c8dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
14a830cdb0892a0bdb531f444059e691

SHA1
3509eb07b8acfa41d9115eb7dcfe2345ba9f5cae

SHA256
217929ba66883e36d73c0e53dd193297a1867df5a9cecaff586b0b1099a0e4c2

SHA512
9e2d8ed5a8aa793387743ea313b7219a4938c6a0239ea44bb268ed24ef3529e184e234ff41eb1e7683a35f3e94b750108237005a287b3862da5d927da10440c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
1562ecb1b5898398325864fbefdc07ca

SHA1
0ab193cb99097af430921d991a5367510cfb1114

SHA256
95a259b2a081e0a9092a203db30af56a07518e731364e925222fb5200f2551c4

SHA512
cc4915c3256d1fb77ea4cf22123c0d56143fec42fb956410078b98a65b5a6fc2b5769b231fd057b41fea293645cf2aaa97a7853d90ec3f89256c64d47f3588c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
d8228b560e9c9f9935f0a5949f351004

SHA1
376655368ee8b00fe0f5c8ff4472e3803ec1bc17

SHA256
fbaad20b5f5e772678301614661f5efae1c805e928425eed1f38786ce641d241

SHA512
6bf66fb5bf22b64776755df46eb75784f84f138e4f67c2d9cc7606e6e1581f161091ac99a27148ebeb68c555ccea88a257fe9ab79437548235577bd8d6e5a721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9e632ffbb1843945417b0bbe50628050

SHA1
4013dd8e0ad473ea909363146c5df410cb1c29d9

SHA256
6b2d0acd884a0c7939bbb696b45686fe8623f7c684c5d96e38b894db91b96c1c

SHA512
9f968225e77f72881293cc5eaafafce227796fc1552f05afe014fb6e220f7747438a77ce56d154db0f16c9237409607d2419f272bc7afdd15e8d642884e1c724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
add203273c2753e94cac24abce222918

SHA1
f61d0825e3683c6eaedb0cb812a60bd1cdf908b4

SHA256
7b7ef9a403241b2f2daa418bf4bddf81d8eb4f3425c675f74ee4955d283c0e96

SHA512
46d854d18caa37d95080ba50658046f8c0bd82175c9d0a1e25ae9388ae37f8cd5b2340f453d51919335d004e08fa00669b6564c56a80bbd0d5f4e1e2feacc798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
acd11aa6243647dabdffeef804beb1ec

SHA1
64d43f426f85b2b866141e15eeaea951841eca43

SHA256
6af79629ac129d864d8b9073bb8b121cf5313789c0c8a16e98938cabcc7d2fc5

SHA512
2fb1080b6206080b187dcf905dcca539fcff16da4db473c80997b50f64d91388c51a409b6242501f16a714f7e278b26de0cc1af68ca14d4252b6f8e0d807bbde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f1aa547b186cd4de3e02db24c43be5f2

SHA1
b82d6dd9eeb09d6a08a6a6538ba290a231f69530

SHA256
c340ab3bfa181621f0e1fba16dd034279d410cbf271e89fb19de6c6589cc9ce1

SHA512
1e8ee1f5d30483a698670d9d4356c48e4f08f17a245c05640849fa71622d5eb89ef4b5e50e0f1a7132314c1031afd5e749ba5c97d35e58f3f657f2a89366bb1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1e05c5907c91883f9c68687edeaf11eb

SHA1
bb0dd8c9e904daa9c3a40a581c7306664e3916ad

SHA256
9044682f1e91992326324bc5d43a947f63b9cd3a848ea03db689f0d0bf88ee9f

SHA512
2503d1bca3108965d88d8c026ee22fc0176e1e02c581df07e8b4ada6af983563a4a949c3f8ed0c8995d4fe2d5707dd12b054ecbf6dd491e0c211c40ce7fdba9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
1480af6388ebb862936bf04af1fc6e4e

SHA1
f9034c3757bdeefa4a95f454017fcfbae671aef4

SHA256
9e7ca7fb25e72fb56b649c433b3f031ec6d426f0b27890907e200ec14c713187

SHA512
ecc763be3a1e43282b5271e21f589cae8b8f935665a18e144b2363ddec7897fc0690c40f2954d1cc7f7a7d17fa31e4a60e0bb61e6fa113826764ceb4e0c0e288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
b548978773aaa22a15453088514efaa1

SHA1
11a78de37db8f2a72ea398f8f66026788d69f04a

SHA256
a9d182783442d2bc180cafc1adf668b389b4aa40bca475ad68b3e0a9e8bd727e

SHA512
d29a193d5e1808ff4507e03be00e0a6a9d71afc98e1b21cc0a703268c5d9b22fff05a5f1008624ad825de5c85774ffe497f2222606b6ce07f7d01bd5d567052e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
cf7f2a160cae51f12170768f6313c35a

SHA1
486d0ba804683d40c10c6ceac543b1b3150d17e4

SHA256
5ca6bb549f279a44d58c746b68e6d1bbfb857888440b253e35a6158b73b8a196

SHA512
0c06b40e36f0e7d53a95ced9032e284badc74d10f8f5dc5208167cc6a6b0e71eade3cdb125d8dc5b159a1ebca8b33fa941365799f64887c05f25aa5474bf9a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
c8d5cba7b5e2fc0e03b7076a40136ade

SHA1
f9be96e45779e9725e51b71e047cb06cc32fa094

SHA256
f34e5db6514ebf30591bdfd5fc8887211299540332d81a6c5b8ca5e1d6a8f2e4

SHA512
3084122492d19331835556656362836044772e504bcc476815a1e15c5ff364b1c74bb61e0aed22cc71f3868e7ae9b40330214271ad732cb4b2376a5cd07b0afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7586a7919f94cf24becd9e41050e2495

SHA1
54df74b6b89288bb845de33bcb81735c1d414088

SHA256
b2c981f46fa4ee537769eb406d219136f9f7ad34e44769944c6c6c104d3e70b9

SHA512
de7f266040b199954ac984e859606589974a4f032f2cc4d503d840f6ac4271e45f51cce586fc82c370d9ccd7d07a16085e57bd5800a53bc54dfaba8fd3dc9b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
ed548bd67c08abb07376340f46774695

SHA1
5a0e6c9fc1e93f54f6b939f66c8758fc2727a2bc

SHA256
4034dfba3e9a7d365661f0422b830d211dbdf34d2c3dcdf9ea716d825740fad4

SHA512
362506a5fe883f465efdd664446c326ab421156c93ceb19d8c0c17b245138eef50a9ffb2d46992c2512c323bb9d431ee39865b1d37d05fac994306687cd570cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
4ed0869daafbd10bc92e450ed59ab56e

SHA1
0d363729022e9854df8b58c3ce0ea8d08585bb37

SHA256
e1d9ed7aaf3dc3a2cf60c9616e1d28b5a8fa66ced3a278f01df91dea1be9c789

SHA512
e1e6d6014e22a9fb5009312f8f95c0611a2ea427ba877dec3735ca7cfc0263b7401c5d1d45703df6f01612731e8a057e1e1a14efc29e176d69287c41ff2b033e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
6d76043a5d8405e88e59ba651547b6cb

SHA1
e678e8f575fbad5493ae98b179a230b25bf2160f

SHA256
604f42cad0cbd73469ce1fa53eb906baee7fb51f403ea27af0f748e2bfc909ff

SHA512
03b313c57405d20c063fe8911c0fa8f15d980d2ceb957f544beca92686e23b70c664cc0771bac4495516d97904732b3c6167cdd5d4797e42ee0f0f3d10e54f1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
e9172bf8dc4f38ceabf275978c4ece11

SHA1
db17a3de0e2a3623231bb3e6ea3fa4446deb80af

SHA256
17756fde54ff1fe16bebc0af338b17ce25f96dacabfd733cd3209bf375dff7e5

SHA512
b417f02a6201714ee1624a34edc0b5389d81d44a87477ad5d08182f9da7d65497e2f8390bfae64cbe33a8655f8b4b6b68e516289dd83463778d3bed7b72825c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b1dc22a51dd321fb7e27374f62935b19

SHA1
4440b84288b18a124234cc84987a5d9089365ef7

SHA256
7d16f0c68792a455da4a7e7f97db60481260d2232e217ea85361153aa0a90f8a

SHA512
aa8686484f6845452a0fd8549e98b5c06660fdef5d4180bf8b3be10eb71b0a33b6dad8f8966f60eda93c2253a9a35e1d8d91dd353a419ea51cabc61228711a20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59209e.TMP

Filesize
48B

MD5
64713b17ccd0a88d44e834224ae03d49

SHA1
d8fcaf4a95f99cdbbd20f949b27ccd8f48d99a46

SHA256
e1587c9d92dda6ae82083acc09aff04c59d0968554c9e9debf2d3c9ec4a2d94c

SHA512
e1e1b7a13b28014edbc7787472564f79267333b3c95cf8a07f475b37f6b27adc3ff91f30fa3162b62480875f62f4762f1a9d5f2998b07b12574bbd22737d2a9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b1f0b7a96c1a7c9e3a1f19dbcb644c9d

SHA1
70eb96ce15fe4afdd7c1f32b01bc8fc3ee581ba8

SHA256
02a30d3ecba9a9b6f565c1f7224adb46b8564d8012e07fa6925332305f88715c

SHA512
9076a80585a6f2fd7ac0cc7b9105bea0f3ceba27c3dee3ac901bf43aec9d8da9988e31c31c8bb73034dc8e164f7515032f0515aba19d29452adea0e3468e603b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cdaed45a51da0b836820e1c2e879313c

SHA1
9e11f30b684c2a4c2d7ea66a1090240f185f1ba0

SHA256
028f86d74487d217fb5cb1d3d43bb59a027cfc6d3b69e49b55dcc394c8d2d834

SHA512
d8e40bab23ad7f74f263e8862875bb25223eed61d7d20a56e0aa60ee72c7d3cff3eced0c58692f07a32f4c7885d6239b74e10a969411c99ff1f2d95648b59802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
53344b56fda6c26a055132df7a920dc0

SHA1
40148ab9a2d803cb9a5fab2fe86688899fc7b92c

SHA256
278b7ec97423e0a33432442d6aa43aae81717f8176385d14b1314d7f010d1c0b

SHA512
f0e182f03989e5ded4667808284dfd370942bd2fc189e825d2ecb1541522e06b513da544ca1911d38cf335253ea0aeb254b36f4aa1309fa49070d9ee76f29d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6e8e499775ab98e3ff89c3d8b1f8cc53

SHA1
1da94d0dd28e45b710707767f01e345496517a49

SHA256
8990209e3750b75d73ee4a6428408acbdaec1b049d33d6eafcd49277bcdab131

SHA512
f5c83c816184f1c0591ce85d3717608b94614ff7561e0366f46144072bf1f9f09a1bd6ee8f7f12ee761542d41f2f308ac53c252c6bcd76d79464afa64f746b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ca194c59236077fc2aa058fde5fc0444

SHA1
51a1befc33ac0c9c222dfada65a9fdb127672fe9

SHA256
8bfb3b80de600614f03988e8c0f8bbe4807f70b62ceaa4149d07e666f5f4f282

SHA512
7d08ab138c0bafe37acb7b62fb07a34c41f18d354ccda9016b41240955509a4c8175a97120a56a03fc1b27f6e0d01a61977393fd9f635b3671661166e9c74fff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
bc207dea4b63712eb13db99fec48a6d1

SHA1
64bee593e0132623e88f98d3197f6163eeebe418

SHA256
d3890c258810f4b500ac55ce87adc9674326b6d7e402333b07cf279ffb7feb47

SHA512
2bb03823f937646e8e06cc550a48d090d789c5adfe430e7a7f01bb8a5566b38bac47579932420b047d8420fab181df9ea6f9cbd8d6a3521b287f0820fcdb0212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bee866eae42942133517fd738d98cc1b

SHA1
5b480cc610750f13098ecf66f1e83537c934bd05

SHA256
c8ffa293cdc64ed82abf04863557c5e32074fa6b83321e0d6f6486a03bc0bc71

SHA512
f401da6af19370de9f88836e2911a71efacc87188ef612289bb911d44d6537714d118f254c021a0c00f4b8cc240428dc8e98e6f39b75b0bc5d9e7fef70b81a9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6130ae8ce32c2ccd99965808e284dc35

SHA1
4d07536a465aa18dd6ae9a08a17301cf4c8fd843

SHA256
2f449fe715647a26c58b09858565b21f212f72df8ad8976d67bd2b7a5f4c4168

SHA512
352fa2c36b238205cfd0dd01a6f674b97d0f062896840bd52f0c02638defc1a5bd537e0c40a686a7e6f758fdee1646ccdd92cac9ef898a9c9b489cb8d11e389b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582892.TMP

Filesize
1KB

MD5
33689bb856ad144034000113b8d1af6a

SHA1
7c2204dae10532e14061a522d0bc4e2dea62cb5c

SHA256
5f291146427544d1f4be5dfa7740c7d9e77705601552cd9bc8f09332ce18adca

SHA512
9e73bc0e8a560080a8eecbc7ee5ed5b463312dcfad68211b437bf23d220ab096709a06b837dba3d639500ca2297a7e3ef930a503da94217e5e7ae49ed479ebda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b3cb49bb-90f4-411d-955b-81ffae2b592b.tmp

Filesize
3KB

MD5
2f3a3d27ed1d05a82540cb62cbeec49a

SHA1
8eedb47ec4a54b8658b4f08184fb11978f158334

SHA256
d6d463277b824432ef2f4b3ac3fcb9cfbf14b591c0e92e6d269a2a687a041753

SHA512
d533756d2f86de4065a91d6c22f23d55029cdb6ff5bf4b6c45259ed9bfec84e6c7be377d833281fe871505cae81c61f6451f975cffc78b02a564a37b9a8acc55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000015

Filesize
20KB

MD5
e8e1f8273c10625d8b5e1541f8cab8fd

SHA1
18d7a3b3362fc592407e5b174a8fb60a128ce544

SHA256
45870d39eb491375c12251d35194e916ace795b1a67e02841e1bbcb14f1a0e44

SHA512
ca77d40ec247d16bc50302f8b13c79b37ab1fcf81c1f8ab50f2fc5430d4fabc74f5845c781bd11bb55840184e6765c2f18b28af72e1f7800fe0bb0b1f3f23b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
29eb76222f3ab7e8695ce0a0d246f1aa

SHA1
6b418202ab53e5ffdc8e22919b8752d6bef41c2f

SHA256
7e3b63d928db1588bf8679a63b0e0841becf5ae0b2bfd302238184e43ad98bbf

SHA512
9803047b1e9a4013039dc8c3de51687552d8d27d358801fb2f9385bcb7640fc8b6feab423f3c74d33cbf5fa0f93281b6d7f37f4235d310a0a7c438d7e01c4465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fde021323bb35e42d89c290addc9f2a9

SHA1
0bf9734a756d5ec311ef6bdb0c41e6d360e601ce

SHA256
d6d4131ce6b5199498b6a2e41bf19c50a9775efb1a2053bc134c6a3dd7d65d8a

SHA512
d0cf99817cc4bc6c989439fe41c8f17bffe73c8e7d25403684fdba79df966154f7c163712d1e07aad3f0d084bef048e0f13afd241abf213d7ce1ec1926cc4302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
28b457113d8ff591bd89f258c87f9910

SHA1
013b89b5c324637f6b86c4cca124ed46bebcef0f

SHA256
59e9d4eb0ea1e3ea66afa98230961ae46fe824f82a97e08fb2892e2e2305f95f

SHA512
eb5514a281f9b84394d0d00e2b5401b569b0387e3deadc27eca11742c4d4d46194e4e3a72d790046932fccfee7fc92c9b7881330168bbd4d2a826cbd1f81287c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9a89f337e169b0e1fbee76e58d846766

SHA1
27ce9efc62af1b0d6279fb866b23501278d001f9

SHA256
e1aff43fec077dcb43cf26c63131d0495df1a39d737f3b1f794402a0ad91553e

SHA512
fcfe86b18af68ac237db80f8f11f60eca0c8142fbed32fde69d414b66fd0317ad2ca736eeca3704bfb6b92a4a6300d8eb662a709566cd6649a56eb2f9fff986c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8440f20c5bd579311a9f5ffa2c849a7b

SHA1
d30a99d0085a2199977f3b889797b538f8f1ead6

SHA256
8573db51e6ffb765fe1ab38c22b13bc0a35e228733b8e66e2cb7d4fa6ee27536

SHA512
08e0370d2724481496c93e785b32892673161b012fea34038b9a7f0d8737a9d31d5e5be3b53d00de1c9b1218ab02bdbd289d5f8e6e5685624b343741c20ac10f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
64eaa986d00904cc2aa083588308dfd4

SHA1
2d0c6aab71006e92ed226b0e580eb9d1cbb7d1dc

SHA256
610c4f999a764621b3f4fd275398df86c6d52ee9dded2975bf0607426871ed0c

SHA512
8a125d515226f57df16231e744771157d7611fd137c5df1666352ec7b52dbb1e00617ede12b53898a05c4bc4cef297dfe0650ff579d9bd0d8fd2f19e36729ad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{59A66DC0-50CC-11EF-9393-5A160BE295C1}.dat

Filesize
5KB

MD5
57c743c27614abf967787d6bb351302e

SHA1
f64e3c5dc59d0a8f22f8a746b84c8f6faa68287f

SHA256
2c1128a07c9ed5a883a90860f12309a0a6c840e1d113a9d59d0c30ea52baa329

SHA512
46250e080f7eea488e62d0bbc5711ccf9b4ea299c8dbd713bea152ab3809922c877031ff860a56f500336410b0a6499cd81b715db91a310ee5993eb7a84e0163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{6743CF27-6C68-11EF-939B-D20DFB866B4D}.dat

Filesize
5KB

MD5
999ad17557be4e7c192647a16c25d1bf

SHA1
62cbc2a944def7c5596569aa5687b6fa1ca513b4

SHA256
ea69227beaeaef09bde88ea6ff073c8f3e3b18fd4b1d648370f7ecae58c005ad

SHA512
aec82655c0749e4d85ff2b378aaa0b4c662263cb8d8fed6df61d41cbe6a6ec6434ef46daad8c22390d40428727b6f2739bdd0cacdbd36840e6513f6e6580a1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF2301125326745324620.tmp

Filesize
400KB

MD5
12ec66b825b504d752e8c333bf81dacf

SHA1
56896d3e6011466b7e6631c714c57e20ee8366d9

SHA256
5fc09af94a447fae6f82c00f15dfaef9eae7c560e6cbe46d3e84524019a574aa

SHA512
8cb838589ac4f9819b7e2204517445df94663d3217297212973e8b2d9fece162155130ddc783e7e89ef2832d38bace731b2ae3b73aff36ad782c707813bc52b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF3484534791298631332.tmp

Filesize
397KB

MD5
fdb50e0d48cdcf775fa1ac0dc3c33bd4

SHA1
5c95e5d66572aeca303512ba41a8dde0cea92c80

SHA256
64f8be6e55c37e32ef03da99714bf3aa58b8f2099bfe4f759a7578e3b8291123

SHA512
20ce8100c96058d4e64a12d0817b7ce638cec9f5d03651320eb6b9c3f47ee289ccc695bd3b5b6bf8e0867cdab0ebb6e8cae77df054e185828a6a13f3733ede53

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF5253586002964301615.tmp

Filesize
412KB

MD5
c5c41f7587f272a4c43a265d0286f7bb

SHA1
916224c963d04b93ed54ce7c201108f398e7e159

SHA256
d549110689cdde0821ca2c7148f7b47a097166b4169786a4a9ede675f5ce87f3

SHA512
d4b4d01088d9f506368dc19d709b4ba6be764929b0dd05775841e14cbbec674f216b81515ae529e95abfd22ed2f3e2d2774363dd4284c8c8b57d203599555f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF6573780476610992594.tmp

Filesize
404KB

MD5
4154321279162ceac54088eca13d3e59

SHA1
5e5d8c866c2a7abfd14a12df505c4c419a2a56f7

SHA256
6bdebeb76083e187c7ae59420bfc24e851edb572e1a8d97c1c37b7b2dc26148c

SHA512
04ca175774cbe3f2d83543c01cc388e2715ab7b1378143db41bacdc7e7eddf05d3beef476f6acbe7ddeb34861984efb5fd7f299ec1820697c440b372d258aee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF6921752432608165454.tmp

Filesize
405KB

MD5
8f2869a84ad71f156a17bb66611ebe22

SHA1
0325b9b3992fa2fdc9c715730a33135696c68a39

SHA256
0cb1bc1335372d9e3a0cf6f5311c7cce87af90d2a777fdeec18be605a2a70bc1

SHA512
3d4315d591dcf7609c15b3e32bcc234659fcdbe4be24aef5dba4ad248ad42fd9ab082250244f99dc801ec21575b7400aace50a1e8834d5c33404e76a0caac834

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF7302155494386764838.tmp

Filesize
401KB

MD5
a473e623af12065b4b9cb8db4068fb9c

SHA1
126d31d9fbb0d742763c266a1c2ace71b106e34a

SHA256
1bda81124d6ae26ed16a7201e2bd93766af5a3b14faf79eea14d191ebbd41146

SHA512
1fbc2841783140fe54f3ab1fa84e1ded2534bcec3549ade2f513491b32178df515bd63a0a4a2c35017a6850ff9c3a24f8602357d912acf8ca92b8d68ba846d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF7822471920853036236.tmp

Filesize
407KB

MD5
9a21378c7e8b26bc0c894402bfd5108c

SHA1
72bd9f3ca75ca691ce86fe1ebbdb269f5f737bae

SHA256
0d34f9588400a586b774be97e66ae8c076a8807b8455df0587b39d2a4a1a3b42

SHA512
4a9d23a01f1a7474e0339d4d8b151d0269bfaf7d9e13ff6aa34d7f929002e8ff185f273e6f7afd2d40df3e0630a962dc7767d870dcf1766f3e04b8029a7b452e

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF8192724446193379067.tmp

Filesize
403KB

MD5
118abbe34a2979b66d6838805c56b7cd

SHA1
7f320cb81660fc6dff9cc5751f8fcc0134847c77

SHA256
d054d998ae12be33820b100e0ed3923d513fa5c79c6d4e7ca1953afeb262ea9b

SHA512
5bcad4a03ced2ce76c5ebf78cd2c1328a4ee27019807f56a48bf8a0f936c57f351f10726c176952f0cf08776a5ce53d34c14d6a848925be2789408a61678f381

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF8713320166255931268.tmp

Filesize
405KB

MD5
4b1ffad3c0075af22674765ff1ee2f56

SHA1
1f7b05d0ed1c6c15736115a59ad844adea5f1f66

SHA256
fe3714926082ac5764327e3b67ae52cb6f0cf6b8c4221c064a6cacf821079414

SHA512
427db3fe5860676fab65a9b895d205620a1ec0aa172f45aa9ecef261820e25b84f3413bc5d0a9d0c1311422a8da1f5706ac4f6211a60aacc82974cf00ff036a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF8714282511973624375.tmp

Filesize
398KB

MD5
ff5fdc6f42c720a3ebd7b60f6d605888

SHA1
460c18ddf24846e3d8792d440fd9a750503aef1b

SHA256
1936d24cb0f4ce7006e08c6ef4243d2e42a7b45f2249f8fe54d92f76a317dfd1

SHA512
d3d333b1627d597c83a321a3daca38df63ea0f7cab716006935905b8170379ec2aab26cb7ffc7b539ca272cf7fb7937198aee6db3411077bedf3d2b920d078a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF9067469294010652084.tmp

Filesize
393KB

MD5
b97f16379b4c106616f60f702733f5c6

SHA1
85c472fb9a7f256643bc4bba10f158dfaa1d1e8b

SHA256
4c392dcc8ad916f0f9df7559ab5563b01dd94f9f3b2db34617fe392e00060339

SHA512
d124af2c705b97cbb307497f88c47a5f7d320174d48626ea14ac27d42bcf8016f32810cf7ecb6af1261297b8c331a6ea89e2e35c3e2536390d8d6e500ed8d61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF9112354736001148227.tmp

Filesize
410KB

MD5
c4c47e3d7ed51a6bb67b7b8088a4b0e3

SHA1
b190f4e4e8f838c46ffe9507d966ea4d8b37d8ce

SHA256
5e606f805a71432d4875de7dab737bf9dea1187090f0a5190da9b1bbab09f57c

SHA512
b4251618479c52398ca71cfc61ad88230a14145771ef1085ab9288486d7bfc841f0ea222909f8ba6882db6076df26bfe37e1c23917569270c86d6e7adee7cf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO08C27B4D\deobf.gif

Filesize
135KB

MD5
2c224f443c9352d33367d9f0c21a8ca6

SHA1
d1dec961e8edf957f5da4175804ab0537fc80ed1

SHA256
50325950af52290211f68caa7bce2a08c481f9b94a638cc987eca68c44ae226a

SHA512
cff8b713fa5d30329821431352fcf5fb018ec173a0c9ee37f61a29c074f7a47b51f8657e5f78db2854b7dcbbf2e1b9d73c8e57b76906cf63216ac08a4e126a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO08CB6B8C\Packet.class

Filesize
280B

MD5
a563e207ff614f7d1b119ff00feaba5e

SHA1
83a81ee73d6f45b148082dface7a3d212452c792

SHA256
4cd4521b9e213625bf5ee9f23f9191ce88642294b9797861449459d117cadd2f

SHA512
ec6cc0b3f0277cb7970c56d22ccac4a730c26c653e9fe94a9c4908b72c065b3b6baa9ac1b79ac98a6e1145763f0b61110eaf436398ea40a890ec9dfaeaa823b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKL_TempStyleClass6983814668890462413.css

Filesize
264B

MD5
efc4d8d677045102ef5d0c9dad45e9ab

SHA1
b09108160f0b41463c8b49c3154709867803b7ba

SHA256
203015cc925d561820d225a795e1c6a56e49ff12fe4c874709e717335aa0dc18

SHA512
a67beeafc15cef58cdd0d3d26445ca2cf6eea067320909deaa8a3d05452eec4ea8140b70d67a305ef3a376b5eb52590305240130853e594541bdadb88c226a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
981c6bd23ad276e43a0716eb2c2d86c2

SHA1
9fcf7d51c0bc47a6bbd07c98a98bcdab041cd961

SHA256
6fb77e0ab35e79e357ab4172f65e58a8c8904653b088be2d867619ad66cbb309

SHA512
44cc99cbea974ee1fcab4ca9a58ddaec073555c9ba202452cb579a199e63dccaf83a4b0413b54a788ae44f9cdde1c78d887661483f66eaf05ad2e42cdde1469d

Download Submit
C:\Users\Admin\AppData\Local\Temp\flatlaf.temp\flatlaf-windows-x86_64-5755610949500.dll

Filesize
23KB

MD5
8b9f16320499ece60d7ff0c1249c6df7

SHA1
cd8fc57c064533df66f0ceaaf5d76f8c4f8cb3a0

SHA256
f8a3af19341ac0f12f55ad28169d22b75aa66ed818692541307393c22f986727

SHA512
97384ee1faa1be807388f4077fde5db94010f06420b1ff3a05edf77fb91c9a8163b0a91cb1b7e648c0cd8c4d599e552050f64b8f7c5c81c1be60cd35f062e9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio2029099889780403878.tmp

Filesize
1KB

MD5
4bc22d05b225a34a3ddb4f17d2469b77

SHA1
11a7a273129b3deb9cd2c77ef1834b5643469d3d

SHA256
face76c9c4fad9476a1d80483d41772c805808a1383012b1c22065e30d32ede6

SHA512
e00b03ba7550af9676c56c1ae39c00ccbae42a06011b37e3faec174ee1eda3dd16a223194824ba3f11e7d8bea78e74991af31b51a9066c3941864e13c91c45df

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF18F4BF652E2179EA.TMP

Filesize
16KB

MD5
39951edfe44946fd79e32fd25bce0947

SHA1
d5c0d914e930acfe6b78aee85ce8c98305c07211

SHA256
1fdb3626c8f92b9da328f048a88b4258fbd479de92078328942da01b2493881e

SHA512
e722df8785bdad4716fd099be30df354ea8ce8aa09c6b25a00ce9ec22009e37ec36f7f5872abf3317409c27b24a32046bd4ecf7e6064a9e95b627a4acb25dce3

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_profiles.json.bak

Filesize
559B

MD5
f1e418b30fdc627fbafdfee7fdbdc595

SHA1
f4daf40c28f0aa56313e8b333b88e42b141c05db

SHA256
4d288a82a8845a31c3878a00aaa83a46d9e5850dde04a142296e18213517eda2

SHA512
036f5fcd64e606c80def3a454c32a31228e6b46ee9352fdf1be5ad82753cb04a3ff1689a9e43cf186ad9c09f72ddf464b21cde0387891a458221f137f4c797db

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\sklauncher-fx.jar

Filesize
16.2MB

MD5
c195d84d975cdfd033ece9fb4ac479f2

SHA1
08a3fcfa19616a493a4d3a0af775388357275edb

SHA256
ef945fc0b2f547fe770267e64be595bc22429866d6931f85538c49f381c11d48

SHA512
2634894eb704e7d18dee35ffd8f77a7cf9935db627cda4f0a3f138479c3e66acac6d5d4369464aa2764c7e3b2949daa88b74a2e78c4e460fbdee1bd5b4a8b0bd

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\sklauncher\accounts.json

Filesize
393B

MD5
5ea2c681c58cc02da2f377bcca14261c

SHA1
b90888b13b04e7e07d6e8c8f2a6a416dc5c3b74e

SHA256
8ac2f61dbf5fd59941f31fe3cd12c76571ec5992eee0651f3e9320a3cc606bc7

SHA512
1b5713973b65242cf6bd4bf145b57c7cda887e5eab5f3b167af5250127fddff01e04b555086ac326b0a025577d8e23aa3a882b3f51d302c83ad9cfd720688623

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\sklauncher\sklauncher.vmoptions

Filesize
122B

MD5
bc1a9c2eee2a390645b649e004e696ff

SHA1
95dfbdf8fa83d04046a371f7ad5dbee4ad44f46a

SHA256
651e9eb5261ec8944f0b0014ca6591950080f6ab69d3917703d5923594ae9491

SHA512
0d751d33db3659a31cac7b116a944155c8f0a72f7d68233e894d8bc17c094ffd07e35c5bbfe34c92951d4bbfd5a8af14bb907b241ca20b8000f62041cee03a3a

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\sklauncher\sklauncher_data.bin

Filesize
1018B

MD5
31c36b33084251f0cd780fc40a1cf933

SHA1
d7b6a90414c95de4ea87924bd72ca9a447dbba18

SHA256
8fa5be9ecca699c0f91d9062468106cbbb9a79341a543bcc0344d9696357a804

SHA512
1ad8b66a6b7c6f603bf2376fac03f5deed21b809e16d95d82b6abf0cdbea4519a7db3afa2a382adfedcc1417d22d6293984fc82d0c594670a80851d3a1dcb46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-945322488-2060912225-3527527000-1000\83aa4cc77f591dfc2374580bbd95f6ba_03d68389-5a68-4d9e-92ac-47b927e624dd

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
bcf4ee572687551a1e636ea91b994adc

SHA1
eab109bd4edf4e590c097bf050d51bd4f8f6c784

SHA256
5e7fc754cba0c265ac38798a7c4b33a484afa894b6cc9bf58ace681b4e1c347e

SHA512
3ab68e4475391efed06af8778e3ef1d8c00672d861678cdacc8aad367094cfaf2b12e7fc5c295834b751d869253c4a7f45666fa00cc53dbbd3de0434de8a4f1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
29c5acc35785826813383a8f0a06f046

SHA1
00d8580d18208e11b1d91517b82c5068ae798f36

SHA256
a9f93721a9d67e79b24b2ed490bca4e328ba009ff5e4c24649393cb381fe80b1

SHA512
b6ad7e2c68aed7ec07246c010517cb84560a28438c6f16f26d84b80d06c6ab054c59c530e2da6e9f8204dcda7720bb2f514948cdffe6375ff9ca7901a099eb76

Download Submit
C:\Users\Admin\Downloads\SKlauncher-3.2.10.jar

Filesize
1.1MB

MD5
1495e81aa573744050268cb330af8281

SHA1
b67d9bda787a526c79128179e5000924bca11dd4

SHA256
3ce7e5aff85320e1d393eb34e918a6b71a667bccf08252fbdd512443e5d62f9a

SHA512
e321e4b9243815b4d0b3ab34c380c2b8da0e8e264b791018a4385967946e8cf320fb5bcb695b7aa75e5a9420ae6ced6ea3c05ecfaedb7a1a6e02a1438a2c9d4d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 429031.crdownload

Filesize
20.9MB

MD5
951928ad641df582c567dfffd2526d42

SHA1
6768e9ce2e35fdf0f96fd1206bcb20603660ec48

SHA256
118c7c516cde0963f3ed2f157f63a989c639110f2c962a8dc94193b940cef879

SHA512
038a6cb18953d4d38c5254551f26befe2b83f699bce396569f0aaa3c808fd7559ffddd800d81b4bce323a1fc088f77af8b47e1806801cc82ca675e33ffe5faf1

Download Submit
memory/1188-4768-0x0000000000810000-0x0000000000BF9000-memory.dmp

Filesize
3.9MB

Download
memory/1188-4604-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1188-3934-0x0000000000810000-0x0000000000BF9000-memory.dmp

Filesize
3.9MB

Download
memory/1188-4785-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2324-981-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1315-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1267-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-977-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1262-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1316-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1336-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1307-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1257-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1229-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1218-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1211-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1204-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1332-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1015-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/2324-1042-0x000001E7FEF30000-0x000001E7FEF31000-memory.dmp

Filesize
4KB

Download
memory/6048-221-0x0000022020480000-0x0000022020481000-memory.dmp

Filesize
4KB

Download
memory/6048-217-0x0000022020480000-0x0000022020481000-memory.dmp

Filesize
4KB

Download
memory/6048-208-0x0000022020480000-0x0000022020481000-memory.dmp

Filesize
4KB

Download
memory/6048-207-0x0000022020480000-0x0000022020481000-memory.dmp

Filesize
4KB

Download
memory/6048-209-0x0000022020480000-0x0000022020481000-memory.dmp

Filesize
4KB

Download
memory/6048-223-0x0000022020480000-0x0000022020481000-memory.dmp

Filesize
4KB

Download
memory/6048-222-0x0000022020480000-0x0000022020481000-memory.dmp

Filesize
4KB

Download
memory/6048-220-0x0000022020480000-0x0000022020481000-memory.dmp

Filesize
4KB

Download
memory/6048-219-0x0000022020480000-0x0000022020481000-memory.dmp

Filesize
4KB

Download
memory/6048-218-0x0000022020480000-0x0000022020481000-memory.dmp

Filesize
4KB

Download