njrat | hxxp://discord[.]com

Resubmissions

16-11-2024 01:20

241116-bqc7jsxaka 10

Analysis

max time kernel
1199s
max time network
1200s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://discord.com

Score

10^/10

njrat hacked defense_evasion discovery evasion execution persistence phishing privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

7cpanel.hackcrack.io:46143

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3900	powershell.exe
4892	powershell.exe
3144	powershell.exe
2260	powershell.exe
5496	powershell.exe
1436	powershell.exe
1336	powershell.exe
3496	powershell.exe
3144	powershell.exe
2260	powershell.exe
5496	powershell.exe
1436	powershell.exe
1336	powershell.exe
3496	powershell.exe
3900	powershell.exe
4892	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4264	netsh.exe

A potential corporate email address has been identified in the URL: 6633dd5dcff475e6fb744426_&@2x.png
phishing

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OpenBullet 2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OpenBullet 2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OpenBullet 2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OpenBullet 2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	version.exe

Executes dropped EXE 23 IoCs

pid	Process
5960	OpenBullet 2.exe
4700	Setup.exe
688	Setup.exe
5864	OpenBullet2.exe
3172	svchost.exe
388	svchost.exe
5900	OpenBullet 2.exe
2256	Setup.exe
5256	OpenBullet2.exe
5456	svchost.exe
4944	OpenBullet 2.exe
1792	Setup.exe
6124	OpenBullet2.exe
904	svchost.exe
5624	explorer.exe
4280	version.exe
5812	explorer.exe
5860	OpenBullet 2.exe
4328	Setup.exe
6112	OpenBullet2.exe
4200	svchost.exe
232	OpenBullet.exe
2896	OpenBullet.exe

Loads dropped DLL 40 IoCs

pid	Process
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
232	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe
2896	OpenBullet.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4032	cmd.exe
2652	cmd.exe
6080	cmd.exe
5728	cmd.exe
396	cmd.exe
440	cmd.exe
5860	cmd.exe
2520	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
8	discord.com
15	discord.com
145	discord.com
146	discord.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	Setup.exe
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OpenBullet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OpenBullet.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1272	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{0C1FBEAB-A350-4E9D-B117-0F8418487C06}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4940	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4932	msedge.exe
4932	msedge.exe
2948	msedge.exe
2948	msedge.exe
3408	identity_helper.exe
3408	identity_helper.exe
5656	msedge.exe
5656	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
5512	msedge.exe
5512	msedge.exe
1076	msedge.exe
1076	msedge.exe
3020	msedge.exe
3020	msedge.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe
5624	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4940	vlc.exe
4860	taskmgr.exe
5812	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 53 IoCs

pid	Process
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	3104	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3104	AUDIODG.EXE
Token: 33	5916	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5916	AUDIODG.EXE
Token: SeRestorePrivilege	2396	7zG.exe
Token: 35	2396	7zG.exe
Token: SeSecurityPrivilege	2396	7zG.exe
Token: SeSecurityPrivilege	2396	7zG.exe
Token: SeDebugPrivilege	3172	svchost.exe
Token: SeDebugPrivilege	388	svchost.exe
Token: SeDebugPrivilege	5456	svchost.exe
Token: SeDebugPrivilege	904	svchost.exe
Token: SeDebugPrivilege	5624	explorer.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	5496	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	5812	explorer.exe
Token: SeDebugPrivilege	4860	taskmgr.exe
Token: SeSystemProfilePrivilege	4860	taskmgr.exe
Token: SeCreateGlobalPrivilege	4860	taskmgr.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: SeDebugPrivilege	4200	svchost.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: SeRestorePrivilege	348	7zG.exe
Token: 35	348	7zG.exe
Token: SeSecurityPrivilege	348	7zG.exe
Token: SeSecurityPrivilege	348	7zG.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe
Token: SeIncBasePriorityPrivilege	5812	explorer.exe
Token: 33	5812	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4940	vlc.exe
5624	explorer.exe
5624	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 5056	2948	msedge.exe	83
PID 2948 wrote to memory of 5056	2948	msedge.exe	83
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 3232	2948	msedge.exe	84
PID 2948 wrote to memory of 4932	2948	msedge.exe	85
PID 2948 wrote to memory of 4932	2948	msedge.exe	85
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86
PID 2948 wrote to memory of 4140	2948	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://discord.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb397546f8,0x7ffb39754708,0x7ffb39754718
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2216 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1804 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4164 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2224 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7856 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8060 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7508 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7216 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8460 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8712 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8784 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8896 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9000 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8684 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9108 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9112 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9164 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8864 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9212 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8004 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9176 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9084 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6072939198054215289,7993418106945347503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:5284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x42c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x42c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5008

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\OpenBullet2 v.0.2.4.zip"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap13014:100:7zEvent22450
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Users\Admin\Downloads\OpenBullet2\OpenBullet 2.exe
"C:\Users\Admin\Downloads\OpenBullet2\OpenBullet 2.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5960
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  PID:4700
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3172
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5624
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\yoh33vrj.inf
        5⤵
        
        PID:536
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:5812
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4264
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:688
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:388
- C:\Users\Admin\Downloads\OpenBullet2\OpenBullet2.exe
  "C:\Users\Admin\Downloads\OpenBullet2\OpenBullet2.exe"
  2⤵
  - Executes dropped EXE
  PID:5864

C:\Users\Admin\Downloads\OpenBullet2\OpenBullet 2.exe
"C:\Users\Admin\Downloads\OpenBullet2\OpenBullet 2.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5900
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2256
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5456
- C:\Users\Admin\Downloads\OpenBullet2\OpenBullet2.exe
  "C:\Users\Admin\Downloads\OpenBullet2\OpenBullet2.exe"
  2⤵
  - Executes dropped EXE
  PID:5256

C:\Users\Admin\Downloads\OpenBullet2\OpenBullet 2.exe
"C:\Users\Admin\Downloads\OpenBullet2\OpenBullet 2.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4944
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1792
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- C:\Users\Admin\Downloads\OpenBullet2\OpenBullet2.exe
  "C:\Users\Admin\Downloads\OpenBullet2\OpenBullet2.exe"
  2⤵
  - Executes dropped EXE
  PID:6124

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:4032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:2652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:6080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:5728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:5860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:2520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5496

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Users\Admin\Downloads\OpenBullet2\OpenBullet 2.exe
"C:\Users\Admin\Downloads\OpenBullet2\OpenBullet 2.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5860
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4328
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- C:\Users\Admin\Downloads\OpenBullet2\OpenBullet2.exe
  "C:\Users\Admin\Downloads\OpenBullet2\OpenBullet2.exe"
  2⤵
  - Executes dropped EXE
  PID:6112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:4016

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap13567:82:7zEvent32152
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Users\Admin\Downloads\Release\OpenBullet.exe
"C:\Users\Admin\Downloads\Release\OpenBullet.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:232

C:\Users\Admin\Downloads\Release\OpenBullet.exe
"C:\Users\Admin\Downloads\Release\OpenBullet.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\95c704d2-d3e9-44af-8952-dd7fda539ad0.tmp

Filesize
14KB

MD5
b1b0bb6843059100026528b2c4fd4829

SHA1
a4955fda046838bcbce21da09ed35a7c1efecbf8

SHA256
b2c2bb3c56867e6b6fe1f7a859e03c0f6179f9e18f757c5fa0b3884f72ceba0b

SHA512
bafc29694269790f99fcfa3ff891111c941f223dd94c9e38ae8da4c6746bd914108c9cadc177db3f7676a9215cd1144b8cd975e2cadbd49c13e4c6f30e039def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00009e

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000aa

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000c2

Filesize
67KB

MD5
05cb4b9f101e025994f9686f3999fd43

SHA1
7450f129ea39792645b56de215eaab1d91182fbe

SHA256
07fba84e209fffc2a8eea1a88ec8c77cc92644c9050b7669b212bf1db30663b3

SHA512
9fbf0e99a1f19b362d9e7e31dc0b6f0d49177cea922d9d6acbc1b5a84d1bfce40c3a07e123b5b47ed9a531befc9a2372be3393502b5f00221d74ae23fe80efeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000c5

Filesize
62KB

MD5
6b04ab52540bdc8a646d6e42255a6c4b

SHA1
4cdfc59b5b62dafa3b20d23a165716b5218aa646

SHA256
33353d2328ea91f6abf5fb5c5f3899853dcc724a993b9086cab92d880da99f4d

SHA512
4f3b417c77c65936486388b618a7c047c84fb2e2dd8a470f7fe4ffec1ad6699d02fa9c1bbd551414eef0f2e6747a9ee59ca87198b20f9f4a9a01394ae69fa730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000c6

Filesize
31KB

MD5
c03ff64e7985603de96e7f84ec7dd438

SHA1
dfc067c6cb07b81281561fdfe995aca09c18d0e9

SHA256
0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526

SHA512
bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
8KB

MD5
3a610ced1a5495ab0a06ac10cfd862b5

SHA1
9bdbd620721207cce2beebc947a2018ecc86fb83

SHA256
057c051c26b1b5c9fb9382a2867b0f0987f2b6933a08fa41b6645d9f3aeb3784

SHA512
bbce461bb5b595dbc71d78d250c5fc9d1a5868b43cb61e1f4bd3fcb35829f68ab45281fe41566795bf7b42b1d63fb6ce96c47fa94653dfd7217128ace2cb7889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
618ed9e54d1fb8c38115e23dd046b0c1

SHA1
d65cc471f099e2b92a64c4911e990663ba7cbb14

SHA256
dcf4d4c6714083aa73b3edafdafc458649030cafb8b5fad92dde516d9c95b65c

SHA512
ff58861007d7ed79b01d2714f1f5155020088b8c8570aaac6befb587ff73f169ca6f69d4df8d9d0e0da33cc095359766e14d2f6445d5b7a01cff7d22ff0e74b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9b1c992b967133071fb2ed4e1ab6f87e

SHA1
5e5e7ce3d8cb821515d88e2c07c2f9dfdefe75c9

SHA256
b1595c2690f798ced96624d5114bcd5f4a30ebf1113d4bc63f5dbc40e4360ae7

SHA512
875ed8e96a1cb8df33255ffbeef070fb68ecb7096f8e322d94ac414138cde039ca360e9f071d37e15d469564df117fe77357a5bd617fc2b76118767b98c205e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
71ca09dc5184e74678b671d75ac518bb

SHA1
6f9226954d9be13b3e5a4a262f6dab7f5bff9fe1

SHA256
dda182db75ace7063a216a9e445dccb775e6f69dc23146cb0284a730e2dbe51a

SHA512
726a869d43a0a2d2f8bf2003dfe316a5006afec6efe25abdb8dd714c4207b1c14ddc75c7e5c729f2e3f3223bae585442f5d6a7c427b976a26c9d57f0348393e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
07b12966a8f1efbc26007dffba5f23e7

SHA1
846bab03b639afbbc431626b6ae1d34036cd3af5

SHA256
0aba324cadcd8b522cc69aa0aa219b0380c31b64e7ce0ffb37628908886b6749

SHA512
b1f6c79ddbe39b1fd51635635ea8192628c9f6f545e7bf2fa34492866edb7fac78b1c0e31aa00bc64b759f03ef9386888035dfc1bbc046b9a98f68b7e8dbc362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
7d47df9c8c73580a4b4547197c2477f9

SHA1
8a3d8c6bced087eb35dff0b54266cf2667394b53

SHA256
5d445c61517c10faf4f9078b7a883c279fe6746556924049e6b67f927bdb5bc4

SHA512
e2b7d17139533659eb1b753c414d09e94ed5de46f8278d5f9921c106a862c5e9ca40ba3ed4a3505e762cf326aa2a6c4d3ced9892ada9ab43c4a7944d4693e6f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
1dc414c2ca485a3c2f9a3986ca4c603e

SHA1
7ba76314912e101444331460607af68c2412bbf5

SHA256
91081a38f0aa38956bf56f8e412866fe0540248cd4691cb9c7ca1938a459b639

SHA512
ddf32e5827d114a8e40bc6fef3a572dea61a64de7b40ac7048c261e7bd8fa7610cd28ef4377383206bb3f1b9953e64e27b9236e8fd14f7320b27edb36ba81fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
391833a7c780a9d6ea43ff35abb4e978

SHA1
8c02931b1959884eae35ddeb2a2008705733b71f

SHA256
24f4166c4c35f86c8e6eec7292aad6089b32351eb23dbca91bfbd5bf12ca7810

SHA512
cd555c62ed7167ff5047831058b50b5b945fca8179d65826980832f88f7c65d7c5358c3d5bb283ac0b16ef1005cce29a0c0c2bc2037a4ea85049fc0a18decbfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
10e68c9dddb82d54d8eb74ed282279a4

SHA1
b8e5e84930b81e9316b44ee8ef9d59a70813287e

SHA256
b5db933108ad678be3dc0c63480fec034edf1202d5ef29f9df61e97c385b27b5

SHA512
6eaea85a61479a5d921af6042dd3269415888b8e2110d33728b85ddacf6b78a4785f5455a05a1e826f532047ff53e6d5cf676301f8f6c52cf516ec044c8b6b5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3ace8d7cf83c2a3dada83f085a619093

SHA1
4226be2d20b650cbb3917a5b1834d54206126207

SHA256
3ce4a6d468e26f34d233a40679faa81eafeaa060539e8d11b96ae5fe1059fe16

SHA512
a810488d0b94a00a24d3ba8dc4ebe6a4a1fd01a9ebc65d5ccc64120db5f81f6bbcfafcbbf24ed49d70b6d2a19acb01228b74fd6b2caa3aa154d651310fdb5df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
2f9a044e7523592b7b1cc02d5b045fb8

SHA1
7d0ef996a1ea6f7f56fe944d1aef35ab3a6935e8

SHA256
ccd84950b80307f9e88424d1b1f3997b316d0f826311aeec3688639165fb09d4

SHA512
8722da6c5eedc998dcf4a09e64a95f520c92ac1a5c50f48a4846240aa70cf5893ba40f0db41a2608300ef6f9b517380e84d4c580f3ae239175c77ba7f2c3cd96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d44f9c18790c6d384801736dcaa4c8bd

SHA1
838ce0541852ee4d4408590e4978a4dde3bdbecb

SHA256
b3779bf564f051e84a22f83ad15cac2e85667d4eb343b9ab53d435e3c19df393

SHA512
e673826fa3f1524eab5e56e929247b1412f3831b2663473736475b60b03c5bcfc5e2d086577838fadbcf47979645de9353e1fdd2a36d2949de5db27da6814557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0730b55e157f24567fe6316a81ae383e

SHA1
20a06dace97878064bb4f2b26994d1794edcbf16

SHA256
784b9e40c31d081ed75a960f39ce2ce25e0a7430d426eb4d528fc47298c8cd51

SHA512
e83f7398b8b364a19882cdc6f31c2f1b6630988e895b70666e5cf81bae39ccb4d83caee440cc38145e405de1d39338ba3bebfa734ea7fe6ba04ff5535b50b1e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
14KB

MD5
8ffa48b123bc28e48bb1ab8392c909a6

SHA1
5590e696c8bf3cd1123b34b8088344286ec9ba42

SHA256
dfd48a3819a3556ea801e06e753f8612f2a827470d9e7263e9d0f74d57b5011b

SHA512
1a50ba361d8c98cfbad8c6a75e8669a5c4aa02b60449b78e08843cb0b4e73f8e20eb58399c270a6e170989994a33222d1d0cea8e350327599855af2ec60dc88a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
15KB

MD5
5554d3bae05a09ac8a6cff6d8c7c3dce

SHA1
4c46f9af79c14a131b5e1f3193c54dcf3b166d15

SHA256
cad873b9810ef7d5fcb09821b48e82a3c9eb72099cf1e70fb5090aa7f3931f72

SHA512
738663d98e4d14bc7922f48451728ad217b4dc464f17a49bc4e99165f7ac301d26b3b93280a56550c160ddaa57469eeb4d108c07e540ca97b58a4b424d133f75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
15KB

MD5
eee00204212560aa82aca59a451b780f

SHA1
e09d806e7f7760080d270327cd3057c9d588dc46

SHA256
aa606efa5c56f4cbd2c485d13dd3e37fc13debb734f937c0f98b7da24ea44a19

SHA512
2347a88c5d9942538c033bfb917581858a97bc80420b9fc4a51083911b7e4248ce6efc703be6596bd9ecdeff01fdcf7a4748cda9a25d31b8e4f1a1833512c5e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
59418dbbc8273ec3939e2fe0d869ab28

SHA1
434c6c2122fc43ddcbc4c1080eb4ddfd92379e35

SHA256
f6aecc52042d3b254a7afa47be29b5128ce300d46090fa3989c3ba1fed8f7d9a

SHA512
a2c82e552ffbb64ae8925bb3738011c6c27dec973a47050c1368008cf5585eb6ecc87ab693a34176035e9ca7070ab16df732d6392e21aaeea14b3d88da8f9792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9d6125380e532ef3733b1a7172a7e911

SHA1
4a132cc82e8053362453ff59eaba9323f098106c

SHA256
d7db38d1af31af1854e580d9d5e1b6028a2b4070f78947274f6e22d6f8771f91

SHA512
1c2cf2c42d77336c4a99c8140989d971864ca97aee5739bbea13698b909e45086e6f5bbe4fb81453e18c31a2d6c8f20ea964fd894c025c8c1891cb7479f37ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d4fd9affcd3f10b88316a206a34700e3

SHA1
2961e5b10fc06543605d72d3b6f72297d397c2cc

SHA256
064a72b20f0394a2ddca643e6893c520bfc64bc2be7747472219bef5a2a26652

SHA512
1762248395d3ffc0a74ff24d988420f0cb7b5f53fc6e753d6057168253e0706a4a3ba8443976b3e1678a8c3e9670d8a5a869bcc8694f4a172a9d033d33a7ab1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
59456c723292bffe8bb01a3f7bf976cb

SHA1
6539ddf9c68a4e6b6aa88ad6dcdbd65410f47b3b

SHA256
796b39accf6e8ca6d1a33b91696b831f56b4822ddd05c33e66513481bc97bc03

SHA512
2c92770ae4589dfaee683fa314eee2c2018753910e4712eb084ea3cbf590d881cec3d711c30b9778dff647b252eb725244c6e586f30e5e684e356e2f77b7c44a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
436300b6d700f6f372c6b614389ba81b

SHA1
834392ef4b800448e673d402c8f33a778cab19c9

SHA256
1468fc741a5647261a8b0cc310260111fbe4eb111e3ddf5c8c16905cd8d361cc

SHA512
43799cd75c708c8b67cb4fab87b21d0baf2350388991d7b19a54725e9f1e87bb924f6c06d4ec85c803399ae773b4bb1425b7a85ea7c9ba0c2ca300fdca581aa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
bc70827680d0e3754bc17bc89b36c60b

SHA1
36d6783056bc8307106c06932df4ec0d0817228d

SHA256
ebae88b9e12d71e1df2d9c6141175bcd76a4121c7afafbcbf47a730b6a758a46

SHA512
fff30b9e051377889f5c59a2057d283fb855efd75e9ab75aaa5c7d81e600861d53049b300d51d8871d5a3b922aee5330ab3c44b4a9c3ef8bad0fa6c3c83f6119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f799680ebcfc54ead84182af3f2a7aba

SHA1
9665902afc13a5287e01d9658d7b70532cc94d1b

SHA256
6fb63bde6a16190a8528ab02c9a9cde801d13061995e3c9d90caf1124e74d327

SHA512
ef2defeb8cefbaec34e38b5b42458f4e3554db72f19bc8dbad18031c85fe2b7dded81e2c7c9f016cc6739a7eb90dd84084f7fe441301f17cacb64bac484b522a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7646a89730259268c4ff5c1b0d3f5f40

SHA1
1d2298daf641bde89ca5e912249c73be3790513d

SHA256
a0ff8525df2fbadc67e8b2c31a5c4cd31286a191d190539a98253ca4254a919b

SHA512
c16f296a9251fa6faa9b3f86526d0981be58baec2974059f5f799b625c8c3c0bf1c9884f882aaa0a03d866c2118c68f9e0291a4ac804b8746b7fc3b0e076a575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
ef4d44902ea341dbae4a80b6ee641936

SHA1
c6d4cdf62f8122cec0271e869b94e4ea3aabf149

SHA256
f5a06e3ec59aabe9438e5b0de5a5a0f6b0a2aed0bbfdd2f85f94f7d2ae04e8f3

SHA512
fcdab2f7bcaaba15be92236f7398c025fd027a158df458b81bba530d7e85dddcf30a0aa4e7bbad08734fd63026c896a705a4d01c84077f307a918b9d7e95ffa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
b47582bd4a2bc0d6958e77c9e7f4e644

SHA1
5e8bd4e453fe09655faacc28ff823c4187bb817b

SHA256
9bca626380846bbda954bf7f22bd0d2e28fdf5d82da28ceab47d4c34728aaa16

SHA512
4f1806477817b7e6f072d367425e35154b0ea3e524fc0034470711cdafd6a3a9e7e341ebb361584560df49c1e675a31f8ec8b7ff010bfb5bc745e04cacafd15c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
02c92adfd2fc932cc1b5c87bac249061

SHA1
701e03c842e466149c79477b72a7504df72d29e9

SHA256
a87cea9033fd18d3f45ac12364a61e3b4ac83f340e7be0073459886d6f8241c1

SHA512
e5e4adbb6fed2c4d2636b162ac3dda172ca800955f49c9c3cedb2d6eee766d76a36f80514f004f554886baec6c50401d79accae7a36e6518cc1b7f41861e4b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a1aad8832cd59c204e516f5309be517b

SHA1
9682a5d039145d0d7bc2c7b0499a079005c34766

SHA256
fdc1cd90210996adca14fc0496f93c2e9ee2f2ad422d3c59cea3b0dcdf9b9efe

SHA512
48fa9142245be168d1cac09e259b8fa7e12c09dc36e2651be85017b449b48fd3b497baff5d6c51a59938ffb255842a685f7ceaf84969d0bed2aa35fdc127d9f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe64c3dd.TMP

Filesize
48B

MD5
3a2a9e51299d34775d12e3a11a76d8d4

SHA1
dae1612316093724564f0931b43703f1e24ccb76

SHA256
37dc22dc99ea48ab5046ff3e5c54338db98da00383fd79805e9bc6f581d9f03d

SHA512
56f8a90394c44fdf656ee8dfd70e65904bf13cdc88638b075f9ebc85281654850a6dc8d895f00154800a22a6c4226b755aa9a01b8bcc3b1b695f219e1a12de48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
38f4da7db263d0d7c2f0c9ca8e98c2d3

SHA1
f4d20fe935d4ce3285aa2ee2b06d180fffd846e3

SHA256
1bff9518fe8358a3104e7f0cb4655799ce52ef9185942ab3ac64efcaf16fa9b8

SHA512
6d0ac3c0f48a3866431b543c06852dd1bed06a793b2d5b8965a6e997ac8b4d93efe5aa9b22790eba21bd40d56f0878ffc6c5d7019fb9cbfb5be53ab5c3078a27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
91b37c15a7d9bc21c66d214331c244c7

SHA1
22810430d7383ba69226e0fde26efd1c0a83f2c5

SHA256
7b667e85bb4d152738cca26b0fbe99951e3b0b687b35815cbb2bf8db80076474

SHA512
124498b2e7851d8c52f20f786c6e1e3d45e48ae29940fdc8448d9989cd3ed70a99581ae987da8f640dfb031ee36e38a804491f0cf1275f8653cb2f5fe8cfed67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5aaa4ad3d92841b216c48d683255d6da

SHA1
7b54eb5cd94557f61d31122037ff7352d1610589

SHA256
57269b1afc88dd5d4e41d317dfe32f1997ef0086c960fa9edc0bbb413e2be8ba

SHA512
1ff480f3b8942b1e291b96fc4903cce579d05db5a7deecfb7e6f003c37a51d4e8ff44c50c6d201885846ebef9587b238498029736c8c8bdca23f8da4bb8609d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7f50331b954364761abc354010a4ca4a

SHA1
91cdd1d356e3853ef929188d70160eca79df9454

SHA256
353b82db91c2bf0e2d72a83a78e5434d2726dc1a71165687550189f41ff86879

SHA512
a1932271744184d53e1d28bba90b1133104208faf8d4eba74ef15a237cb2e4ce61218db85a10ed8a93dc73f19033a057948df40c3ef267a16eb9d80bd752fe3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8a2a41e05a6bf5020d1a461bd9dd861e

SHA1
45f9cbc1aba59c3e24a2842059c42d942abda505

SHA256
54669a63d3c0b1a34bb925459e9bad5dc6e9951973cb2e5301c16134dea79c1f

SHA512
e10c3fa2f2e53c34d966cff915c052e1ecd23dd04a7595f7a3646f75e444ace9da9c16bda53a304db4d857525349fc4692eff8bb51c7f3214ef3f4eaac0e5996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bae32f800b3c38868f00bc914d74fb41

SHA1
f3f0909880d884b4c6b7e24898dbfd16f70ec8ed

SHA256
297ac4601a9b1e362f8796cdcbd280f5cb2cd59180ef79e708dbe6e0363ae054

SHA512
1ca47f9b76b927f5b55d4f7ee2911928c3b9f338a0d478da99fc36db749985c3e87c02bd9727870b009566f0bfaf65a20054070628e3b2b6a259483ddd39d1ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ecd453f40ba789639e4a8958a75ee3da

SHA1
d193a4ac88f46acfd119c54ca950cad0cb2732f8

SHA256
e817f5a1bbbd0d0fcf0f64c6aeb864d1ca0399ac98bbf6a04cde2006ac3ef42b

SHA512
afcf78bec4d65d3ac36ad32101711048aa77cfc5a45b2b0602945f6c49c354e037d6cf8916efcf915ca27a862628279efedc1778eec00fbfec1fca5606075fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
5c29d08e04ec5352bd3c2eff51b27dad

SHA1
74d01fa2f14daf8e2c65047b5e03f49c97506b97

SHA256
0395a2b052be6848938706636570d2c0d13df38511925db12e1c290c48a0dc16

SHA512
1618394a360dd3906d214c041f9240eb3a0a9508633ed1432c6744aa9c864eae6ca6918f855cc5e6d21c1c5078b50cec6ce2f1b1ff021c857884cc324f75fcca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
ad6f09f7796b946562a2a1bff2c92282

SHA1
6bbbc005222f5f57cad8b499afaa905174f18c00

SHA256
2920d28d5e627f29652a0d28eefe1e8ed4ae04b5034dde869c4869e98bb249f3

SHA512
1c044b98e6721bbb4f9fa6d6907bbb730cc422dd8736e3aef897031da6367b2f706d4a20fd7f92d306a1932a0ffd9f4f9f4b284f96eca2a8e38828c8ef85b478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
734db72c5437c530e9be628b8fdea941

SHA1
3ae1fb75c9de817723404f3fead10f7bf350d31a

SHA256
c3e22fffc04cc17a13babf16a32e79b74a667ac052106c1d4001a96cf93f84bf

SHA512
734a8893d422ff91913f6b30a012efe10997ad4714e5ada720f162ade4515f7f8efe85f32e26e11ae8436b84db73ff65441015a986d8c39f84f6635801b844f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f64bb8c33753b17bd49070a05e717a9c

SHA1
f39b9cbd2376a512247e5f69f47bccf4ec977e42

SHA256
59eafc4b558184a7d3d1e4e62f17dce9374a3f8b69b056329bec9c79e1a65acb

SHA512
468cf3327a782f0f025f589a7df62c889a4948f3fb4ae0335f572103c39fac1517bd1bbe23116e28be7bb889d18df76ff0d2e201d8b214fe0824cee20eebfd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
3c710f311a0dddd27fb22b59ff6c40d7

SHA1
35f945a2799fc030dcb672fc8492b6d88c0db535

SHA256
df0e3fbe74120b70890eefc1e8ab15a0e4037faa1e392c71236a2f348420f579

SHA512
a0608135c82f43ef7fea367d18392bc803c62692803271152fefc6cada40f87679e62b0ba4fc9ee58256f3eb1a28ef1ae1cf52dd8fa2b72aca5f4bd5415ad72a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
a0a699ebea07e1dd7cfd0167e287cdee

SHA1
b875afca4bdaeda65c75adc3addcf34d9e88411a

SHA256
1bfb510cf4633789bf857da2339be3549966e91e31c1b04555868ce59d9a8168

SHA512
e5292b2df08f64d3b620592f119825b99dd4147465adf834d472dbf82bd665410f64dc1115525fa1086f399a526d89779928ce6597ea6ba67450d83d5da55d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6cb7f116606dde6cb6e0e55f5e21728e

SHA1
130b85777968b5c9bf9e284e17f1f06346d9dcba

SHA256
af894972c7ba1f14ab7642e8a606686f2a2610edb2a16a4f32fa628fee66ee2d

SHA512
5573797ee69c8373a2b0667b3fec88a035a01504a0b77cfcdb6029aab4634c8e7168ea369615f23f1959a11d19d96433718aba40fddb999419004bba6087ab12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
4ff2a6e78dd1b8695d67086bf9b71a40

SHA1
739707a25c173998cd8f54760d129aa352af9d25

SHA256
58b9cee20e61f3ba98c3ee22b29212470390a9bdc34a0dcc050d830575ce2dbe

SHA512
2c6024535eb4f8928958aaf8d609f82a45265d56b287832356138e70b94cb4a71ebb01246af2c29051dc891f27a0c27c92054db47756476d0db5876cfe83a90a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
461d047449bbdd0a8ec9af71f59e9ec6

SHA1
ddb3ecacc7aae2038f501186a52afc9cf690eb0c

SHA256
6116ffa08314bb66e1cacdb42544b77e60d7932dc2a03301d99a34a5f9abac7d

SHA512
bf86bc67510da172f4eff61e8ed6a19e62e46250390b9794ee7390922b302527bd1a236f77f3aa174f1dfcbba48e7d9e0caa4cb1d2af046dd9b4646051ba6290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
faff85292f3f8ab255865696cecd71b5

SHA1
93ddc287d660dcb8a53c6bb49bccdaca2bfc58ff

SHA256
69b748eba31fb7ec2b24c6b814a64547844907e698e1f8404f6f5a2a5359ad63

SHA512
9aea3bc831c42b8e1d15e2d63ae33893bcada502ef1e1d07951d78f6e4c4512ab0a96645772b1a3a45e0889ae9a273e5a177dd895752a88f42ff2662bdd9f3ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a52338358b69cc0724d7ed7c39a46913

SHA1
5b95be13d405956fdc6f74e30c3ab4af841022d2

SHA256
8b6d89457236b274d51e3d1addfd289f20a242a8835bc3b32874e0453a772f4d

SHA512
123b0471826946401b9dae731e2bb932823021bb5d0364903cdc3f48b58b0fb77a0aab66dd249aa2bc31c9171a92d884f1709231707baba762ddec5f312c96c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
82216d16be50cd217442dfa19b5302bc

SHA1
5062ad195d6af438223fd2582110fca0bf12975b

SHA256
09c1c9384a2af19272368521ee9c73f2db00c2448c5626a34ffaa4c0a34e252e

SHA512
bb5089646d2ccf424f1e93f85c966c71e03de4477975f0fdbaaf6f772a3163c76597e4026e4f2ba2d7ec7153a24cd7fecf88c2969298b2cff0ab83eb7df94bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
829f452765bc41eb88165d67c2e9f140

SHA1
f884642efb177ceaf7af3419a341a031af79077c

SHA256
09d1a05b2d2596f146a5f1d40a7ef13574251b29ba951ee15dc17efe1a16c3fd

SHA512
2d2af88b60673c44a90f2dcbcf17eec77e78c3647a7d97c7bebae4712250875d8fe77e45438fce1936db3dd93520c09727943912e327311664c1fbd48247466a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
7a2e2c40316d709c3c579e52404d1db9

SHA1
10fc23ae264bbdac67393c3f68d93e55ef863e03

SHA256
2a07c678063105924f7cf4c9e59727eb3c610e53226a0f6d712b62c7fccdeb37

SHA512
0d399d587f25f8983f1ee655bc90de209d95c5afbedc4369b3d27b474d39a6b7320a08ca81c4ad717ce4818946a2cc0f819c802daad5d6a65efb46e8cc1aba07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
7f76369ef1995225a4135f0a805558db

SHA1
72923c0cd1558cbbef9f68889ce668f3ae74eccc

SHA256
bd764e1b2b2c5586b23e0a8c3a3fe071d77a4934167d847be937cf94e5bdb520

SHA512
5803e2708e583a8f16eb0546fb76c196632743d0469c74c8e25f0a1a84cc443b549b91454d265ec743f9f436fe83fb80c5f88ddf648e1f8add28f8ed14dc1473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
1ae9a82e0136c9daacf31b00e1a38ff7

SHA1
34b836c08ec16b438f9fb9ab9947130849fb50a2

SHA256
dc504dbae1235d06c54cfb97509d6ec552eda72f4c26de34b558a02b7e902abb

SHA512
5e3bcd84c2983aeb5f777285c4374bf483e24f4a68b3af17d5c09431b63a38bccd1a6fa1e8be5379cd66f3c47a9e48b14d13776cb8f1783bd0cb41274e8dbfb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
ea5acbc42dad2dbedf302db2de2d4acb

SHA1
59b050f8cd643b15869690f2946c357c67d600f4

SHA256
d467b9325169da0ca45da050e1e43688ed5a7aab52843a199f8d5c9fc5eea53c

SHA512
52cf983cab6d7860e4368fd5d72148e9efd45ec40f4607e727ce825b0fa3aa378d5bcfd29f049e94933bd08000928249dbab9fda046d47f37af741dbbfa5f5d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
ebbdf6cabb668e77e0f2d44a59ad9852

SHA1
3083c0a691597c17a7d1e17d3df92edd617fbd5b

SHA256
e7710982a2b57d8e61ac0d3c914c0c12f34ad5f34e82fc14b259dc4f869b197d

SHA512
4d0f28682cc686eb8a646021fc0f3e2a5416084c6b0209f1660ed8bfb20b3c8ea1ba7004434c6063c1a1b5231ee3b415e6347d6af26095debdd8f637977d8131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583cd5.TMP

Filesize
872B

MD5
2d8aa86fb32a9f851b74d2f4177b8839

SHA1
276353f596cff4dbf0dbe7eb7544b298a3422168

SHA256
d5517165305ea7b19d0b2c311c538cc36d21cad4c8f2aeffb96945fae6a98188

SHA512
1cce2273b95933a48f1d4667e693cd0fb3849ecdb48c3d72077dff80a03a85b4f5bf2b7153bd79f762b2a820d653bb90289c74666baaf035f1ba0b3c0b305954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6a1ad65ee9244b23a3aa12e75cb683a7

SHA1
08612e6136ce9e25ee41ad5915cef4e4fd6f5c85

SHA256
2c1d05c9e1a4fb9ae8292b7b0545c346fd67d7d77aa9fc2ea85c61dd857673cb

SHA512
37f9d177a50bb11733dadd815af886025cc53fae732f8a9f8ad28195b9ddc8dc94cd83afb8a4a32b3589d665fc89c14f61c3f1610ed10e458f3ce4c1e0bc1909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f8764e4131bd0e2abc8ccebf25ea17b5

SHA1
35209b795545575996a580d6b7a0507236564199

SHA256
bbd60d9b9baf841e4f5fd1ef366d6de4d68d87d75acdb1b6b548ceed9bcc08cc

SHA512
df716f2ed1f90bc082177729330e12cf1132aa1c1b2f0be657d4f0cb93e40c0147a5f256005030c46d54fc94c756169b6e87c6a48c8b076ad957ff6792287e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
52560c62dd4a736d3012994e3322e3aa

SHA1
0b78fa0bc7cddffa6a7eccd9bd4f1208903dbfb7

SHA256
b5fe502d99f265f1fcac138094c4ffa02eb2fb01e88be59b246c98434a1abf08

SHA512
821d2d0a8c342c010e8f1180a6d791f8cba689ca8f5db75c6825403f4919dad51b5a5f8e0830aab49dfa77d1a15d77621e370eb38905846dc81f46ab66fb7a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
28e595de4b3ee6f03f2606a9bc880338

SHA1
081b85712a8666455eb18238cfeaeefc8daf9ce8

SHA256
51f81b3e22f2b1801f9ad076f8ab07b04ac6b39fd719bf7921f532853b54f600

SHA512
d2dad7dbdb14c094e1ff4ec02aeea2b4cd252d63ad1be37632ecc70a72a0aba3b67633a5b8711ec36f5b0a29b91a7af455b8f5ac35ae552ad16a7485db329a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd67d7f022763f7d8f799d749be2101c

SHA1
5939dbfdeacf19a5e4d368a14fcaa2c445352b06

SHA256
1e5e8b7cb58f524c0f919d17259dd80914a8a8007bc66411bf7c06c6774c1a4b

SHA512
bd80fce8c0d2600b21838c18db9b7d9e60689dcf11769c1319c0e445be4a9af8a0f4c269aac5d71a6913e9e2f3ff53f733144d402b6883f5236194b57baf3c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
453KB

MD5
32d785752249c44e16fbcfb314714ba7

SHA1
2d7fe4bad7d7e293db1dc5f3a03115c21c817c22

SHA256
fbb38dc329ee921d8f22619dba7ba1e7a63b6fb0ff172aae8a46a608048a883f

SHA512
a6d66ddfbbaa1f1039d8a989fcc619a21442dececa1f768e5c2b1066e5092718abc5d47b0f18f42819cb646b3e6ed741b77d07989a48e1556565e74568ef83f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dywd0k4.la4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
9b8321cf6adb3c02ff2f34d98153df01

SHA1
ef0a9ee614501a91b9512c2c900568c1ef51a253

SHA256
e52ed2e60f7a9ba3a4c34c765547701f8ac32c2a8635ab6d52299d1b14c8a5c7

SHA512
4e2759adee7af4c57b818ac5e9a39e23add86a6246e09d88915fe715a61d4b0beaac9e051b75695bc885c382276092057b4a2ffe3def9f846d2244c41dbf2194

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
355KB

MD5
c8d3f1f2d0fb683a5a378f734bd2ef85

SHA1
10b9e8b4a3f9ce416b360751e031b85345e6d461

SHA256
a3f037fb54904ef8b1d53e587036c18c6d32bb10a3044d57f9b9eb3aa8dab1c5

SHA512
43badeacbf59ff4e7f1d0e19a622b935567c196cb63ac50df687167c67cd881fc372230111137ce9adb1b794c6b0828adceb156c5d6a45e49d658f793aa19ee1

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
233B

MD5
09e4e4dd0a6479797904a3d39a9766f4

SHA1
87eff361e460b3eba013f8390b367ccb84d6b050

SHA256
65b8227a951cccfd47f61756e989ff659fd4d19ee23a6e5562401643af9d7a70

SHA512
f0db70a84a291fa5f48df446f0278e29f01a4f2bd329c6d8894b1f926a092de819ac7c1a55673872933bf853a22f78b21ddc287a5a98a2a1bff3fbb939474e93

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
874B

MD5
1bca3f592c232cd2ac529702cdf7ef10

SHA1
9f23e0e9104969f45d835d9164c61ed0ada67571

SHA256
41d9789ac90500588d0c43c0594cdfd7bece961bb3a616f966c9cba284ce60ae

SHA512
a3013b5f6c7bc376c536ed7a7967776a79cbe08c2eb4bdbada9cda12d54cd5469ccea28be0f374e257df2e5c7a9ded3028e96654f3e9bc74b3096c28d326d9fe

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
a3454031bcd4f73ce59454d2c69542bc

SHA1
01ecdb3fba50c923aea4683160b324ee9cedf5e3

SHA256
b798d41e0809c7591de61befdaec7dbacce1859ca73c4bfc8e9ed0012c29b5e7

SHA512
9049fb9b6206b27762f904fb9b1dd6065d2fd574b4bf9b483a92798b3570d0f50922c48ca7638cc392021695f3550c7269f6c83ef7dd69b585456ff6aadba8cb

Download Submit
C:\Users\Admin\Downloads\@YeatTheLegit socks5 proxies.txt

Filesize
193KB

MD5
d28c1fb990736e6a178faddc0115c794

SHA1
441e92c2cdff7a9d394671a7d25f1efb750a247b

SHA256
c78ee96d8f8f4b5a34c3705b5979a868a57b481d10a5438c662ae711479debba

SHA512
4a45a97cbc96d46d197c81ede53a75c3f889393fc4805363b5ad56ecce4370140d4bff4e6cd6a0c91f87780a04718a200944843d382a4a315af6cd369f994893

Download Submit
C:\Users\Admin\Downloads\AddBackup.odt

Filesize
590KB

MD5
3b03c99215a40c0896dcc771f3886458

SHA1
9379f389609ac208b38391b1b0203a7a5d92b299

SHA256
c0c07e680b7a87bb0b3269439982717b77749647ebfaa99b3b1740860ab7dd66

SHA512
df51165ff2d03b1513d7ccafc7a341b6500eea92f83dfb890b39539103bc2f1e7171cb11b0972c97bc00f6431744e0ac961ed94e7aab47d28d6b6bfa9ac3bd24

Download Submit
C:\Users\Admin\Downloads\CompressCompare.cfg

Filesize
482KB

MD5
0f69d3e3c835ee5fef4b7edb17cfde2f

SHA1
28ec27794b9511663e4295250cf59a68edff4081

SHA256
4e9a9989c518cf98360381596783aa99bb62306846c9247000db7d16ae233290

SHA512
65c26e5431128a2205279be3c4b71a329c9b20b214bbc449d566b31ce2d26068dcf1e4b9fa994a24e04528c2a561c2a85030f03dc7da9887ae62d9618efbcad6

Download Submit
C:\Users\Admin\Downloads\DenyConnect.emz

Filesize
313KB

MD5
4f6cf93ae2a44d68fd86620eb640c1f8

SHA1
6c08083e036632be558f56ab63b56e3ee24ad325

SHA256
04c012e5cc48049d44cbfe71fc811dff73cd9c7a193dcee72f788ee3778b4ee9

SHA512
06594fd26566fd939a98b816e6aad468142ff4a150bf82abcc2b23e7efeb86f584c4064d0451fbe5dd2d93469c3625973b0818295b247e319cb31e62861f319c

Download Submit
C:\Users\Admin\Downloads\EnterRestart.pptx

Filesize
566KB

MD5
e11331eb01d57527421c9ea459d8551c

SHA1
b1a7cccf88fec4c5b06e73516f3acbbd2193a510

SHA256
12ffa19184ad2b941ce036a88641687909a9031e5b291aa67e24b29c2c1858c3

SHA512
93a2b06032002437d21deb195df333149e54ce8e4d955efeb6013fd1125e110ccf2f9fb386a1dd949b45a30de8e14c7d75f3d401e73eafae89bbc1c0fc3ddfac

Download Submit
C:\Users\Admin\Downloads\NewCheckpoint.cmd

Filesize
602KB

MD5
df1b585e5dd555e5e072c0ba7d22188a

SHA1
213b8b2965876804523eae875cab6dfbeba3e35a

SHA256
9aee30c6380c3ff089c06ec9cefa52a680e4967d33984c9f95d902a5c50e1b06

SHA512
573d6bdc97622bf66ca1e06ed6a5565ab6d06be06ca7e5a7e28fc90b026542388e3b6a5917cd7b4cacd8c9345099eee195eaf76182de28727546b385d4488c64

Download Submit
C:\Users\Admin\Downloads\NewPop.mpg

Filesize
289KB

MD5
9aaf2d67de27f3b960d8ceca79c5bf48

SHA1
e7989af83a23fdc0e471855257848d760ebc7a21

SHA256
bda3b763f3406e440405cb18a7a6cfee243a4063bf42d26abde2c1914debbb00

SHA512
9d9a0a26961390849192177a0f904e210f0636e06d28c8c6bfa0081a67e32a608a5e832b384d5b03b11f3c6c52fda93391b1f150851d8f9bc444893c144af565

Download Submit
C:\Users\Admin\Downloads\OpenBullet2\OpenBullet2.exe

Filesize
158KB

MD5
9a6ce92e6fd77b02d7b338e2303ce742

SHA1
93e4ea93a2d32b2fdbbfa9e4b82183fd31cdc996

SHA256
e323d90f08c638baba3b8ffd06be2be209ecd3ea9072bb8179a56be4651d4850

SHA512
686e9c8aa997a3ade2efc468094d82dd5a546684ccba1b87b1e3e0e9f91aa68db4f3bcbae1de0b8c3da3c7fc01f58ad74c34797742e3f716cf5a18dadce5a709

Download Submit
C:\Users\Admin\Downloads\OpenBullet2\wwwroot\_content\Radzen.Blazor\css\humanistic-base.css

Filesize
126KB

MD5
261ce53d876c215be1f44fee0899edce

SHA1
425851afe9704c08bd9787cc9626628fcb6962dc

SHA256
213b9726acd813c56ffc22f87e34d5f96f05b62d3b76848e567edd4e40b706a2

SHA512
1dbd27a4956932b09d4ada8855ae24132f60b533dc11ffa44194372b6ccc031c5d42332827613c21dcaab05a9dfcd5ea0d3d62e8cb33a58dbd7900680b947988

Download Submit
C:\Users\Admin\Downloads\OptimizeUnlock.vsd

Filesize
361KB

MD5
333ab7d0c380d5fe30bb91feb9ee6626

SHA1
c13c4a1a2ef649345975919d42686a55cc0f9b14

SHA256
742d6ff5a6c3687faf346ff62b8ff5bb0855401084e7ad93e44aa17df0c3a504

SHA512
a7e1309768ba64a6eed37deb4e9c8e669d7f5de49902f7c59122ffac95f58271c181821ab329a2a3c8a619b2cb94b7df56fccd7b1798205bf1f5ee9269599e06

Download Submit
C:\Users\Admin\Downloads\Release\DB\OpenBullet-BackupCopy.db

Filesize
8KB

MD5
0ed578b5d42ac4b31417d062700e372f

SHA1
cc784577152e7aaf6b8cb28405e1c366eaaa93e8

SHA256
b2c3fa1ae8edfbe86281cc98f71392d56b86acf03fdf570ff6ca0197095667e1

SHA512
9c7b27cf4286874af157012491f5355fd8f201842bc2f4fdd74cfa21df0fb1f6d27157038ccb4638698bd635d1e3322dafd06e58c00ea0ad7e77d9d3fe4a473b

Download Submit
C:\Users\Admin\Downloads\Release\DB\OpenBullet.db

Filesize
20KB

MD5
b6397eac48ee5327e9530d8ba5c276c5

SHA1
f812f7d45543ac09364d7af9dc7f1f6107513501

SHA256
98d8df8b9b53b258a60cbf4c634a538a7c31ae129a9d3173d2afe00a0cc8d5aa

SHA512
351137073811fb2d2b76df2aafffaf7d02a7f3366f4c6796ca022390547baee95921f276d3032bfd0e18e9ae4d76d1bdf8444cc05205116b56ad0bd1fa7e85cd

Download Submit
C:\Users\Admin\Downloads\ShowUpdate.html

Filesize
626KB

MD5
382fce306b943786b53c503dd15e6c61

SHA1
bd35b90d2e19a40b535c57177cca28466d48af16

SHA256
f79a5170b3db988ac499470fb8b677b4d498fb960420a776db02374c1dcd3627

SHA512
8a470cee695d1040520e102a0ed29c93ec10675bb5b53e9f88796b8f1591c42c5b2fe150f3210166740c0e726e707313c1c5a0e39d8b7277df5bd018476a2151

Download Submit
C:\Users\Admin\Downloads\StartCopy.tif

Filesize
614KB

MD5
1739b69e58f3a014448ea9327e7a7985

SHA1
32f7acfafaa3351eb4e6aea00c7df3e6f065b687

SHA256
f2241ae16b98dbe3314d060e9300ca6c703b8e0071cd3beb1bc3ffb64e8409c1

SHA512
9e5553edac488988094729abe3f6066992e169e978f10cdc0cee832df627deb0e2720d6c2cdebcfedeb38ad9061f1b04b58142e6169ee85a716314f56de8fee9

Download Submit
C:\Users\Admin\Downloads\StartNew.mp3

Filesize
434KB

MD5
fccf36cca40fdbe09576919509b4c587

SHA1
59d206909ed2705347afbaa08338b6bcdf7aac68

SHA256
567f633b5e9b48985f1884e1eee86c27fae6a9c00d6a545cac0a3f7c157e565f

SHA512
3edb774646c58f19eb7b1d437f7acb049ec390729c4b0995a42115ef2c1447cfc31da3c2e27f5836f30512b57f449e998748f612dc6b3cd3887d1c93b233d344

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 433358.crdownload

Filesize
11.8MB

MD5
90f1638520011bfc42e7168d81fe697f

SHA1
ad02b534269f5c37553a95d8a89f5bda3fac4661

SHA256
60e99f67ea7080e78041b8c582500da516d0b2f75d4b65c9b5f2de686dc75dd5

SHA512
a96cc707ffe1d31eaeda91aa438c9a2d21291f373a37046d4cd12d25e9173403a77ecd924c9acf0373afcec88c425e7db34868b0d47c9f3f215407f1df633707

Download Submit
memory/232-4698-0x0000000005F40000-0x0000000005F48000-memory.dmp

Filesize
32KB

Download
memory/232-4663-0x0000000005D60000-0x0000000005E10000-memory.dmp

Filesize
704KB

Download
memory/232-4642-0x0000000005740000-0x0000000005764000-memory.dmp

Filesize
144KB

Download
memory/232-4643-0x00000000057D0000-0x000000000582E000-memory.dmp

Filesize
376KB

Download
memory/232-4702-0x000000000AF80000-0x000000000AF9C000-memory.dmp

Filesize
112KB

Download
memory/232-4701-0x00000000086D0000-0x00000000086DE000-memory.dmp

Filesize
56KB

Download
memory/232-4700-0x0000000008700000-0x0000000008738000-memory.dmp

Filesize
224KB

Download
memory/232-4699-0x0000000008080000-0x0000000008088000-memory.dmp

Filesize
32KB

Download
memory/232-4697-0x0000000008770000-0x0000000008892000-memory.dmp

Filesize
1.1MB

Download
memory/232-4696-0x0000000007FF0000-0x0000000008068000-memory.dmp

Filesize
480KB

Download
memory/232-4665-0x0000000007BE0000-0x0000000007F34000-memory.dmp

Filesize
3.3MB

Download
memory/232-4664-0x00000000072B0000-0x00000000072D2000-memory.dmp

Filesize
136KB

Download
memory/232-4644-0x0000000005BB0000-0x0000000005C26000-memory.dmp

Filesize
472KB

Download
memory/232-4662-0x0000000008090000-0x0000000008634000-memory.dmp

Filesize
5.6MB

Download
memory/232-4634-0x0000000000560000-0x0000000000688000-memory.dmp

Filesize
1.2MB

Download
memory/232-4635-0x0000000005040000-0x0000000005060000-memory.dmp

Filesize
128KB

Download
memory/232-4636-0x0000000005420000-0x000000000543C000-memory.dmp

Filesize
112KB

Download
memory/232-4637-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/232-4638-0x0000000005670000-0x00000000056BA000-memory.dmp

Filesize
296KB

Download
memory/232-4639-0x0000000005590000-0x0000000005598000-memory.dmp

Filesize
32KB

Download
memory/232-4640-0x00000000056C0000-0x00000000056E2000-memory.dmp

Filesize
136KB

Download
memory/232-4641-0x00000000056F0000-0x000000000570A000-memory.dmp

Filesize
104KB

Download
memory/232-4645-0x0000000005B30000-0x0000000005B4E000-memory.dmp

Filesize
120KB

Download
memory/2896-4731-0x000000000ACD0000-0x000000000ACDA000-memory.dmp

Filesize
40KB

Download
memory/2896-4726-0x00000000058C0000-0x0000000005C14000-memory.dmp

Filesize
3.3MB

Download
memory/3172-3945-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/3496-3990-0x0000016F148E0000-0x0000016F14902000-memory.dmp

Filesize
136KB

Download
memory/4700-3933-0x000000001AE90000-0x000000001AEBA000-memory.dmp

Filesize
168KB

Download
memory/4860-4277-0x000001E99C350000-0x000001E99C351000-memory.dmp

Filesize
4KB

Download
memory/4860-4274-0x000001E99C350000-0x000001E99C351000-memory.dmp

Filesize
4KB

Download
memory/4860-4269-0x000001E99C350000-0x000001E99C351000-memory.dmp

Filesize
4KB

Download
memory/4860-4268-0x000001E99C350000-0x000001E99C351000-memory.dmp

Filesize
4KB

Download
memory/4860-4278-0x000001E99C350000-0x000001E99C351000-memory.dmp

Filesize
4KB

Download
memory/4860-4276-0x000001E99C350000-0x000001E99C351000-memory.dmp

Filesize
4KB

Download
memory/4860-4279-0x000001E99C350000-0x000001E99C351000-memory.dmp

Filesize
4KB

Download
memory/4860-4275-0x000001E99C350000-0x000001E99C351000-memory.dmp

Filesize
4KB

Download
memory/4860-4270-0x000001E99C350000-0x000001E99C351000-memory.dmp

Filesize
4KB

Download
memory/4860-4280-0x000001E99C350000-0x000001E99C351000-memory.dmp

Filesize
4KB

Download
memory/4940-1642-0x00007FF6BD5D0000-0x00007FF6BD6C8000-memory.dmp

Filesize
992KB

Download
memory/4940-1644-0x00007FFB26650000-0x00007FFB26906000-memory.dmp

Filesize
2.7MB

Download
memory/4940-1643-0x00007FFB36270000-0x00007FFB362A4000-memory.dmp

Filesize
208KB

Download
memory/4940-1645-0x00007FFB25390000-0x00007FFB26440000-memory.dmp

Filesize
16.7MB

Download
memory/5624-3987-0x0000000001350000-0x0000000001358000-memory.dmp

Filesize
32KB

Download
memory/5624-3988-0x000000001B950000-0x000000001B95C000-memory.dmp

Filesize
48KB

Download
memory/5960-3912-0x000000001C650000-0x000000001C6EC000-memory.dmp

Filesize
624KB

Download
memory/5960-3911-0x000000001C0E0000-0x000000001C5AE000-memory.dmp

Filesize
4.8MB

Download
memory/5960-3910-0x000000001BB40000-0x000000001BBE6000-memory.dmp

Filesize
664KB

Download