hxxps://archive[.]org/details/gta-san-andreas_20220115

Analysis

max time kernel
1934s
max time network
1875s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
12/09/2024, 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://archive.org/details/gta-san-andreas_20220115

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2256	powershell.exe
2588	powershell.exe
4992	powershell.exe
1992	powershell.exe
2696	powershell.exe
4728	powershell.exe
2456	powershell.exe
4672	powershell.exe
588	powershell.exe
1472	powershell.exe
4348	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2064	winrar-x64-701.exe
1868	LSUBAAETIVEQKRWS.exe
2844	LSUBAAETIVEQKRWS.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2440	GameBarPresenceWriter.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gta_sa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gta_sa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gta_sa.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "3"	svchost.exe

Modifies registry class 61 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-131918955-2378418313-883382443-1000\{F9AD306F-798E-4091-AFCB-454B187A6C0A}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-131918955-2378418313-883382443-1000\{75D3201E-E9A9-4AB9-957D-C59F610EA431}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-131918955-2378418313-883382443-1000\{6DF04200-DEEC-4247-AAA3-E86ACB43D759}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Key created	\Registry\User\S-1-5-21-131918955-2378418313-883382443-1000_Classes\NotificationData	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000003fb97257efe4da01cc79f828f5e4da019d685dc6fc04db0114000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-131918955-2378418313-883382443-1000\{6D3B46EE-E0F2-4A90-A281-BF67003209D3}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\GTA San Andreas.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 447311.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\GTA San Andreas.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
428	msedge.exe
428	msedge.exe
4328	msedge.exe
4328	msedge.exe
1432	identity_helper.exe
1432	identity_helper.exe
3232	msedge.exe
3232	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
4028	msedge.exe
4028	msedge.exe
4956	msedge.exe
4956	msedge.exe
1140	msedge.exe
1140	msedge.exe
1500	msedge.exe
1500	msedge.exe
2224	msedge.exe
2224	msedge.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
2256	powershell.exe
2256	powershell.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
2588	powershell.exe
2588	powershell.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe
568	gta_sa.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1500	msedge.exe
1316	OpenWith.exe
5032	gta_sa.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1000	AUDIODG.EXE
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeIncreaseQuotaPrivilege	4348	powershell.exe
Token: SeSecurityPrivilege	4348	powershell.exe
Token: SeTakeOwnershipPrivilege	4348	powershell.exe
Token: SeLoadDriverPrivilege	4348	powershell.exe
Token: SeSystemProfilePrivilege	4348	powershell.exe
Token: SeSystemtimePrivilege	4348	powershell.exe
Token: SeProfSingleProcessPrivilege	4348	powershell.exe
Token: SeIncBasePriorityPrivilege	4348	powershell.exe
Token: SeCreatePagefilePrivilege	4348	powershell.exe
Token: SeBackupPrivilege	4348	powershell.exe
Token: SeRestorePrivilege	4348	powershell.exe
Token: SeShutdownPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeSystemEnvironmentPrivilege	4348	powershell.exe
Token: SeRemoteShutdownPrivilege	4348	powershell.exe
Token: SeUndockPrivilege	4348	powershell.exe
Token: SeManageVolumePrivilege	4348	powershell.exe
Token: 33	4348	powershell.exe
Token: 34	4348	powershell.exe
Token: 35	4348	powershell.exe
Token: 36	4348	powershell.exe
Token: SeIncreaseQuotaPrivilege	4348	powershell.exe
Token: SeSecurityPrivilege	4348	powershell.exe
Token: SeTakeOwnershipPrivilege	4348	powershell.exe
Token: SeLoadDriverPrivilege	4348	powershell.exe
Token: SeSystemProfilePrivilege	4348	powershell.exe
Token: SeSystemtimePrivilege	4348	powershell.exe
Token: SeProfSingleProcessPrivilege	4348	powershell.exe
Token: SeIncBasePriorityPrivilege	4348	powershell.exe
Token: SeCreatePagefilePrivilege	4348	powershell.exe
Token: SeBackupPrivilege	4348	powershell.exe
Token: SeRestorePrivilege	4348	powershell.exe
Token: SeShutdownPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeSystemEnvironmentPrivilege	4348	powershell.exe
Token: SeRemoteShutdownPrivilege	4348	powershell.exe
Token: SeUndockPrivilege	4348	powershell.exe
Token: SeManageVolumePrivilege	4348	powershell.exe
Token: 33	4348	powershell.exe
Token: 34	4348	powershell.exe
Token: 35	4348	powershell.exe
Token: 36	4348	powershell.exe
Token: SeIncreaseQuotaPrivilege	4348	powershell.exe
Token: SeSecurityPrivilege	4348	powershell.exe
Token: SeTakeOwnershipPrivilege	4348	powershell.exe
Token: SeLoadDriverPrivilege	4348	powershell.exe
Token: SeSystemProfilePrivilege	4348	powershell.exe
Token: SeSystemtimePrivilege	4348	powershell.exe
Token: SeProfSingleProcessPrivilege	4348	powershell.exe
Token: SeIncBasePriorityPrivilege	4348	powershell.exe
Token: SeCreatePagefilePrivilege	4348	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2064	winrar-x64-701.exe
2064	winrar-x64-701.exe
2064	winrar-x64-701.exe
1500	msedge.exe
2732	gta_sa.exe
2732	gta_sa.exe
2732	gta_sa.exe
1316	OpenWith.exe
2732	gta_sa.exe
2732	gta_sa.exe
5032	gta_sa.exe
5032	gta_sa.exe
5032	gta_sa.exe
5032	gta_sa.exe
1916	OpenWith.exe
5032	gta_sa.exe
5032	gta_sa.exe
5032	gta_sa.exe
5032	gta_sa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 4512	4328	msedge.exe	80
PID 4328 wrote to memory of 4512	4328	msedge.exe	80
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 4548	4328	msedge.exe	81
PID 4328 wrote to memory of 428	4328	msedge.exe	82
PID 4328 wrote to memory of 428	4328	msedge.exe	82
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83
PID 4328 wrote to memory of 5056	4328	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://archive.org/details/gta-san-andreas_20220115
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e4d13cb8,0x7ff9e4d13cc8,0x7ff9e4d13cd8
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1276 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5812 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2388 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6860 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1140
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,166784412130229260,11797140942248790792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8184 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:628

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\671df3b616f74229b1f7b49ea11067ef /t 1796 /p 2064
1⤵
PID:3992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2624

C:\Users\Admin\Downloads\GTA San Andreas\GTA San Andreas\gta_sa.exe
"C:\Users\Admin\Downloads\GTA San Andreas\GTA San Andreas\gta_sa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:568
- C:\Users\Admin\Downloads\GTA San Andreas\GTA San Andreas\gta_sa.exe
  gta_sa.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2732
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
  2⤵
  PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
  2⤵
  PID:1792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
  2⤵
  PID:1836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
  2⤵
  PID:2844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
  2⤵
  PID:1272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
  2⤵
  PID:3636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
  2⤵
  PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4672
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
  2⤵
  PID:3488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
  2⤵
  PID:2780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4992
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
  2⤵
  PID:2484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- C:\Users\Admin\AppData\Roaming\Adobe\LSUBAAETIVEQKRWS.exe
  "C:\Users\Admin\AppData\Roaming\Adobe\LSUBAAETIVEQKRWS.exe" --test
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -Command "Register-ScheduledTask LSUBAAETIVEQKRWS_run -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Adobe\LSUBAAETIVEQKRWS.exe' -WorkingDirectory 'C:\Users\Admin\AppData\Roaming\Adobe') -Trigger (New-ScheduledTaskTrigger -AtLogon) -RunLevel Highest -Force"
  2⤵
  PID:4344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Register-ScheduledTask LSUBAAETIVEQKRWS_run -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Adobe\LSUBAAETIVEQKRWS.exe' -WorkingDirectory 'C:\Users\Admin\AppData\Roaming\Adobe') -Trigger (New-ScheduledTaskTrigger -AtLogon) -RunLevel Highest -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4348
- C:\Users\Admin\AppData\Roaming\Adobe\LSUBAAETIVEQKRWS.exe
  C:\Users\Admin\AppData\Roaming\Adobe\LSUBAAETIVEQKRWS.exe
  2⤵
  - Executes dropped EXE
  PID:2844

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:2440

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:1416

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Users\Admin\Downloads\GTA San Andreas\GTA San Andreas\gta_sa.exe
"C:\Users\Admin\Downloads\GTA San Andreas\GTA San Andreas\gta_sa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:3008

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\GTA San Andreas\GTA San Andreas\ReadMe\Readme.txt
1⤵
PID:1928

C:\Users\Admin\Downloads\GTA San Andreas\GTA San Andreas\gta_sa.exe
"C:\Users\Admin\Downloads\GTA San Andreas\GTA San Andreas\gta_sa.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:5016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
67KB

MD5
929b1f88aa0b766609e4ca5b9770dc24

SHA1
c1f16f77e4f4aecc80dadd25ea15ed10936cc901

SHA256
965eaf004d31e79f7849b404d0b8827323f9fe75b05fe73b1226ccc4deea4074

SHA512
fe8d6b94d537ee9cae30de946886bf7893d3755c37dd1662baf1f61e04f47fa66e070210c990c4a956bde70380b7ce11c05ad39f9cbd3ea55b129bb1f573fa07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
41KB

MD5
58756d99d2376dcfbede6057dd25a745

SHA1
76f81b96664cd8863210bb03cc75012eaae96320

SHA256
f5d0da7b010b28a7fe2c314724a966c44068a8c8fa7e9a495e1284aa501067fa

SHA512
476e35c3da0cf223e773c2d26403c12f8c8d034273cca9e3c4cba9359f8506159c2a5267793c8bd9982b636191ddda62e9119593f5599053894c7027a58acc10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
1.2MB

MD5
f82813a24b25c6893ec5554d13139a3b

SHA1
6b84a890b09836a83d6fbb1ee4b6ccb0f3a0c977

SHA256
3dc6e68a674af350282d944874cc881de0d1c1feb05a28fb76e2d27fbd094395

SHA512
6980afd3050c41cd7068acc8754a7a7150ecab1d3d60192e87a2ee09351cfc88f9a53e82e791c4bb3dd9d380952fd551ad32b4c04f49d6708271c2a4b90c0025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
7554a4748e2c887eb0880a06a92164fd

SHA1
b8c7f6cf754a8069f4e7b943e866e79b19e1a855

SHA256
3943ed16eca96b3e16433d7aa6c48e501cc886c0611621ccf54f10db45629863

SHA512
39b10558dee73a484ffdedc3325585346cf4ef09043e481becd0bf54dabbd257167fb5bba8d12346fa5bd77f9f6794d57f7a160feb9dfa7f4d3e6fff6c9b1723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7fc2f9511b7e26b772eca43bfc60912c

SHA1
1aabd572b5943ebf462aaf29a49e053238369ae5

SHA256
44f221d056e2077f338fd651e139fc4e35a6c97e78333899adf717f750ea775f

SHA512
ce3aae874dd64419563c9d2e99b276bebd5cc208fb5830204f356368798fe01e71f9eda0d4f02a26fbcdb7d426180b0ad152773f9f7cd3ffc85da4fcf5411303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
53f143d1eec37026c95cbed0e0e2bfe0

SHA1
f93885f5455da2cf0497b7bddb126010a488eeab

SHA256
d708ecf436bd7b69f29311dcf2a8be84e1a110e273f4c4749403939cba1a3f9e

SHA512
003cc031f0ec52e3404bb7d714d91d3da628a9b406459b0ca5f1828829b3b8cfd700d25ccfa7f53709bfea6686579d958bc4ed1f6bc3847171a3003ef8cb236b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
e39e31a713308194b140e9ead436dad9

SHA1
9c45891ff53d74d38dad294951641e5a4481f0c1

SHA256
535942d24ada1961aed8dcce244c9dea37e9be471baf946dbc4feec4fc8ab985

SHA512
6be357339ae06ef272ef9fd9abde20ac33d32c9ff7dfa98d4a5196f20ffa0300ae763452a744e5f793a15830e3a1558f320925b06d3e8a717ea10885291cff7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
700a3e14becd774f4a6ffe741cb451f3

SHA1
54a52c1e7c3fb0292f74f0df16f8185917421334

SHA256
5510a7bc266a491c6dd19e006c061491ddbc7c7d7bd26f4369d2aada301b6ac6

SHA512
46f56f37a17c34a6c08b850774c029cf669f97243f6daa995ec2df7702181259b69d4760ee0428d6f81a6f9949a243d5d83fa089712e2ea2cf38aa2eef49798a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
576B

MD5
8613388efc3e826a4741683851bd0b81

SHA1
3d9ea6a2a13925d3073114922e3899c70abe796b

SHA256
c1ff7b57caba94bce360274a0129cf2b1ff46c45d9355cd3240cf1c06366b034

SHA512
a45d23ebcdf67914256bca5ff0f0e73af78876e38905ee850e09ee32c0f23708fd6d445e5c6bf77836451d98e3ab878d0c439663fecd6a4dfede71e67dbe4ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ab4a7526f8aa4f66c8f16e705b528d11

SHA1
4e85156c97546c007fdc51d979b2836a41040ee7

SHA256
16143d6edf1467af8281f3f9562fc579a098033a8a9ab71da8c97817db29b0a8

SHA512
4c909ac6cf08cb58052578fd98ad3cc618d228c70c773ccaa29d9e332c503a627a5ce58a41848f9227e43c23fda3259ac263cb1250d33f69275108fd5015a1ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
55d5e75fb37784d35d5c652a7ecfb58a

SHA1
5e04621609f3c9fc077a379c926855194dbf521d

SHA256
d8597def524712733ee2c1ba345fb0583bb66620e9f255e7564f2fab270ac7fc

SHA512
3cd1dbfaaf477c79aa0a5a5663a87e6f857add9bb0635325dcc6f2d576b4020bf6d47c1f3db0bed3d310424130fd927344ea1735162efb4ec8a5ef3dd20ef384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
23223e1ed95cde0bd9b3806d22cdf451

SHA1
277100af9e5f7c78db500b3b4aa8defd0eb8b017

SHA256
de530d6df901b7b3d6a8b17b5e2ec80b72ce9278ec4da835a01a0bc7518c5c71

SHA512
88d25e749da0f0502ae39cae0414a15d765629c43f7382307f48640e75ae41c4419907743f49f3de83fd41bc899e94c156816e112125bbe1cf963e5564ce62aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7b80b75b860ce3921cdcd7c241774f96

SHA1
ba6d9653b3d2a59c7d064280ec0f8116ad67b920

SHA256
ecad448359ed4317d906f18050d748d07a3adac611204215235b6e76df9c8ec9

SHA512
27c3ec81f4e94d76c9b5ae54a36c4a8b29ef0f52832e689fe15043e841a41227805a8a4924467a58c1d4aef9756c80ee691830aa38ad24a1df93444b9a10c862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
de63c70f5af4c25a27c50beeadc069dc

SHA1
833213f9d865e7499eb81925e85532a794cdb9da

SHA256
d887f292e09465429d43087909dc8a60607d46e08ff16361984e68ec15a25caa

SHA512
276352564be5ba1f96a50171be2fe1bbb92079574f38ed4783afd1fc17d946ca04cbe797ce41530d0256e4a11a352997f2640cd0184b7a3eb4e07cfbb9661fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
73ef896f2d95b31f977dbd74fab2ca65

SHA1
550461e99287232bb034175efddf0cf2fc78a1d5

SHA256
6d8f38f28cd0c32daabf759542af246caa3602fd0f4f4187b76d074705a33a0c

SHA512
bea575cab0777845a544990475a46e05e17d79a75987c211c25c106a147de5b3f208a997b32d002c9ab002de185e667caa67839f2174e30642c2fe11a07c318f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2c184409b7f2833f1eabeeaba2cde602

SHA1
5f84d2c11ed93200b01fd812b72cd635dffe61da

SHA256
c9b0009196cb1322919956b6e4ee07fdd896264993e7a9884bfeb4df14cb817b

SHA512
65cefc31c1ae1f26417a0f605435f00a30699f5c5182c498641392bda0d681f7782af24eb8fb277cb3aefada455000abdbdefe9bb3d9c45d02233a6285bba9f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
130b7b7b81b3b1b40809a8545f092104

SHA1
5ea31c95148dfc8205080997882eed6fdb4ec881

SHA256
c4eb1ae668d81cb002b57645632a1d5da2a28f67f31392c50614c80796b108cb

SHA512
c9e325809fa03d3de067bf55cc9d2f418315d72e384c17708e1d194f5de236c1946c0c2ba94ca89d13fb9b357f6dc0e80b665bd39755d2de09134878c7b8f565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
247fc4347c290698f45e08a868a6e8f9

SHA1
6f227235c526c10d2419d91ec97fe7ffa37bde86

SHA256
e3d904346da05153eb8716fcb3a91277198bcaa69ba00fed6cf45445009dd0f9

SHA512
5068ccd3bd64b95a85f8f7a673718bb5b27c0bac7bcfc9e1b5175adc7b9d25d85d66a675fe55a44c4a1110e7231b088c277e881e69db82ea5b3042b4ddcb1caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f03bcfc8ed2cdac26198575de8991409

SHA1
366dc87f7802cd9c11348a21023a213b23407eaf

SHA256
f242436d5aadcc3fe47cc730210a0c59bbf99806d1c7e0c5f936dc194fca0d41

SHA512
a05d05c522a5ee098a5d9cd630fa1ccaa895b8980e2b5e4832001e6ce8cf5da7fa40a59abfa4b8c238df1e6747454d20b0293f47bc49bcf7b56b26bb21324387

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
45ef8b0668efe82aa58065311a979f8d

SHA1
0c98d92f3c731b720f4d7d165e576f6a323dcce5

SHA256
ab0d13db2c40a15a76a63187c2e35802569a37fface5d7dcd3bafc4107bde333

SHA512
c92d903e2faa256f3c923062bd22fa4cc965e187f76fda06bd8b06346cbc20b92b9ae7f0626bf0f3d75a5ea23a855b2e8d24846108702b53b46c395c6bbdb211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
540B

MD5
6f080036197dab0df11186bec613020e

SHA1
abcc33d5f5bff57687f7f84c131820eea5c2901e

SHA256
714bd340b69b00aa7d2526788c4803bcb1d2fcf44350a37829bd12c7cb9d0ce9

SHA512
73b6577677102a57b3345fc2ab20bbd3b35ab86a23eed7e3fcff041d73f3d546e280b6a3a5cf70c413cdafec608b84d07063dfba3adddf10479d89385e07aa14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
708B

MD5
3a89adbbf53440fca37d9d6f5f995aae

SHA1
0b805ffc1b976fb83c54e71a9d8537733a61a448

SHA256
4fd7b5d9ae7e59806ce3b0ce48bdb2e55160eba7366051934fbcf96ccaee9a98

SHA512
9a93d9235d1447e51e60e5cffbe4bdf16bd1b06fecf27823451249dd1d7c6cfe57d212b3fc5cc5122e3865e387a388ec918020964ddf6d9c0ee5e86b4e120dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a3917a3f36a499ff6d0fd4aaa5ae6552

SHA1
014e20facd9a6fcdf4bec957ad8172d023e81f84

SHA256
19ba7560e0366e6f332088b35c5bb52f48451a7b8bbb7c1cfcee2e33aea91e2d

SHA512
0ed81af37cfacc182de178802f2b68f94a7e8041d4b4a3bb76006f4a435da5ab8d911a6c63d528a016a0f79906aaaca3a9deb5df565017bdbedf4ffb4db7b124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4e65bd9ef95a6054cea205dc4f592553

SHA1
7602414da06394f2200d461ade02217e32c122f8

SHA256
2c5d9621d4fea79629e75cee819e07c7158b579114c8c2e4311d225a4c036db7

SHA512
3bf7eb7eef1fa24a0fb33c2d0403281959a34e04530b989329feadc5e1c25e125877a2c00d28f63450af246a34480fe7ae1fc10c2cc81e7091c7db229433b554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a5c7206bfe86f433d7f3a1a4a852bad4

SHA1
08f6c3590df65af0abbb0c8f726e0bba9d644833

SHA256
a8a8b494dc243327bd19b8718b5449bbee3c209aa99fd71387ea8bed7ed587ff

SHA512
f158e6918bc87fc2a58606ea6096aa2c830d8210368dead7fff137682365e278d09c42e446a7a6cd06a338c718669108d588288ac9ccef46ae88b49e20b5c575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58270b.TMP

Filesize
540B

MD5
ebea531a7e527d5682babe16d4647977

SHA1
f4fa2251753d9d57bff03aa35306bf8cee2fd12b

SHA256
09dee8bf342a471b049ab1588a130b88b01e1d51dcac565f02041c361f2cfe8c

SHA512
8189a482d854b1adb9d73b18ffcb31fb0bdc2fc27148a452eb7f41483e39d408c619cea53e87dcc6abc0e69e1efe8a52c05610ab98f52b3218ae11c5cfd0a583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6859b71404be18aa688ad29a6e0c407f

SHA1
4cbbd74299bd5a3c55e31ec187527e5885a27be2

SHA256
62cd673c5f1b62be130e081d82440b1c563d7a49e0ddde987e0cc7b78434c02b

SHA512
255d67ca3b4443fa49c1b40da3b81d7d9e2519774e0fb350391161eaae32cdf602ec7cf59f669985148964de5467e8e9de14b84948fa72d1f33a6551764aa44e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3e035ade6ac43248f9959bfb6338d52e

SHA1
1cd9dd81bbc82903045f0fe449803709f4f6b7f3

SHA256
0e8f3cbfe116a69e3e2cbeeda8317e54bed27ce6d6b6f543449f92b2175388a0

SHA512
0edc302b74be74b8c975f8eca81f5d51a03160eeb5062d3f5657acd8819a82f0bda1d104e799b91cb7c3fabef8be49fce9977d0e82c5b5dd564957a90e73a135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
85eb81ebaf6f4103592b719ed03c8e0b

SHA1
bf47c5c8751cc2db7d3d94010d6e3bdce1bc8bc8

SHA256
a50934fe7b8b08346ba69263b12a34d6aa96fca7dac6e60e5acf7524055e9d90

SHA512
ff5f730660fbb2aa45394d122e54481e8738e846361f3ca0537a1966077d468fb3643d97f747dd5ea64bd0d67ef85a1876e0a195eafc615ec107441754eda6da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e5d5a0c84f679d9f63e5423bdc03f263

SHA1
9153e00c1b0e7d9ebd68ea4c26c65bafb1f7ae30

SHA256
32e28574fa93d31d09bdab8bee46298b5c98cb824c73fc1cdeaedc7fa9c1c986

SHA512
71e7299e763e512af35423226626b5841cd0a53a1ec267f888977fb2e07ace156240340900068ea617db0b6662298a3deb40d9052a7884fe4ac8d35c05d8cfaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
37a402115265638e6534dc7dcb598873

SHA1
f138cce249d1bf227efb39b1accb72ee3aebbd92

SHA256
498a25bc1003926d7517936423e36aef2764a71ad7652d51b0db80ddb7a1bfc1

SHA512
e85d31dcc02b8ebf84734e2545e1887bb6455d7bf98e15f5032c71135fbfc3b29cb5afe380733a32e7f8120fc18eb1c92da6893d4e892489adee4c18ced916f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
64497dba662bee5d7ae7a3c76a72ed88

SHA1
edc027042b9983f13d074ba9eed8b78e55e4152e

SHA256
ca69ebbd2c9c185f0647fb2122d7a26e7d23af06a1950fb25ac327d869687b47

SHA512
25da69ec86ba0df6c7da60f722cc2919c59c91f2bb03137e0e87771936e5271522d48eef98030a0da41f7a707d82221d35fb016f8bb9a294e87be114adbe3522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa6b748cd8f3e3c0e41549529b919e21

SHA1
5a4b9721f9fb5042f6ef7afd698d5ac5216a88bb

SHA256
d7d665a42f940443efb28eb231dfe1c4062394e71fba145d6eea9ec075b0f0e8

SHA512
361c523f49428a7e430279099e669a1a8af8764653f42e83105c0da3f8e8dd3be6c1719ea8c158d8f2e8425d74457147a4683190eb4a67019b9d02be44c13534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
190b28f40c0edd3cc08d0fd3aca4779a

SHA1
425b98532b6a18aa2baece47605f1cf6c8cfbd11

SHA256
8a2c650430d93841587c726ffff72fb64e02d2da24c9d8df17e835d1124d53ce

SHA512
8d1c7a20b324937face0e0c9249d635b3dfcfbad004928de731baf0d72df9ee64fb3f482451d20eb55fa0364311a9806e9d49ae4eafca38d6b58a988f8807110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
119f072cb44ba7b650fdcf73c670cef0

SHA1
c2c60b6f946a7b06f86ee1f50c2487e6d4c44f3a

SHA256
bd76b46dd2400be6c57f805ca3ed77e87a55440d1e2bdbc822b984e07cea8bdb

SHA512
f56c37835af1c800362f248344bb00cbab528a2be60d9a8c7e14ffa214b55c9a802769d60151c954051fc52df5a67895d899c18819ee89c1116a5bb66064cf73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d5bfa8bfa4724309248f8219e3501e84

SHA1
dcdf5cd53a02d97515985215ad46a36feb37167b

SHA256
6f6147c1ea4009c4c19a07b05e43792bdacc48226db2fa3de5189725cdd4964a

SHA512
5c3b486b4c4d715009ff362c33c7b268ee59b9f674217ffef82aa4c704afa6bea14e048f47b095aa62c11d016533d72e89076261068cb793c9a9737b48bef304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1ff5d340b32338bc8b712902ee4d2d59

SHA1
c91905cb568f4b571819b009588119521eb73d51

SHA256
56cbca096e7c3a6d7c1e36389d333ac4cb0c9724cfea408f14b6306365e03ff8

SHA512
682baab5cd5711d2862f2910147e83f177903ec5de0513d8c15f81128eed6467cec2e3001b15f582086ecaeb87b7692778824d7f3206422ae05ecb32f263912a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9030854a24cf37b7b4e3650aac67d427

SHA1
27f3e35705bbe6388da04bf97e09da1875a6bc71

SHA256
e818d49edbec3553b77c8a400c04fc88b601614946c281fc9c86acf9498010e0

SHA512
f402098f60d99d7e7130095c6965bb540454ff9867e72a9c2efaf833967639b802f193f9e73af53829167b43a2d9100e19f9056621f75543fa2aadad1e185dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bda95964af6686f13b722b5afc511019

SHA1
a61077c1cf551bfb18bd4aa58a50fd127897c8fd

SHA256
fea4fcf87c1ba433a7c5a078733f65b837c20cc105c5b7125ba5f55ee65b49c7

SHA512
a44e2078f2486d3805e01d2eab93f750f2035a3c3e8f2deb3946470ecf42c06c8fdaa2b04ad8d2941ed33a6cd68f0ed75b47fd1dd650129dc047daa299bced47

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ks3xmmya.4al.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\LSUBAAETIVEQKRWS.exe

Filesize
839KB

MD5
499fcea1b50829226a68a6685e7aad02

SHA1
e81ec17a8901ca4a003ce8e7a68c88472485c8b6

SHA256
b7955e0b700c2bfc8083565b43cb2aabd6f6d41ff79af64b0e6bb2cdfbd4e45f

SHA512
b7b0626d4541db85f07f5b66d1e0e9983f11ad2f7a8ff56b32c1327eec68a6057ee50a0d31ce30165e87280364f6fd6c30345fb735dc964332883cf8718047ab

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\LSUBAAETIVEQKRWS_0.dat

Filesize
10.0MB

MD5
9d1c2c907248643d68368f48f9044d5c

SHA1
e6c7e93fec8669d7326fa48c0e6b2498797e8e43

SHA256
65c67fdbc9d05e514c72709c0a59c608d76df0b4f7c02ddad4d073baad6fac40

SHA512
88308ce7917a886a2141ca4d79c042285d0491c48bc1a6c217bd1bb926e88b10cf3ced486160da2c6877b9e0af63a664590d0a50633b20f9ac2e52d9fbeb91aa

Download Submit
C:\Users\Admin\Downloads\GTA San Andreas.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 447311.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/568-1153-0x0000000000420000-0x0000000000E12000-memory.dmp

Filesize
9.9MB

Download
memory/568-1093-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/2256-1128-0x00000167AB570000-0x00000167AB592000-memory.dmp

Filesize
136KB

Download
memory/2732-1101-0x0000000001890000-0x0000000001899000-memory.dmp

Filesize
36KB

Download
memory/2732-1100-0x0000000001920000-0x0000000001931000-memory.dmp

Filesize
68KB

Download
memory/2732-1129-0x0000000000400000-0x0000000001577000-memory.dmp

Filesize
17.5MB

Download
memory/2732-1099-0x0000000000400000-0x0000000001577000-memory.dmp

Filesize
17.5MB

Download
memory/2732-1103-0x0000000000400000-0x0000000001577000-memory.dmp

Filesize
17.5MB

Download
memory/2732-1102-0x00000000037B0000-0x00000000038B8000-memory.dmp

Filesize
1.0MB

Download
memory/4636-1261-0x0000000001B10000-0x0000000001B21000-memory.dmp

Filesize
68KB

Download
memory/4636-1262-0x0000000001810000-0x0000000001819000-memory.dmp

Filesize
36KB

Download
memory/4636-1264-0x0000000000400000-0x0000000001577000-memory.dmp

Filesize
17.5MB

Download
memory/4636-1265-0x0000000000400000-0x0000000001577000-memory.dmp

Filesize
17.5MB

Download
memory/4636-1268-0x0000000000400000-0x0000000001577000-memory.dmp

Filesize
17.5MB

Download
memory/5032-1175-0x00000000037F0000-0x00000000038F8000-memory.dmp

Filesize
1.0MB

Download
memory/5032-1176-0x0000000000400000-0x0000000001577000-memory.dmp

Filesize
17.5MB

Download
memory/5032-1173-0x00000000018F0000-0x0000000001901000-memory.dmp

Filesize
68KB

Download
memory/5032-1174-0x0000000001910000-0x0000000001919000-memory.dmp

Filesize
36KB

Download
memory/5032-1266-0x0000000000400000-0x0000000001577000-memory.dmp

Filesize
17.5MB

Download