dcrat | hxxps://mega[.]nz/file/iN9RXLaA#-p17M5OrKTA9uh2TWvKrD9IhOKXBK-AQl4spSERybEA

Analysis

max time kernel
586s
max time network
584s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/iN9RXLaA#-p17M5OrKTA9uh2TWvKrD9IhOKXBK-AQl4spSERybEA

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\OfficeClickToRun.exe\", \"C:\\Windows\\SchCache\\fontdrvhost.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\OfficeClickToRun.exe\", \"C:\\Windows\\SchCache\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\WmiPrvSE.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\OfficeClickToRun.exe\", \"C:\\Windows\\SchCache\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\dllhost.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\OfficeClickToRun.exe\", \"C:\\Windows\\SchCache\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\dllhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\msedge.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\OfficeClickToRun.exe\", \"C:\\Windows\\SchCache\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\dllhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\msedge.exe\", \"C:\\bridgeHypercomComponentHost\\mscontainerWindll.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\OfficeClickToRun.exe\""	mscontainerWindll.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5144	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5620	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5300	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5340	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5224	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5364	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5592	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5192	3328	schtasks.exe	151
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	3328	schtasks.exe	151

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	mscontainerWindll.exe

Executes dropped EXE 6 IoCs

pid	Process
4800	winrar-x64-701.exe
2184	loader.exe
4984	mscontainerWindll.exe
3824	msedge.exe
3440	mscontainerWindll.exe
5240	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\WmiPrvSE.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\dllhost.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Windows Multimedia Platform\\msedge.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscontainerWindll = "\"C:\\bridgeHypercomComponentHost\\mscontainerWindll.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscontainerWindll = "\"C:\\bridgeHypercomComponentHost\\mscontainerWindll.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\OfficeClickToRun.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\SchCache\\fontdrvhost.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\SchCache\\fontdrvhost.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Windows Multimedia Platform\\msedge.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\OfficeClickToRun.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\WmiPrvSE.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\dllhost.exe\""	mscontainerWindll.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
229	raw.githubusercontent.com
194	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC8BC5D271BDFF4CCFA8A1114EA65B8AB3.TMP	csc.exe
File created	\??\c:\Windows\System32\ewkptm.exe	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2184	loader.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\msedge.exe	mscontainerWindll.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\dllhost.exe	mscontainerWindll.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\WmiPrvSE.exe	mscontainerWindll.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\OfficeClickToRun.exe	mscontainerWindll.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\msedge.exe	mscontainerWindll.exe
File created	C:\Program Files\Windows Multimedia Platform\61a52ddc9dd915	mscontainerWindll.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\5940a34987c991	mscontainerWindll.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\24dbde2999530e	mscontainerWindll.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\e6c9b481da804f	mscontainerWindll.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\fontdrvhost.exe	mscontainerWindll.exe
File created	C:\Windows\SchCache\5b884080fd4f94	mscontainerWindll.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1900	PING.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756441574796589"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	loader.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	mscontainerWindll.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 584604.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1900	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5192	schtasks.exe
5620	schtasks.exe
2896	schtasks.exe
2116	schtasks.exe
1804	schtasks.exe
2504	schtasks.exe
4132	schtasks.exe
5300	schtasks.exe
5340	schtasks.exe
5224	schtasks.exe
2920	schtasks.exe
5088	schtasks.exe
5144	schtasks.exe
5364	schtasks.exe
3244	schtasks.exe
5592	schtasks.exe
2964	schtasks.exe
552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	msedge.exe
2936	msedge.exe
3552	msedge.exe
3552	msedge.exe
2996	identity_helper.exe
2996	identity_helper.exe
5232	msedge.exe
5232	msedge.exe
4128	msedge.exe
4128	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
2184	loader.exe
2184	loader.exe
5368	chrome.exe
5368	chrome.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe
4984	mscontainerWindll.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2864	7zFM.exe
3824	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4444	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4444	AUDIODG.EXE
Token: SeRestorePrivilege	2864	7zFM.exe
Token: 35	2864	7zFM.exe
Token: SeSecurityPrivilege	2864	7zFM.exe
Token: SeSecurityPrivilege	2864	7zFM.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeDebugPrivilege	4984	mscontainerWindll.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeDebugPrivilege	3824	msedge.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe
Token: SeShutdownPrivilege	5368	chrome.exe
Token: SeCreatePagefilePrivilege	5368	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
2864	7zFM.exe
2864	7zFM.exe
2864	7zFM.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe

Suspicious use of SendNotifyMessage 58 IoCs

pid	Process
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
5368	chrome.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
5368	chrome.exe
5368	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4800	winrar-x64-701.exe
4800	winrar-x64-701.exe
4800	winrar-x64-701.exe
2184	loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 3680	3552	msedge.exe	82
PID 3552 wrote to memory of 3680	3552	msedge.exe	82
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 1776	3552	msedge.exe	83
PID 3552 wrote to memory of 2936	3552	msedge.exe	84
PID 3552 wrote to memory of 2936	3552	msedge.exe	84
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85
PID 3552 wrote to memory of 3992	3552	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/iN9RXLaA#-p17M5OrKTA9uh2TWvKrD9IhOKXBK-AQl4spSERybEA
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfeac46f8,0x7ffdfeac4708,0x7ffdfeac4718
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3580 /prefetch:8
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5060 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12808199766410549161,11764809337170228022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x460
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5984

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\f49495103caa450e9d4989464f067548 /t 1112 /p 4800
1⤵
PID:2784

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\NIXWARE PASTA.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2864

C:\Users\Admin\Desktop\loader.exe
"C:\Users\Admin\Desktop\loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2184
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5884
  - - C:\bridgeHypercomComponentHost\mscontainerWindll.exe
      "C:\bridgeHypercomComponentHost/mscontainerWindll.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4984
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xznf3j5\4xznf3j5.cmdline"
        5⤵
        Drops file in System32 directory
        
        PID:5672
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7001.tmp" "c:\Windows\System32\CSC8BC5D271BDFF4CCFA8A1114EA65B8AB3.TMP"
        6⤵
        
        PID:5212
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t12038UQvz.bat"
        5⤵
        
        PID:4736
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4116
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1900
      - C:\Program Files\Windows Multimedia Platform\msedge.exe
        
        "C:\Program Files\Windows Multimedia Platform\msedge.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdeda3cc40,0x7ffdeda3cc4c,0x7ffdeda3cc58
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:5328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2032 /prefetch:3
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:5760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5032,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5044,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5308,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5056,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:2
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5404,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4600,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:5608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4792,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1124,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5520,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5548,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5580,i,18145988031287697585,8612986662008961180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:3736

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SchCache\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 7 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mscontainerWindll" /sc ONLOGON /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 5 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3836

C:\Users\Admin\Downloads\dnSpy-netframework\dnSpy.exe
"C:\Users\Admin\Downloads\dnSpy-netframework\dnSpy.exe" C:\Users\Admin\Downloads\dnSpy-netframework\loader.exe
1⤵
PID:460

C:\Users\Admin\Desktop\axion\axion.exe
"C:\Users\Admin\Desktop\axion\axion.exe"
1⤵
PID:2132

C:\bridgeHypercomComponentHost\mscontainerWindll.exe
C:\bridgeHypercomComponentHost\mscontainerWindll.exe
1⤵
- Executes dropped EXE
PID:3440

C:\Users\Admin\Desktop\axion\axion.exe
"C:\Users\Admin\Desktop\axion\axion.exe"
1⤵
PID:1408

C:\Users\Admin\Desktop\axion\axion.exe
"C:\Users\Admin\Desktop\axion\axion.exe"
1⤵
PID:3108

C:\Program Files\Windows Multimedia Platform\msedge.exe
"C:\Program Files\Windows Multimedia Platform\msedge.exe"
1⤵
- Executes dropped EXE
PID:5240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
78084061c9919c41ef97e21c70431e38

SHA1
a239c1298f60189691ac7aeedd2d2e3c79a6e0b2

SHA256
4cc50be5a6576c0cd82cb449eff18547fdc6520752900384808229e6d8f577c3

SHA512
f4e7ddaff1e5598d9ec4fa599c5c0801ba4598931cacbc3c1fd1963956100df08e074d2b253cac5e0bb8cd239122beea4f04c08b69808b5f4c7e7a9c3698ca93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bb80e8778efe207de5c0f4de01601c60

SHA1
bd5bd0111c9a34a36a05ccc744cf675b31bdd8e3

SHA256
0fec62791ceb530ae07fb38535a93264dd658e852e4b072030f8b9d3833a9f96

SHA512
066214c29684980ef322cbdb31a3afa194d2522bd42869aa2b68ad51c345e78be77effe3dc62645eed93e712c60c5b252ba210ebfb9e3e5bfe73d21042d71425

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
cb7f249ab0657de5989eee66bf800e39

SHA1
fcb968081a3f7db5f5f5284788348189c5cc1da0

SHA256
fb901372173b2c117477814a50fa7b665743fa1479b33aa804df31f171c21947

SHA512
6169148c8782823b3404c4f9a6e40d708594893a97dc5e30c72f625d95bd967072bcf7de9db417d566e12592aec86dc36617f121fb8b01348da13ad62ea19f77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
771a2bdeeff79ba1041843013936eb5a

SHA1
9c47148563d7b4282a56e2e3eb6ac89e0aa695cb

SHA256
2b7b31f46edb7bc9bb9388c7120b932fbe20bab3f33864a1226b43767b49e30d

SHA512
ade3282324a126c4268e8c3b1934bc59510617cea6d851ec661ba122c82b8411a62249425bb055026bef8c371c638283c5fb5d4fe0730a41731763b7d35617f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
51a2f275b98a79c68eb0c2be5cd8b2bc

SHA1
bc6056a9babb19832c8a0612a8288dcd30100aa4

SHA256
a3f323d91c4d1d132d703c7257cf3096f2fdfc15c296a8d0362069d0d980bc70

SHA512
fe96cc78ea6dad7a53b8f49cf3aedaf89b16655c97454721e473aca6dda57f78937a98d4243cb1313f1b54f789a3278d77dd294061b0e4da02a3a20c1762e638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b2a40534b732b549dde32677c3884d1c

SHA1
e9c05ebd6e293d244382e1bde7cd312d35764dcd

SHA256
f870e122afed153e29b7da1d45c099795bb371b0e064fa74addf4221b5aa6aff

SHA512
b99c84fa9319c6d9df2aeeeb19c6434941abe5c0bdbe49133d611f6fcca29faa09e9e20aff6e4d0f322bc6644590ceb1639751038c289a1dada3fb0fc8c40c58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dfd6c8fe895056ba42891a7045dac8f0

SHA1
7ef32f1fa12ff089a108e1aa288062ce9a16778f

SHA256
7fea49d794ce31e9bd9b59e7cf3f1747bca9955ec038f69211bd444c6ee9b042

SHA512
6014904c58ba77f1fa2ce5d7cef05afb3a227e34f71a6567bfb4846008361a7027671cb3f042c79aaac2f9ceac2a5dcd17dfbd08dfeadfefdcc594f99130077e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
00c2be09f7ee7220041fe4e4be3f3c9e

SHA1
983602f665906658abc009faa7717ad152c1ea4a

SHA256
1a26f215e3cf3c6957ae7a4f8ec66c5b33a9b58002ed064b87e82f54713960be

SHA512
abdcbb54354e15efdbf4fff8f7992565857d346d6fc62a2679a4f91a5e9173e8fbc65e4a0d22252dbc2d548fa156dd05cb3e58b25443bad5dbe5765daf67b09f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d2f29a6397c3cad02b93b820f097ad10

SHA1
410d98e58b79013ae5a9da8c4f01f5e275375059

SHA256
212e86a1d5b81dac7b4e4fd9860c8779068e9342c5a6caa27baacaf14e0f1b34

SHA512
a6ca7ea0a4ab070a04da007da4bbefe9579c7c2a4b51b24d73172fa4a8235aed1dda0950b268604c826cb6e14cccf260f5585b695f717e41814764c1d43b96b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
895957c9debc64fb8b5a5e435a0c4d13

SHA1
04a84c765102ee06b44b344e3880b79df5c80a9f

SHA256
721f2c9212b9b5d265a5171486c920f8cf9601138fedc64d9d69ff23b199dfcb

SHA512
70ac09c9cedc30a424dc490f57dbb1cf85ef65161d68d4b1d8c4ace2bbbd3973ee4fe71337f63db3d53c9c8a26808ddc2f72c3e658e1765e6f763a917f19b6b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7f60bd654ab0de408622f0ac6d65a1f2

SHA1
2e99562fc650a54b9667c94c4b01c543b098b1e1

SHA256
1ef9a56592fe784569d17917c99cd3425d69d6be0cb9d5c5bfda59c615be4ba2

SHA512
93b2ec390f10e4d67617d755cbbd3d9d2eb12daa22be7ed11bad61259b7b63bce6a9ce8563866597a9768022b66ae83ac9d9bea2d80f639476f9b17115a0b2b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
330ee3f1b82ad7f5989378df538c7d18

SHA1
c1fe725025f994e59082ce35a90a73d88a28ec5e

SHA256
cd9785cec482709e0a146b93250cad0060402367ccca3ae82f6e7ad21daff242

SHA512
13d37ca338a41d716ab2d701117eae94913cb8666180dedefe00337409604f24d6c230386140af50432d29e99439f33122007afcdc43d4a1759428337a7fa5af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
afd5c87d8b45270e0d02cc10c37308ff

SHA1
e686d87c2df26ae1e7e878ccbe192963b7c566f2

SHA256
245dd9f5be14a4afa8083e4d3d7c63cbf311ceea0b2c361d766b341a4b06e330

SHA512
ce838657e4498f49204abbdb8137b0f21baf677cd479b78b4e86fd668785cd65ad3b200d898d3cc18a29a5d0fe3acce69306d60dc2dd7a4248efb54a5330b638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a84f31861f3a5c83424204e6b6fc5043

SHA1
801f66e7c8974ae68032ed397fcd5bf40947c5bf

SHA256
dedd9d9e7df72fa6b501bca1872a2f18d910d8aac9907946e97b986b2b280869

SHA512
c7ab88b2a059f26259c4a39773b20e48afea8cc948a697296f76e98a0910ab2c9ad6d6c1a24409297a6aed4dc0fec9caedcfa4efe1e3d6303cb76d8fe15ec448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7633feba52af266ef55d9c298abf382c

SHA1
211f00d9280bf30ca38d5b4f0b97ff4854131e03

SHA256
8892a72863bb648c10f76206348290ac4c58778085be74cd82f36f80ce1074af

SHA512
f241995667357448d1a6b0aa68b1b67c4af3a7bdb0c182e72c4cd31f505de170441cd4d2603f9e7d8dd5c84177bb44640c2f790415137e5b4a2449e9abfd9008

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8c22152745629bf4b689bffdbad9f248

SHA1
1bdbebac0a1e00403cf032aaa606aafff906afeb

SHA256
a6c181d5674781d29432999ffdae10bee8f22267e762bdd59bdb4d2e2fb21b02

SHA512
68243d0ef43821d9ea3e6879379302664892d7f0504dcad52d9b325362ad74b98d1fa749ca795bac9d270df5169db16219f9e26946a45421f5d896e9356326d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
71c50b735ed9758c922893d7f3b64e27

SHA1
506c63562530db8eda172e91305e2767069ac8ca

SHA256
d8d19ec7128b1b1cc4fc0576062e27df2c00b4a8338abd3e10823591cbb14ad2

SHA512
c48f9292e72cef5797e9a511767f26b8e85ade5e992501ded44f61c836b0f85af8630a34c48032fc3aa1e223ecf5924dba3e43d2b61dfd0b2aadeef14ec84c10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
037b43b4ee07204858ec4049aa84f75d

SHA1
837c378d65d889be47aae3b50dd8ca4aaa559923

SHA256
115bf7a3c1f640f413f3f9225eaa49c6e420601b2809f65e7db1fec7dc7d899d

SHA512
c01b493e65412c142e05c003f8f4da9e1a7611aa3a35eea40f2bdf41d978d5f6b182175853b1793fc30b10e4bc3182f97c7ee26623945fd59f94dd562d56f8db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7e949a12921f8f116ad43dc0e152218a

SHA1
4fe7890021e2da0f9564e1ca690809853903fa3c

SHA256
8725a8df830b5e96388f0c6bfd412aede15ef01c414b281cd0f890399ef82647

SHA512
61bed4d5b093172eef2eef012972587b89ae5f21fff3b2c2fb2bb386c17de0c4de015b22473b0465c554f2da80413a5250aea983a0ed772eef3acd131b8c950d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
44e15a32432120882fe47e8670ca1beb

SHA1
f731dd43d21b2a2e8b7886f5e533e4ab6898dd16

SHA256
3d735e19eb91bc9ba73c2be86277e139fce72c18dd571b33bcbe7c8f928a569b

SHA512
57cd2b364b4d58cc82caccefb6ada7af905761ecf9eb00971b5b550c7d02797b7d57b7f59edecf11bdffcd555e6126965147f2d60ce67e6e38139c33512413da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8bb4c5dbd7095ba8e3d9d122ffec7583

SHA1
c6d3789c376edf686b9d211efe872e5f6f0392d2

SHA256
2ab4eebdaf424949f9114a1137ac8edef339eb0fe0dd18c77e9c8ea6d13a8cb0

SHA512
b27818974c8d4f7b419e3dba4080d460533ac09954f06c8b7fd89d35201df397d7b9e9bfe2a8fbab8e7306a9d2d72b59c3686ae3c4019fe06186ccd9cc1cf0a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e76d5466bd0a7dfa0ff593b022860efe

SHA1
34fa5080b667f1fd51a989ba0880a407346809f7

SHA256
a7db165402b1e6c651aca219b60788a25d76db4c2d8fa969d2c01cd21c1f9738

SHA512
4806e6caebba748e47c319a7a35c389d900d7ca5b45519698e4dc409eb37db82bb23ca295bb0fb580e5e88b74c55c55eedb9d33fbe768d636df1ff7d9141c6cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0eaa120734f1ef050e71891a985c5733

SHA1
56990f041ebdb2690897a7ee71bdb34df96836ac

SHA256
b5ca0c88472a6b54538493f4ed639287064e44966c509596476ccf3a45eead13

SHA512
fd525a6b849e9f5806775ebf2c8a906cecb9e9c8e8ca5fd8e26e6976d35dad862932709dd5b5cee85e0955c73a4a9d358486828b2d0f4ecd16a35268ca4d4190

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
14f7f6e77209698c3c0aaef66f1b08b4

SHA1
99a17f48701712a61cd7130985d866c763eea3cf

SHA256
464a2d37c0d9c7a98d129166b3ca7618a7cf8dc9104f274a754c0dbc6224adb0

SHA512
007f08cf2beabeeefed27b30d1de60555b5338cfe7f338975882dc81d0e284a2ab7b5f9d24ffbbae3afbcf5b5659fab8588879e0fef49fb60e502fdc386176f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fa64382cf9ce206fb0a75ec0f53a5c30

SHA1
d0b31e981a87809dfdd985db6e62332d7ed26038

SHA256
186c98bdc6936719962cc6489c8d581e9483890c822604af2125bb48c60611a7

SHA512
c6bfb2add9229e5e79a75496c7d6dd9e7e5ee9a243d5a0c9ec5539cba2313583f3e91ba2a3daa3a94929cfe3e1087a4a42146299a04c789dfa3cdf179581bf69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c26c0a8c94f097e56180c1a4c8e5a9c2

SHA1
b298c79cefa969958a7b3ef503bff5707c6cfd4b

SHA256
2cbbeda46b0a42c66bb8a999a2c8f884db52ea76c229bbd520f86ce7b3653a5a

SHA512
f1dc1129dec0578c53bd40a0dca06ed86e2df69925631b1cde07b138f7fee02519b9c69d401dcfd34b5cb262bf97eca51e64234928e305c33c235420e1eaf120

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
41a77b29429717a70041b03db706561b

SHA1
2f78410bbe73598b08be0b6ae0bfdae4a572b4bb

SHA256
e0664310b7e443a22baf85f2df652b33043c766d7b88659c864dd2fad15b53b5

SHA512
73d922cf0c5fb3670de52e7d8c26097b965fd78625b0f65c92d8838d9ffd026e2be515544e304cac9cbfa199609946673300c9115c8761a07029f2283d3dcbc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5fcea365a14bbf3f7cd1a9b11429dc50

SHA1
5045f5eb79e6b0d49ecf6be217979fece21087b1

SHA256
5df6d50b1bbd33315edeff53b86779a5eeebb530cfba43c67faa19a21b0a044e

SHA512
c55f0e882e135d72044489a60eda1577053bdc5faae424c2832ace57ea6ca225a7090431574d34a5b600af05fb90db71958feb7dac7a9f8ae435476ea5b013d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2e289b9eb1acaba47c7e7ab3b21cb367

SHA1
463b742f38b660506b41580b77b01d867592d767

SHA256
5bd74f4c4363b96a412a735a3e5c992dde7aa03955bedb77f6da2f23fbd40858

SHA512
5dfdfbafb65f3548076e6d54fd58e68439c9ee1f975a30610e56826ad08758286950d4c7ddfced7f16feb798d4775de28e43b2781f6139df1539a67cd24b5661

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d4527bcc30beb927538f194c86b56f00

SHA1
5eeaf3bed04166b75baf56ea07ce498255067c8f

SHA256
7266828f6699f2e160be9ffbd1088e6dd9a52af6a30bfb4a7ef0d18d4b4ff0f1

SHA512
feab99822db386aa13841c8882c8103501b0a0839bf552465050d965f32a6faec84668d99944b9d118239ca73342542479c567819413346146fba3ae3e3a6253

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1fbbc4410d4d82807e17f53564d40aeb

SHA1
55f8d140e400bbb44d94242bd2480d389cdaa277

SHA256
2fecdd4eb19b8f9788a163cba2d315bbbc1a118bed7a0ae85404cd6bfb025a7a

SHA512
f0180eff1bfdc1d50c3766ad5970ef40973fc54c1e55fad8427976f66bd825dda1fa145124cd42da007342dae47780f4cd019dc83f9856a26356de199990dda9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1c8aa54c82879c905c814e69399c20bd

SHA1
977450537e35004b39c03f9c5de763d991de390c

SHA256
499ea595ea9f6681af8101e219dec39374bfda79f6555143e59875dce525bf7c

SHA512
62d8b8ba51bb0860a701cb4aafaaaa88a236070c58bb3f5d13988ea92008ae5a5075f97fc46a339a791e5375b7ec614daa39be8dbf0a2b2fa2ebe68dc5a15356

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a9f5bba479a78759bcc631b5b13dd4b5

SHA1
120abda1c997e2aca830e16fddb72b4f67d34d1c

SHA256
0b6b3c1be1a0a580173affe395fb47083f113c769f71c9daa2bc88d096b5cec4

SHA512
22de372d95b6bafcdbcbce4fd27ae2503e45547636793a985896638a1fdd8228b2c30c3ff316af3ebb8809059a87fa0d38ae3e924cd1b0f7842f720bc360d5fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
64f21fa59dd0934ec6cacbd94c44462d

SHA1
4c5a49abb2a9ea1d34d598622cc6ce1ea69564ba

SHA256
d59a09beefa8218e023f09e2285206169ddd0f0847e33c2111c372f9c3015397

SHA512
8d3943a574f23a12c1b502fede21881a9d985710b6f079ee2dd112a639c859b9aaf37e6a5bb00d3919d8f06cc2a39b58f1cdadf035c4f2a30a819e27167d59e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
114KB

MD5
59b3b315776d6530f3c5598d4bae50cc

SHA1
3af5090af338e753aac49f1a60953a5852f7fe12

SHA256
8c4597ee482e0e7ccdb55156a57d8d072ac73e49b2e0df4d25787a4106cd9d19

SHA512
9902b14515156d24f45de4495dcb8fc7927ccf8768c3568a96c2f0ae4af777e0e38d377cd99bd9285b49cedbb505d8d25a0f345552f101e92b610d3e3f4a46f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d430280e-e38a-4787-b37d-efe96858f801.tmp

Filesize
11KB

MD5
10b7957b39af35c343a84740c6f061ae

SHA1
c25c1e94e5fe933914dc1ca3f0a10ee054710a45

SHA256
6ab62e7a87044b4346f5f90a8cf52315919d7ab72d4a7f1f99404e7892032d78

SHA512
60a209c2b9eb9a91d480cece582d8901cbdc7f11559e4160b1cf57b16c85b2242c765b5053e86f8d667a06cffa379391602ba2bf269dc10fc7ac812d9eaf22f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ec6a2b1e-9f21-4a16-b299-b888a45b2e47.tmp

Filesize
11KB

MD5
2745d0996e5143f90b575a4ab75a1ad2

SHA1
3d10e1b55bf42b3ff8ab66b450e226bea81d6614

SHA256
8d35dc7a31a29cb11eb1de30b1ac9eea02be17ec0ce4f5e7213c89264aec5a15

SHA512
a5b0964363aa191d23dcc55e09a308bb849fbf9691b69e97ba763ff235a8e4fed0a230eebe4a2f620bad4101ed10383ec40d95ecde1b6706648521923ec14edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
13abf0c7f517f873312f4adc5cd15c06

SHA1
267ad8a343c0726c04abf144024109f09f13426a

SHA256
291598f0cd9a333054afc270eb3c412f515061c988662291fb03dfabd8347c8b

SHA512
67580670802b12a8937c0451b41f381b76e0a5cbbd6b68d03b2e25d9b060d7492766e1a1eeacde8d08e500f411823f900c579e1000043cd717c4aefe7ed3b3c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
dd19fa0e337347fc7793e4c1a7e7c1f0

SHA1
4638396df68860b58e9eb1125a34b2155f966d9f

SHA256
1e713fd6432d5f0c2b9771b0bcd4599bc65c6d5e5ff758d3fadccaa16d567299

SHA512
4e6efa9f18ecdf983edad29ff5575166c95ac083fb4de7e87b9ee350c6d6ecab4c54e3fd46aa3a0a87f288e6be94e07a1c6edc237a46f1cc865f69d7eb996e7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c2fa89dc43226b1bdde2199fcbaa6641

SHA1
be4357bfa84ba24facad909e43fb5d5d863819eb

SHA256
de4d6ea32bff4075e0c72a8c68438b669c518710a71615b5d37b6bcf22034d62

SHA512
b452ce5497b020dede3778f880af76e08ec198641fc2c6d2101ffe7bf9b6216f3700a0fd16bb4bdd52d3fdce5997ae8f479fcabc9e8510fb60e84ff060ae2735

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
5fd099bfce8fb6493e60671c25f9b434

SHA1
8f052fc4010b7e38b10e54153c675d2dc997c452

SHA256
6584c5affda0e22609a12e22387938bf20f593529720dcc94431756c31474eb9

SHA512
ad8dd4981d0f67a8b2fe9df3f63fba2eb22bf6b4941e27689caaefc5736b6dee334b64725e35ac2bb9dcabe29fd760b4afe6d9d275e3eec25ee241a5cac504da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
86c75ec19c17a2752c25d11dd650a43a

SHA1
8cded2cd796cd5900175df18ddbe1cdb380251ca

SHA256
7823102e7648a6f230f4232b7dfe2025e8be8101c2c539ce5d82c99d2315727f

SHA512
3aca0d371a5429e96c4a4fad5e2ebf32ab4305bb78c3a0b4ec0290c72512b6f6fb20829829f040176e768b5d207c4e9384827793517f7c715a28c1f57254568c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
07049f249fef01bb26c56cd214fe4d1b

SHA1
fb9a5d29f0f0265fa9c2d9af6b3d84a1fa78f5a3

SHA256
c8d90ac8993d4772d9345c4bf7237485348607040c1569b2a82c131d3dd520b6

SHA512
d22f9efa9f6399804eef42ada52d6e6769b45fb8c0032896284deefd2fc9992aa96a037304ff7ee57dc98a8c61b97e28fe6dca46b5cd95d9cca442a9878a5861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
466B

MD5
e3cec2b4903bbb444699af0ab8c28aec

SHA1
13e392bb0f4e1c5df2097d56337bddca0699ec0b

SHA256
f86a3054a0e1f31d0a1b79604d14ca932ec54770846e9a7338256cbb0816481f

SHA512
d12cc0e204f1fdd162a7e584a5221a0fe2e81a4af72057ded5b41900a9e726ad3751baa07cdcd04c3710f318eb4764ace16410089ceed8b83050465b9052c056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
906B

MD5
5d722c584efde927225815373df31d5f

SHA1
cfb5202259dd652fcca550748ba8d2589bd87a16

SHA256
3333f65dc959ba5bcfb61885fcacccf7295178d2756a3229ba340478b85b387a

SHA512
ae0042f67183231a9ceba988ead2be51f3b8e0138e9d1fb6bf1d0c7e47eac699ae0561bb5f9822c13cb59615733522ea23163a9901707cd375ad16a9bb3624fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
815B

MD5
9ec6a261158f41136fcb58d343dba8c6

SHA1
d828e6fd469aeebbc4264bdef5a898d81d517c71

SHA256
32316ea12e8d9764ed918e19cc9000fc389acd59e008e047487fdf191c63ee2e

SHA512
06e6a0da6c52ec5e35f7dc5429d2e4d9f80ccf68ca639eea1bd984c37f8700d5fee2d51169505a3336c1c721915a7ebc3cd3153e285fda4cff7b7dd099818afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fe896b9aec3df161057c52b46e191cf6

SHA1
9dad9005b2bc59d24c5cd6c124ad72fef16e76c4

SHA256
8e2998d13045f173edeb7a34ae12aa8edd15610af5a8a7acf70bb13c26e2145f

SHA512
99c26a5df9b18db1ae8b4f95883947f53b784fbe6627ef58e8d79f87592f188e6edf7ff5eded49b898bcf3d1eae420f84dcb3c64d7d6910c8515130852dd94ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
56b0de36f896138035f4a84909de492c

SHA1
766bfbb45291eba12064ad471009ce93eabab54e

SHA256
1beee9e0c7d3b87fd3d7d5121a99b9625df10f650c3d6397466329b531dbdeed

SHA512
975902737978045736351eb23d35a949755383988d6976ed11a8db1e86b0ed93a36dd3f7cfbe0faac433575ec0f583f471ef528bac6d42666186c2ae0224270b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6d59d01c3a63252443d6e670faef0632

SHA1
c22b0166c33657e18da67f17c169d06fde0c87b7

SHA256
66d466c41185efff1a598aca17eda4a31a054c7497ac3ab1678ac78def800112

SHA512
9cfaf9e2145c76141a262d0863b54cc28e21b962eb4b9b475063ed90ded805646f283b0dc2bc2f50140455e1f2277c2e27762cbdecff38c33e771293e21f6f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8331795f24d7432b959f06ae4b95e17a

SHA1
cad0799884bc9b5d49bd5f187b5cd72353776050

SHA256
079e55a4cf3c773a81025c958f2353673ec364de6987d6b74c2478916db3a594

SHA512
e318d04b2c8113cf3554e49399230ba4e86e6144e151e651850f960d72a195c646faa0a1b13be7a7c42d0441827ca9bf9425944ad5b568a2defed69f6820ef71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4367dcccf6e0c3b7a13eb34f69db49b3

SHA1
691c8bf58a9aaf250b415326be1f6b0a3c6580ab

SHA256
e9e1ba186c21818f437a4311fa7281110d14f1458b86c47ffbdf86f1b7fcba3f

SHA512
e68c0b746fb7df189afa79d6ecbbb659564d8e7f43768c62ad28a693e05f9dd4fdc50b5d3ab953cfafa2d45a44feb2fd21edb66b5b38fa5841d0b8db11d2e5fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6374440ec399d93c8e2587f3fa91e395

SHA1
0172ada771a0ac84f692d9414aff692c003f4e9a

SHA256
65b2794ccd9c8ff385c61201312ded278e0ff95b35515b405212ffd756fea097

SHA512
cb97b23a991f16f6fcee14389b172827149521aa4057e085660fc278eb7c7219a00b35ba24b61b112469d7331da2d8a375cf5b305fb75118f388d051b5bf123e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ee68ee03c13585285c3fd6a48f1f0820

SHA1
5e69f3596b9f5d635b29ad5e6fbb73fe4745318e

SHA256
f09ec0c3630dce8789fae29d8f39eb9f758a07c78f54cc72d7cb7dca44939cef

SHA512
d56d94bf0ec464215253b254ff5e687d535740add088026647d86db6898ffc3957118a711676da5ef707b366e8cef468bbb4679cae745de539af162a0f0cd82f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
014412ce21433fa5a032389840c95a4e

SHA1
f26de5de8d56d7f8ec459df0898ffd39e3bff5d3

SHA256
b85e198d1496aaa4616b245383ec7a36d7a0c101fe0f613833683ef8e51a0134

SHA512
39afd339df4fb3c54d8a4d02ee312c5efb01e7ec2836709162b0250406277b063facc75aca3277975b532c6d0dfecb83f69d3e046b33cc711ae5609574e7045d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580d97.TMP

Filesize
48B

MD5
88170a6ef3b71f03350896562d72ec31

SHA1
e2ae79291ccf5e60f726a42ad2824d248cbf57a4

SHA256
9b5293ad0f4d077d1a68bcc34317c2d168b1eed2564a34e7ec49203a2ae74615

SHA512
686d52d237ab6169d3376f5af1bcf03ac0ddf70b60d6f4b40d7954e52c0e6534f655d4e9dd0e1627ec40180b1ae1f6887f0000fbb95e7a02bcf4026cbdcbda1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
32c170a712da56de401e374f7dea94b6

SHA1
719082055dff5ec243184152feca7588a1d0db20

SHA256
1e37f0187c7f3675cd27b86b236627dbd96721894d327c767b238bf9f98a2769

SHA512
1320c60531fafc2626f4b3edb4066278a62fd28a772c4dfd60b81630166c1350fc3fa0b35a6b20f43d75c06254eea3e543d2bcd91524f0e7aa091931c80bb2a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
e0eb7c0e21354229469cc6d9ded28e1f

SHA1
a78d70e0e6f56c5068f7db0316aea0fa5ce09a03

SHA256
b622890543e01e5de486826ace71e561f123ed84d209e5e88e6acfb9b34b8318

SHA512
6c0afcac53b5a53d94c0d0aaa22d617986bf7235f2e8eb9075405e17fc8585548b4ad0ecc71930dcf76b9252c92d79ecc84097de1fe253c24de14eccd5d2d4f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
7545913b52add1ff90cf638a546a77dd

SHA1
89b9d5efbabe23425f845d6b4766615ef5faf722

SHA256
cfc80ef8f8272fc70c4b10e36f6bc10931d9da694e59f044617c542208a1b8e3

SHA512
3416c274851232b3d739dc98b6bf353e1ce3bf223ccdcab8c4df6fbedba6fbf191561f84ff7ed8b8381ae1f2869f5b106b5c7c243a87bb3080f11e27dc71663b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5889dc.TMP

Filesize
203B

MD5
f071792cde3b55c76cb0312e1109ffe0

SHA1
8c7f8223469015dc1dd5d33a683cc9be10dd58b4

SHA256
8827d6667e54e293cec8cbce60b766a83863607ad55795caea364421f5e7366b

SHA512
93c48fa1d49410ffc98ff1d76ad049887b9f8d95f9c4f0b7b899fcbd0c887f2146218912fcad8c8f395442e7dbe92627dba68bdedfd6e97b42dbb186ea68c8d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
54ffe9f39fd9b92f26ee8e26367e7c73

SHA1
81422d18c28ac5753ab49eb32668bef5d1c087fb

SHA256
6ebac32791e3f9519ddf6f2829b3da764e79313f09f1b1586ea3a951c748a6e1

SHA512
ff34038b942dc0747d83b78a4579bce550d6e6bd9afd787f43b3cd5a0e85d472069c13563a7cb51aaf7bf260e051d9442da8c80eb5bb013ac64387af1d1e8d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4782b27161b34bb3100a20672a76be58

SHA1
f893b8b6e1e9d28f3c34bdcc2a2a846f0800fb4f

SHA256
7073d507bbbe07b8512bcda6749a1e9d3086f1033724590930260596319f765b

SHA512
130b88db9103f8e4c8cf20f3252f9ca59271aa988a3311107d791bb3954a85830e4752f2192b062958cc8be03fa8ebb0d1e84a21dfde24c8c88b8b20f14e0bf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
176e7c0f56d74deaa2a2549620cd9a6f

SHA1
0cff4c39725b039260587cede2776c14dee90608

SHA256
946d3dadc2d2acbc565ecd6a322c4cc117acac83df482e5849b08f2cdc94fa9d

SHA512
ed8cee331fa34955e873c173b56c12b20ee65beb61e87c6e7f1e08235313e10d91aeea9d9eb00bd00930ea2c177b2c4a5dd27f7186a62ba7d2694c51f4b6396c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ea11f30a2e98b700f5dedea7bcba34f7

SHA1
7b19fb9735aad4b22742fc0734f2baace31f5e79

SHA256
e9c64c3d271de26be42e7e82a24864cd54f5f9abd009f9cdc1ef99c3ab68a926

SHA512
0f62d313cfdf32c94d6dd1ba4724fa7f559e24f33014322b53994f3411149a44ed0585b4006df4b11b2b1e400f870c7ebca76bb543245974a340abf8fdaf05f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Safe Browsing Cookies

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c278800-1519-4a24-99c8-3297b5346092.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7001.tmp

Filesize
1KB

MD5
e6ab72c84aa97ca631b726ed5275184c

SHA1
54f433172d314198b0ebf3605c946da632abf9db

SHA256
7bf930ac010c4fa2257a9ca7efe482fd28c4abf58b3a56251245ad348eb42624

SHA512
575422a09e7d4f8ce8f72b77952acb3e8e98969ba6b0796184577154943c7325ad8dd008439a3d4395934083ef95e8ef5cd32ba121bf6156fca52e2e4eb85bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\alZfMP4DPo

Filesize
116KB

MD5
6e45c32da13db55c64b8f1f1ff736157

SHA1
ce9d94eb6927249c9f1482bd3cb7d36a42276481

SHA256
189ed401cfc694008cafee5506b0c5cb707661b4ac3b1f8bd1a2f43ce1d53aaf

SHA512
19232d166456d72335c0896a0b7d8ae0dcbb5257186ac5148163425e413a6f1a6cfa34edbb7fdbd588ca3c18f38059470b76dbf865d7944b3e5609ff1eee309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5368_1201998334\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5368_1201998334\dc4e7c01-8dcf-42ec-9574-945bce35c00c.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\t12038UQvz.bat

Filesize
183B

MD5
9e13e391ae85fc82742c633a62e0f7a7

SHA1
4839c1cdc341cca4252d0328c5854d9f0b55fe06

SHA256
7b4a8b4c01571948225be7f3d20aac166fce4632a34b5ebcf9052ab18bbddc50

SHA512
a5b7f84935fe971829025cf3ff76793e49463c0d3b086d4f50e3f0d967deece627060837c15973d8fa7a6e618219dbfcb8228eacf6699a8c424ba8826518effb

Download Submit
C:\Users\Admin\Desktop\loader.exe

Filesize
3.2MB

MD5
8faa9e2bbcb1f98cb3971b94f9feda41

SHA1
ab03732cdbc58c752057f2dd3c39e164e222476f

SHA256
026825e9ca81fe52b1833a5e2c838336bc645778da89ff5c266c65c9d750a490

SHA512
5a660bddaf58c15503861663d018e3444c40fc9a62cc2953a60e41c78561014db4911d4f1da80f70a492d6ff912765d93e08c3c39fce921580b034dfcc47d358

Download Submit
C:\Users\Admin\Downloads\NIXWARE PASTA.rar

Filesize
2.7MB

MD5
2b2957e283af18531e63cab123079d3e

SHA1
a9f5c70f85becca9b7ca60ff6389ca3d023f858c

SHA256
bb107d0ce375bd8c74e1c57a4ee0e67ce80a3e8de84944048bde248d81f7ee51

SHA512
16c36326eb62ae3acb2e731de1b84844ff574a41b88d04ef8d185eb05bccc9f8dd67a5343960d41ca8e85f984e35fb9da3d6c5a1a26bec35d748fc45fca79dd2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 584604.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\Downloads\axion.zip.crdownload

Filesize
14.1MB

MD5
69226704d9f57db05a4c3c967215f302

SHA1
2aafea4e5fbc639550e4eb45b60aaddfd5198932

SHA256
f007d259d7c60776842229ffb1ed9b0500a449cba39f7da3e035b22eb23034fe

SHA512
2b7381ca285b065854ef9dd05093c9061aa198e98dcff6e8fba981a7816690a1198273ce6ff77cf2bb482affd77167935f331ae487eb803c6e7bb4ac3886f5b5

Download Submit
C:\Users\Admin\Downloads\dnSpy-netframework.zip.crdownload

Filesize
22.6MB

MD5
096930828824f6763291279a34778eac

SHA1
439f401712125220b05ba544d97f80f6dec43628

SHA256
99c4bbc73d82c3d0d79f4d50ac08e86c569495a330f770ad2272fbe3843066d3

SHA512
586148b152d7f692929294a1fb2bf942e989c757a9fe596e90b4c97f79ac000e4a404d628f0f4eccf916ea30e4471c86e0d558b1a0dc7f0052be38b9aff3cb9d

Download Submit
C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat

Filesize
108B

MD5
836fc705ac99bb9e9c32457cd334e13e

SHA1
ebbb2cfd6a3260e482447d1c7871391ea8c75551

SHA256
e0446f377405745b3712c210adeda645441bc9f6b987756b53aa05ed167fbf9c

SHA512
ae2915671fee13ce19947eed0733d3de5b462ca8ef55b422259814004cc51df54a1ea58a6659a36a886103e84191f93fee5d7a134a50439a81c856645f88cc90

Download Submit
C:\bridgeHypercomComponentHost\mscontainerWindll.exe

Filesize
1.9MB

MD5
5a7bf976e09d1835a65809093075a1bc

SHA1
d2de32c02c3d6e79f185b6b5f91e95144ae5a033

SHA256
20ea6e36a40896c99a0549118ac01b9508dd72b484050c9b2ce4fb5ac805a950

SHA512
60c6f582e29415186d2fef58a469a6bd87e84daf084d8705f09605f331d015abb1a825d06343a797532561915e754015692e745de21c55ed6e52cb5ba47129c6

Download Submit
C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe

Filesize
246B

MD5
a672021e4678a1cee46a924baa63411c

SHA1
c4c27bf73768a3cc97d070e3d560e4f45affe9b4

SHA256
65a576bed74898f83fd527be9a715aaac80609066d01e8b16a691c5287bd15b5

SHA512
ea08511f0859767abdbc080e7dcbad20bced260cfb2b58ba51cc8d48d544fb36256f56887c25763f25d799fa225674d487d6f5826f835fb8462c0c6441c64b67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4xznf3j5\4xznf3j5.0.cs

Filesize
402B

MD5
409fe15ac7fc93c39fd88f78a236ba48

SHA1
ae2c287cf9ace2dd30a603fa08e38787c5611bb2

SHA256
5007cc6feaa862722c23207d7b6a41695bf4ff24fffa4d0a48fb6447eb21cbbb

SHA512
b786511fb8d59025eb8f229ef5a4ae90515595d38a3602524fa36c22602674811e6c65a363d17bbc10fd6cb239f335402ffc633ff4c02c920f9e8182a8839b18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4xznf3j5\4xznf3j5.cmdline

Filesize
235B

MD5
c6a80b68383a5d8cf973f66b162b6c07

SHA1
2d9349e0afe771defad79ecc83dcb287081d228b

SHA256
6631080272e58ee9008039ecb3095437d329e99a76b4fec68dea560493298d29

SHA512
580a1cedd14d9de36bf50f48f843ede39d954d29b9e252c2366b0bfd0c73aba8bd8029597f6f56ab5e76ff70f04dbc645619974932d31c9f3305ebdfca7293e2

Download Submit
\??\c:\Windows\System32\CSC8BC5D271BDFF4CCFA8A1114EA65B8AB3.TMP

Filesize
1KB

MD5
be99f41194f5159cc131a1a4353a0e0a

SHA1
f24e3bf06e777b4de8d072166cff693e43f2295c

SHA256
564d9051e5639603c83562a9ff2c2e478cc7e13d54faf39f761297bac78603bf

SHA512
51d1a50772bb7d689193e6a9b2e363185cf5438103644b2b68cf13e08274c5d99407b99f8cdc856143d28669f5ee4ee316041a8e33df42f55bfd181aa3f3c0f5

Download Submit
memory/460-1596-0x00000177A3100000-0x00000177A3140000-memory.dmp

Filesize
256KB

Download
memory/460-1643-0x00000177A4330000-0x00000177A43AC000-memory.dmp

Filesize
496KB

Download
memory/460-1590-0x000001767F600000-0x000001767F60C000-memory.dmp

Filesize
48KB

Download
memory/460-1592-0x000001767F620000-0x000001767F628000-memory.dmp

Filesize
32KB

Download
memory/460-1593-0x00000177A3040000-0x00000177A3054000-memory.dmp

Filesize
80KB

Download
memory/460-1591-0x000001767F610000-0x000001767F618000-memory.dmp

Filesize
32KB

Download
memory/460-1594-0x00000177A3090000-0x00000177A30C0000-memory.dmp

Filesize
192KB

Download
memory/460-1589-0x00000177A2EA0000-0x00000177A2EBC000-memory.dmp

Filesize
112KB

Download
memory/460-1595-0x00000177A39D0000-0x00000177A3B98000-memory.dmp

Filesize
1.8MB

Download
memory/460-1588-0x000001767DD30000-0x000001767DD3E000-memory.dmp

Filesize
56KB

Download
memory/460-1587-0x00000177A2E70000-0x00000177A2E92000-memory.dmp

Filesize
136KB

Download
memory/460-1586-0x000001767F640000-0x000001767F656000-memory.dmp

Filesize
88KB

Download
memory/460-1585-0x00000177A3720000-0x00000177A39CA000-memory.dmp

Filesize
2.7MB

Download
memory/460-1583-0x00000177A31D0000-0x00000177A346A000-memory.dmp

Filesize
2.6MB

Download
memory/460-1600-0x00000177A34C0000-0x00000177A350A000-memory.dmp

Filesize
296KB

Download
memory/460-1599-0x00000177A3140000-0x00000177A317E000-memory.dmp

Filesize
248KB

Download
memory/460-1598-0x00000177A3560000-0x00000177A35F6000-memory.dmp

Filesize
600KB

Download
memory/460-1597-0x00000177A3470000-0x00000177A34B2000-memory.dmp

Filesize
264KB

Download
memory/460-1601-0x00000177A3CD0000-0x00000177A3DFC000-memory.dmp

Filesize
1.2MB

Download
memory/460-1603-0x00000177A3060000-0x00000177A307A000-memory.dmp

Filesize
104KB

Download
memory/460-1602-0x00000177A2920000-0x00000177A2930000-memory.dmp

Filesize
64KB

Download
memory/460-1605-0x00000177A30C0000-0x00000177A30DA000-memory.dmp

Filesize
104KB

Download
memory/460-1604-0x00000177A3510000-0x00000177A355A000-memory.dmp

Filesize
296KB

Download
memory/460-1606-0x00000177A3600000-0x00000177A362E000-memory.dmp

Filesize
184KB

Download
memory/460-1607-0x00000177A2A70000-0x00000177A2A78000-memory.dmp

Filesize
32KB

Download
memory/460-1608-0x00000177A2B40000-0x00000177A2B4A000-memory.dmp

Filesize
40KB

Download
memory/460-1609-0x00000177A30E0000-0x00000177A30E8000-memory.dmp

Filesize
32KB

Download
memory/460-1610-0x00000177A2EC0000-0x00000177A2EC8000-memory.dmp

Filesize
32KB

Download
memory/460-1611-0x00000177A3020000-0x00000177A3028000-memory.dmp

Filesize
32KB

Download
memory/460-1612-0x00000177A3660000-0x00000177A3684000-memory.dmp

Filesize
144KB

Download
memory/460-1613-0x00000177A3690000-0x00000177A36AC000-memory.dmp

Filesize
112KB

Download
memory/460-1614-0x00000177A3BA0000-0x00000177A3BDA000-memory.dmp

Filesize
232KB

Download
memory/460-1615-0x00000177A3FB0000-0x00000177A4156000-memory.dmp

Filesize
1.6MB

Download
memory/460-1616-0x00000177A3030000-0x00000177A3038000-memory.dmp

Filesize
32KB

Download
memory/460-1617-0x00000177A3080000-0x00000177A3088000-memory.dmp

Filesize
32KB

Download
memory/460-1618-0x00000177A43F0000-0x00000177A4680000-memory.dmp

Filesize
2.6MB

Download
memory/460-1619-0x00000177A36B0000-0x00000177A36C4000-memory.dmp

Filesize
80KB

Download
memory/460-1620-0x00000177A30F0000-0x00000177A30F8000-memory.dmp

Filesize
32KB

Download
memory/460-1621-0x00000177A36D0000-0x00000177A36E4000-memory.dmp

Filesize
80KB

Download
memory/460-1622-0x00000177A36F0000-0x00000177A3718000-memory.dmp

Filesize
160KB

Download
memory/460-1623-0x00000177A3C50000-0x00000177A3CB2000-memory.dmp

Filesize
392KB

Download
memory/460-1624-0x00000177A3BE0000-0x00000177A3BF6000-memory.dmp

Filesize
88KB

Download
memory/460-1625-0x00000177A3C00000-0x00000177A3C20000-memory.dmp

Filesize
128KB

Download
memory/460-1626-0x00000177A4BB0000-0x00000177A50DC000-memory.dmp

Filesize
5.2MB

Download
memory/460-1627-0x00000177A31C0000-0x00000177A31C8000-memory.dmp

Filesize
32KB

Download
memory/460-1628-0x00000177A3630000-0x00000177A3638000-memory.dmp

Filesize
32KB

Download
memory/460-1631-0x00000177A50E0000-0x00000177A558E000-memory.dmp

Filesize
4.7MB

Download
memory/460-1630-0x00000177A3C20000-0x00000177A3C40000-memory.dmp

Filesize
128KB

Download
memory/460-1629-0x00000177A3E90000-0x00000177A3F1E000-memory.dmp

Filesize
568KB

Download
memory/460-1632-0x00000177A3640000-0x00000177A3648000-memory.dmp

Filesize
32KB

Download
memory/460-1633-0x00000177A3650000-0x00000177A3658000-memory.dmp

Filesize
32KB

Download
memory/460-1634-0x00000177A3E30000-0x00000177A3E54000-memory.dmp

Filesize
144KB

Download
memory/460-1635-0x00000177A3E60000-0x00000177A3E76000-memory.dmp

Filesize
88KB

Download
memory/460-1636-0x00000177A4160000-0x00000177A41E6000-memory.dmp

Filesize
536KB

Download
memory/460-1637-0x00000177A3F20000-0x00000177A3F3E000-memory.dmp

Filesize
120KB

Download
memory/460-1638-0x00000177A3F40000-0x00000177A3F64000-memory.dmp

Filesize
144KB

Download
memory/460-1639-0x00000177A4290000-0x00000177A4326000-memory.dmp

Filesize
600KB

Download
memory/460-1641-0x00000177A3C40000-0x00000177A3C4E000-memory.dmp

Filesize
56KB

Download
memory/460-1642-0x00000177A3CC0000-0x00000177A3CC8000-memory.dmp

Filesize
32KB

Download
memory/460-1584-0x000001767DCF0000-0x000001767DCFA000-memory.dmp

Filesize
40KB

Download
memory/460-1646-0x00000177A3E10000-0x00000177A3E18000-memory.dmp

Filesize
32KB

Download
memory/460-1647-0x00000177A41F0000-0x00000177A4228000-memory.dmp

Filesize
224KB

Download
memory/460-1648-0x00000177A4260000-0x00000177A427C000-memory.dmp

Filesize
112KB

Download
memory/460-1649-0x00000177A7D90000-0x00000177A7E4A000-memory.dmp

Filesize
744KB

Download
memory/460-1650-0x00000177A43B0000-0x00000177A43B8000-memory.dmp

Filesize
32KB

Download
memory/460-1652-0x00000177A4BA0000-0x00000177A4BA8000-memory.dmp

Filesize
32KB

Download
memory/460-1653-0x00000177A9C00000-0x00000177A9C08000-memory.dmp

Filesize
32KB

Download
memory/460-1654-0x00000177A9BF0000-0x00000177A9BF8000-memory.dmp

Filesize
32KB

Download
memory/460-1656-0x00000177A9C10000-0x00000177A9C1E000-memory.dmp

Filesize
56KB

Download
memory/460-1655-0x00000177A9C30000-0x00000177A9C3A000-memory.dmp

Filesize
40KB

Download
memory/460-1658-0x00000177A9E60000-0x00000177A9F20000-memory.dmp

Filesize
768KB

Download
memory/460-1663-0x00000177A9C20000-0x00000177A9C2A000-memory.dmp

Filesize
40KB

Download
memory/460-1665-0x00000177A4B90000-0x00000177A4B98000-memory.dmp

Filesize
32KB

Download
memory/460-1664-0x00000177A9C40000-0x00000177A9C48000-memory.dmp

Filesize
32KB

Download
memory/460-1662-0x00000177A9C80000-0x00000177A9C92000-memory.dmp

Filesize
72KB

Download
memory/460-1661-0x00000177A9C60000-0x00000177A9C72000-memory.dmp

Filesize
72KB

Download
memory/460-1660-0x00000177AA230000-0x00000177AA334000-memory.dmp

Filesize
1.0MB

Download
memory/460-1659-0x00000177AA020000-0x00000177AA112000-memory.dmp

Filesize
968KB

Download
memory/460-1657-0x00000177A9CF0000-0x00000177A9DA0000-memory.dmp

Filesize
704KB

Download
memory/460-1582-0x00000177A2ED0000-0x00000177A2F2E000-memory.dmp

Filesize
376KB

Download
memory/460-1581-0x00000177A2A80000-0x00000177A2ACA000-memory.dmp

Filesize
296KB

Download
memory/460-1580-0x000001767DCC0000-0x000001767DCCA000-memory.dmp

Filesize
40KB

Download
memory/460-1579-0x00000177A2870000-0x00000177A28CA000-memory.dmp

Filesize
360KB

Download
memory/460-1578-0x00000177A2830000-0x00000177A2866000-memory.dmp

Filesize
216KB

Download
memory/460-1577-0x00000177A2B50000-0x00000177A2C6E000-memory.dmp

Filesize
1.1MB

Download
memory/460-1576-0x00000177A2930000-0x00000177A2A22000-memory.dmp

Filesize
968KB

Download
memory/460-1575-0x000001767D510000-0x000001767D88C000-memory.dmp

Filesize
3.5MB

Download
memory/1408-1846-0x00007FFDD6EE0000-0x00007FFDD83F9000-memory.dmp

Filesize
21.1MB

Download
memory/1408-1851-0x00000312BC950000-0x00000312BC99E000-memory.dmp

Filesize
312KB

Download
memory/1408-1850-0x000002D221CB0000-0x000002D221CB8000-memory.dmp

Filesize
32KB

Download
memory/2132-1796-0x00007FFE0B330000-0x00007FFE0B332000-memory.dmp

Filesize
8KB

Download
memory/2132-1795-0x00007FFE0B320000-0x00007FFE0B322000-memory.dmp

Filesize
8KB

Download
memory/2132-1790-0x00007FFE0D750000-0x00007FFE0D752000-memory.dmp

Filesize
8KB

Download
memory/2132-1794-0x00007FFE0C350000-0x00007FFE0C352000-memory.dmp

Filesize
8KB

Download
memory/2132-1792-0x00007FFE0D770000-0x00007FFE0D772000-memory.dmp

Filesize
8KB

Download
memory/2132-1793-0x00007FFE0C1D0000-0x00007FFE0C1D2000-memory.dmp

Filesize
8KB

Download
memory/2132-1797-0x00007FFDD6EE0000-0x00007FFDD83F9000-memory.dmp

Filesize
21.1MB

Download
memory/2132-1801-0x00000212FF4A0000-0x00000212FF4A8000-memory.dmp

Filesize
32KB

Download
memory/2132-1802-0x0000021301A10000-0x0000021301A5E000-memory.dmp

Filesize
312KB

Download
memory/2132-1791-0x00007FFE0D760000-0x00007FFE0D762000-memory.dmp

Filesize
8KB

Download
memory/2184-520-0x0000000000CB0000-0x00000000010A6000-memory.dmp

Filesize
4.0MB

Download
memory/2184-530-0x0000000000CB0000-0x00000000010A6000-memory.dmp

Filesize
4.0MB

Download
memory/3108-1869-0x00007FFE0B320000-0x00007FFE0B322000-memory.dmp

Filesize
8KB

Download
memory/3108-1875-0x00000302BC310000-0x00000302BC318000-memory.dmp

Filesize
32KB

Download
memory/3108-1864-0x00007FFE0D750000-0x00007FFE0D752000-memory.dmp

Filesize
8KB

Download
memory/3108-1865-0x00007FFE0D760000-0x00007FFE0D762000-memory.dmp

Filesize
8KB

Download
memory/3108-1866-0x00007FFE0D770000-0x00007FFE0D772000-memory.dmp

Filesize
8KB

Download
memory/3108-1871-0x00007FFDD9450000-0x00007FFDDA969000-memory.dmp

Filesize
21.1MB

Download
memory/3108-1876-0x00000302BC3B0000-0x00000302BC3FE000-memory.dmp

Filesize
312KB

Download
memory/3108-1870-0x00007FFE0B330000-0x00007FFE0B332000-memory.dmp

Filesize
8KB

Download
memory/3108-1867-0x00007FFE0C1D0000-0x00007FFE0C1D2000-memory.dmp

Filesize
8KB

Download
memory/3108-1868-0x00007FFE0C350000-0x00007FFE0C352000-memory.dmp

Filesize
8KB

Download
memory/4984-590-0x000000001C030000-0x000000001C080000-memory.dmp

Filesize
320KB

Download
memory/4984-589-0x000000001BB70000-0x000000001BB8C000-memory.dmp

Filesize
112KB

Download
memory/4984-587-0x000000001BB00000-0x000000001BB0E000-memory.dmp

Filesize
56KB

Download
memory/4984-592-0x000000001BB90000-0x000000001BBA8000-memory.dmp

Filesize
96KB

Download
memory/4984-594-0x000000001BB50000-0x000000001BB5E000-memory.dmp

Filesize
56KB

Download
memory/4984-561-0x0000000000D50000-0x0000000000F36000-memory.dmp

Filesize
1.9MB

Download
memory/4984-596-0x000000001BB60000-0x000000001BB6C000-memory.dmp

Filesize
48KB

Download