Analysis Overview
Threat Level: Known bad
The file https://modesoft.org/license-Key-Activator was found to be: Known bad.
Malicious Activity Summary
Stealc
Stealc family
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Browser Information Discovery
System Location Discovery: System Language Discovery
Program crash
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 05:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 05:19
Reported
2024-10-26 05:22
Platform
win10v2004-20241007-en
Max time kernel
136s
Max time network
138s
Command Line
Signatures
Stealc
Stealc family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2368 set thread context of 3472 | N/A | C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe | C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe |
| PID 6004 set thread context of 932 | N/A | C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe | C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe |
Browser Information Discovery
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\Installer\lib\LicenseSupportDiagnostic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "206" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\Installer\Installer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\Installer\Installer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\Installer\lib\LicenseSupportDiagnostic.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://modesoft.org/license-Key-Activator
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa57e046f8,0x7ffa57e04708,0x7ffa57e04718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5188 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6672 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Documents\Installer\Installer.exe
"C:\Users\Admin\Documents\Installer\Installer.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command " # Add exclusion path $path = 'C:\' Add-MpPreference -ExclusionPath $path "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "Start-Process 'C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe'"
C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe
"C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe"
C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe
"C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe"
C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe
"C:\Users\Admin\AppData\Roaming\DK3B0AU9.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2368 -ip 2368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 296
C:\Users\Admin\Documents\Installer\Installer.exe
"C:\Users\Admin\Documents\Installer\Installer.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command " # Add exclusion path $path = 'C:\' Add-MpPreference -ExclusionPath $path "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "Start-Process 'C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe'"
C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe
"C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe"
C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe
"C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe"
C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe
"C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe"
C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe
"C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe"
C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe
"C:\Users\Admin\AppData\Roaming\QFLXJCE2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6004 -ip 6004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 312
C:\Users\Admin\Documents\Installer\lib\LicenseSupportDiagnostic.exe
"C:\Users\Admin\Documents\Installer\lib\LicenseSupportDiagnostic.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,14412310237655825660,2679770793205889433,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4880 /prefetch:2
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3864055 /state1:0x41c64e6d
Network
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | b86c4f543fec0f21ca34a300f1e6c068 |
| SHA1 | e0eb1b979efadae87a510fff2f9f179023f9bc95 |
| SHA256 | 1f4a72cc7e17332006b32a94e578c65dea0666e5941a86f5ec0dba78feeb964a |
| SHA512 | 3b6b1f64235c661418c91e8b8d0ec7e8cf9530e3b951918d20aede77a4cc5f617e6505b1b241096131d9b229d4002e069423621a481686e15784a069f4ea4e93 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 67e486b2f148a3fca863728242b6273e |
| SHA1 | 452a84c183d7ea5b7c015b597e94af8eef66d44a |
| SHA256 | facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb |
| SHA512 | d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | d7a33d8054baf7263a358a5acce84254 |
| SHA1 | 3f59b25182295ef253eb073265b858b10fc602fe |
| SHA256 | 48b0eabe2daf893594eb5c2bfcadcd4f504ae1e6656bfc22996297a4f1ac7005 |
| SHA512 | 779e6b837888b5e24550183a6bdc69abe369d2535fb65ac078a6a4c703e9e4877ea52dd175adea0d3b1e0d55f44f27a6b52779542ef16de16c33340981425936 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | a817711a1d7a32149f5dd463954ddb30 |
| SHA1 | 08c9d017b75781e0dfacfd416bba262233a46115 |
| SHA256 | 5feba95b465b299a3f8fa61d6d8de94cb50cc68d60d4d3f5a3ad19c6438d28b1 |
| SHA512 | ac6c1d5c7baa679004d332546baf4279e196ee1eea6750e19bbb553bcce603837a9d425a757f92060bd05e07dad6ac3b17392f08cc7ccbee82c53d3556e9f50a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 971c514f84bba0785f80aa1c23edfd79 |
| SHA1 | 732acea710a87530c6b08ecdf32a110d254a54c8 |
| SHA256 | f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895 |
| SHA512 | 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 54a66c0525b7939dc2541059c4849f8b |
| SHA1 | 028ee9e81b68796a88c9f106e6afd64d9a461b5f |
| SHA256 | 6c4ea777fec8cf4ebed1ecd7fde660a6ffd7ac0dfbb0c5e889621d5d4371d07a |
| SHA512 | 6f344db225cd9070c26f876d49e57605e3eb154d068e6486d0c0f2e7e008caf5165c64f495ff227983067019a63d547834ab6be7a8f10a21c0763e3167ec008d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c209ea3902af6d57cc16d1f9790e900b |
| SHA1 | 728982f6a4b9e100e0f5cda4841f04682a31b7f3 |
| SHA256 | 8758068500aae8b8ea471378950e1aa0b1ee353b81ff24e73c7f00a61f7bf24f |
| SHA512 | a5452f49a927d55c12b8f13b2f22cab5ad5e2233d875f13885f07dcc61a46e4f3abc28129ab4b2d192dbb9e0f1f1be3232563605309244d60b33d3f993788e2c |