Analysis

  • max time kernel
    164s
  • max time network
    166s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    13-09-2024 18:59

General

  • Target

    https://ninjaui.net/

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla payload 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 9 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ninjaui.net/
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb6db3cb8,0x7ffcb6db3cc8,0x7ffcb6db3cd8
      2⤵
      PID:5056
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
      2⤵
      PID:4336
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1368
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
      2⤵
      PID:2816
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1920 /prefetch:1
      2⤵
      PID:1844
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      2⤵
      PID:1404
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
      2⤵
      PID:1256
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2184
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
      2⤵
      PID:1800
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
      2⤵
      PID:3112
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
      2⤵
      PID:3696
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
      2⤵
      PID:3656
    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4784
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4708 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3760
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
      2⤵
      PID:4052
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
      2⤵
      PID:444
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
      2⤵
      PID:2236
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
      2⤵
      PID:4260
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
      2⤵
      PID:2328
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7088 /prefetch:8
      2⤵
      PID:4012
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2936 /prefetch:8
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      PID:3288
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,18420788021473398863,2081500909568068482,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6996 /prefetch:8
      2⤵
      PID:4100
    • C:\Users\Admin\Downloads\NinjaUI-Setup-v2.0.exe
      "C:\Users\Admin\Downloads\NinjaUI-Setup-v2.0.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4492
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaUI-Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaUI-Setup.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1500
        • C:\Program Files\NinjaUI\NinjaUI.exe
          "C:\Program Files\NinjaUI\NinjaUI.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2312
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3872
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\NinjaUI\DiscordRPC.dll
    Filesize: 82KB
    MD5: 3956130e36754f184a0443c850f708f8
    SHA1: 4874cd51b0fa5652ed84e3b0c123bee05dcdffc8
    SHA256: 25c39f91f737d80040c72c9e3f95db0fece1c9653f501828adc16cfb1ec59d26
    SHA512: 157143dd69378e9914ddbb934229cfbc99ae7d80f4f787b7799fc254054d2c7b1e6f4551cddea30470e28b61309f858fcdb2d009b1c32953dfe5ea7fe78e9e48

  • C:\Program Files\NinjaUI\Newtonsoft.Json.dll
    Filesize: 695KB
    MD5: 195ffb7167db3219b217c4fd439eedd6
    SHA1: 1e76e6099570ede620b76ed47cf8d03a936d49f8
    SHA256: e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
    SHA512: 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

  • C:\Program Files\NinjaUI\NinjaUI.exe
    Filesize: 770KB
    MD5: d52fbb3251165f268ebd170d84cc6ccc
    SHA1: d139e9dc7ed028ab1653c262ef0c24e79fa87cf1
    SHA256: cc603448c5876488b87fa407eaa2f50461a8306d62aa12919f3a03189197ef5d
    SHA512: 233ea93cd494bd3d8a58320e77a143becd7d69f8788629c43788d491ad75de5565aeabb27424d31f80a060db14d14fd33f18468736356402b4bddd4870470951

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 3e2612636cf368bc811fdc8db09e037d
    SHA1: d69e34379f97e35083f4c4ea1249e6f1a5f51d56
    SHA256: 2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9
    SHA512: b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: e8115549491cca16e7bfdfec9db7f89a
    SHA1: d1eb5c8263cbe146cd88953bb9886c3aeb262742
    SHA256: dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e
    SHA512: 851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017
    Filesize: 20KB
    MD5: ddecb50cf7f3cf6e0ebe9b3374ea2f6c
    SHA1: dba013bcbc2aaadd3089cfcf720c42348a48817d
    SHA256: 9cea35a9fbde3b0328bc0e72f696919f707112dc8a15c3032becce86c48153c6
    SHA512: 38ca3a3421504ed4d5a6a9488fc2d686d99c0755970b713742ed2b24d8d0c3c971580d16669f187f1d3db428f2804ba8a463dd3c6ddca7cf6128cc97c9082648

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d
    Filesize: 20KB
    MD5: 02507bb10d4f62115e72d3459ad3145e
    SHA1: d75939d5767852a71428a1d466917e111e4f2ecb
    SHA256: e65a23b49614545b65f1bc81750e14711621f6b992085cffe5b30597b972830d
    SHA512: 24d3b2831c7cba2fd0878811220a9bcfdac0fab8aef4dbe8c5547ee977b5586e616e975a940d15fde509d8e3faabbe4ee0c6fe7c6fa49cb6189448e3b41ce35b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 984B
    MD5: 346105f53a389f31f3c1fc99665098cb
    SHA1: d3fef7bd935a991e04e91c315fe43bda6881e0ba
    SHA256: c3eed0a6daa1f3e70e21e9b9bcaa857ecef4efd84319914c1cef769585f7ccbe
    SHA512: d8dbdb7e8e2bb1671e4c7a0b60ff7ffcd9ebc00aa5b376012f4f260fe30d95c1fe700801b62facf96d01474f2848482e06a56bcb8b94582709466e7fc1a2ea01

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 672B
    MD5: 8abb1ff3aa0b831b3500dd40a0af9a16
    SHA1: 6d1952a2ad2aa7944ab9eab6d7e978875d7f62a4
    SHA256: f45169302aa21ccea479dcf937b56c8fbd22206b013fb69a4b3d039ee655ac42
    SHA512: 603e5fdfc67ef17e69b240394ec068496423946e63fdb4f2af5581ad65bb1231985d7e8b80bcf66d2c5aa2069fea15823026b7e39e1b1b45fbc3d948b671eeb0

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 960B
    MD5: 52e43b38671cba54b19d7e6f4f448aac
    SHA1: 83889828240fadeb709dfa80f5b6dd1890e61415
    SHA256: d4c1ed500199462b276773c0977f6005b08aeb67586c55264937d85bc0e63595
    SHA512: c715f56b39354ce091c5ef4756593921da89f4b4492cf3db946314e6ae2958b1f1b4138970b139d8181fb6ed846894119665f3706c51414d6c69b8b0cd709c1e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 111B
    MD5: 285252a2f6327d41eab203dc2f402c67
    SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
    SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
    SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 2KB
    MD5: d2cbca387ca2fd289dba42ff2cd04e11
    SHA1: d4482b900860a7b8308c01af8d1979f19e22239a
    SHA256: a8f9517869605b3508c2b53c720a5790000c1d63cf6d8b84ad54ceac9ada67c2
    SHA512: 51cbfae265e9a7e84443ad66ccd2c7c5ef6d76b856ebc13a549484145578910a8b32b709b11a3bd4468e6d9c70e214b9f5cfa9aa175d064e7bacc5664c74394a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 2KB
    MD5: f7a66d3b0ed5c01ee819022527d0c8b4
    SHA1: 1536f7ed5d11aa7b09f85a44fdd32cfb06ddbf10
    SHA256: ee11f33fe4f97abebcec393d07751c5c0298c5b4549fa25957d52d1f16dbb8ef
    SHA512: e768c8ab60821011fee3ae4671de1d7464cbfef2db380db5a02ca21e7a82f64587bb97ea4fb48e1ecd708139e72860f082c9c5ba8c6af5167f9813a409a0994e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 9de3734250366bd9e0a1f01388eed2ad
    SHA1: f4b400d488bfd75d0c42b9a5c0f5d3cae38ea1d4
    SHA256: 5e84380aa14b7fde9f16e09b54241bb561d4f8ea9bff65b0c4bcd8340891a6ee
    SHA512: cfa14e3c6bbc08e42f61279d198542fa409c30bd2d0a2cd9b2597ef064897979adf0f84b70de97ba67989dece97fc28c1ca83940b6d607033b8ac246ebe48310

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 90b74d1a52ab10ccb0abf49bc5988a2e
    SHA1: 912b0770a03b11a3082b5e70284091ed32d88227
    SHA256: 4365f2ebe6fe1638f0d839e38c2d330659be600ff4a3895cd7bcda3b7a45d78e
    SHA512: 61480b6f752332cbe7774c0dc02105236c60eae67826268c6fd61ed9059a2ff66ba3f206aa04e6f59e2075c395f01902828ba80c012360f198c9d579d96c66d2

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 63472f516111c51f3c86ad74ab89dc6b
    SHA1: c23a376bd40a7230878bbc576d199bca84f8a802
    SHA256: c60249c28da28162bef18304f23921491c3692f14e070dd35158a6721f389b26
    SHA512: 2ed9b1f67c985d2ef7b7935ec9e009b4f027ae12bf55e7d1ecaa0dc17841759b1e0da31122d2a8c48b1f260b971763e1230397f44e7a603041752348e9c8eee3

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 6fcf41681686bcd4c40c741e57134fd5
    SHA1: 531e1195e57174aec4c6aa5bf1ab25831cd5817b
    SHA256: c7e104e436488b358d8f42bc1688888b6d82d97917c6eade6b8aedf6be5dc770
    SHA512: e4f0eee41b2cad88837c3de4011b4996c9017b52fb184c6e4ec99a482a89fb7000eb63994a69a1c0b3fd993615bf9364db68340c7a74a93a45f58fd618354b50

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\b0d64717ebe9ca8e5c0242b29132e88ac9fa2f52\883cba4c-75e8-4978-aa9a-7a2a9fab4f87\index-dir\the-real-index
    Filesize: 72B
    MD5: 25104e6d244e987abfa9e3d00b9c47ea
    SHA1: 505b344e3ef56b217866f18b43421ce27c618fa1
    SHA256: a80ba3475dbe378cc8a016e06e0d261b63b466e5d89e927c120f7477913f9a35
    SHA512: 3e0567511d8bdae80e64715a99cb1dccdd6518a076774ca79eb87767c2640c54e3af3be9b8212d164f536d7c7d5e3e37a4291e05b3cb227df6a7436a9d0119fa

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\b0d64717ebe9ca8e5c0242b29132e88ac9fa2f52\883cba4c-75e8-4978-aa9a-7a2a9fab4f87\index-dir\the-real-index~RFe57f1a3.TMP
    Filesize: 48B
    MD5: 3323d625e364fb558e696a336c5c0220
    SHA1: e5a9044095a4c578410507b800ba98b5a6049b56
    SHA256: 1b3bfc118602319cda5bd17bf386f0ca4a9b38b89872a03a908c528af4b37053
    SHA512: 5937f840e9c3faa7e1c2c5e8ef2edefb286e7412c9b105d403632dc189f9ee67e82d288c09404604366da753206de620e58e6c52754d8f283bd93dd56e2a1686

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\b0d64717ebe9ca8e5c0242b29132e88ac9fa2f52\index.txt

                                          Filesize

                                          116B

                                          MD5

                                          08efa6ee3bc4b9052e171aca1b2a97ad

                                          SHA1

                                          4f975c0f7e57e62265190ac73f4a5c3d069fc379

                                          SHA256

                                          7b9cd01ddd6e7e273e925e7f5e1e3a680d491caad0cb2371736ac666be3015ed

                                          SHA512

                                          3cad133bb3006c7d7d4301f14839f9a9df4a2303be4f3afd9206e0d5c87cc0db41aca9b9a86586169d5cfe84d75e30192d27cd7212ce8d8d3ab4bb5501e28274

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\b0d64717ebe9ca8e5c0242b29132e88ac9fa2f52\index.txt

                                          Filesize

                                          110B

                                          MD5

                                          99bba61204fbdadcd460ce8254a12334

                                          SHA1

                                          046eb9f82c4354ff048e1f52cb73f12770be14f3

                                          SHA256

                                          ba5d80d67c6f511bb1b4f298a07f15349a8d42e139e810e57b4028a5a6478f6f

                                          SHA512

                                          f95e3f06d4e07be95cf661c9a39c840404af65bbea07b9030d10c54b754758911120ba65fcb08764e960612ea13522bc6d0ee1be9dc8e3bb4741f80027104e9d

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

                                          Filesize

                                          14KB

                                          MD5

                                          130fd23b9fd7d0751c7cfeb37f760559

                                          SHA1

                                          4ee5e44140de419511e091a2661068b62a7c5fd9

                                          SHA256

                                          5194f460a8ffa4b95ee5760b722b74001c5b7e851ea59720570ef2e720f04cbc

                                          SHA512

                                          5c3b966e74c21366c5df438311aa50bab9980efb9f01a9e484e0e18db81511974cb17045f62c3699e358ff3094f1c4c478165de9b05ba485157d3a358e6fc8f2

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_1

                                          Filesize

                                          10KB

                                          MD5

                                          4dc058e380cbf7b360387be194eaa77a

                                          SHA1

                                          1d9c16998dae2ea69bc0f9fc425eed1e9218a547

                                          SHA256

                                          a66427172c72b9dffff26d96c49b12a2ffbb4e5259669db885fff0c995f11b07

                                          SHA512

                                          fcccafbb38165940b3c631279f73856296afd5140b23a9f9db396c3e5c3a24ab6c7064b83583d7022dc5a831437a06099c3b51d9aaf797f3d0e2d63fd7df557d

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                          Filesize

                                          72B

                                          MD5

                                          406588591316ddb12999351f59f00254

                                          SHA1

                                          66d7630ff996d24562bd30b3c6f6e61673ee5b38

                                          SHA256

                                          f8d622d075a1994674f82df5bf6e07f0fcad6cd125e9c56c401edb7c894d45c5

                                          SHA512

                                          f08f655a5daa78006582170cb77816ff10a09f1fb1557f34b3ed165537149bf15ec9a2b0a793685a126305609bc7555fce6eba7224e8487e69d386c64dc6b169

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f08a.TMP

                                          Filesize

                                          48B

                                          MD5

                                          f59099e3debb4a9a9b5a433295ef54a0

                                          SHA1

                                          8f8e73beb3102c451b8a2722af8478888c9d8758

                                          SHA256

                                          80f1d49609ef191f5d1c427a84af9ca11df48a1cc97a5ff0c79dafa996ca7d9f

                                          SHA512

                                          2b16ad95dba48d7a8e87e80f24b634c1232b396a72bfabc27f141814ef13796e96d2fd76bfc569cbf350924600fa02a6900f8fc016ceb252390249d08d33549e

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                          Filesize

                                          1KB

                                          MD5

                                          5bb7fdcf5fa04226902ab2670c7ffbe2

                                          SHA1

                                          f420d4243648ad063bf681dda544c21ba67aa4ae

                                          SHA256

                                          3929c51f5c794e5d1728ead4b70f44b5d6358b607fe1d4d3693352658e6b136e

                                          SHA512

                                          12564763725dad7ea8d9a11aa3904a5110f3036f54a1ce3a679095769d11c6ee50e2df2742a7f71a3a1e9ae9378862f7107e0ef59bc8b2a5abadf29f4defe134

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                          Filesize

                                          1KB

                                          MD5

                                          da66b098341793360ebb3efa2d5c6ce3

                                          SHA1

                                          8baf16cafc49ce86ae9382134d44add7a4533631

                                          SHA256

                                          46982a9c3aa6bc495a1980e6ed6c3381c03c057af4e737abc02839adf1c143e5

                                          SHA512

                                          9d58099ff85fe52d14e12f8a6fa59cf5d9ce082fe2657457896d3eaa14d7a4b17885f999a526ea50a18efb54bf796c597d4b0e5746c5c915b3e5273b2e1fae66

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581e8f.TMP

                                          Filesize

                                          706B

                                          MD5

                                          ba28842c8f788a2439524fe06d83d3e7

                                          SHA1

                                          b94dba1c77a9a3e03e877ca470ba2198fd6a43b0

                                          SHA256

                                          41f0614c3b6fa32df16d410ebabbe4b5fa68ba4e3b02267286d31ff42cc2428b

                                          SHA512

                                          35f2688f80cc4f79c3a995f41162b08f1e856493702074fa74917ec472ada881b1f9a32b278e5813b07960e39d65b4766f4e47ca4e876377b9865ec5249adc7f

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                          Filesize

                                          16B

                                          MD5

                                          206702161f94c5cd39fadd03f4014d98

                                          SHA1

                                          bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                          SHA256

                                          1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                          SHA512

                                          0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                          Filesize

                                          16B

                                          MD5

                                          46295cac801e5d4857d09837238a6394

                                          SHA1

                                          44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                          SHA256

                                          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                          SHA512

                                          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                          Filesize

                                          10KB

                                          MD5

                                          169779dbdbfb188bd14022c71f61ba1b

                                          SHA1

                                          8f89f3b1d889ae1293a147a030aff06998ded354

                                          SHA256

                                          862f0c95a902fa67820386825526e03145c5d449f0adef171e7dfa3a0a3b9f39

                                          SHA512

                                          23f16ff607b5f535600744a992b6fa3607b322ca6ef0343271d23aa49e58b130220b23375bff12ab8f50896058d271fc4f1e3173969291f9a91f87bcab44ef36

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                          Filesize

                                          10KB

                                          MD5

                                          a686d7e1cc52c067da3d07e46532cb1f

                                          SHA1

                                          2e145a2128f0c86e97498434399b1453f3f6475f

                                          SHA256

                                          9db145d08ba2dede2ea11a5a0b56125ac7cbeb2407a207ed09878a8e3610f9c1

                                          SHA512

                                          373261671a17e3f4dc5bc54bc8cf1e9e93d89f774e453d60c667b21656fac7f97a0be0acb55d271c53bafa96fe1aa9406b929382be4ff4f11bd57d268345e5d5

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                          Filesize

                                          11KB

                                          MD5

                                          404408db4a2416fbde4ed2a705e609ce

                                          SHA1

                                          2ac8ebc9e8085054cf68a84c711d4b9e163dcc41

                                          SHA256

                                          939f2731097d442ac927d5ee07f87d81e9ad4f70689f8c620a19cf0f7fa0dd17

                                          SHA512

                                          cd280d966732e15bd5f8c649856f3db3eb56d6ff849f19b8e3659a6a847b7b43f1a183347772a08256a3291e2f3c0a260c46355076710edce2f3087173e74535

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                          Filesize

                                          11KB

                                          MD5

                                          640506ce623dae7c3999c790f5c74483

                                          SHA1

                                          07675e3597ed7b0fe331720c82efeceea543ebf5

                                          SHA256

                                          8c0bcaeeecc265baddfab9c21f7c8b38ddc3e7081eb2772ca5df446bfae741d8

                                          SHA512

                                          f638e7230a947de90a788b17d01f9af8f7b6b6e9c435405b428cdfbfddad449ed649592d6ff647be179804e0d09c361886a9f19cbe0faa62d3415edc719b381f

                                        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Guna.UI2.dll

                                          Filesize

                                          2.1MB

                                          MD5

                                          c97f23b52087cfa97985f784ea83498f

                                          SHA1

                                          d364618bec9cd6f8f5d4c24d3cc0f4c1a8e06b89

                                          SHA256

                                          e658e8a5616245dbe655e194b59f1bb704aaeafbd0925d6eebbe70555a638cdd

                                          SHA512

                                          ecfa83596f99afde9758d1142ff8b510a090cba6f42ba6fda8ca5e0520b658943ad85829a07bf17411e26e58432b74f05356f7eaeb3949a8834faa5de1a4f512

                                        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaUI-Setup.exe

                                          Filesize

                                          827KB

                                          MD5

                                          ba506f8678f4d9fbb99dda4beacdb7f3

                                          SHA1

                                          2eb97ba4a0c8197287c192d7e5d10e52be06eaa8

                                          SHA256

                                          293cbe499c9225cd140993e77c42f76a2f06ef0b59739659b3c1bab727d5750f

                                          SHA512

                                          5ae2dee8a048f49bd09ca2353e6cdcefc9e7d4b3727d2e30d581a1163b7398910feb33ab8f463ffe4482bb109ce8d635411b1010e62d294d253b2f476d4ba485

                                        • C:\Users\Admin\Downloads\16adb7a4-d788-4b96-8cdd-b5e01a9b54e2.tmp

                                          Filesize

                                          1.6MB

                                          MD5

                                          aaa0815a139a84b11e846705e05bc814

                                          SHA1

                                          77d07cc005e031a6782f6ab7d44a30e035f68fe7

                                          SHA256

                                          284ff705a6cd2a91a146dc23e70967e12e6ef18a01dd9013cfe05a2b16fbae68

                                          SHA512

                                          24d083eadc2036d4419aead6c9fd0cac1ad093a6c587695b681c1c0f9e6de31cf01efc53984aeac04e9e6e137f5b883e085206b4f14e21c5692e07bef138b156

                                        • C:\Users\Admin\Downloads\NinjaUI-Setup-v2.0.exe:Zone.Identifier

                                          Filesize

                                          60B

                                          MD5

                                          f82e923383422bf2c5dc039bbb88efd6

                                          SHA1

                                          bcadc2f5c50c4530d20cc452ce68b5263d33a768

                                          SHA256

                                          1ef29ab910859be907ae4e419e92eea9e2782f6e24653e193423f597dbf67fde

                                          SHA512

                                          bbd3e024278fe97f6d61fcc4a694f447a9a733cb17e93146bf43d5d5fedbc5ff74de4f25d0b24bc955390d13e9ee8a6e6bee956ce2435c5d390984eef608471b

                                        • memory/1500-537-0x00000000067B0000-0x00000000069C2000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/1500-562-0x0000000009390000-0x000000000939A000-memory.dmp

                                          Filesize

                                          40KB

                                        • memory/1500-563-0x000000000A1A0000-0x000000000A1B2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/1500-586-0x000000000A240000-0x000000000A2B6000-memory.dmp

                                          Filesize

                                          472KB

                                        • memory/1500-587-0x000000000A2E0000-0x000000000A2FE000-memory.dmp

                                          Filesize

                                          120KB

                                        • memory/1500-532-0x0000000005B60000-0x0000000005BF2000-memory.dmp

                                          Filesize

                                          584KB

                                        • memory/1500-533-0x0000000005C00000-0x0000000005C0A000-memory.dmp

                                          Filesize

                                          40KB

                                        • memory/1500-531-0x0000000006200000-0x00000000067A6000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/1500-530-0x0000000000FE0000-0x00000000010B4000-memory.dmp

                                          Filesize

                                          848KB

                                        • memory/2312-604-0x000001795D960000-0x000001795DB72000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/2312-609-0x0000017960770000-0x0000017960792000-memory.dmp

                                          Filesize

                                          136KB

                                        • memory/2312-608-0x0000017960020000-0x00000179600D2000-memory.dmp

                                          Filesize

                                          712KB

                                        • memory/2312-606-0x000001795FF40000-0x000001795FF5A000-memory.dmp

                                          Filesize

                                          104KB

                                        • memory/2312-601-0x0000017942FD0000-0x0000017943096000-memory.dmp

                                          Filesize

                                          792KB