Analysis
  max time kernel: 115s
  max time network: 214s
  platform: windows10-ltsc 2021_x64
  resource: win10ltsc2021-20241023-en
  resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  submitted: 04-11-2024 22:08
  Static task: static1
General
  Target: kreo q zi.7z
  Size: 922KB
  MD5: ec516db688f94e98d5141f4bade557e9
  SHA1: 198ffbae5eed415ac673f5e371774759f1a53de1
  SHA256: 282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd
  SHA512: ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985
  SSDEEP: 24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU
Malware Config
  Extracted
    Family: quasar
    Version: 1.4.1
    Botnet: Office04
    C2: hola435-24858.portmap.host:24858
    Mutex: e51e2b65-e963-4051-9736-67d57ed46798
    encryption_key: AEA258EF65BF1786F0F767C0BE2497ECC304C46F
    install_name: Client.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: Quasar Client Startup
    subdirectory: SubDir
Signatures
Quasar family
Quasar payload 2 IoCs
  resource | yara_rule
  - behavioral1/files/0x002800000004506d-2.dat | family_quasar
  - behavioral1/memory/4656-5-0x0000000000F90000-0x00000000012B4000-memory.dmp | family_quasar
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  - Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | Client.exe
Executes dropped EXE 2 IoCs
  pid | Process
  - 4656 | kreo q zi.exe
  - 4816 | Client.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 8 IoCs
  description | ioc | Process
  - File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
  - File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
  - File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
  - File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
  - File opened for modification | C:\Windows\SystemTemp | chrome.exe
  - File opened for modification | C:\Windows\SystemTemp | setup.exe
  - File opened for modification | C:\Windows\SystemTemp\Crashpad\metadata | setup.exe
  - File opened for modification | C:\Windows\SystemTemp\Crashpad\settings.dat | setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmplayer.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unregmp2.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 12 IoCs
  description | ioc | Process
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies Internet Explorer settings 19 IoCs
  description | ioc | Process
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
  - Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
  - Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
  - Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7B9B7566-9AF9-11EF-96B2-FED1C665BDC9} = "0" | iexplore.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  - Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Modifies data under HKEY_USERS 2 IoCs
  description | ioc | Process
  - Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133752317200927351" | chrome.exe
Modifies registry class 8 IoCs
  description | ioc | Process
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | Client.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Opens file in notepad (likely ransom note) 16 IoCs
  pid | Process
  - 6044 | notepad.exe
  - 7744 | NOTEPAD.EXE
  - 5356 | NOTEPAD.EXE
  - 8168 | NOTEPAD.EXE
  - 7196 | NOTEPAD.EXE
  - 7816 | NOTEPAD.EXE
  - 7952 | NOTEPAD.EXE
  - 7636 | NOTEPAD.EXE
  - 8048 | NOTEPAD.EXE
  - 8020 | NOTEPAD.EXE
  - 5420 | NOTEPAD.EXE
  - 5672 | notepad.exe
  - 8092 | NOTEPAD.EXE
  - 7188 | NOTEPAD.EXE
  - 900 | NOTEPAD.EXE
  - 6820 | NOTEPAD.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  - 3144 | schtasks.exe
  - 4900 | schtasks.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs
  pid | Process
  - 5580 | POWERPNT.EXE
  - 5352 | vlc.exe
  - 6620 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 12 IoCs
  pid | Process
  - 3020 | chrome.exe
  - 3020 | chrome.exe
  - 236 | mspaint.exe
  - 236 | mspaint.exe
  - 5400 | mspaint.exe
  - 5400 | mspaint.exe
  - 6000 | mspaint.exe
  - 6000 | mspaint.exe
  - 5652 | msedge.exe
  - 5652 | msedge.exe
  - 5632 | msedge.exe
  - 5632 | msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | Process
  - 5352 | vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  pid | Process
  - 3020 | chrome.exe
  - 3020 | chrome.exe
  - 3020 | chrome.exe
  - 3020 | chrome.exe
  - 3020 | chrome.exe
  - 3020 | chrome.exe
  - 5632 | msedge.exe
  - 5632 | msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 36 IoCs
Suspicious use of SendNotifyMessage 26 IoCs
Suspicious use of SetWindowsHookEx 36 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  C:\Program Files\7-Zip\7zFM.exe  (PID 3820)
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  C:\Users\Admin\Desktop\kreo q zi.exe  (PID 4656)
    "C:\Users\Admin\Desktop\kreo q zi.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe  (PID 3144)
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  (PID 4816)
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SYSTEM32\schtasks.exe  (PID 4900)
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\mspaint.exe  (PID 236)
        "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\CompressResolve.dib"
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
      C:\Windows\System32\fontview.exe  (PID 5084)
        "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Roaming\CompressTest.ttc
      C:\Program Files\Internet Explorer\iexplore.exe  (PID 2340)
        "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 1704)
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:17410 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\mshta.exe  (PID 464)
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DebugCopy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        - System Location Discovery: System Language Discovery
      C:\Windows\System32\WScript.exe  (PID 1872)
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\FormatTest.vbe"
      C:\Windows\system32\mspaint.exe  (PID 5400)
        "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\JoinExit.wmf"
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
      C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE  (PID 5520)
        "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Roaming\MeasureRestore.pps" /ou ""
      C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE  (PID 5580)
        "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Roaming\MeasureSwitch.ppsm" /ou ""
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
      C:\Windows\System32\notepad.exe  (PID 5672)
        "C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Roaming\MergeUnprotect.ps1"
        - Opens file in notepad (likely ransom note)
      C:\Program Files\VideoLAN\VLC\vlc.exe  (PID 5352)
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\SendInstall.rm"
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5632)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\StopLimit.mhtml
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5836)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff805a746f8,0x7ff805a74708,0x7ff805a74718
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5588)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,1417792300327238791,15799818021476200431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5652)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,1417792300327238791,15799818021476200431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5172)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,1417792300327238791,15799818021476200431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4520)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1417792300327238791,15799818021476200431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5232)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1417792300327238791,15799818021476200431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      C:\Windows\SysWOW64\mshta.exe  (PID 5524)
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\SubmitOptimize.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        - System Location Discovery: System Language Discovery
      C:\Windows\system32\mspaint.exe  (PID 6000)
        "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\SwitchBackup.bmp"
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
      C:\Program Files\VideoLAN\VLC\vlc.exe  (PID 5360)
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\UndoDismount.au"
      C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 6620)
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\WatchGroup.dotm"
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
      C:\Windows\system32\mspaint.exe  (PID 5496)
        "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\CompressResolve.dib"
      C:\Windows\System32\fontview.exe  (PID 6188)
        "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Roaming\CompressTest.ttc
      C:\Program Files\Internet Explorer\iexplore.exe  (PID 6236)
        "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 7068)
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6236 CREDAT:17410 /prefetch:2
      C:\Windows\SysWOW64\mshta.exe  (PID 6524)
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DebugCopy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      C:\Windows\System32\WScript.exe  (PID 6500)
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\FormatTest.vbe"
      C:\Windows\system32\mspaint.exe  (PID 6692)
        "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\JoinExit.wmf"
      C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE  (PID 6760)
        "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Roaming\MeasureRestore.pps" /ou ""
      C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE  (PID 5956)
        "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Roaming\MeasureSwitch.ppsm" /ou ""
      C:\Windows\System32\notepad.exe  (PID 6044)
        "C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Roaming\MergeUnprotect.ps1"
        - Opens file in notepad (likely ransom note)
      C:\Program Files\VideoLAN\VLC\vlc.exe  (PID 5144)
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\SendInstall.rm"
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6724)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\StopLimit.mhtml
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5492)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x108,0x134,0x7ff805a746f8,0x7ff805a74708,0x7ff805a74718
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6852)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5612)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6976)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6860)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6644)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 7632)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:14⤵PID:7792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:84⤵PID:7400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:84⤵PID:7852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:14⤵PID:4656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:14⤵PID:7408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:14⤵PID:8340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:14⤵PID:8348
-
-
-
PID 6156, depth 3: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\SubmitOptimize.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

PID 6288, depth 3: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\SwitchBackup.bmp"

PID 5156, depth 3: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\UndoDismount.au"

PID 6548, depth 3: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\WatchGroup.dotm"

PID 7540, depth 3: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\vcredist2010_x64.log.html

PID 7568, depth 4: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x108,0x134,0x7ff805a746f8,0x7ff805a74708,0x7ff805a74718
PID 7636, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt
- Opens file in notepad (likely ransom note)

PID 7676, depth 3: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\vcredist2010_x86.log.html

PID 7700, depth 4: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff805a746f8,0x7ff805a74708,0x7ff805a74718

PID 7744, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2010_x86.log-MSI_vc_red.msi.txt
- Opens file in notepad (likely ransom note)

PID 7816, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log
- Opens file in notepad (likely ransom note)

PID 8048, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log
- Opens file in notepad (likely ransom note)

PID 8092, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log
- Opens file in notepad (likely ransom note)

PID 5356, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log
- Opens file in notepad (likely ransom note)

PID 7952, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log
- Opens file in notepad (likely ransom note)

PID 8020, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log
- Opens file in notepad (likely ransom note)

PID 8168, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log
- Opens file in notepad (likely ransom note)

PID 7188, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log
- Opens file in notepad (likely ransom note)

PID 900, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log
- Opens file in notepad (likely ransom note)

PID 5420, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log
- Opens file in notepad (likely ransom note)

PID 7196, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log
- Opens file in notepad (likely ransom note)

PID 6820, depth 3: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log
- Opens file in notepad (likely ransom note)

Note on the "likely ransom note" tag: it is a generic sandbox heuristic that fires when notepad is launched to open a file. Every file in this series is a Visual C++ redistributable installer log (vcredist*.log), so the tag is not evidence that a ransom note was written; treat it as noise unless the file content says otherwise.
PID 3020, depth 1: "C:\Program Files\Google\Chrome\Application\chrome.exe"
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

PID 3612, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff811b0cc40,0x7ff811b0cc4c,0x7ff811b0cc58

PID 3220, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1924 /prefetch:2

PID 856, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2396 /prefetch:3

PID 3496, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2428 /prefetch:8

PID 4668, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3172 /prefetch:1

PID 1404, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:1

PID 4420, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4600 /prefetch:1

PID 1080, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3692,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4724 /prefetch:8

PID 236, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4532 /prefetch:8

PID 4708, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4868 /prefetch:8

PID 4928, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4572 /prefetch:8

PID 3600, depth 2: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
- Drops file in Windows directory

PID 1916, depth 3: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff71fda4698,0x7ff71fda46a4,0x7ff71fda46b0
- Drops file in Windows directory

PID 1420, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4424,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4440 /prefetch:1

PID 3928, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3280,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4052 /prefetch:8

PID 1016, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4580,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3348 /prefetch:1

PID 3000, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5420,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5388 /prefetch:1

PID 7944, depth 2: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4016,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5184 /prefetch:8

PID 2548, depth 1: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
PID 4900, depth 1: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

PID 4248, depth 1: C:\Windows\system32\AUDIODG.EXE 0x4a0 0x464
- Suspicious use of AdjustPrivilegeToken

PID 752, depth 1: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx

PID 4656, depth 1: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx

PID 3832, depth 1: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow

PID 3816, depth 2 (image: C:\Windows\SysWOW64\unregmp2.exe): "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
- System Location Discovery: System Language Discovery

PID 2820, depth 3 (image: C:\Windows\system32\unregmp2.exe): "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
- Enumerates connected drives

The two unregmp2.exe records are the one place where the image on disk differs from the path on the command line: the 32-bit wmplayer.exe asks for System32 and WoW64 file-system redirection serves SysWOW64, and the SysNative alias is how that 32-bit process re-launches the native 64-bit binary. This is normal Windows Media Player first-run behaviour, not path spoofing.

PID 2436, depth 1: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

PID 2180, depth 1: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
- Drops file in Windows directory

PID 5716, depth 1: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx

PID 5932, depth 1: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx

PID 5160, depth 1: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx

PID 5324, depth 1: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx

PID 6036, depth 1: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx

PID 6344, depth 1: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 6544, depth 1: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 5812, depth 1: C:\Windows\system32\OpenWith.exe -Embedding

PID 5820, depth 1: C:\Windows\system32\OpenWith.exe -Embedding

PID 5340, depth 1: C:\Windows\system32\OpenWith.exe -Embedding

PID 5856, depth 1: C:\Windows\system32\OpenWith.exe -Embedding

PID 6076, depth 1: C:\Windows\system32\OpenWith.exe -Embedding

PID 1616, depth 1: C:\Windows\system32\OpenWith.exe -Embedding

PID 6580, depth 1: C:\Windows\system32\OpenWith.exe -Embedding

PID 5244, depth 1: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 7008, depth 1: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 7448, depth 1: C:\Windows\system32\OpenWith.exe -Embedding

PID 8980, depth 1: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy

PID 9096, depth 1: C:\Windows\System32\svchost.exe -k UnistackSvcGroup

PID 8272, depth 1: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

PID 9196, depth 1: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

PID 8208, depth 1: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
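The raw export of this process tree fuses three things onto one line: the image path, the quoted command line, and a single tree-depth digit glued to the ⤵ glyph, with the PID either on the same line as `PID:<n>` or on its own line after the `- <signature>` bullets. The Python below is an added example, not part of the report or of the sandbox: it parses records in that raw layout into (image, command line, depth, PID, signatures) and runs three illustrative triage rules over them: a script host (mshta, rundll32, ...) handed a path under a user-writable directory; any process opening an active-content document (.hta, .ps1, .dotm, .ppsm, ...) from a user-writable directory; and a low-confidence downgrade for the "likely ransom note" tag when the file notepad opened is a plain .log/.txt. The sample input is a subset of the records above, copied verbatim; the host, extension and directory lists are assumptions for the example, not the sandbox's own signatures. Note that the tree only shows these documents being opened, not who wrote them, so a hit is a lead to follow, not a verdict.

```python
"""Parse a flattened sandbox process tree and flag records worth a closer look.

Added example, not part of the report. The record layout is inferred from the
raw export: image path fused to the quoted command line, a single tree-depth
digit fused to the '⤵' glyph, and the PID either on the same line ('PID:<n>')
or on its own line after the '- <signature>' bullets.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER = re.compile(
    r'^(?P<image>[A-Za-z]:\\.*?\.(?:exe|EXE))'   # image path ends at the first .exe
    r'(?P<cmdline>.*?)'                          # command line up to the depth digit
    r'(?P<depth>\d)⤵'                            # tree depth fused to the arrow glyph
    r'(?:PID:(?P<pid>\d+))?'
)
PID_LINE = re.compile(r'^PID:(?P<pid>\d+)')
PATH_ARG = re.compile(r'[A-Za-z]:\\[^"]+')       # file paths inside the command line

# Illustrative triage lists (assumptions for this example, not sandbox signatures).
SCRIPT_HOSTS = {'mshta.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe',
                'rundll32.exe', 'regsvr32.exe'}
ACTIVE_CONTENT = ('.hta', '.ps1', '.vbs', '.js', '.ppsm', '.pptm', '.dotm',
                  '.docm', '.xlsm')
USER_WRITABLE = ('\\appdata\\', '\\users\\public\\', '\\programdata\\', '\\temp\\')


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    procs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':              # bullet residue between records
            continue
        m = HEADER.match(line)
        if m:
            pid = int(m['pid']) if m['pid'] else None
            current = Proc(m['image'], m['cmdline'].strip(), int(m['depth']), pid)
            procs.append(current)
        elif current is not None:
            m = PID_LINE.match(line)
            if m:
                current.pid = int(m['pid'])
            elif line.startswith('- '):
                current.signatures.append(line[2:])
    return procs


def triage(procs):
    """Return (pid, reason) pairs; at most one reason per process."""
    findings = []
    for p in procs:
        name = p.image.rsplit('\\', 1)[-1].lower()
        paths = [x.lower() for x in PATH_ARG.findall(p.cmdline)]
        user_paths = [x for x in paths if any(d in x for d in USER_WRITABLE)]
        if name in SCRIPT_HOSTS and user_paths:
            findings.append((p.pid, 'script host given a path under a user-writable directory'))
        elif any(x.endswith(ACTIVE_CONTENT) for x in user_paths):
            findings.append((p.pid, 'active-content document opened from a user-writable directory'))
        elif (any('ransom note' in s for s in p.signatures)
              and any(x.endswith(('.log', '.txt')) for x in paths)):
            # The sandbox tag fires on any file opened in notepad; a .log/.txt
            # outside a user-writable directory is a weak signal at best.
            findings.append((p.pid, 'ransom-note heuristic on a plain .log/.txt file: low confidence'))
    return findings


# Constructed input: a subset of the report's records, copied verbatim.
SAMPLE = r'''
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Roaming\MeasureSwitch.ppsm" /ou ""3⤵PID:5956
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Roaming\MergeUnprotect.ps1"3⤵
- Opens file in notepad (likely ransom note)
PID:6044
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\SendInstall.rm"3⤵PID:5144
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\StopLimit.mhtml3⤵PID:6724
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\SubmitOptimize.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:6156
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\WatchGroup.dotm"3⤵PID:6548
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt3⤵
- Opens file in notepad (likely ransom note)
PID:7636
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4a0 0x4641⤵
- Suspicious use of AdjustPrivilegeToken
PID:4248
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy1⤵PID:8980
'''

if __name__ == '__main__':
    for pid, reason in triage(parse_tree(SAMPLE)):
        print(pid, reason)
```

Run as a script it lists five PIDs: the .ppsm, .ps1, .hta and .dotm openers from AppData\Roaming, and the notepad instance on the vcredist log, the last one explicitly marked low confidence. The Edge, VLC, Chrome, AUDIODG and rundll32 records produce nothing, which is the point: the rules key on where the file lives and what can execute from it, not on which application was launched.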
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize: 471B
MD5: e7f30ea0d4abadc537ad833327d33750
SHA1: 3d251a1aba0a1b91fa5f13f8b800b5915fe3267a
SHA256: 4a72fe98ba64c84956c9198f0e57ef0c3bd7252fc1ee90ebd4b95d3d2c0bf060
SHA512: b010f3138775819f691d4e3f47dc4bae798a3c32432f47d12e16a286897e04764cf68a79d70d71e476a1ff1cacc72698652e5b3fa80211fef6b2ef9452bc0602

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize: 420B
MD5: 1de8e9a83c4383b33d5a6f5d5083dd2b
SHA1: c95612528e5e530fe6129bae1a77345cd079e066
SHA256: ee6a4a1faf8a8ceecbd3403905335a36bf66630307dda31181ad7183e2c46ccb
SHA512: 384e2deede23034652b3cc1432c4d9c53ada07d5dd29147162ce7715f61f96276e172d230b3f854f256765e8dcf278924408899b645424b564d2678cfc6ac31e

Filesize: 649B
MD5: a06bd7899313bd6d7d80245bc1f3489f
SHA1: a379bc36e7991a0c47fcfd388f7e6d3062fe682b
SHA256: 0bac12b361d9a780ebb2a37c7bd9cee699ff9076bc3f33664c4191aeb3782dac
SHA512: 80fec1aaa95cacc67d0cc5a8db0a2341889870a8996c90916b7f8929f7839b84585ed5dfec77fc5492acc217881cee3bd609c05b8c75268d9a3be8ae5497f1d9

Filesize: 120B
MD5: 70197b581103e441f1da6418908f8852
SHA1: cd0b59216748444414f25b56655c10fc976878dc
SHA256: 75517a05f42246767568236bc535eb7b0290874fdbac9a8c5d40c09650d1f9a7
SHA512: 105aa4561205cde07a8860c75b350fd9a6ed4798a036bfef03a3741b86334ce959f1c85ddf33270d90d491b33e8dcdf301e1dd40dbee541a0266b85d3b1105fc

Filesize: 936B
MD5: 5125503aca0c33bbf5372e1dd5dbe4a1
SHA1: 1978cfe490dc1c2bc19b9e8a19b743b57de1b77f
SHA256: d38f8516e759065b866bbe7a232bf572e90b87a6ee9eeac0491b687278718ea8
SHA512: 4bc7008cff4469ed6889a5b75e15751ca0cd1a962d927adff77a0336ab674d11812781b0a271a35cfc0d305d723537ac4d94c39e7b1a9987f28e897a516558e1

Filesize: 5KB
MD5: 4a18e3a48a96e68fb11f2a267fe74aa3
SHA1: 2071a236eb6c480984f26f654d70dfc0838039a9
SHA256: 40e52d13997a58d43b822c98b14f158a3876f6844f547383d1057ed587a91386
SHA512: 7ef1f5fae9ead9409bd8bd537b20126637c86849fa2cc278e1cb590efeaf2b2caef029ac3813de56859db7f916d6665661e4d2ac116b474d3b34fdb8fe5c6d27

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
Filesize
356B
MD5f5b877c0c783fc45e801c14da934fcbe
SHA10fef52c24ec9f99d0ee427388dd3673533a616a2
SHA25663117f6e10818c0ce00e965ae680090e81af45d47416a336deccfbd98e3dadc3
SHA512b75b2df15212a87757aad8014f400fe3551ebe48b42017ca870b973326a4bfa9fe0c10d522c57a6e5915e5b7784906d4a975cf61ebc17b45445bbae8ae3e91ed
-
Filesize
691B
MD5ce4bdc0165d6baf2af641205fbc46789
SHA1326a20cd2268c18947b39fff5e0677333b455508
SHA2568f9d4124178dffd8fb7aac08220a290d5e5cb050248f0735a1097ba0c42a84a1
SHA51281df1d6139a74b85dd16722e9ebb36d025cd4dbd56593db8e6a30cd870ce5d76ea1972aefe39fd85bd28e09a7b6a4067016da4b60736f08be9c32fceaa09b0fc
-
Filesize
691B
MD5047b0646f1871e1fcfcb4c075520afd1
SHA193fca3e62c614d5fbe4f0cdaf6f28c2825541e9a
SHA2569f36fe604d2293b8a6944f70a21db5e68200de1bd92859de647367367c341c2f
SHA51233860c7f06cbf5b95a65565d47c3485e8f27a9e96986c18dd802c8993e6c5b5f42d1652faac338e56e17d384bc231e97d7d2fbb6db11b4dd2e6effee4e895c89
-
Filesize
10KB
MD5bff8bbdce35ab73b9515effd7aba30cc
SHA1bb45438eebf55432cac539845f8ee9986a0ec3f3
SHA25624cae338854ddfa17527e6fe86f523941bd0978b6a86481e0384df6c4ff19a41
SHA51276074fe861ee5418908f8ae8001fa42cd8635692de6fe6bd2d58d45b768993ba3bec0e38e0d8f2b451f5b4e04da3bb5ab421d01bf5f444d2f328419b4a40ff21
-
Filesize
10KB
MD53174b799bc2055dd135a625322b76d26
SHA1fe288ae266049487d8f551af55b76e0487aacbdb
SHA256fdb22554d184ae5ccc31d4964fb2c9ed10d92f1002c0421fdb3601ec0ead6007
SHA5128f3fbd1d30a7a642ef85178e2e15186c7d239fb50a51ce02a5b640efabaf1468aeb0020d70a4f7b287df76c41c1d0ef14dd086a06a90fa2eb08a253bf12269c4
-
Filesize
9KB
MD565bd48cac619208dc4b280bfb5c20ecc
SHA1554aa7070619780d72052b7fc5ae91b10cc6f3b3
SHA256b37bd9a8579c1d87516ae8fc4d40a7cf788c70c8c82116792ae2d290c77c66d3
SHA512c09b647d8b12ddd241d16ed18969d42543bbbb29494d875b7628b02c3562895ebd70c593194c7923ab4a6dd717f16d6b7778dac82cc8049e1f7bcd856bf42fa6
-
Filesize
9KB
MD5876a1b186f071f08066245ff45d1120a
SHA1377ba1bed1d31ee25ae6d33a9f50820662be8940
SHA256f0758567610c01a37f3f2968e6c128e97e2e62cbd342912a952ae3abefef2f20
SHA5125ac3c525660062518cd650e1f7e8b4f64ca75e1b0722c94f7183e95cd6ba4ad520040414e05a8e075771e87508e45034aa9929a293852ab0adeab12d1cdc8aca
-
Filesize
9KB
MD57edcb01eb51b266fcc2ceb50197fb365
SHA18f1d5b689305b1f353b5712dd0f963dfed144efd
SHA256359d082e52dd2177e08d1e61b81d69af6be50702b8a0c6f597a214661ef71603
SHA51265997945d0ba64867297029c75c505ad2339b43ce9665836af9e618ce884341b04849a6f0aa69db018bd2f5469f5174b69ad06462ce15e8c2f1baff141d99d52
-
Filesize
9KB
MD5da61b8fc060d3c4595946695b39e8589
SHA10db564bf283dc008f73b0168d0db1c8315b5aa80
SHA256fb6a9ad785972e23c15b337b9d038e1f14b08d9dfac18f6e3460e648e16b9222
SHA512b52ee82fd87476a155767637892d9416ea11c02b0a8dc6b798e24f191add182813ed5804c91091d25ddac48f8f8b797f6a79738403c455018d994dbf83464789
-
Filesize
10KB
MD5543d3307852a4286f764b054e8de492b
SHA1e37431d7d442662614bbc288859bf5c16ecc2121
SHA256efbee8655698540e2e4f48234989c9e13a491a9685098104130cb751f6f91b3d
SHA512dd41d61022c790dc5d60f9373cc97ac47c18ee75cfc233d153c9ac9116d5bf4ed89131d234e28ca35e89b68847e77beb2aacccfb3a54a3b32fa70061ea67c361
-
Filesize
10KB
MD595e018f71864e5a39d49250977c8569d
SHA1c4e5c017ca1758fad08990073d664c1354df3934
SHA256b9f5f5aeb119891ad84a33f248e01512eda15cd5d68086efe439c67df6a4075b
SHA512dd9289452c77ff7a330ed373eb5377b91e664531a4e4ae75ddd1f54b9f900f8d6015fa430d8b3263df0a0303866893614bc56a38bd383ff36df4a63b552b7c3f
-
Filesize
10KB
MD5a88e7fdb770496c1034705eda1485596
SHA1a86c7d3e993c4c50ce44cc50a7f0c714d9c3c500
SHA256d1f405c7e2e5aeee9f2ab8a6b2fdd1b3002b2ef02d285921fe108b9adfbfecef
SHA5125af783eec5780b2973b3c8442b56044129326f02403f88fef766863166ea6ea6b19b54115d9748435a0b355d731ac5d00274fa97da84b2af92d208ae31aee706
-
Filesize
10KB
MD57d7342763db87fb549171994cd4ca651
SHA1a9a33dbc592558f07717ce553c17c5d03edffb24
SHA2560571ffeb022325e1cc7a5c83d741ba6d032b57fb680da56b720eaf3e546257f2
SHA51295868cf076a5152a7bb3d55753f212351be7442564121839e30b52af6cb2dd1c39145298f9ffd3b924a1766d1d195d3d3b7655385bd00d2fbfa1cf755120cf3d
-
Filesize
10KB
MD5eae6dc67fe69da1e3ac50656a21b01a4
SHA1bf637b48a324c7d4d32bb7fdea7faa7b9b3d3b1d
SHA256ff25e3c46028439bc8b2cd99d8cdcb4dc69c3dc51833b399b92b50430b4633b5
SHA512a35b400eb7b90bcbb1f27af55ce9e1025b9e929ba93a5a863c9647bdc4fbaa43c4508d1a750ee4b9b98f397b85708d7eb9adb4e0e1475969ea05bcd48d449139
-
Filesize
10KB
MD5e10596b0a2b61cfd587d4fcf01d3f4fd
SHA137b1720f107ceec6b8ca6dc4d7c8b2e80694b7d0
SHA256a89a2ce15547660e1ca81c57c6d5074f43c96b529445c418d3678c909c357ba5
SHA5129e418eab0e25fe82411846c7a999e30559424a4b9a61b6e0ac6478a8d97b3ad4bdbc8f431fe5113d363b5751bff55ece719c6685b872e9ecb97e5e030103fc62
-
Filesize
15KB
MD5eca0a91f01f956c02299d008be40bbb6
SHA11e13cb21b97f0ff998132116ab484cc007dcd7d5
SHA2568c887c0233a8100153da878510804ffe8f3aae83d4bac176e095cdf44628e674
SHA512eff6aad87d7e4ba42f528d2d28e9881de2442fc7b498aab17a68fee2f5fd5d9696b1c16e8f7eaba5c5ea67076f1a7feaa8d60925099fce07f02448510642391a
-
Filesize
232KB
MD5aaa3c54176b3ece0e1bf31bdf35c3145
SHA150d2cd41490a329d404edb5733f93ef90194a5b5
SHA256fbeabab9d35b1c0c8d5f0aa376eb844924d0467aabab0dffc77f5ead849addcf
SHA512c6f7206c0e77118ea55c944664a34d9fefb43802627a84d45ce6e9f36a76eec296a4ebc909b8d6b2043b6a0a689747112503ebf72016df1cff59f6cd91b001b8
-
Filesize
232KB
MD556c6089453b246e1ce12181804b8c49c
SHA1680e94c5c3dd5cceaa92d1aeaeacab8ac3f8923d
SHA2560c1c6e6bf4a88ee877f74ab855b092c34ca885723586af576e197f87a6f5980b
SHA512ed0d22d288ecc6989f69ef80a10660ad3406cd2606ccd9b53719cff5256478f6d4779005825647e2de23e50185313b476f7f612b60facda6645897462a811da5
-
Filesize
152B
MD53a64c98dc7daad5ad686b126bc41fc2b
SHA163ac1632e77c36bec84bdb0155f299040a409119
SHA256d485dae02e838f24b027b13ea300898a64b8773c27cc95f9e3bfb49beebe694b
SHA5123f2d5146750452c323e87296384e8492e2d43fcfc89d570f5a091973a05bb9593390014480258115ce784e586c17fa3a30ef19668006d75b4675b9f469d9dea9
-
Filesize
152B
MD56752881d65e75771ec1bcad0c25fc5cf
SHA19fc9c7e4cced40b2b42a87485cc181b1eff6f41b
SHA2566e3837a43f1a40b3f87500a437e71ffe5880a8a0ec7bfd1e6aaf1ddd30677cbd
SHA512bedbfce436aad2d02bd6a8d7d338c628bc330dadfc521554de188991f80ea389f01784f1f7ad29bc5b12ac7c1ee022450260d472ee97f23c6672079366fd3b32
-
Filesize
152B
MD5e87625b4a77de67df5a963bf1f1b9f24
SHA1727c79941debbd77b12d0a016164bae1dd3f127c
SHA25607ecc7bd328990f44b189112a1a738861b0f4528097d4371e1ab0c46d8819f4e
SHA512000d74220ba78628b727441c1b3f8813eec7fc97ff9aa6963eb2ab08d09525fa03935b32e86458c42e573b828a22b0b229af02b47eee511dc83de4ed3b5e726b
-
Filesize
152B
MD55d9c9a841c4d3c390d06a3cc8d508ae6
SHA1052145bf6c75ab8d907fc83b33ef0af2173a313f
SHA256915ea0e3e872d2b2e7d0e0ca30f282675139c787fec8043a6e92b9ef68b4f67d
SHA5128243684857e1c359872b8e795a0e5f2ee56b0c0c1e1c7e5d264c2c28476e9830981bb95244f44c3b2ed334c3e1228f3d6245cce2f3d1f34cdbce8e2af55b4c85
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\31f72edb-a55f-45dd-88d8-8b51ae157ee3.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
6KB
MD58ce82dddd55b3a90eed2eb296fd46f27
SHA1a89e5d8ff102b9495835d1edabd674e9142b08d2
SHA256c5e10b0ff51b6d2a14823a5019996911db04fdc8faf98bf3c463a3c2ec7469ae
SHA5121cf0d0eaab489e914790db43d689555b718de2ff74116a4446349b7a70f82e4716f8b1cf06977dcbe1e8a904855be68e01f1b5f1024eed8833a99fcebfd0b117
-
Filesize
6KB
MD5eda2dbde6c417857f25ee2058c974065
SHA19c461fc1034f5ccc2af7c4654c086fdb36b516f5
SHA256080d6c7bfe4782ab12c7cb7651910804421384502000741865e16b9710750d19
SHA5121fa6f620e45a32c167a0caa8b12926378d9a249dece7472c81f22623ab22b8a0c8e06b08dd854c9f514a7c037147db9592eda38fc59d5334c00e06012bef8f43
-
Filesize
4KB
MD5c8f2ab16317eadc44966286e716f3356
SHA1d91c7c131a8ac6a9454628e054106b463100cdab
SHA25629fb1edc8e7a12aba4511941aac39962ff4298d64ea8b4d041a1f55e59986e15
SHA512c5cbadbd253d50822630d5809e67d4213d8a0d03e49b043f8e07e1eaab8a10837b9882db86b0de28598806cf75bde7c3290ade2c86ec3117ec215cd8f4ba399f
-
Filesize
6KB
MD5f77894b95498f83759b05c926db4c0c0
SHA1b705220a9c59dfb3e8ea4124c57e5523ed06f7c9
SHA256ade7f04b31bee4bdd37266f7fdd9d2f68d6bc2851a1ab105ddcac74f68108511
SHA51237915df71b757baab3b85dd38eee58eff36a27434ca4f4ee15c3e590d13a80a54de480b3025fbf5c8e998f727bd0ac00b5d76c50467405b4a202862280f36124
-
Filesize
5KB
MD5c9d2f6438da9d01af0c15818aa34839a
SHA19deb0d53d3197fef5a6067f6acc0bbce9c637772
SHA2567954bf03e1a612f65674fd34265d94e5c45263ce6a4b40223d2b6e223dd8454b
SHA512bf5f6763c98486fa78d1223138106b818e9b402cb4d8b4102243d69f598a960c30a2c1b9b584c6540e0a88fe6cd46387b72b65d0ccb742bd2beeedb92222c0f7
-
Filesize
6KB
MD5e18e159bb895831305e19cbecc5ff032
SHA107870e3643bcac557d26e5b3f0cd122830ce4f17
SHA2561cdcd3a430f4e962f5b79f29cc8788902127189faeb1c7c65c379250035d2007
SHA512b7ee7f0f70ecdf0c9c2c3bcd0d82e339cc39d9650406d1b2681282f4db843365ff92d99279f1d9a918ec08dffab17cf0e8d0945b3bc4be539a53a5626f13ae9f
-
Filesize
24KB
MD5137094a3453899bc0bc86df52edd9186
SHA166bc2c2b45b63826bb233156bab8ce31c593ba99
SHA25672d823cac2d49660cdd20ebf4d3ac222c4dd15aae6e5ac4a64f993ef5c4fdd44
SHA512f8f149c9eab06e8d7e1aa62145f0fc588dc36fc521ef4dceceb80a191b72d79586d920feb5f3b1d19595109cc6d608c143e32f521a4da1068c708a2538899ada
-
Filesize
24KB
MD5794620ec1e79ac9bc9a27ebbeecb08ac
SHA1cf365eeeb64a25fe763ac078edfa5ab9c321d789
SHA256b3356f0ddc460c6b00366420f51c6bb83c286362f073e7943a1271b4a2c3e58d
SHA512613096da233853fd5116a0b94d2bcce62ae83900a23d3e64e4b0b9ad315a173eda178a288611e37c37d6b9e2a5af3af14b25c36c70eac78149846822fb3d012a
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
8KB
MD506c545848b613d3e7acc253d7350bce8
SHA14dea75d127428ad335aab8f7d8f58c3e21017525
SHA256a3c1b49590361f46896c676109a4b74784b190d113f26a9fe1cb666975a06599
SHA512015e0320b705d234676528a4ba430cde0cd4ab44d03f9d52497db33f6316ddd3ad49fd4673e2278724e369b37e273cb0374513cd9611b9cc69a3848ef445e3f6
-
Filesize
10KB
MD56d79d24a33fd5f70dba69880bb45bad6
SHA1bed1a6ae58b0602b37c3ca793cee4ae28a2397e8
SHA25602e143b122d87a5755ae1344e25be85227b157a84959741673824f988557fb0d
SHA512dba1234ad959dceacc32db4eaa8584200dfad4c8c6bfcac94108fbeb20ce95b87bcaad1111d1eef519e8602a0ac2658fc2c30455159f4ad865175687abb92e02
-
Filesize
81B
MD5f222079e71469c4d129b335b7c91355e
SHA10056c3003874efef229a5875742559c8c59887dc
SHA256e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00
SHA512e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize126KB
MD56698422bea0359f6d385a4d059c47301
SHA1b1107d1f8cc1ef600531ed87cea1c41b7be474f6
SHA2562f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
SHA512d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d
-
Filesize
40B
MD56a3a60a3f78299444aacaa89710a64b6
SHA12a052bf5cf54f980475085eef459d94c3ce5ef55
SHA25661597278d681774efd8eb92f5836eb6362975a74cef807ce548e50a7ec38e11f
SHA512c5d0419869a43d712b29a5a11dc590690b5876d1d95c1f1380c2f773ca0cb07b173474ee16fe66a6af633b04cc84e58924a62f00dcc171b2656d554864bf57a4
-
Filesize
29B
MD552e2839549e67ce774547c9f07740500
SHA1b172e16d7756483df0ca0a8d4f7640dd5d557201
SHA256f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32
SHA512d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982
Filesize450KB
MD5e9c502db957cdb977e7f5745b34c32e6
SHA1dbd72b0d3f46fa35a9fe2527c25271aec08e3933
SHA2565a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4
SHA512b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
64KB
MD5987a07b978cfe12e4ce45e513ef86619
SHA122eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA51239b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa
-
Filesize
1024KB
MD59ba7eec1a0ef66b2a1d77f9d4a4f9148
SHA1c2fb078357abba1d256ffa997d175b0145b342c2
SHA2564d60190954afc2dabdb90eaddb764c444681dbbd9abe09264270ae94d3b01b8f
SHA512dbe21461443f1fba56375e6b8ce679ca5687be2fc70eda4c3adf4865d31cff8823d280f39bb8e9ad517a3295cd851eb582f0caf8fa54c8768517cf78e0808758
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7F45C47E-4D3B-496F-8338-96241893DA79
Filesize174KB
MD52ca8eab8b94c85dd227c240523ca5a4c
SHA1bae3df058ba3fc0691b4a30f107685f33bf84cf2
SHA25630fec4f893f2b9ceb0e80075c1a06296c456085b8324f37caee89d8fdc310230
SHA5129b5a62efa10f63309667601485e25cceb619c7aa1ea97ccba52ed9c069cb2533c40d2993f352c51db016524a4204f57e21c39844e8fe1ef7ed2be799af3e9dd9
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD5c12d9afc7d3cab604390ec3caba1e9b8
SHA1d21bd1cbb679cb18176b34c6334ed8312bb6f808
SHA25668c1c8bc4661ae8cef4892015589c32c2d555b950fb86f5d9cd9ed1a2e3e7c6a
SHA512e18d9f2b96e76102583fdf1a28541e90d31f21a39d1019e002c7d61fd764f800eebf2dfc002686e7ec73a3739a5d3caa6a5ee1f5aca5dbb36c1b960754a62a68
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD5fa7eed51df213c96be21ce7dff5faf72
SHA105a45d88b15652d5c9e96c4aa3efeed64555db99
SHA2561dd61269a99bcdcf5045d2b075e70facbad663543095242c3abf9be1526febdb
SHA512f0be83cb177e8cd44e9cf69e209ecce84c048d6f3be285270b5e0aed6734490c970e7a525ee2b8c4505842a3825dac4131d12199e3d8f147ae6e4f8d816253f3
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize4KB
MD5a0669a91fda9685fcf408aa61d65670c
SHA1198e40953f2f7c63a1f56365710912efd9cc925a
SHA2565ceeef62ff0eb9c39f102d7f831ad88448c52777325b2ac809cad7dfabbead15
SHA512f0b8c9fc4c05dfb08dc0feede8e73af58a63a8ef8b1cb8b7818b4f63c575b318f2f4b289dca5e11240043b950134f3578a66983a0e7935fbb1a76aa88d79ab41
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres
Filesize4KB
MD5a77d7b36b82f2d854c32f6d332cc70be
SHA1d6f782d9cd0a507c61f99e2999f804da4ba3d163
SHA256b6c69c1d92803ef753cfa832fcdc7319226e04058a5ce34d3d3e9c0e9914f36a
SHA5126943e356b162196dd5f1999e70be256f6f5b9e66988c6f0af25fd4e7015906297ee352bf7f2e655654a88eb8a13becf64ae2fa069400007c7d6580307475b3fd
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MLCJZEP1\microsoft.windows[1].xml
Filesize97B
MD5aa62b4fd04cd733971e64f76e26da9d5
SHA1de13193a8ae2bbd9b6c0caa29ba6f2de0209b61d
SHA25618f34a370d6a5beeeca1c341e834a0e72d0629556b3e318100a3a674913bed3c
SHA5122a9bfb8679e34c2a42b99461e815aaa44d2064fa10274c017b106f738029316d0af20a482743e1e100f140b04e53beff679a6c264f3500e56a22fce415b14d5c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0953e579-3b34-4ccf-8a95-c6b6f2c9f44e}\Apps.ft
Filesize1KB
MD56c78adbcc2f3ba7a2ad306983176414c
SHA1484787d9aef671594b4d91b6c7d2d5c215f46260
SHA2568f2abe81c4d834b96b5e39b504949cd04aef23e290309b413f501b396efd381a
SHA51269bb126822ee7008d30135f7c216bf364e8e70ec5ca09cff58671d3c29081f467719bedb172cc14962aeeef22c34fb7e4c4a6aed26c26691a4cfef3816138c69
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0953e579-3b34-4ccf-8a95-c6b6f2c9f44e}\Apps.index
Filesize879KB
MD55e4ec42046e35b20c1b8d97c17926572
SHA1d0f371a97b676240bd90f9fa1a0b14f97f9b1016
SHA2566a8c0c8cc58a866d0b874926f0ff1e2034a60bb18a2c584dd7f100be49c0febc
SHA512d8bc115f3e0632aa6df6d1ca949e53a5724eff26c9d42d90686df0aea777a00b6c3d1738adf7807c7c752f5f702c4bce1bee158d1f9e765a0148c960ea0113af
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{dc1a9cbe-c4f4-42d5-bd29-d3ab508dd04f}\0.0.filtertrie.intermediate.txt
Filesize1KB
MD58609241ac301971b563b8864447f5fbc
SHA181b1e9382f7012f2441efcec40a5aabf46f34397
SHA25694d0c4ea1f705b557a8dd983931ecab83f4d19e691669f2723781d406d38a282
SHA512e536d2ae24ee17df34e28bcd1220f20901ec9b19a6f69b0c87f82a6535c813737681496927d9bea0b90e33b7c8236c77790a55d9a8514f5084ed3ad16d71c554
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0c659d54-271a-4305-ba10-9f17baea6525}\apps.csg
Filesize444B
MD55475132f1c603298967f332dc9ffb864
SHA14749174f29f34c7d75979c25f31d79774a49ea46
SHA2560b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd
SHA51254433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0c659d54-271a-4305-ba10-9f17baea6525}\apps.schema
Filesize150B
MD51659677c45c49a78f33551da43494005
SHA1ae588ef3c9ea7839be032ab4323e04bc260d9387
SHA2565af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb
SHA512740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0c659d54-271a-4305-ba10-9f17baea6525}\appsconversions.txt
Filesize1.4MB
MD52bef0e21ceb249ffb5f123c1e5bd0292
SHA186877a464a0739114e45242b9d427e368ebcc02c
SHA2568b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307
SHA512f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0c659d54-271a-4305-ba10-9f17baea6525}\appsglobals.txt
Filesize343KB
MD5931b27b3ec2c5e9f29439fba87ec0dc9
SHA1dd5e78f004c55bbebcd1d66786efc5ca4575c9b4
SHA256541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e
SHA5124ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0c659d54-271a-4305-ba10-9f17baea6525}\appssynonyms.txt
Filesize237KB
MD506a69ad411292eca66697dc17898e653
SHA1fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d
SHA2562aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1
SHA512ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{0148f9ba-60fa-40cb-ac2e-6ae381bdb26c}\0.1.filtertrie.intermediate.txt
Filesize5B
MD534bd1dfb9f72cf4f86e6df6da0a9e49a
SHA15f96d66f33c81c0b10df2128d3860e3cb7e89563
SHA2568e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c
SHA512e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{0148f9ba-60fa-40cb-ac2e-6ae381bdb26c}\0.2.filtertrie.intermediate.txt
Filesize5B
MD5c204e9faaf8565ad333828beff2d786e
SHA17d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1
SHA256d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f
SHA512e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133752318719665808.txt
Filesize3KB
MD56c7c5879f1c75b60ca6fe7048fdf88b6
SHA1e3faf0e19132003dfc8617a40933f760ec6b64c4
SHA2565391afca6e19b795f4790c36b762d967859b8dcab7f34f40cd3e9d02fb8ab74c
SHA51223a865f4b8d9b04b85d85c7e81a24ca6e28b12ad74acc9256ac564b437adeb0c64cb5fdfc723dde91f38a6c9363e63350791eba9d9217d67b9b387ea8ec209bb
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt
Filesize689KB
MD52dee0ab82c5db228dee2de2fe0d82eb3
SHA1c6231ad00bd775537fb422a86bfe2b5754e9b91d
SHA2560e01a47917642eac553b6d0feb6e97b398f7af84c5ffc74ba35ca66d7a341d39
SHA512c46ae09aab1f240ba384044ef46240a4cb02b6144b0403d690ff7ddcf79acc67da345c98254ef5436a4008fb419c889af43489fedf86e8ba822128365f30763f
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize2KB
MD5767b4debf46e2dcb8ca28c07294057c5
SHA1a2a51bee91d17bc954da1d87cae9bec094ca976f
SHA2565c0ae6308bc6c268748f4ef5184d9ac193b18a6a62e297a7cece6ed438c20e4a
SHA512975e38c31499ffcc032da2bde9ebe0b23f49a09a3ed2e20fce1e8d66cce2ed92e06a5a0f23a4b8bbd78fe18a577239ce5ced0a8e852de7139a0bdf68b242fe3c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize2KB
MD5659b2d1d69ac048565f10c3d60820c14
SHA1592e3faa7aa94098fd3f4a9e5598a7ab91722467
SHA2563678ea3676b95c9b009ce3268f631f98ab2c9b85f3cd37adb4a414e14df0849b
SHA5120057c9d83e3e11fb1cac20783101f2bfebacbf25fdd8601f4e6fe6ee043f404917a2b7401153e292e768ffbbbd96ea8e2909c4be3372a8237b03cf53df39984d
-
Filesize
90B
MD5eb357a32fa98b8a098bcbe03580b0479
SHA1151f10748dde74ff80b83f291ec957b2103c99f8
SHA25696f064b1aaad486de3eed97967c826a3dad4e9580b156678b30111c970b8286f
SHA512ffc324e9e1dae07e439afe324d5d0c74c15bd485d8e9c55758dacb6e6d360d08bb9298ce6a1df21260391ab12ef7ae95c3b12fc5a4b5bcf7f2726d52cf5dce03
-
Filesize
90B
MD5ec6bbdaa414e14d65700e8d21e70cabb
SHA1b325989fa1335058c489ddf9ab6e881b1a8bd79e
SHA2560fed7dbff7d61df7a58fc998d208bc7c02e432ae53ac7af9c44be129135163bd
SHA512d716ac4182da15b41974397eb7e74142c4c71ec7c62356bf31c0f219300999bbcd14cefabd286f1e9b9c3584d6630d7ce10c456bd90ee283f2d1edc5795a77f2
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
255KB
MD565828dc7be8ba1ce61ad7142252acc54
SHA1538b186eaf960a076474a64f508b6c47b7699dd3
SHA256849e2e915aa61e2f831e54f337a745a5946467d539ccbd0214b4742f4e7e94ff
SHA5128c129f26f77b4e73bf02de8f9a9f432bb7e632ee4abad560a331c2a12da9ef5840d737bfc1ce24fdcbb7ef39f30f98a00dd17f42c51216f37d0d237145b8de15
-
Filesize
537KB
MD51c12315c862a745a647dad546eb4267e
SHA1b3fa11a511a634eec92b051d04f8c1f0e84b3fd6
SHA2564e2e93ebac4ad3f8690b020040d1ae3f8e7905ab7286fc25671e07aa0282cac0
SHA512ca8916694d42bac0ad38b453849958e524e9eed2343ebaa10df7a8acd13df5977f91a4f2773f1e57900ef044cfa7af8a94b3e2dce734d7a467dbb192408bc240
-
Filesize
625KB
MD5f93364eec6c4ffa5768de545a2c34f07
SHA1166398552f6b7f4509732e148f93e207dd60420b
SHA256296b915148b29751e68687ae37d3fafd9ffddf458c48eb059a964d8f2291e899
SHA5124f0965b4c5f543b857d9a44c7a125ddd3e8b74837a0fdd80c1fdc841bf22fc4ce4adb83aca8aa65a64f8ae6d764fa7b45b58556f44cfce92bfac43762a3bc5f4
-
Filesize
19KB
MD5e3c64173b2f4aa7ab72e1396a9514bd8
SHA1774e52f7e74b90e6a520359840b0ca54b3085d88
SHA25616c08547239e5b969041ab201eb55a3e30ead400433e926257331cb945dff094
SHA5127ed618578c6517ed967fb3521fd4dbed9cdfb7f7982b2b8437804786833207d246e4fcd7b85a669c305be3b823832d2628105f01e2cf30b494172a17fc48576d
-
Filesize
24KB
MD5c47e3430af813df8b02e1cb4829dd94b
SHA135f1f1a18aa4fd2336a4ea9c6005dbe70013c7fc
SHA256f2db1e60533f0d108d5fb1004904c1f2e8557d4493f3b251a1b3055f8f1507a3
SHA5126f8904e658eb7d04c6880f7cc3ec63fcfe31ef2c3a768f4ecf40b115314f23774daee66dce9c55faf0ad31075a3ac27c8967fd341c23c953ca28bdc120997287
-
Filesize
300KB
MD50ebc45aa0e67cc435d0745438371f948
SHA15584210c4a8b04f9c78f703734387391d6b5b347
SHA2563744bfa286cfcff46e51e6a68823a23f55416cd6619156b5929fed1f7778f1c7
SHA51231761037c723c515c1a9a404e235fe0b412222cb239b86162d17763565d0ccb010397376fb9b61b38a6aebdd5e6857fd8383045f924af8a83f2c9b9af6b81407
-
Filesize
1KB
MD53295ec3eadbaae0d008567434d32e2ee
SHA12dd90f49daed5d0d5bf011ff29b5cefbe8ccacec
SHA256c595bc2cd5e0658cd1e956d283c6828b1853e387d62dfcae0a18ea3efebeeeb6
SHA512caa4b1a3e31a1dc4222c233124f7b3e915b0785471a671103548b0522101a82ed019776e0db138bfacda92345745239f48209ea084c01f9c258bc54dacb5b572
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx
Filesize1.7MB
MD5c5a07069ad7e82f3aeb099f346c4ff62
SHA139a58834fd8a25aed63fb83f0c00712afc3bd2f5
SHA256eb7806d9dc3d2abf82a061709bcd9db8dd98fa060e66daf6820d1fa81bb5b845
SHA512343fb8bffa01801eed7289a513564b55b0045ff3d0a842a819cece416c53c2398d0a0d9b55397bf2ead5393638085ab6ab83ecb2c701f532bd55c0fed4c98eec
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx
Filesize768KB
MD5bbacb56bbffa78cd4a21a9a6b331d84a
SHA15a854fb2fdfb3bd38dde1ac7c832ba0ffd46f4f1
SHA256bd9de870d21c8a5336adc759ebfb740e105764810dd4b5b88bca6213c9133cd7
SHA51259d798652e181582593b44015803a13f9838ee1c5971d2992f968d314cdb80b77a9869344d9d1fd26c2d8afc4574dd9145e795dcfda706e6cf1b49cab6402c7b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx
Filesize721KB
MD58ebd58005daf9c4ec15ac2530d3a4a30
SHA1d11b9f2b85f20eb3db28c4d9c9fdd909848e3e05
SHA256d3ab94fdc32b10903ad444f6f3518f93c3d7348fb945168dd8140c74bb7d7e26
SHA51200a3a6f8a8d10f4bad87c3beae299d0e28931593ef0fb4145711b1d164a3351a8ef131da0f26aab9c3eb7ac214b69e1f03cb52e0e1ea95eb444664d5b0b998e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900720[[fn=Integral]].thmx
Filesize3.3MB
MD5ad1c52db4c29726b3a2d28dda1110f76
SHA146a0656c55202a4adfaac7e98e9e1340c4a1fd55
SHA2567973c1386416c251569acc3cdbfe04da848262a9a2da998f915e000bfd6b52b3
SHA51295c3f09611f977eb3f146c9844d7b96af3e8123cf3393884cd10efe7c250f446a565edafed1cf1fa6dcac4d7eadafacad134d2a75a8cfb74462f62f5ea8b7400
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900722[[fn=Ion Boardroom]].thmx
Filesize1.5MB
MD5407acaacdd935b4c82a2d4af73d07744
SHA1e7ab195df6f9bfd7676c34503e337194dc7631dd
SHA256ed85105c65f81ec015215b76ecbd46bee4caaa17ad716393dfd15d5dcd57a3e4
SHA51203d30e2357319a8153d242eee035ddfda718ce93e00c0d99ecf82c1387d1fe1a436111e13ad1ce67214c87cf4709d68ff452c041772a43cb242786ed4090370a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900743[[fn=Organic]].thmx
Filesize8.3MB
MD5476cf35ed8367eb98237b6428266d6d8
SHA137b320d5109d5fb41044f329187cfecaa8de2a9c
SHA25671739bea66f1dee0789a7675add098123ec0e8e45eb74d707f6412b28fcbae81
SHA5127280c51f2dc97871c8b959a971445e1ce1499d108204c025043a0b44e9a9d6ac03e1326bbe652ef2ef900bc6f3f5566a32dba5aa2eea6a84f1585323e9c9cae0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900769[[fn=Retrospect]].thmx
Filesize1.5MB
MD5126269588dec71f54d53b563106d0500
SHA1e4e27b005a9728617832f0f2645980cc2ce6ec52
SHA2560c11107c6cf799125db9352e2f3a0d2b9ed5d55cbbeaed66d79464058598d94b
SHA512667f9ca3929926397ed5b43df4859b8c52973f2603405763308d931c32c4da831a144ed7041096afc7cdd291b2978622ded5dd4c16c6bfb0f18235e05b212e5a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457452[[fn=Celestial]].thmx
Filesize3.1MB
MD55978107c3cb2a4a8427e643d0a5587eb
SHA1a3a865b6d128e7c9c5821df03b9edfe136f53d17
SHA256ddceaec2a8e652b60cfa4d5d4c7895d70ad25a214d70de884302c8fe18f53910
SHA512d9e0b9d52665f4c1e4b6cc32e6deba4c0cbc9309728415ac9588ddd84cad47a90567192d24bf7ff2f5dd7836a559f396b5015abf3e085abc9b813ff365388d65
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx
Filesize759KB
MD5b30d2ef0fc261aece90b62e9c5597379
SHA14893c5b9be04ecbb19ee45ffce33ca56c7894fe3
SHA256bb170d6de4ee8466f56c93dc26e47ee8a229b9c4842ea8dd0d9ccc71bc8e2976
SHA5122e728408c20c3c23c84a1c22db28f0943aaa960b4436f8c77570448d5bea9b8d53d95f7562883fa4f9b282dfe2fd07251eeefde5481e49f99b8fedb66aaaab68
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx
Filesize903KB
MD597eec245165f2296139ef8d4d43bbb66
SHA10d91b68ccb6063eb342cfced4f21a1ce4115c209
SHA2563c5cf7bdb27592791adf4e7c5a09dde4658e10ed8f47845064db1153be69487c
SHA5128594c49cab6ff8385b1d6e174431dafb0e947a8d7d3f200e622ae8260c793906e17aa3e6550d4775573858ea1243ccbf7132973cd1cf7a72c3587b9691535ff8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx
Filesize944KB
MD5f03ab824395a8f1f1c4f92763e5c5cad
SHA1a6e021918c3ceffb6490222d37eceed1fc435d52
SHA256d96f7a63a912ca058fb140138c41dcb3af16638ba40820016af78df5d07faedd
SHA5120241146b63c938f11045fb9df5360f63ef05b9b3dd1272a3e3e329a1bfec5a4a645d5472461de9c06cfe4adb991fe96c58f0357249806c341999c033cd88a7af
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033923[[fn=Depth]].thmx
Filesize2.2MB
MD52aecc99b664f840799028a20703c3e21
SHA10018eab0ce4900220607f4f80b506aa2f7f89c17
SHA256df93f14304e35e460eec7f8464ae2c2b0bffa84d860d4857f41e0f07a3f023e3
SHA512e0bd3a86c7af6b7202e8fba42bca27fbb17a21ac94a685a38c8a45f5ae35f350ae18d6b107f553dc95774fae47f8bd8926f76ddd840bb7eb8e51e5cf2269aa1c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM16401371[[fn=Atlas]].thmx
Filesize837KB
MD59a0b4cb63dd4e749ee4258f897ff42ee
SHA1bd0f90aad36c7db69a57179b9702b13d8c83aabf
SHA2569c5471cd01c213e94e699e12331194370d8e3f4fc37776caacdcf7ccb8949a2e
SHA512407ab455623fd3911e6b00cf0a23333979d7e29e7dfb0a759a3ff162b12894c843c51eff6e1f99bb721851abb122052ed7f141053ff4f5d955d7842b3600aa44
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM16401375[[fn=Madison]].thmx
Filesize2.3MB
MD5960696af7bbdf3a98f282fd51a641797
SHA1d884a5875c64c8f3b011e0754bea633acacefbe6
SHA256cbfac1ee697ab73485822088e25cedb92d495b0b9423464cebac2fe3989212fc
SHA5129000dd85a0b2ebf5be41d6c9785d69462d4d1b097d49cf2a57a432ab5d784bb9c95ecf1eb9f7ccc88d0ce47c580014e038d7a716fd1f8c094d2e6a1a42f3f0a3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize1KB
MD56ecbc692693f1c8df250fcec7a890c31
SHA1775952dbf47859f9d17eb5328e1c55c6a2b7edea
SHA25619808a83a4a7448fd136e8301d47cb02453bc1ff285f92f19b7ca487cdec8ee2
SHA5127963cacad2ec30d3fd0946c996f4ba828b0adb82cf95a7041e7407c009974146dbbc7addfb7175750627aa14a1ed31bc0859dec54f91023642ac0f5b31858a12
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize3KB
MD5d3e6d96a3b22a333ac98dcfdbd76eeb9
SHA15e618ea452a36ea65e555798d37ae27d1fe30e46
SHA2562acd4944b10c1d26dec1fd305b638b20d80ad02b6504d219a1ca693f29d91063
SHA512ff9f6f250d1dc17e87ff485459982d5c560655bd797d6a6cf26d5be71510898c9f1d972b763c1b18d4e7563781fad173cfa8059c21ffd9e6f2bd56d3f2eca7f8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD52bee56722dc576170e300b45c8e646ce
SHA151283423bbba26c99e246b5836c1018dfc14e7ae
SHA25636dceb4fcf44139fbc501172136cf1294709d1179f65d49094de8425ba98c197
SHA5123ae54040af89c78f7d41a84f67e413c138fc8aa1ef186199a2b0b9afa25e3181f9c3b22d3b97e4b160c558649bd247afce9c2965c7cc5d43a7c2eb4b372ef334
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD5a30df8f2f5717434a5699b1e629e5e9f
SHA1a153e57bbd94121dddcf34fb2f111fa7dc012efb
SHA25629b5a7449745f16e1a7e0554c22a77f1127802cc1339ebd57b35f593de610d3e
SHA5127ef2aeb8dc84d75e54d1916aa25432d754bccb9db45a4c9945cf57b90e440edc7a6ecba7082b49d00aeb3696b59165efb4247bcdb08524cdb33d2e3d466ef27f
-
Filesize
94KB
MD57b37c4f352a44c8246bf685258f75045
SHA1817dacb245334f10de0297e69c98b4c9470f083e
SHA256ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e
SHA5121e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02
-
Filesize
3.1MB
MD528ac02fc40c8f1c2a8989ee3c09a1372
SHA1b182758b62a1482142c0fce4be78c786e08b7025
SHA2560fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b
SHA5122cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767
-
Filesize
6KB
MD51ad8d4cb7d60513ee609cb193da00472
SHA1855ebbde7a0ab4e0e13a54f100a93a1911a588e5
SHA256a52cbf59db0d67b2feae10e8bc0dbebc86da12d69f74347b46620c415c91a7b4
SHA5128aaf8f8b2c2c8f0c11b02960c09098dfc84170090c05d40da592858abb4cd2ce3769b5648cc9c34a0b6d6daee3da68a659ef7a3c19745e2b16933a6cdeaba1ac
-
Filesize
7KB
MD5d4ceeefc28c9ac783dbbdbe2a3d67939
SHA1ab6c33c555e4d4bca89f7083187fdb267c3eaae9
SHA2561677ee40041da49042570b6d75cf58e1bad2871f13dfa6e63d57c073f578286a
SHA512a596e1b7a5328669e7a78d85688d5271eb83eb4df01e728cd6eaf8c19f4ee9889b7a18def75583f0367e8e85c1b855a7230b98930d53a741ab99d05bb4ef342d
-
Filesize
9KB
MD581e471d4abec25c2653ad71378f46434
SHA1c669f38feac618724e99a2f22203eb1ba41d11d9
SHA2560175010a5ea712dc9e81b9d974e3cdc8d63a43ce4e6e0cafeb3b28c3057968cd
SHA512e74de324d6f75a21337c8c30ca7db9665f4936661cdd15de96e321f0c0663a9556874f2f1b854462d4d2aaedbc3b9bc89e91fc33854280d00a07aa52b208fd81
-
Filesize
4KB
MD5969a5d4b95735ed53c71578eba70dacf
SHA1578dba2d58ac42b20382b8b93123d712df88ab9a
SHA256a27d85b8f57b33d91dc93dbde37b44d1b787047f244b3991bf9cb200747e6769
SHA512a7adb1adbc141951d79dabf861e20f579b3a1517bb00b1f195dfdc3c81c7a761269d2dba2b39a5c2d40ff94121dac14172536a1bf7f0ed4c61b2dda7c6aaf2b8