hxxps://www[.]downloadpirate[.]com/?s=clip+studio

Analysis

max time kernel
569s
max time network
569s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 15:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.downloadpirate.com/?s=clip+studio

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
244	CSP_221w_setup.exe
112	CSP_221w_setup.exe
5068	ISBEW64.exe
1672	ISBEW64.exe
4196	ISBEW64.exe
4924	ISBEW64.exe
2080	ISBEW64.exe
4532	ISBEW64.exe
3300	CLIPStudioPaint.exe
4452	CSP_221w_setup.exe
4564	CSP_221w_setup.exe
2520	ISBEW64.exe
2140	ISBEW64.exe
1720	ISBEW64.exe
528	ISBEW64.exe
2516	ISBEW64.exe
2420	ISBEW64.exe

Loads dropped DLL 18 IoCs

pid	Process
112	CSP_221w_setup.exe
112	CSP_221w_setup.exe
112	CSP_221w_setup.exe
112	CSP_221w_setup.exe
112	CSP_221w_setup.exe
112	CSP_221w_setup.exe
112	CSP_221w_setup.exe
112	CSP_221w_setup.exe
112	CSP_221w_setup.exe
4564	CSP_221w_setup.exe
4564	CSP_221w_setup.exe
4564	CSP_221w_setup.exe
4564	CSP_221w_setup.exe
4564	CSP_221w_setup.exe
4564	CSP_221w_setup.exe
4564	CSP_221w_setup.exe
4564	CSP_221w_setup.exe
4564	CSP_221w_setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
84	discord.com
85	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSP_221w_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSP_221w_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSP_221w_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSP_221w_setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
436	msedge.exe
436	msedge.exe
4864	msedge.exe
4864	msedge.exe
1448	identity_helper.exe
1448	identity_helper.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
2864	msedge.exe
2864	msedge.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4484	7zG.exe
Token: 35	4484	7zG.exe
Token: SeSecurityPrivilege	4484	7zG.exe
Token: SeSecurityPrivilege	4484	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
244	CSP_221w_setup.exe
112	CSP_221w_setup.exe
5068	ISBEW64.exe
1672	ISBEW64.exe
4196	ISBEW64.exe
4924	ISBEW64.exe
2080	ISBEW64.exe
4532	ISBEW64.exe
112	CSP_221w_setup.exe
112	CSP_221w_setup.exe
4452	CSP_221w_setup.exe
4564	CSP_221w_setup.exe
2520	ISBEW64.exe
2140	ISBEW64.exe
1720	ISBEW64.exe
528	ISBEW64.exe
2516	ISBEW64.exe
2420	ISBEW64.exe
4564	CSP_221w_setup.exe
4564	CSP_221w_setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2304	4864	msedge.exe	82
PID 4864 wrote to memory of 2304	4864	msedge.exe	82
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 4904	4864	msedge.exe	83
PID 4864 wrote to memory of 436	4864	msedge.exe	84
PID 4864 wrote to memory of 436	4864	msedge.exe	84
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85
PID 4864 wrote to memory of 228	4864	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.downloadpirate.com/?s=clip+studio
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c0d946f8,0x7ff8c0d94708,0x7ff8c0d94718
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1284 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7264 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7584 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7632 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1340 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12626034126900856894,12185867688142314199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1808 /prefetch:1
  2⤵
  PID:4004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4148

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap10299:144:7zEvent7014
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Users\Admin\Downloads\Clip Studio Paint EX 2.2.1\CSP_221w_setup.exe
"C:\Users\Admin\Downloads\Clip Studio Paint EX 2.2.1\CSP_221w_setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:244
- C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\CSP_221w_setup.exe
  C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\CSP_221w_setup.exe -package:"C:\Users\Admin\Downloads\Clip Studio Paint EX 2.2.1\CSP_221w_setup.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\CSP_221w_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:112
- - C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2ADCD147-4968-45CE-A053-AD7525F7AD86}
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5068
- - C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9A361CBE-CE7F-400A-8E13-B331E5E219F2}
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1672
- - C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0828719B-01C6-41AC-B9FE-7A4E8A0E4B0F}
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4196
- - C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B8A3A500-C904-404F-8C39-95727533F006}
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4924
- - C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9CE1D5C0-A3D2-47D8-8B89-7FE339290141}
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2080
- - C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{26078F2E-C1F0-4468-AAA8-62CC44393417}
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4532

C:\Users\Admin\Downloads\Clip Studio Paint EX 2.2.1\Crack\CLIPStudioPaint.exe
"C:\Users\Admin\Downloads\Clip Studio Paint EX 2.2.1\Crack\CLIPStudioPaint.exe"
1⤵
- Executes dropped EXE
PID:3300

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\926f21b0771342bab76bfaa3e59a9866 /t 2632 /p 112
1⤵
PID:2756

C:\Users\Admin\Downloads\Clip Studio Paint EX 2.2.1\CSP_221w_setup.exe
"C:\Users\Admin\Downloads\Clip Studio Paint EX 2.2.1\CSP_221w_setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4452
- C:\Users\Admin\AppData\Local\Temp\{1A0C702C-91DA-45DC-9C85-EA26DF0D64CB}\CSP_221w_setup.exe
  C:\Users\Admin\AppData\Local\Temp\{1A0C702C-91DA-45DC-9C85-EA26DF0D64CB}\CSP_221w_setup.exe -package:"C:\Users\Admin\Downloads\Clip Studio Paint EX 2.2.1\CSP_221w_setup.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\{1A0C702C-91DA-45DC-9C85-EA26DF0D64CB}\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{1A0C702C-91DA-45DC-9C85-EA26DF0D64CB}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\{1A0C702C-91DA-45DC-9C85-EA26DF0D64CB}\Disk1\CSP_221w_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{56EB48C5-0306-47C5-825D-E1F786FB3674}
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2520
- - C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B0C11BC-6954-4BC2-A24F-4538DC0671D0}
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2140
- - C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3B11E28D-DA54-4526-9AC2-A3434A09FB60}
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{77D42228-2C62-4696-9FD0-9BB05DB376B3}
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:528
- - C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0EAF89E3-051E-4191-8045-7DEBE875638D}
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2516
- - C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8453D38A-540F-4289-BD4B-FC45465EF9A8}
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\141f473e-2209-4cd9-995e-16a0cff98668.tmp

Filesize
6KB

MD5
2ea348a6de72f2e5369e08b0534768d6

SHA1
c4c8f140c41e8034c85666d9c70d91e0846390db

SHA256
201371d0d4eb65fea6d4ccac645ea952103f0afec9d451ae3a350b87a8cfdb3d

SHA512
c62757a823106be6336afc43442dd8c0401e192203dd60d6364c3ba107e01ed2d27d4465812720ee388e8d19c64d5b554f505ddd59d09c2973dff6dc3ea0fb5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000072

Filesize
103KB

MD5
b49bf67a210cb1e6253a2e7af985fd51

SHA1
6104015f2d4a8f5f63e4ad055d46d622b425ea57

SHA256
b5daf1d1c26a18a2eead87099d5a5e85b3dca643bd70627383bc0fda1d8f308f

SHA512
80e763836415ba20fe1815931fabe9d9cce12486eb803c6771e369e2489db9d89c4a9189f3afde62a891e7e9238e8d4b1f4fdcf08c0d5f19a2b1c2f47922c697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e210089a3265372d4aaf70c2ff765923

SHA1
7593ec7c8ccd2d0cb52d197f90e833b76678752c

SHA256
31fd8b827b6a584a76761b065a69a5bea60fc62fdc2c037b23809141440a8048

SHA512
160099579016d0eb560f3940beb3929f693eccb8fba3f6d705c060ba791d7c3a23682a23784c5b7079ecf8c19775f95d940b4abcdfa6c1859dc9a85bcfa19955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
0d362b752539e472456e85f76ecdeebd

SHA1
79ebaed7e9c91cb27dd0002abad5ac3cadaa94e5

SHA256
707dac40ac1d8b97cc5ce11801f59dabcf5e9cc8976d7a2213da8111fcb930b6

SHA512
0ed6f6704f958a37fb056b1c41f596bb80fac8a1d41f2b2b1bc8f7233785c0301dc9d75d15d6fee08e0a27f3da441ce21a1bb242d398cd2476a0ecbb8158f543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
cc8ff4890c51e5e4a79f068353666f1c

SHA1
8137eacb33e4ad16c17411e311e88dca41a0fca2

SHA256
5e72416213b8b49815f2caa3edfd67ea7081259c70201726eb1b3c2c4229a8f3

SHA512
f242422a154787a5c4adc9eaa878b32dee9c1d281f577d240f158c2efd17bb815614427168274326d07841fb0048903cfe20b4a995d32148a69fe65b7365e5fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
840953e37f24e452ab5c415a5527420d

SHA1
f0b9b823e9d10f2c1c2324290769c6387eb9d59f

SHA256
78245e615525c9dc6d51debdeb485ba2e3e5f457a712f0fcb74c7616514f869c

SHA512
5aa8f9e679188805d1ae5d0c20e3511d55291f798f96e35e5302df5e21898c2ac8b17671b39fa585944fc93e99a6d6309a29174e50fd0a9d29cf6a68bbec4b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6f7e435a9973e2e3af096aa5a5ceffe8

SHA1
c68cb93187b97dfb066b7d553f3e2f82fd84eb31

SHA256
549afb8477147a3b81673f389b2283bd5a2deaca6a23314710fea5ba6887fb26

SHA512
67a767a4a633f0e9d6593e40595303b8bae73701efaa4fbde3bff95826d6fcf776ebeb9bdc2a6ff7a1352ec09775de43f7388ce2c7202793af9faacec3770e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5bc893cef2fd78ac7cf3fc7c8a3bc7b5

SHA1
c196dd99734d3a325e463d13b20cbec2f1dd6cd0

SHA256
679a1c464e01df85bd5b0f67bd7b079504746bc11bbfd3926f0eeb38dcdc1cf6

SHA512
574da51fb1fbeea31eff90853eafe0b2e7452816d2bcaf187dce79b20a88b4455a32aed154bc085ab1383a26fc63ce1688a6861943666a491a56b191d05153c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
35ef62d32a87aa7c8e1a6ab82c7762fb

SHA1
658b16d9c3697e18957988e906a676a5c9268aeb

SHA256
af72c1f873f612679b92b9db048d502f19d7fa6d0d4ae5555cbbd3d89b92c1ab

SHA512
45700bfb852b0fe2c3f8d28078982cd9126fd955e08113a96707ac336291c316767d73d3aa4670d9978f200d125846980725dabdd8adf7540c6e4a61c0d92379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7d8a97f9b5e17819029c2255cddfd88c

SHA1
44326b48b276bcb509d18fac957594722cf25622

SHA256
5540491ce9743cc2f22990a8139cc36fb53eb56f7965a7364c8a757bee8350bb

SHA512
db52778be95109673f55c701b91a5d0accae90fec3a287e97b94b372fab16d84ee847f450c4a0495b7a74a1a2dc6aa0dee0de23196d6498485ff111ca58d7f44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
61854a72a492f4efc92c6776d15f32db

SHA1
68703b1f7fa74d3251c003c662269d87e33a9ecf

SHA256
618c7366c878f10d1aa7f461f7582c71b7427f452a5023d28936531f0e5d4cdc

SHA512
76a26aebbd7a756e1511b3855a756a8ea37852bbacf201f4ae3cc0c91b9bb8eaae300ba47531ba123a5cad0ee78b3bd1ad62630434c9fd7cbf5e52dbccbdd6a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
08ba06862b03c99f3a769dbaa3fa807f

SHA1
b3b2a3384ccde77e165838af184f75da432bf083

SHA256
6a71f381fda03548372ae6fe49a1817f6152fe63ce1d875b18c326cd1b403190

SHA512
8ecd70af6919e1ef137512a459df9b0c55e1c83ab0efcfe568668407bd8712fcac493299cbd665cca688e2f7adce4a384a3e2e82da763907ba9dff9a39c2f969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
715898a4009b4a01fc95912cab3d40cc

SHA1
c7f45c1b822ae25e0cb66490ab503f654a908c77

SHA256
943cd59da1d4d7252219e1604f67ff30db37a328fb86a598606ca27684a471b6

SHA512
2e3975c8178b15b4d6442401e56f06d87e56f80eebf3ceb8b7a0c72bab5aea470d24bbaee7bb03068fa3853e41916d31f6299091cfe12107fd6d31918b1900a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9b71baa9a77622badf631ce3f3021c51

SHA1
37d0f1a80659c4e70d95bbf08afd14f782a73bf3

SHA256
968cb4b8b5621708c243f97a75a041d1e0f633671d2d4247e213c960b0c2a0e3

SHA512
c842057f357df745978d2baa46dfd2d3b0987ad8ff89894640ab08d6e089ec8cba190c8bd0a0f7a2801584bc4d61ac938c63f650d4039fead8d2b14a0cebaf9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5b1cd5f932bedf1b64325a0345616b87

SHA1
4063c0eb2d5aba4c4e13ba04a356b786bc7debb4

SHA256
863d97e3ca07708ab9f1b783b84a5e998593cdb6327f41a57955b0dd7bb7763f

SHA512
48d7fe6c008c522502b382419e3698a2f0a4583d8a8f580f7b69109439247cade32919bb4e4ae9c26f4f17fc4d62ea6fbd4dd40837ba54bc8a6fb2dc85d6b22d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
050af40c40e2c0fb455ab0de2f7fb061

SHA1
dfbbf82cfdbc94ca17a516caa86cc63d21369ded

SHA256
900fd7e839ff3e5eb0f20966f3addaf7c44ace4d2cf82c4c5a1210f174ecf727

SHA512
c52bb25652a66ceccbaea4ad81e0f2f09e40a0d468f465fa90a92321526ded57e0be262f66ad7fc2370dc99994fe576942cb4dd9fee5af9004a9adb983d54f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c5999f5046182eafb4d044912446f493

SHA1
3784b8ceb744096f604e32792a2d85e3378f3c2c

SHA256
73f598c3fc21fed6f25a3f0fd2c887b1df679e53aec74767afa5a94d55bac4d6

SHA512
e20dee9d75a9e96e24a4b7dda88f06bb3d20bcec7bfe272f305d03db4dedba90f2f5b714df462aeb6601bd4274ef9e1658b5c5483a4a8ae61f6f78b593259e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581047.TMP

Filesize
1KB

MD5
8ec36b3d26ec2448ee1ce0b86f1db728

SHA1
c0b2eb085059621d357e511adab43c3cc4f0e745

SHA256
6c13a4699ba06751c198ab53ab47213d8cea7c76118c8dab2c2bfe31a0801bfd

SHA512
c8d4a6003bf49bd4c768c5ee41df437db2f3882ab69397d645d7ab7c066cabdf534cd44663b4bd696857b9f51f2c4c12ea2a527380438ce1b151dc2cdd2753b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b2d984f7199f7fc1e5ec6bc396b3663a

SHA1
a434be4d7729e674910a89627748ec5a29a3f47c

SHA256
06e1ceca6c0491608dbf538118e6b3b10a6ba99d88f84ee318bb2e3304bcf15b

SHA512
99206a46dcf35c617148d51d54e87c878bdec8c65113299c3f06ca1297dcb5edde1201bcfea3bbdc3ae26c7ee4e40ecb5a487052dc66b80c40acd7c5f27d34bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dbc4d32b73748eb6466d54e8091bbd5c

SHA1
1b2aabe9c0637d75b86a7fe9f735ee459edce759

SHA256
36f168c94551d9cc6b9772cac9b266ab312a70f3dcf03c256247dd64dd823b32

SHA512
0240ecf1fb2500c03420c05b064e930912af128dd07c9baaefc8f9566048516f614d6f44e19a2803dd444cd1e17bd84c34d12672135a84d82e8ca97107212fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
44abc8b8a5bce14b42c9f5e3eba56cc1

SHA1
6cbfb0866e6440bcf833590e83f4cc0c1bc20fc4

SHA256
fcc410ffbe071deadcb1bb57da429fb4029b45f0f51f59c4691b32195646ad87

SHA512
3d12002338cd1a64916b42275170d63fcee4c1cbb77cc2f4968dbe7d0bab0a99b8a5958311bf20e7e4d4eaffd1f2906b77d3afce801cf852b79fe19f5cee200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fe0065df080a80333c646ae851f36897

SHA1
e068a9f7b7e8ed642c9daed5b13033ce66c38811

SHA256
30a3a28c930b7f60983cc63af92e70484a2e846adba621bde8d765cfe7466aac

SHA512
3b33b9f79beb947a0df60a4f0d74763e505ed3d86e32a5f09b1d27319a1ff0a6028f393c86744a062a8591a04c9f9200ddce8872c7c7d13b783c52466f0153e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9bf1cd6d5ac8470cf8f114418c7a904f

SHA1
ab8c12e9bd247f6930a6f505b501d30b35c4e1f0

SHA256
8a722699374da1d2bcddab3e097853339e53f0bf6436941f5a62cb68f61c7dfa

SHA512
feb0892ebb1420d6f2558cd4cef1acc975f0154f5f69ff6e458efcb87179e18277215127a48144907d27ac6e0afbc6e7801e2d8a7324624ae4e4d5e7160c99c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\DIFxData.ini

Filesize
84B

MD5
1eb6253dee328c2063ca12cf657be560

SHA1
46e01bcbb287873cf59c57b616189505d2bb1607

SHA256
6bc8b890884278599e4c0ca4095cefdf0f5394c5796012d169cc0933e03267a1

SHA512
7c573896abc86d899afbce720690454c06dbfafa97b69bc49b8e0ddec5590ce16f3cc1a30408314db7c4206aa95f5c684a6587ea2da033aecc4f70720fc6189e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\FontData.ini

Filesize
37B

MD5
8ce28395a49eb4ada962f828eca2f130

SHA1
270730e2969b8b03db2a08ba93dfe60cbfb36c5f

SHA256
a7e91b042ce33490353c00244c0420c383a837e73e6006837a60d3c174102932

SHA512
bb712043cddbe62b5bfdd79796299b0c4de0883a39f79cd006d3b04a1a2bed74b477df985f7a89b653e20cb719b94fa255fdaa0819a8c6180c338c01f39b8382

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\InstallshieldSupportModule.dll

Filesize
184KB

MD5
a65d3f22e82802871d3f698fc1016f21

SHA1
dc17fe50a1b1821f5f251114897faeb889457398

SHA256
2a27b247c1387082036bcd83fb20dbef9d923b0ffa56573c093d0b71edf6d57b

SHA512
08054d4ccbf3c1f6c40e338c273908ac3250a23399328ed645a7bfd79fa28293db59718d8114316a2263345347d03f772b390980c24ef78acced69d92030a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\_isres_0x0409.dll

Filesize
1.8MB

MD5
47883e42b1859329eba55075290a2c5a

SHA1
7cd7c1a82aa8a74db7926129e3844cefdf79376b

SHA256
ead0b66d81c87d26cf530ec5833d04d11782aa01adc9420ad939f492e2ce016c

SHA512
adc92de860d2f09013ce03a13af941e38ba569e89b53cedfb7fb25abe3d3654c173e70cc86407646df13cb7da14557e788ea2d2ce6370c01f885d73e6115048c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\_isuser_0x0409.dll

Filesize
356KB

MD5
c81b5e793fa21b31197c172b41861786

SHA1
ad0d7341aa32dc46cd4527b2678d85d2a12e7147

SHA256
8d489f364507c339a78b88a2d1dffa24d04d9932425d6e3654c1e0b6696c1e6e

SHA512
df2bd7b181c784f87131d8fbf2acba4810db1b28d40db00fff7999a3d0262a8d6c2b15cea3f18161f6793e4c5ddd50ac4ef4dec06b783d9141015cd7fe7f6c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A017DA34-22EC-441F-AAA9-0697F70B570C}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\isrt.dll

Filesize
430KB

MD5
e9208322f81fc26beaaa5a73cafda4a2

SHA1
11863afbef0456bf0e8c8bfab1cffad0356f80cb

SHA256
0fe47b313616738f2d0864d17d4c7ba1fd0778c8f95d741989d597fe23d6cc7c

SHA512
a32193f7ba02faa959de9949c332c716949af674b353a43e1dce846747492eaa818963c28afcaf837e757f93aa98a7f244177a5afd204ad6b54d6006e522ec68

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\CSP_221w_setup.exe

Filesize
945KB

MD5
407de055f83d1d5b2aa1c9b7f779951a

SHA1
18ecc0b2c1686f43f7f6d6b6ae1872157c15ab7f

SHA256
0bad6d2a163af16e8f8c46485bc6b95bf29a9cc0316e1eee16e0501d4a88b979

SHA512
6408bd71a5508f07b33b844e87397e6814bf5deb4025894827aa52155a316cfd4b2a4314edd39138c143ab1619729bf35133a6cd320c630700602ac95005e919

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\0x0404.ini

Filesize
10KB

MD5
cd658d92df1ad180483136cd6960e7f6

SHA1
0d2808f19c659312372386276bb8dec386b2b638

SHA256
5d31e009a36325032ab1521d2b1ca1a5be89bb969d1948d4fe99c387b1055db1

SHA512
84540ddb853c9dcf49c2abe931601884f744c341d33f2f615f9d3290c41ead9d0709e0882358d5326b87fa25adf61ea1ff7a2b9bad52bfaab18b31d08047da31

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\0x0407.ini

Filesize
25KB

MD5
1f71deaf7e3c298f4c4112db5e7ac029

SHA1
2d653e79c55e31cd00af51313a7b07aed123ab04

SHA256
b4d2bf8ddeee1e2acc5dfaa14ac602a69f52195c38eab4660408fd879ad41a56

SHA512
e0c0fe70904f768ebd191cd8aae285a7e851ff5e5ee3cbe5b78a708b6f378db33f499291eb89ee268fd3b3a694abaf6826162571aba74a6837f65c95a8078666

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\0x0409.ini

Filesize
22KB

MD5
1196f20ca8bcaa637625e6a061d74c9e

SHA1
d0946b58676c9c6e57645dbcffc92c61eca3b274

SHA256
cdb316d7f9aa2d854eb28f7a333426a55cc65fa7d31b0bdf8ae108e611583d29

SHA512
75e0b3b98ad8269dc8f7048537ad2b458fa8b1dc54cf39df015306abd6701aa8357e08c7d1416d80150ccfd591376ba803249197abdf726e75d50f79d7370ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\0x040a.ini

Filesize
25KB

MD5
b216bc7b827622578e60b0b37ce9c4c0

SHA1
18eb706aa172440c783382fb317dcb2ef7d04e2a

SHA256
4e42d96cf24224d3ed43e7e14227b96fde3b43235636480f8861db0b048ffddf

SHA512
e4211ee47bccf98369b7760502cc04e7c036e7ee8eb8a29143519c35cf5295f9984ee8de1fc8d7e93352119f9cf5fcb3412b7e3749b1540fd38af7d996ab0700

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\0x040c.ini

Filesize
26KB

MD5
9a10eddf9169f9508688eace7b9e7797

SHA1
fe256fc1dd6a26478a7d06712d789d3f0db431d5

SHA256
d31b120f79c2fb8cd6f3fd7ede220a30ca3bb84e4d3c8b05c1bcc833734d13cf

SHA512
c3d5534e5edd819c03198ec19ab17bd90f29b33bd2f35a7f26e09ec4d59750065c4c3820efa2b6c8862e2fc00a0cf64fa928abeb62a3688b399eeb275de3ae5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\0x0411.ini

Filesize
14KB

MD5
b807ce7552e96dc1928775956b9f422c

SHA1
d25122157365130bebae6497617d28cd86e8c638

SHA256
3f0778538202a35483c084fb0b109f693a9853f64d6452daa5c92ac75620aadc

SHA512
bb06ca5784e77ceb15331c5c6a9abad27364b1c5b800f229cd7b6d955fb120cbd7879c299508b606760f714b17a4a50aba333ccf6da7fb9bcd88b50772f64f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\0x0412.ini

Filesize
14KB

MD5
59b2e4a2d3898f3e4f49186ff150e26c

SHA1
42f49643ef257d3ba2817af5731a165b42c42bfd

SHA256
9416c7b55d1fd9dc06f20e1e3ebbac1357217113833553d49586e339360529c7

SHA512
e6601b583567291088f1c522adf38dbc3408855463429354c7ceee2a46459c76daffc3db1f770e4979a59b88cea43599f88eb9b4dd170cf337008039775dff62

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\0x0416.ini

Filesize
23KB

MD5
eb6dae1391cac22014afd6ccf4c2c333

SHA1
0476104dff6077de57ed24d43b2d4f8a74b6ad3e

SHA256
af54db26c9464b7a610d7eb73f06f36b43ac51e879ac4d21a1c70eb4524a2b24

SHA512
d40a5478056ff3a59e06dc779166baf144eb0db33819180fc6ac47808f49a2249158d8e5cf106c654ce42ab71b6f6f16c3b9777a6b445b1297f741affe09f587

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\0x041e.ini

Filesize
22KB

MD5
733f697e11797f50f950b08701a0c1ec

SHA1
e24d6f9064dfa404739485647a5bd8c6b7165579

SHA256
372dc097b80442810781d777cdd23296a0558be58b3418f4ea088cbcd7f661b2

SHA512
edba839537d63713d6dd708384296d4b6d995dacd9d01813063810e230deafc166baddb2c987442f7985b01a283454a7f5fa4076ebc276fca03c95d175091fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\0x0421.ini

Filesize
24KB

MD5
94afe5b2ac909992f6b7e3c629815d7d

SHA1
f6cea0560818c77d9de5447cc0d5e24da12e52bf

SHA256
af34e34cb979dae26a2ed08673e0ea20fcdb5d1f7ee9acf42f93afe16a64521c

SHA512
5acb1c761a392b96588c5c223e25497a80a7ac7cf8d80e5efb55bdb225544e8adbaafd1ae1f51bc076a29e7d7bf229ac57c8728b969f68b15678f1ccf8445826

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\ISSetup.dll

Filesize
1.6MB

MD5
5cdde5ef3d9213487b85387234c15d6e

SHA1
239ac4468a893b4395915ae21d3b6845c19099ec

SHA256
d8a99b6714a2fe6abd69dfd65dd1a868a87b7197952a0e5b090c9a4821bbf969

SHA512
85fcae4cf4b59066cde0cb07a0048952a5cc6485373bc07b194fe60c39e3e89b9815f3e9bffac734e12ba18f143a804fe8085e354bd5e06cef7d5d03fc0d338d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\data1.hdr

Filesize
521KB

MD5
661e20f85a3acf1880c91fa8bce8e5de

SHA1
1064cbe6a1cb4fb2e390ee186a24e9078f6edc1e

SHA256
e8a065a77d25455941198a51390a79aae7797fdcc9d521fc76deda8db3c12304

SHA512
97f0f0966c7ba12c3b0fadaf32a5cebfb8e74ce1041d8b575e486707cd0c9bb04e8840673b8106f96d32de6e51aab1f43a4c0572d42eab7fca86120969e9dfa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\layout.bin

Filesize
848B

MD5
a60e895ab88f4b33ac8f46031f083956

SHA1
e61ca5e47972f6f5ba83283160f973a1203a5c72

SHA256
988a9d22c777be27145f839f6f51a204a731f25ba12d188eb7468a372bd8ecb9

SHA512
d8fba721a364c5bbfea93cc88dbdacaf80af573558d9d704147b55026389a1cfbf6f1aea2cf1b4520ce59e29de0ffee05a9c71a89375e3a7a8c516c2df7c84ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\Disk1\setup.inx

Filesize
263KB

MD5
b8cfa9610ca6b8498814f7c5d3d3ff29

SHA1
ecb355b8110850359e789b01276c67868a6fdb74

SHA256
7ed6ee16411c860855b5ef8e6672f8cbe68b04f4c844924c1f675bb2873c2341

SHA512
9e7ad885e444b7f9218ff96e32eae3d613c8a341e66d24a01fede972554c51ee736610937b534acef854c1aaa33a53966fddc3035cdaa46524f7ae4c62ac5c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3925081-883D-429A-B3E9-2A8AA5677D7E}\setup.ini

Filesize
2KB

MD5
fc8a0ac43218330f118424a64f5f0cd0

SHA1
36ec4fb5f86e521ad67519f2eb6195981ab4ac5d

SHA256
ea239b8e11fd28a85387e9b7a5324a60fd29fdbf113aa9f89f62096b6bef101e

SHA512
fb6d3aca0781e3c9c2a174abd9f4ba6de2536cff28fc3905c3cb9f19a9d5ff637066acbd19560579b1d73f43b92b0cb695f81d3f0853e3548759f539d67108b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\ISB6E7C.tmp

Filesize
182KB

MD5
cb279e894409aef5f9410d7d8d113c54

SHA1
300c199084e171880bb206a5f5c11c7a5b15744f

SHA256
e984815636a4f457069b13e5d2ab02ddbbc692e26dedba4d74bb9c9172a89232

SHA512
a58962ee7d9499da216c1f6d93ce27ae4b759ca605469fd19ae48ae926cda909d5d3762345f7304132d9c1eb3407797bb21498dc2bc10b0eb6fee5a87657126b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\cor6E6A.tmp

Filesize
63KB

MD5
09d38ceca6a012f4ce5b54f03db9b21a

SHA1
01fcb72f22205e406ff9a48c5b98d7b7457d7d98

SHA256
f6d7bc8ca6550662166f34407968c7d3669613e50e98a4e40bec1589e74ff5d1

SHA512
8c73ca3af53a9baf1b9801f87a8ff759da9b40637a86567c6cc10ab491accb446b40c8966807bd06d52eb57384e2d6a4886510de338019cfd7ef966b45315ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\dotnetinstaller.exe

Filesize
27KB

MD5
d87f3f761278d84bdb18560c2a22ddda

SHA1
d27adac09353f77a609f7f6e202a991e42f79f20

SHA256
3764ba7792bb5e391a54e86e8df3dbc19f79f2d798fb9ff1830c0b411e1e7d32

SHA512
1755580a7d5c6853ce3b86a485d24d1330ed1a958ddfd40d4e62b4b8f2bd36cf52dcd49ffebf1e8f1bd6f9db94b37369140c01757c53ef9fd1eeac845a0cf547

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\dotnetinstaller.exe.config

Filesize
146B

MD5
db722945ab9c024ce55e469644393824

SHA1
191782b3b4c7bd21fabb3d5b655b7f2dec2f4f56

SHA256
c7e5bdc4b79f7f8c68c5f09c0c055e97fb8c62fe1b5d469b3527ab6b767c8df2

SHA512
40503c28296ceb68428e327ac79326579c067511638263a477534b8e33341f24e2944077accdabb947981980f91604b71b6715a1488181b9c48515ab81271ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\Str6E8D.tmp

Filesize
8KB

MD5
39c5edd9f48e9aac5998759b7d94e0cf

SHA1
8576a119564823514e76b18120d5d2991f6dc902

SHA256
34f1639e8db83c8e9f09202758e591723a837de28fe215cb0f43317a25f4f487

SHA512
b2158566dd8d8720d2c57b75f781434bd087e58b89614871c7aaf5ad3bcb30938302ce9c7b8e236ffc4590b6f6afd062808b744ca39955ae1253a43cca7825e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E01AA5E8-9F15-4367-A1B1-95084709FC24}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\def6E8F.tmp

Filesize
1KB

MD5
0abafe3f69d053494405061de2629c82

SHA1
e414b6f1e9eb416b9895012d24110b844f9f56d1

SHA256
8075162db275eb52f5d691b15fc0d970cb007f5bece33ce5db509edf51c1f020

SHA512
63448f2bef338ea44f3bf9ef35e594ef94b4259f3b2595d77a836e872129b879cef912e23cf48421babf1208275e21da1fabfdc494958bcfcd391c78308eaa27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
b9cfba30ccf2270b21d4ed4916c967ad

SHA1
d8e3d0d2f36f56916f088a3d9446db2fac00a8b7

SHA256
192a01c02cacada4a06a88402878972628cf6ef3512f8af190a0114130edf909

SHA512
87dda84de528b236dee60b48eaacb9bafd7ef746e96940da12a05fbafa8bc592b64e5481769dc77717595de09a0f5690de5d4e88627f4d0a72af216ee02d8307

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
9KB

MD5
c537de54286805fc3ed12a3ad61867bc

SHA1
1d84aa00ff76e5291d065c6f67e862a9fd923eec

SHA256
f14aacf73cbc8ad8fd33f41464a4bd328289c9e2e2447a1e4e3825212c248287

SHA512
07dc6148abbf794e85fcf1d167ed0857c5911b88733d2b94dae2c81a6090512f60998cf9f7af5557dd4bada5496aae9f4692c961bb265fdb10a2a2fe6a23a475

Download Submit
memory/112-1141-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/112-1090-0x00000000052F0000-0x00000000054B7000-memory.dmp

Filesize
1.8MB

Download
memory/112-1083-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/4564-1258-0x00000000051C0000-0x0000000005387000-memory.dmp

Filesize
1.8MB

Download
memory/4564-1299-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download