03c35fcb1d10cf478c0b9896699937e6e262daa4f4a4353a7cc56b238fe86892

Analysis

max time kernel
87s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spsetup133.exe
Size

18.0MB
MD5

b86b975448d0b27727ac9c849318cbf2
SHA1

938c2d249c9bf7978b4828b9028b95b122ceefc3
SHA256

03c35fcb1d10cf478c0b9896699937e6e262daa4f4a4353a7cc56b238fe86892
SHA512

3c82955edde3f45fb45875223253351fe1938f58a307a4f7bc85a3971a5a92cddecd3d2bef31ccc60e233eb8a532ed4ab0f1708384cc4db91c02255e832a698d
SSDEEP

393216:vAfGg4AOfBzN0sIPREFXSIqGiAINgIF/x5kfSY1PfMhKokebZyjzJ:vAfGg4A+NN0xWoI2g+S6GPfMwovM

Score

7^/10

bootkit discovery evasion lateral_movement persistence phishing spyware stealer trojan

Malware Config

Signatures

A potential corporate email address has been identified in the URL: 67C716D751E567F70A490D4C@AdobeOrg
phishing
Downloads MZ/PE file

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Speccy64.exe
File opened (read-only)	\??\K:	Speccy64.exe
File opened (read-only)	\??\E:	Speccy64.exe
File opened (read-only)	\??\H:	Speccy64.exe
File opened (read-only)	\??\M:	Speccy64.exe
File opened (read-only)	\??\N:	Speccy64.exe
File opened (read-only)	\??\P:	Speccy64.exe
File opened (read-only)	\??\Y:	Speccy64.exe
File opened (read-only)	\??\X:	Speccy64.exe
File opened (read-only)	\??\A:	Speccy64.exe
File opened (read-only)	\??\G:	Speccy64.exe
File opened (read-only)	\??\I:	Speccy64.exe
File opened (read-only)	\??\Q:	Speccy64.exe
File opened (read-only)	\??\S:	Speccy64.exe
File opened (read-only)	\??\U:	Speccy64.exe
File opened (read-only)	\??\V:	Speccy64.exe
File opened (read-only)	\??\B:	Speccy64.exe
File opened (read-only)	\??\L:	Speccy64.exe
File opened (read-only)	\??\O:	Speccy64.exe
File opened (read-only)	\??\R:	Speccy64.exe
File opened (read-only)	\??\T:	Speccy64.exe
File opened (read-only)	\??\W:	Speccy64.exe
File opened (read-only)	\??\Z:	Speccy64.exe

Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

lateral_movement

SMB/Windows Admin Shares

T1021.002

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	Speccy64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Speccy64.exe
File opened for modification	\??\PHYSICALDRIVE0	Speccy64.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spsetup133.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Speccy64.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	Speccy64.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	Speccy64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	Speccy64.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	Speccy64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Speccy\Lang\lang-1045.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1062.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1058.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1026.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1031.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1058.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1068.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1038.dll	spsetup133.exe
File created	C:\Program Files\Speccy\cpuidsdk.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1049.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1026.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1045.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1052.dll	spsetup133.exe
File opened for modification	C:\Program Files\Speccy\lil.log	Speccy64.exe
File created	C:\Program Files\Speccy\Lang\lang-1068.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1037.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1040.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1050.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-3098.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-9999.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1041.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1053.dll	spsetup133.exe
File created	C:\Program Files\Speccy\uninst.exe	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1036.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1035.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-5146.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1036.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1037.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1040.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1102.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1034.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1038.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1053.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1067.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1102.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1066.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1059.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-2074.dll	spsetup133.exe
File created	C:\Program Files\Speccy\cpuidsdk.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1051.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-2070.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1050.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Speccy64.exe	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1034.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1035.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1067.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Speccy.exe	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1051.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1066.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-2074.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-3098.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1043.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1046.dll	spsetup133.exe
File created	C:\Program Files\Speccy\uninst.exe	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1031.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1055.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1062.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1071.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-9999.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1041.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1052.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1055.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1071.dll	spsetup133.exe
File created	C:\Program Files\Speccy\Lang\lang-1079.dll	spsetup133.exe

Executes dropped EXE 4 IoCs

pid	Process
5820	spsetup133.exe
2228	spsetup133.exe
5924	spsetup133.exe
5756	Speccy64.exe

Loads dropped DLL 64 IoCs

pid	Process
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
5820	spsetup133.exe
5820	spsetup133.exe
5820	spsetup133.exe
5820	spsetup133.exe
5924	spsetup133.exe
5924	spsetup133.exe
5924	spsetup133.exe
5924	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
5924	spsetup133.exe
5924	spsetup133.exe
5924	spsetup133.exe
5820	spsetup133.exe
5820	spsetup133.exe
5820	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Speccy64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spsetup133.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spsetup133.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spsetup133.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spsetup133.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Speccy64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	Speccy64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Speccy64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	Speccy64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Speccy64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Speccy64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	Speccy64.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Speccy64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Speccy64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY	spsetup133.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\ = "Speccy Snapshot"	spsetup133.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\shell	spsetup133.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\shell\ = "open"	spsetup133.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\shell\open\command\ = "\"C:\\Program Files\\Speccy\\Speccy64.exe\" \"%1\""	spsetup133.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\DefaultIcon	spsetup133.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\shell\open	spsetup133.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.speccy\ = "Speccy.SPECCY"	spsetup133.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\shell\open\command	spsetup133.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.speccy	spsetup133.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\shell\open\command\ = "\"C:\\Program Files\\Speccy\\Speccy64.exe\" \"%1\""	spsetup133.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.speccy\ = "Speccy.SPECCY"	spsetup133.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\DefaultIcon\ = "C:\\Program Files\\Speccy\\Speccy64.exe,0"	spsetup133.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\shell\open\command	spsetup133.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.speccy	spsetup133.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 735188.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
1932	msedge.exe
1932	msedge.exe
3148	msedge.exe
3148	msedge.exe
1120	msedge.exe
1120	msedge.exe
3112	identity_helper.exe
3112	identity_helper.exe
5688	msedge.exe
5688	msedge.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	4000	spsetup133.exe
Token: SeRestorePrivilege	2228	spsetup133.exe
Token: SeLoadDriverPrivilege	5756	Speccy64.exe
Token: SeLoadDriverPrivilege	5756	Speccy64.exe
Token: SeShutdownPrivilege	5756	Speccy64.exe
Token: SeCreatePagefilePrivilege	5756	Speccy64.exe
Token: SeDebugPrivilege	5756	Speccy64.exe
Token: SeShutdownPrivilege	5756	Speccy64.exe
Token: SeCreatePagefilePrivilege	5756	Speccy64.exe
Token: SeShutdownPrivilege	5756	Speccy64.exe
Token: SeCreatePagefilePrivilege	5756	Speccy64.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
5756	Speccy64.exe
5756	Speccy64.exe
5756	Speccy64.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
4000	spsetup133.exe
5820	spsetup133.exe
2228	spsetup133.exe
5924	spsetup133.exe
5924	spsetup133.exe
5924	spsetup133.exe
5820	spsetup133.exe
5820	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
2228	spsetup133.exe
5756	Speccy64.exe
5756	Speccy64.exe
100	java.exe
4148	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 1120	4000	spsetup133.exe	91
PID 4000 wrote to memory of 1120	4000	spsetup133.exe	91
PID 4000 wrote to memory of 1696	4000	spsetup133.exe	92
PID 4000 wrote to memory of 1696	4000	spsetup133.exe	92
PID 1120 wrote to memory of 4548	1120	msedge.exe	93
PID 1120 wrote to memory of 4548	1120	msedge.exe	93
PID 1696 wrote to memory of 1412	1696	msedge.exe	94
PID 1696 wrote to memory of 1412	1696	msedge.exe	94
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 776	1120	msedge.exe	95
PID 1120 wrote to memory of 3148	1120	msedge.exe	96
PID 1120 wrote to memory of 3148	1120	msedge.exe	96
PID 1696 wrote to memory of 2540	1696	msedge.exe	97
PID 1696 wrote to memory of 2540	1696	msedge.exe	97
PID 1696 wrote to memory of 2540	1696	msedge.exe	97
PID 1696 wrote to memory of 2540	1696	msedge.exe	97
PID 1696 wrote to memory of 2540	1696	msedge.exe	97
PID 1696 wrote to memory of 2540	1696	msedge.exe	97
PID 1696 wrote to memory of 2540	1696	msedge.exe	97
PID 1696 wrote to memory of 2540	1696	msedge.exe	97
PID 1696 wrote to memory of 2540	1696	msedge.exe	97
PID 1696 wrote to memory of 2540	1696	msedge.exe	97
PID 1696 wrote to memory of 2540	1696	msedge.exe	97
PID 1696 wrote to memory of 2540	1696	msedge.exe	97
PID 1696 wrote to memory of 2540	1696	msedge.exe	97
PID 1696 wrote to memory of 2540	1696	msedge.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\spsetup133.exe
"C:\Users\Admin\AppData\Local\Temp\spsetup133.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=4&v=1.33.75&l=1033&b=1&a=0
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec5a246f8,0x7ffec5a24708,0x7ffec5a24718
    3⤵
    PID:4548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
    3⤵
    PID:776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
    3⤵
    PID:3560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:2180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:2156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
    3⤵
    PID:4800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
    3⤵
    PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
    3⤵
    PID:1588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:1116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    3⤵
    PID:3928
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:8
    3⤵
    PID:220
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
    3⤵
    PID:1400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
    3⤵
    PID:2896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
    3⤵
    PID:440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
    3⤵
    PID:4000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
    3⤵
    PID:5384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
    3⤵
    PID:5284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1280 /prefetch:8
    3⤵
    PID:5292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6708 /prefetch:8
    3⤵
    PID:5208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6904 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5688
- - C:\Users\Admin\Downloads\spsetup133.exe
    "C:\Users\Admin\Downloads\spsetup133.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5820
- - C:\Users\Admin\Downloads\spsetup133.exe
    "C:\Users\Admin\Downloads\spsetup133.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=4&v=1.33.75&l=1033&b=1&a=0
      4⤵
      PID:6036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x118,0x128,0x7ffec5a246f8,0x7ffec5a24708,0x7ffec5a24718
        5⤵
        
        PID:5848
  - - C:\Program Files\Speccy\Speccy64.exe
      "C:\Program Files\Speccy\Speccy64.exe"
      4⤵
      Enumerates connected drives
      Remote Services: SMB/Windows Admin Shares
      Writes to the Master Boot Record (MBR)
      Checks computer location settings
      Drops file in System32 directory
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Checks SCSI registry key(s)
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:5756
    - - C:\Program Files\Java\jre-1.8\bin\java.exe
        
        "C:\Program Files\Java\jre-1.8\bin\java" -version
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:100
    - - C:\Program Files\Java\jdk-1.8\bin\java.exe
        
        "C:\Program Files\Java\jdk-1.8\bin\java" -version
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4148
    - - C:\Windows\system32\secedit.exe
        
        /export /cfg "C:\Users\Admin\AppData\Local\Temp\spc_se.txt" /quiet /areas SECURITYPOLICY
        5⤵
        
        PID:5528
- - C:\Users\Admin\Downloads\spsetup133.exe
    "C:\Users\Admin\Downloads\spsetup133.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
    3⤵
    PID:6084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,928122416670948075,18417550045135444276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
    3⤵
    PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=4&v=1.33.75&l=1033&b=1&a=0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffec5a246f8,0x7ffec5a24708,0x7ffec5a24718
    3⤵
    PID:1412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,16737216281305120038,8852626804357838158,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    3⤵
    PID:2540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,16737216281305120038,8852626804357838158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:720

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Services

T1021

SMB/Windows Admin Shares

T1021.002

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Speccy\Speccy64.exe

Filesize
19.9MB

MD5
2ca180dc33ac40d68290c310bc07b2c2

SHA1
dc566cc0f653a27436ef32b1410e0d1109371d09

SHA256
af7352096175a8e5bd4f78d0f22b1c6391d2f8d4f888cb1df120b1bd27b643c3

SHA512
9248f4544698d7da2004595dcaafde4356f70366492e85b873012123b3c23784e5d0c4911d97564e8c04ea5cea72df1beb8f56674c0645a1a6c863bccff10bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
995d7f2fdadd1b04253f3daab03280ff

SHA1
9b1b2986d4f0f37c08806df2f805d1965f0feeff

SHA256
a7f140f888f2befb6c07ad0b7620b3fc160954bfe9061a33a5af653fbb52bfbe

SHA512
dd993cfba8252b76b01b09801caa0abd10213caeb69207904469c8d6d0a60a4be1d4424adc95b45d63232051c33e9405d90cd00bd2c3d54e12a4386bbf60b1dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
447d104ef594de68c580598bfa39f0ef

SHA1
0bc9ec6f3ba84b66cd73999530ea84e748c8b65c

SHA256
472554cf5de99d19f8f53228abffdff3639bfff369de41c2252df7f5147b7573

SHA512
dbc646603b55510182adbb47a446d35fd2552925ab5a876f7f6135882965d3485a3802f18338dbe41669f65c36102835842084494337708d92edbc3696fc792f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
58KB

MD5
ceafb9820a6ddac995709949c0de3e28

SHA1
c85cc67440d4e2d0454f90a1903195e02b2a5aed

SHA256
894738c70ed198e59b39e027aaa4c98efe44cc5b6d9842bd0e92f96e57cb5ff8

SHA512
2773b12e776bc327140429cd50784dc64edc4b746294d0500dffd00ba3b40cfcf5ea9e0ec98c3ddd4150f93347b97705b4c6f7dc89aeb3e069311e69f7b6d93f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
216KB

MD5
57184bcbc53c535b003305d92e382fb8

SHA1
9e0786151d151fcae1c2325629251859e423078b

SHA256
4d1ee1bb0a49d41c061d5aee2492e821b3271861ac055a152d7c057273e3aa62

SHA512
764a2b66a87279255d15c9a725bc82f8b883363f6d61588230cac18e41c2fc6541fc8c120f50fc5430be1ae45f355eb3c4b810fafa1ff0cb3784cb0d3b1e2b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
18KB

MD5
8eff0b8045fd1959e117f85654ae7770

SHA1
227fee13ceb7c410b5c0bb8000258b6643cb6255

SHA256
89978e658e840b927dddb5cb3a835c7d8526ece79933bd9f3096b301fe1a8571

SHA512
2e4fb65caab06f02e341e9ba4fb217d682338881daba3518a0df8df724e0496e1af613db8e2f65b42b9e82703ba58916b5f5abb68c807c78a88577030a6c2058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
59KB

MD5
6353ca7708f96a35d266bf04c7a5a7ef

SHA1
61a982869a402a730e139bce462ea0c049980afe

SHA256
e41cf10f3e6bdd603ba9a9453bb91d75f0f69df58f3f7bca49b63eaa6fe607de

SHA512
d321a3aaaee8c0236b3e9b0bc426c9aaf595dcbdca583df5c93f04a13f1c0a552aa98eb48054c1d0fddd77752b3867e1be3dfb3b912e21c4c9a5400fec9e3f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
18KB

MD5
c83e4437a53d7f849f9d32df3d6b68f3

SHA1
fabea5ad92ed3e2431659b02e7624df30d0c6bbc

SHA256
d9bada3a44bb2ffa66dec5cc781cafc9ef17ed876cd9b0c5f7ef18228b63cebb

SHA512
c2ca1630f7229dd2dec37e0722f769dd94fd115eefa8eeba40f9bb09e4fdab7cc7d15f3deea23f50911feae22bae96341a5baca20b59c7982caf7a91a51e152f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
97KB

MD5
6b251750f94089b7b2cd073384f57f1f

SHA1
4e73e2ea55aa490c0b8e89c1ab9534f3268c5107

SHA256
0d5b8edba384058da65dc69f01a087c2f2b849ddd707dedfcd35450bf49c6bf7

SHA512
f5455cc4155c13bfef2299b6d99c269b45f2509796d1e5ed68db0fa688497c3d02615db1ae1033d3ea8bb9bf77460509f3d763b9a7365feb681a2f5a3de42969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
35KB

MD5
5705de13cbd135d4b033797ce78f137c

SHA1
c9000e487988866c48aca187c47aee876ab608aa

SHA256
ee67ba5a0e3347b7317278ba94247c16121db3a79a2578b7bea931524629d98b

SHA512
b9a168a136fad76813c3dfc55c04c22df87ee506f7d5a6774c70573df9724c2bef1650aad4ae0dac2500d2b3510f162ff861db5552d052fa481b78c86cebdd97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
118KB

MD5
63f7ec05e12b47d10a16c156f9f358e7

SHA1
f1813d1e0641b141cd75d5f17f9d85a5757bffde

SHA256
f9913dc1c6c8812f30e2b77fbe2d022f406be783e9b7ed7777fa29aa63ec9864

SHA512
d4ebf782e7703f1c4355c2ea710e8878bd7ffd771d0f8fe8421f097e33f7a15ae619c93c032f32d7278863900ac3f4cbac97fe14bb027829f2c64835ab39daf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
20KB

MD5
2de13725f22827f3b6d66c113f55fb10

SHA1
4cf917de95729023d4099728cfeb24539b354814

SHA256
e0e16342b7ca4f029dcbe2c9c87a29a25406cddb46be331cc9a53d2098dd9e79

SHA512
636a0f1f031b71a5a5b0b5cdd522ea9fa90284c7da8eec51825b58592fb58b0179b7d2de888e14d956c0c2f7e811f519ae55bf6b59075035a146530321c49e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
85KB

MD5
f1ab43064d4f7b6ad3b55e61d409e190

SHA1
575bcf046b389c83f6fcec86e6ed6da17e3781f2

SHA256
0b3616e851b71b089f74fed7435f29086a38c9d1853fc76996aaf6c6d2ad0f90

SHA512
69b30bf7a49303a5048f11b0816f062eaa0565fefd9d8649994f916f63b1ab31838c7ae6c85073e2ac9b213f27dca1d5d327209200a1028ca691e1949103ac2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
18KB

MD5
115c2d84727b41da5e9b4394887a8c40

SHA1
44f495a7f32620e51acca2e78f7e0615cb305781

SHA256
ae0e442895406e9922237108496c2cd60f4947649a826463e2da9860b5c25dd6

SHA512
00402945111722b041f317b082b7103bcc470c2112d86847eac44674053fc0642c5df72015dcb57c65c4ffabb7b03ece7e5f889190f09a45cef1f3e35f830f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
39KB

MD5
d6ba39e99913378e9af06d03586dd445

SHA1
564c30c3300ffc098ca859f041bfee192ee11fcb

SHA256
bfe474a95562f45a1eb720f6bd390c692f35a9290fec6a658aa957c6bcacfe2f

SHA512
bd9931fbd88b834a4238d848474667d4a698945c74bebe53ab99eefedd44e7b5bd1f6fd0f2dd297415466c47ea34652f7e8e4bf3ce39bc908e20792968e705c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
17KB

MD5
7d20eac4b52a7a9071a6e95c3f677fb6

SHA1
30ef8d7824a092e721c799595de092d55af780e5

SHA256
65519647e886271ad515f9b05cdc53b61431d33cd9b87e141c06f0912850205c

SHA512
b196bf35641fc6d8c31fd852f4981cc36041fc1e690bad535f8a665ddd39dd6c534fa323392638dd674140b538e221806c0bcf836a9d49d58588ceacaa6328fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
70KB

MD5
f385b325ef1aad43ba96102ebb33bdc1

SHA1
e646a798985e21f5d7a26c0c283a70d26b1490db

SHA256
b304cd67dd3bd15b76c31c884c60c351f99cf5501e2ad81614af2476db7f1be8

SHA512
25c559356e004a66864194253059b292b62363afc585dbe7dd3ccd059d1503a821bf7f4c613dd38f51eb3c6ad48c3e9abeb93241ad8ec8ca68945e32b9cc63fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
26KB

MD5
46bc3a2ddf97e52eb187e9ef4b79a07b

SHA1
d7e4ab0bc3fd582631179bd051af42c3f825c418

SHA256
e3cd1178b41777bdf43ac7c710a46d4201602773d346edaaba0835cf190dc876

SHA512
8b6d6b4f2a1db5cfdab6a303f84e20401291dcc5044f8ea578b753aa631963f583aeeb29c674769327ac64ba9b99e5fcccdb3a477f0cabde260442b2c721da42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
21KB

MD5
af848f76b49028d3fd62538b46f29b1e

SHA1
81dfca57f9ec81365e2282f64a98438a2519946e

SHA256
d268beeddd1bac0a06d1ea18452a267d59d19c392486c8bce6dd95b56a14cc15

SHA512
1894cefbdc1fe888b0b82b516b9fef38f897720ba84d97efcbcb432573ad92e8ee42a861c15a496f113580d948ca3c5907b1870cbed7b2a1c3ba5941d0dcd31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
bde4c52811099629e4510eed54436a9e

SHA1
0102e8cb974b30481334b02e59e13973172179a1

SHA256
49b90204da5d161e692be5b6e839200e6abfc0b06a05e0abfe57f608f5b8cadf

SHA512
22a3afc9d27522d1b9af120f842a85189a91592d0c5d1154c48255579fb044ed00bc2dc3353089f610ab8adc1995d4dfbf59f7bdfd30af84b386b5fc71d161c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
84d9f64d4ce60077d0ef9c349b44ccec

SHA1
87809975c7c72b47339194347a6525ec5e81c00d

SHA256
ce35c5215993d01469c94322c25c7461c539c8e2016ee06918779354ed5c1d83

SHA512
5d5c5c33228dfdca588fec5f995873a2a3eeae7039298c33546746dc4dbe378cf425f113ae46d280e198c8e7d6f36e32bafff7a57524a4729dd5de3927f14eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3976e2c348a5d3ec172324bb5bcb38e8

SHA1
fc0f85b94d06d3152a16d9decbbecc682b5eaddc

SHA256
933172b791d7304efff77d83f8c261702b647640c5b601f27c2a60b0ad8c4a7b

SHA512
11d6c1b7b15b3180f49b9c45831270ba65bbc19404a0eea2dcbc43d33bac7f437e876179236109659786e7cff5c503aa260f1799e7a13b7fb67c397e49d022b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
626225d65314a4f40a430401bf0f82be

SHA1
3daea1f2836cd7cc62f4581d64d87513cbe1c8dd

SHA256
a30a8057427e38776dff8cf994633c8b669117d2728925b28681a89022ca03dd

SHA512
fc13736d198dddd7c8147199dab898551ae315d8864a3fc6aa63c3bb37c5854448229863d831183bfee671bd2161773031b4c1962815675e54e514b7f158e6b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
81a7e422b13c667c787d24e03a3876ef

SHA1
3d8d5c4105210c3260716346c24929738020fee0

SHA256
8e4d32d64964c8be0c3b888382a33f09fa598d1ed448fe90b86cc7ddc8f14470

SHA512
908cf73d087601fb217f6cfeb394200865cf89a77e06279d5ff225dcef5b4025daf139fc191b6567a0455b84967c3160634cb6d21eed16dbb79d6b048f420ba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0763e627c49b7c403a4ea4b057f29c5a

SHA1
738357d41a36073eb2459e52c6d4e793d6f7fc54

SHA256
90addb7b7157c8b5a6e3a2ad9e48ae7d16b3f577993ab7645295496eb1d551f5

SHA512
211ef3bc28bae4165f12dc010ccfc4e45991da11ba3e2f4bf272cb646c82ed7534c58f79ed006f3aa65d6e624cb925587fbc63cc4e52e3a567f9e19bba378869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fda7c9be0d5bf00ade9997641fdb2e52

SHA1
532a6f7874bb1dba44e5692e15b97e0eede1ce43

SHA256
4b16d0022bda9efa62c1ee90131b8f64177b2c573db7836ac3b8e38595fc057e

SHA512
ff6208c42b59a50cceac03b015eebe51a7a1255a9a79b3b3f86af8b1289b5a453fc85b5106a38ecf8948f37eb270cf4f0fbd3d2d0bcfbf1988b68a33b41bc596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Filesize
25KB

MD5
1ee60790d1cb01cc95f0d293dbba7b1d

SHA1
97793dc62150a76d6e4a6411ace013139c752039

SHA256
97ec3062acedece589cfef27ec39d0a6f120acb5fbb8bb7c17c30560f540b079

SHA512
c513d5e279881043091d35ccca709051f1daed93970245edd800a27b325fc93d2b39e61798d4eaab37fab94f625a0da8dd1c773ad70d6bc5f4a5d6f0376989c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_1

Filesize
56KB

MD5
dadf64efb46498e36ee38581640ef53e

SHA1
3917d62a405fcd1b37a363c66130cbb16bfed786

SHA256
2346b19a82a9a47ac0d863ab91decb501552961dbc61adf0c621a88ea6f03cff

SHA512
28a305c88472b552a16a7b75fb523822eabf5ab0099a7f00a1721e9e3618669e6888523666462abeef8f26cf84a9d333fe072c77085ef1bd3754e107d02e9698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
acd862db87b09a029e63cb1d5eda0ba8

SHA1
c429549b1d04d9abfdbfb45e7169ed1f62f9e184

SHA256
ca01223b83bd6f2d24a9e4d29b2374dd56691c577ea2682a33751577d2a9d355

SHA512
75e560908cf4ccc1e79ce7cadec63fcfdb98c6af09cc4690e83ddab3fb49a4e8bee2bd1a032517e7538d1ea35dd8261bb0b8471c3b9239cd43a8c955982a3eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581b24.TMP

Filesize
48B

MD5
bc7568c2ae6911146d4600b9584fdeea

SHA1
2afc72c129144b2f18375cbf9893a7aba8f0bd5d

SHA256
657d39176e19b1db9c6dde62757b09fb4fc168670d87c82ffd804eac1037358d

SHA512
f975e4374c61b0eb5bf09a837d82f0759be5ee0f224f9f47822038f94cf3e3844eab582b91390b3c7bbb21a705e10e0644e9e805dc6075201b4c48a3b7b0bd8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3508fcdadcc588f86d5bd15aab7325d8

SHA1
e5d9e066b0a2c892b8dd7f5c11319e97b179200a

SHA256
cdd9026c82fdf721d74753917c6b3c1e7e6578fa56e10304edbea0762b4cbd2e

SHA512
4d9cedf92f9574a0d23899b4e0bdbd808590357be1ebbd0842146dd15dd4eb4771ecac9de55af8ea57096d8207752b5e51f1bf85cdfcfeb896ed194a86a00463

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7c64cf915749b6c3fd16c8fae7039082

SHA1
beea8b6b5bd8dc757ea68e351fab1f280e7e1e4d

SHA256
f22d05555b1f5538596fdb36442dbe5a509af3def05a0d360b9f3f80eea2d055

SHA512
73b222fe34ebaba496905db8d4fc5759eb1e044fd62f280848b71a38b0e0272e8d88076243dff412cdb90b276295cb6a2d690af1a126e9da880fe9805f65a25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d6a28adc974933881b99b4862b75e179

SHA1
ce83d8867fbe6331d9e6ed167a51c6b53667824a

SHA256
a966b173efb2bcb71e753b6247ec904bfbe0871d223ee1cb12589006d8555ec7

SHA512
1f2d0ca1d1c5d6f849cc8db2a7931c281d032a86e42feafe52250d69e66ee5e8b571db298e9380773c06831a243811ec07a993f850769b66321d25392b4533e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5821fa.TMP

Filesize
2KB

MD5
9e8c113de76fb5f139346735b2f74999

SHA1
cfd636783df7e4668727c28c817e5f946e3a7382

SHA256
a8f09fa63ec747bf79d992a0c4e6789e10616d57d7c82a55b4f47327a327c237

SHA512
c2a4ef2ebfb8492445be3ad2363b5c988cb7853fee9b8f7772027aee213cb7bef67cde4f4fe0110f63fc18b23ec93fe787828238b5c716b8d513a30c19b93890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b7a5727c0e13fc38fbc3548e37e3a094

SHA1
bfa8baa3d7279710210295e983342c6a52202b93

SHA256
d59b7686f06c788da58aacad2ec2ba8f492d8f8da59ad723a35a165b95965412

SHA512
002961e4d30e74b725b110c951760d04ff8c30a611920af8d88e486c730ad9044828d301c597de60cd6ec8b7f8f32228f52334841ac733aa04864f601b6a3095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c417470e2f6dfe185bf5323106ec6f3f

SHA1
ea016f23f34b7c5e9e4e0331cb76f2d3c914ede1

SHA256
cc38fb9f07fbdc72adbbe3ea04033b96b370000726bff07663057bda3a53c805

SHA512
556c705f2a5172373cf8616f6f1585f67a123ac780ec6d671981f999877fc1ae1503742d3d2c252e80590d06a8ff55072ddb3d431a9dbe09f5cefe4e3a5d9965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0aa303831f60389c56416260c1b54e1d

SHA1
726a1922adb441e3b6fc3fcdd8e2276edc3921cb

SHA256
90a88f659d71c14e44cbe9eb5b153613ffe39182771ff2b21eee440e421ba317

SHA512
defd65543f5b65ab956eb87beeba82f98dfd4148c3c1643e4e62f683128d49196c40431f7b52247f10de9c54a9d7313cfb660828d0691dc24416afaf2813d9c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e60d21e4a45025fbe919b7d4358d3e63

SHA1
0360c15883c4ce3bf752e21283ea311cffef4bf3

SHA256
c3bcbb565689542bf8aca86a5279717610bfc6a94e34d1b85e19026aa1f6127c

SHA512
82d7d7c32297ecfed9bb306bccf33fb66d51db1b751c1f9254be6bfd5787413c31160760ce69f9f44d661d72771e06bca9cf8933a0267a7d2f6fde9046c27305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
121b6e671ad88a31d5c1ffdbcda55322

SHA1
5c1276e91e3e8e8689c955a231cac5274ba27e89

SHA256
9d0fea4f5efa51d314f91b7e95b737c2dea78fb67734718f241a60c5ebc7b926

SHA512
be2a67d2a0d866c89d5e610e8f732f908666f8b3bea02b81fb039d65f6d493b770999c9aff90408abb909787498803564bb2c3098f60e3834156837dea27e404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
10a5e9d266c139a899c8aec39cb2bc99

SHA1
a97789136d617be72c41ab229decbdfbe4646f83

SHA256
f70439ed9f16709b855eeb79069ecaa999d5f7f5ccc85a69286e3d16feae7eab

SHA512
539a82a6a3cc428e3a432081d15541b8caf5298fc965decae9020a68daeda63b90070249d4d0593bdd579ebe96b8761cda396122e88c6c4be198900ffaf710c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
12c55492fe336eeb7235e936c44c30d3

SHA1
e118bb29b4b329f5d1e299c3055c607081cae802

SHA256
47123b4485b326d0a1d94fe02103fde3ed5a6b53edf54ad36a477a2f928697fc

SHA512
23f418f7333e36777229bce20089d5b479acce37e78631f7e8d3292431aed2dc2c8b06bba3908b2a192f85e556551c0f3bcad150c9dd3f9ef31c6af7c6df4bd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
e47eac1681dd0b5efa7678f88a1883f3

SHA1
fdef55437fac96b5a5df999b9648a147a5ed8008

SHA256
cd8ec76486fcb493dba320c060c4839fc25f920bf4cae88399dff63e220ef06b

SHA512
3a5ccaa44137e7e14a5f3d8473931b0e5f1d48bc32f52d18f7e3ca91f25aafb425e2f65c652c3d4f57a009cc1ab6815c8582b0581aeafa077a82a194e1b4ece7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
78ec5e29e85c971a290c301c9618aa95

SHA1
e9dd27e737f524801d58488cf360ff03c1505e36

SHA256
3e97004afba57f93c5065cc371a00d7d203008400e3719e151d8f55336dd4659

SHA512
29ef82769adbde419841543e289f75add884e505da3509f08a55f78007222422d759884182af490bb213d6a794ef3ac2ac9d216cc81267df4ef7e4a3469a200d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
7506097b729f825af15e04ea29da5493

SHA1
e69520ea3349cbd58047fe669caa261b69fd1198

SHA256
ce27789a125cd76040b1da68f08692948942db38300315d2b7ffa7a9ceafd741

SHA512
d7e57ba9cef3808c5c5781eff575a41c835570d20fc4ba779cb7b6198e9aa1c06d30a819d0b33952f5e5234580522048d54c065078bbfd4a2c2801e2c87e9332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
c1209afebff10d9b9280d342a4564c1d

SHA1
7453bc25b0a65955e12b5b64c961b5c6febb2b94

SHA256
e4ee44dcbd312e848100cf5c1bd65df1560751de6cd5db90e211eab94d1fc8a8

SHA512
2ad2def24e9d04af23d824b8e11db67d16c78c0284cb8eb2a104f50b20b31569c67fbf89002fc2277c88f78b55c9e9ee04b35bbb6784b43fe85fec54d56151a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8ABD.tmp\ButtonEvent.dll

Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8ABD.tmp\INetC.dll

Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8ABD.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8ABD.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8ABD.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8ABD.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8ABD.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8ABD.tmp\ui\pfUI.dll

Filesize
18.2MB

MD5
34be51649e001d1c92681154fbb14d1d

SHA1
36db635139493604dd85899a8b7855828f76d5d9

SHA256
61a03360af5cee8423fa7322ba660b54ca5034dbd97450e114c7a00d1cb740a2

SHA512
490f3851c17929b964ef5b8876cfa778c70e9145d20de92ab092e7ca71121c90fa8afec28ea0b2f91cdeebf3e67e3bd1c853f0ed532de2ad43c09daffc25c518

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8ABD.tmp\ui\res\Montserrat-Regular.otf

Filesize
44KB

MD5
27e50ffd6a14cbc8221c9dbd3b5208dc

SHA1
713c997ce002a4d8762c2dcc405213061233e4bc

SHA256
40fc1142200a5c1c18f80b6915257083c528c7f7fd2b00a552aeebc42898d428

SHA512
0a602f88cfba906b41719943465edb09917c447d746bfed5c9ce9c75d077f6aed2f8146697acd74557359f1ae267ca2a8e3a2ca40fb1633bde8e6114261abd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8ABD.tmp\ui\res\PF_logo.png

Filesize
3KB

MD5
079cca30760cca3c01863b6b96e87848

SHA1
98c2ca01f248bc61817db7e5faea4a3d8310db50

SHA256
8dd37d3721e25c32c5bf878b6dba9e61d04b7ce8aec45bdf703a41bc41802dfa

SHA512
3e25c10e3a5830584c608b9178ab062e93e0e9009a7d897bb5e3561180b0b0910bd4178063d982eb33806a005c93931ae2ec5be520ec0d0c9a7c452cb78fd6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8ABD.tmp\ui\res\SP_computer.png

Filesize
66KB

MD5
873b7c34ced38adaa2d01752099c09df

SHA1
e659d094f6e3fe6f71a3f1b047b75206bab168a0

SHA256
aced6376065f2c71b4b619823f735bbdcac967a5113cd4e6b978298a58c927c9

SHA512
a8d54d52bb5ec4502cd4bb829eef23c1b2edff9daeeca0f4fb7dbaa0cabdcac763a60aedc8393ba12a393a8263a5c06d3555d7b165cf9927dd9cc18d68b9e510

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8ABD.tmp\ui\res\Speccy_Logo_72px.png

Filesize
8KB

MD5
1787175d95eab213cf5a8bc25e252676

SHA1
1d4bd97b2bcaabd26f2ef7781b91233575e1ba0f

SHA256
65fa6baa9d140251d04069cf538f3262ebbb0e4e62d58d06cc58ad8b22085a83

SHA512
de1df226bb9bf84305aea43c237ea76937a9df0c56ecd9afeee1920c3f4d600fde0cc0c027ca397fb6067ffb1a7fe8c03496d82ed844bb4f47f32b2b30eda52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1026.dll

Filesize
78KB

MD5
42cf4780fc4bedbd934c27e32d33615b

SHA1
6d0c2fde7426f42bf51e8c3d279b37eaff1ec36f

SHA256
f424f0699060ba7d63bd3efd29bebd5a926983879684087e819b2cb38ca02edc

SHA512
8e1500ab13ebcccf6dc705b555b3bf5991c20eced072251747b67315dd02e1ffc51134594a5685b9172833c7d020284faa5c2e44549731e6004fe5e6be1294ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1031.dll

Filesize
78KB

MD5
b5a03521af075549053798c456256981

SHA1
d7537333b1e35592243ef013313e759e825da832

SHA256
45c13b115fcc2a47860b8b3c8d83d7e29b70ec6ba63b31010f24bd499271d77c

SHA512
effbac2c7640934be97392fc9b03a751975dcb1ebd6b71a88093919079097b64b2dabcd8cf95f0fe1676ed32faa0805ef569064788aed724d9835118e11428b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1034.dll

Filesize
86KB

MD5
519936f5fc50a18620a6ed7fc5434341

SHA1
24728fb50a7572e90aa7d46b703380f578922902

SHA256
2e54b203909f0616c8e232aa1b588d8ce916570a0d04242d13ed12ee00c15ef7

SHA512
f384ef04ce3a89b0af912a371efad76afb6ee2bfb743b7f55346f453f84ed9b1b17f6e3e1638502118945eda302d7630145414f6f753158092f1eb2bf0822a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1035.dll

Filesize
83KB

MD5
7adb9ed6556b2b21d54b82e9c8e286b0

SHA1
47d4787a0753005675869e960679d9eeb607d4d5

SHA256
dfb81e7498d5080161811315484109cf944823e03e6b5d64b45a3f44fa9e5ef0

SHA512
2db2165587acfe2d70a22fdfff00935c076af8360be08f210afbb4926353985fee5b3edc8656e87bf09b3bc3212f90cd2ff254c3bf6477947e3673146b8f5688

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1036.dll

Filesize
83KB

MD5
ffd1d0b82e7453d1a7529db1ed54e045

SHA1
0b3de59b8733b7350501341fc85254db6ad73c4f

SHA256
6ebdc957264ed2c03c16565a57b1d7787fe7561cba75b203dd6c62bf92ef0019

SHA512
7cd4ecc1da4cea1360213810e189a1d187d4661e307245e085efd589ef56fbe58978a3b885d483461ca2c5226d5d748e944d32ff3afd7395cc5a66bf196804d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1037.dll

Filesize
66KB

MD5
ebbc565f118391826a52203890b7fe23

SHA1
3ee8431e8a5724f6a49e81615f885feb8cbd86ff

SHA256
302ed24b5f71af2ad55bdd101a825486f7342f69e92e457553c77e74ab832bb1

SHA512
b3c6467c26732e1eec27bd601feffe681f980036f6c78c6d23753671705c90c2085d1c3345a90bc578c966c4d6526525c01fd7cd9e506333cfcb0770ea159e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1038.dll

Filesize
81KB

MD5
4574f98f3c111214f832406b1a62a1ff

SHA1
868509b0dd7ced48e8deb80f6136e52d681d050f

SHA256
4501e50b74599ea956beee4c3366d4d9f82b9cc4d2755dc7f54377c9bd6eba59

SHA512
5da7ea9e020992631fdcf6132eae4add9622d0dbb051506e7bb6b2be41c395a114ad3f9149289ee6916dbd9ab24b403ec23cbf7348f67cd960f85e7939bd760c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1040.dll

Filesize
81KB

MD5
54fc8a577e0f5a63ee4dece7fba71501

SHA1
73713402ede01442334aafffeaaa0997d384e905

SHA256
e8202343f4de3739b1eb04f13ec4155c4200e7cdb7872a1372635180fa537f37

SHA512
48069f0d574ce433d0e6834812f666c5a2f4b7ff790fb05f5b669f7f57cc959b99cf48d155565c09c657afe89a4d88d1e508acd7f60e8c240bc6939368489a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1041.dll

Filesize
55KB

MD5
b0833846dae725eb72f4091a6f00eac4

SHA1
eeccbff19720a997f9eefcb286e400ee6fb4327f

SHA256
d9cd94b78b523b558c61f3d549e47417e408fea5b4d48277cf60c4e52100dc9b

SHA512
e67df9d031930ced9b334504dedf781b74d1b95d664d6e739542654bb4b0df6963e31ab8025b5030b56da6627850ab6c5d5e64b53f7591c81c64796d23464eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1043.dll

Filesize
82KB

MD5
47e3c20d5f4f8d2e14eb9e7fdcf71bc0

SHA1
250a81e96afe44d09ad07e4217bf07697c3dcaf2

SHA256
1317dc58fe9daf62b4dd08880cfe1a428e848f5d477d0b46985eefd37877519d

SHA512
eab28b5d8a6fe8f045c33ad59bbdd9ba7b741ebb07356910856b9b1ddc85ea0116b0be30d43adcc50d1efc9f043ea3ad9e13a34a64f8055231fb212a6af2afea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1045.dll

Filesize
81KB

MD5
c7b1bc7361b2e2c8ad500ee4e2c1449f

SHA1
1ce60773de394a13920958f25e88993ba4b67be9

SHA256
7ed2458e715a0377574d48a2b15801ee8a8666f6ae6e956361704b968a7cd2dc

SHA512
32babb94994e7cede07b6f368048703e2db4dc7d54783ad9aaa993a2c435d5bab4d4f91b195af7cea3b57bb029bd4b96045313a9dcd40ff6ca8f9eac0212629d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1046.dll

Filesize
78KB

MD5
da707e721c10a18ade7d04145e479758

SHA1
e1323e8c1330ee55292952f9573ab924c1b8d7ae

SHA256
2ed0ea262d9e0654f336e6e26b903241d3d20d56dc906bd4159f3a09b0c85bbe

SHA512
315dfe3a0b7362dab906e0bbd202abd1a175d5e8356aad87061a87bf793602fcfd5de53a64b68b591c59c206e918d53bb4fd46486924ca72650391cf24cb87f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1049.dll

Filesize
77KB

MD5
e03e61c1b1410f798113d86a98c6524e

SHA1
11cb0b43b39d05f39fc7a80d0a16a44e692439e7

SHA256
15be9bd1f7a41cb1238f5c19ff3ec502ba4a22cfae4fc765bdd7a75e126d880b

SHA512
51243e9b025ea4b9c984c5116f647d846ecde8a6e2a10c3c96cfec8a227b0f928034c7b0a52a925b31356cfd104ab9810251ffbdb1ad11b943ba74dedf8e818f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1050.dll

Filesize
85KB

MD5
a426ee5afec16b7e363551ae897f5241

SHA1
744641b0c455561033c7ee302c74f7d510f42fe9

SHA256
4128ed1c193982d2f63c7f9909949a660c810413b853076221f3481ee292dce3

SHA512
8521e66c6fab33ce7ab78c26be7cfb395b8fefb9d9e111a6b1bff61baa56ff541559858d75ce44c5439bba1ac5c300842e6d58f1ef01bb9dc22bbce11ee6e84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1051.dll

Filesize
73KB

MD5
0744358e34b3d06d06efd5cc0d40955d

SHA1
07325f51fbee7b3d395c6728c98aad24ae509c18

SHA256
7a7e6005efb42240bd3f385acf308b87c7234391f05d28f76c3d4c6773d56942

SHA512
2cc020debfe9d89d8fb9a183e9a9678b64f86dc19cea75eea1db3f3b32d3cfb30b3776834c908099e44e197705f939483caac4e140aa5293c99eecea7779b2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1052.dll

Filesize
79KB

MD5
e2cb2541e7684f6d308debd890d64dec

SHA1
f7c5705fc0d8a4f6ddd8968279f151b2fcc7ff0f

SHA256
00a862ed113df47ab4704c57ac5b8613ccba5fb49c85732c779d774105dc334a

SHA512
8e4aadb3fc39c675f592514b254ad65b899cebb8504b79161c1f0b47f6b43ded39209861839a32021c88a3cbd8540e8db8779c2580f266ac37b876f652250bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1053.dll

Filesize
79KB

MD5
9b6f95afa7eb3c9e11054f0567a4443f

SHA1
f2e1678371d68327993ab10da44dacdede6b1953

SHA256
24c74cf57071f367652daa5c681f64fd3b5d4fed6ea84e0440b4ca73ca98c516

SHA512
7f8177b8c248df59071a20d581371e6ae8b298c61051e71bd98f9f684219472f1ec9c56d4f6707d21f537563bf0a382c907a49be97357591752d1afa457ecc1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1055.dll

Filesize
75KB

MD5
037876ff0705aedcaf3c39279ffbafa8

SHA1
59eb26bc6f374e8e18b3e8e6db35429c56835887

SHA256
e13d04bf44b8b4f05d9c96fa674735e2dcac7337fffbcc1de31f8ef60ff60bed

SHA512
10d0e7e36f84bea5631833099960b57e10935efdc0a20cac811b3cee1d630a9a2937c172cb1631022a95604b4667df9bfd60ab2ec251eb762cf12b0a909fd51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1058.dll

Filesize
79KB

MD5
4989ef0b1f9a3c5fce45ad1538282e32

SHA1
2aac6ec44dfd7ab06afb72d468e78c215cd32029

SHA256
48f59ad97dcb7cdaac1af093cc049a1d0efee66f245b5cf6890c8d6c89fc3f15

SHA512
41b495239ab29483a0a53aaa433a06856c8105496c5351da0ce5b9b196b3bd083009aa47a660565c2d2d98e0a00bf23db526f79c3f16178033ce08afb81ad384

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1059.dll

Filesize
79KB

MD5
01d75a1eef00e850b417afd410423fbd

SHA1
ee2d3ba51b380ab708ad6eafc531e8220cb5f557

SHA256
13349b58b3d80f3ad2ed25acf69c6efd8be5eec9375df830876447f6bd5a86e5

SHA512
7c9a472243df7acc0880a7bcad7cebf85c8a96e76a534de6cbdf624ed3baa17c9d276aadb12264d3cdcc708273aefca54124436cdedcccf1f68504f01907007b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1060.dll

Filesize
77KB

MD5
5ec60b776fa3d4e6aafcc4fcdb19ce68

SHA1
ffdabdb027e3d3b2cc3785b86d1511d20640488c

SHA256
8b4e20b91e74e7625f5bbe49ead049932b3b5b12d4f7c2d7a1569089447a9ff8

SHA512
5f1e34a8753a5d1b61b7e359ddf59d74c4e97ac15b2c5f35433e9a22b6bbb3d58ab0c894b4a83772633cc5c4227346d0548f9dd71347b011d07f114e96c20425

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1062.dll

Filesize
80KB

MD5
c2e625301021d948801653e78a9e2ad2

SHA1
78e5eb8bd09fea8d76b47903fc49dc302ea10884

SHA256
a127074ca7a367beb565ce171a09478a0758d68c1e1dc351a21a88ee5364065b

SHA512
472dd0c132bc10699785669de788dd9d64438f17fdeda58e47cc6cdeab23002deae83d8778647a184f33c06a23345f4511295f44ad7176a9875e781399eb06d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1066.dll

Filesize
75KB

MD5
b9b95ab899e7a8e0530fd91ec6d84f46

SHA1
872f1bc700ac195f0a71d15475a5e9210a93a6ea

SHA256
49025665a6c0b66e66768eff42f94104d2e8b0efb8afaa75f270275155f36279

SHA512
5ab8e0b53915b2a89b0f1e5435ad6c9cc3965cebb1ffba2ed402bd3d4f6caa2d182ab772d2f0f8913e1b6e381ffb79697e6c8d4fbc858de0ccdc0d6ec04cc918

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1067.dll

Filesize
75KB

MD5
00d0b3b9ea9f6b2f8358f972124a315e

SHA1
e120453cd7ce797304061ac11f17e9875bec68f7

SHA256
842a51ec5ba7259d53f1e4921350e40119436f1fedfe0ec3a22cfde7dd0cb743

SHA512
70c48035878fe50356c0ee64b1f48045b67ff575e956525ac37ad1889d4275ddd7583cebbac680212316b7f670d79ecaccfae6a5852ca3723cc6c92546542817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1068.dll

Filesize
76KB

MD5
8f4f12279cbc99a585defa0a478848f3

SHA1
29b89db616fd9e63362c6ed50927842132b705aa

SHA256
69f48de0fdeb73e3a4d0b67eb49eaa9837b04613ad59aae82ac0643cafda1fb6

SHA512
59322e925b7e119a155c53f623e8709a5dfdd6042cc5f448e11b1a6a4efa9e25eb1fb4c3d848828b9a08952d7105aeb6d4fef56569d4eb8e147ea58300aac827

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1071.dll

Filesize
78KB

MD5
ccd7b9540e97bb6d2bc05ee8ba527c3f

SHA1
bd72f5e7a46a30ff310d0e2342dd97faf009f850

SHA256
4c01c134aa995d6b1383f0f2f759f71c0d23e067324073db2bf02b16e39e1a34

SHA512
bdbd4a38ef9b1ffbb3af597d65f10096e50a1cba478f770a6d2cef356ecf6208135801c56bd58ae9a65315c1de48e7169cf760569b645f0806456087668bba9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1079.dll

Filesize
80KB

MD5
c01d4cdd1bb30aad65593f296db2ebb5

SHA1
79869470007b7df28288048e4fc51f23ba2933a5

SHA256
012745f929ad0d1eec673c26eb5112c992c7fb243892df1b107dda9887346d72

SHA512
2bdaf5f17c285ca950303e06c34d4a27fe21996f6382d69a704626c004a772cc2f9fd3a1a9dd15153a9ce8b5de1e063b3ad2bd8b259392076cf3d91b4202bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-1102.dll

Filesize
76KB

MD5
c13e59068231748bbab2629a3629cdfe

SHA1
f222638d135848aaa2594fcaf0bcac0611a6f68e

SHA256
f7155d5c1b989109632d3aa53580355d6ddd05e7c558f8e5fca804e02cdcbbd4

SHA512
02a37c0425f1a6b8634344883de828449e3ecf82afb4dcbe8d507b2a04bf1ced275c950729cb611a9d313b33aa68a2f2d470df187b401e0448fef0c54fff8b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-2052.dll

Filesize
41KB

MD5
928fded99c769a544c9b6b24821301e7

SHA1
c328d4fc4e4a65e8919f231a880b7a1e3179ddec

SHA256
777e3f7b98a4f88a4e67a46e508d135432f3d849c5cf9161c5f557a6a9be867d

SHA512
111140b5ccc65712ca6a118033fc3856d74f3aa5677bc4431ada590b184dbf3805af69c3d4c7fa9a0b86de4fa24aa5d4c5a5edce0c426b40ca2d2ce695dd73e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-2070.dll

Filesize
77KB

MD5
f19d747ff6589e42ab611b95cc577bc5

SHA1
10eb2e15cfd6651c627c0debef23593f04b6960c

SHA256
50e158edffd4010739c6e6822069c9a2583eb37ec77fc6adc69c9833d1f36d64

SHA512
ac715dfd74002c1074860e04a90473057184883ba5f245b4d17841a5a7e93872404aa33a2e16fe4fc536da7b32dc0d7c63f5d2020c0e1398e4ad25a419e3623f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-2074.dll

Filesize
78KB

MD5
7af8fd8838ec449b6d115eccdefae1ea

SHA1
d69f67d307154adfd866a78d34522f65b5c63b4c

SHA256
2f908ab3677ea5484577dc3cd289170c7e927e68459a5c0a58f25fe8bf0b5269

SHA512
c68016c7998635bc6220c04c41cec9207a4ad1ad7143cc1e9331aa5f5af1ef0fc2246b93e9f459e4a62f36396bc5e7408693a8b7c8d12cbc50569cdbe29248b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-3098.dll

Filesize
78KB

MD5
1af62a2ef146571a5dbc4e9aa5b2a67b

SHA1
b3655fc66024f5cc2558d0e15794fc5cc0cb8766

SHA256
afef041877423345cd9dab5f3a68c2da9cfed63229561b099134407991dc8869

SHA512
4a779e0150fc4dee7eda0abdf208f6ccecb69bca4cc4c27f3faa703591d16e977afe9dbb48e76e7ac96f7a8f6da3cf3cd4a385e94e70c914f18eaa7192b78079

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-5146.dll

Filesize
76KB

MD5
ffa8a078caceebf282ae6ceb7b03b7f8

SHA1
7326af0b7b75029230e5988ac625dbdb9520603c

SHA256
4551e6409d16c553fbf3fb1750bd8f5c1ec1d47ca2595ab7048f3fcfa576ad19

SHA512
7927d85552e73bd88a80a18a905cb6194d5610375bb383a5516baeb99dd5a7cfef537fcf6852f01bd20273b34c164832f4bfd52db2a834830d02fe1c91454109

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu69A4.tmp\ui\res\lang-9999.dll

Filesize
75KB

MD5
3a80ece3ee8500e8709d6907db924356

SHA1
41b69ca7ea428e0fb3e888fd49d42d4a6e455fc0

SHA256
ea6ddceb2e436cb40d5cd254494ed4d16effdcf50b5e9278e03e515057df46bd

SHA512
d1daa5bc535756585ad904858d7b14f625fa9f55c0d9c5859b436a1396860d2d13245f0703c921e429e1b46f6a98d4342d86025c2293d4ced2bcf4606840cd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6BC7.tmp\modern-header.bmp

Filesize
25KB

MD5
079cb79b69190ffb3a584a7344e34197

SHA1
35a450167cd54beaf5d50bd85e00858a6684c724

SHA256
ab3dea92a333e89f41bb310d5b5d5a52b80d2aedf78b0516f2b1a6a9af69b222

SHA512
cbcd40bb163bc51df0e42a2ce3565848734b8fd6065592cb90270182b7473ecba71d0623505ca2c5654c9d65e16394ac55919d4018bbefe0cb72489579593e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6BC7.tmp\modern-wizard.bmp

Filesize
150KB

MD5
8bd95fbd159e00b9823fe8d60ccf9b50

SHA1
c55e1a485062efcae2ac4d4aa43172a0d8dc9413

SHA256
6ef238fafc028ba028eacbff28bcc670cd7213df9318f99f619ac3e2988d16f3

SHA512
1bbf9d41d3180cfddb99e300142b619ddbc225a099a43e8755aecb44000a4248a7606d04bbea3c1e65143fc488c40d30fcf9bdd418174bd821247b932977f86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\spc_se.txt

Filesize
12KB

MD5
009819c0abc869038a9d184bd7a9b6c7

SHA1
3ce497bc1ce7cb35209fd2a8556dabae7ee3adfe

SHA256
2fd69eb9a60ae80b0168ff8f4656e5981701f1558bf5707997b1ee9ba35c3185

SHA512
3fe0065e16ade01bda35f0c850b6a67cfbd0e3377e7470c67680f2502b76444261f6abc4dbd6ea2822d1a76f3d386c6f7af7aa5bd8f32659d15912428ec7b23d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 735188.crdownload

Filesize
18.0MB

MD5
b86b975448d0b27727ac9c849318cbf2

SHA1
938c2d249c9bf7978b4828b9028b95b122ceefc3

SHA256
03c35fcb1d10cf478c0b9896699937e6e262daa4f4a4353a7cc56b238fe86892

SHA512
3c82955edde3f45fb45875223253351fe1938f58a307a4f7bc85a3971a5a92cddecd3d2bef31ccc60e233eb8a532ed4ab0f1708384cc4db91c02255e832a698d

Download Submit
memory/4000-119-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/4000-133-0x00000000075D0000-0x00000000075D8000-memory.dmp

Filesize
32KB

Download
memory/4000-113-0x00000000074F0000-0x00000000074F8000-memory.dmp

Filesize
32KB

Download
memory/4000-110-0x00000000074F0000-0x00000000074F8000-memory.dmp

Filesize
32KB

Download
memory/4000-108-0x0000000007750000-0x0000000007758000-memory.dmp

Filesize
32KB

Download
memory/4000-90-0x00000000066D0000-0x00000000066E0000-memory.dmp

Filesize
64KB

Download
memory/4000-84-0x0000000006530000-0x0000000006540000-memory.dmp

Filesize
64KB

Download
memory/4000-111-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/4000-136-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/4000-116-0x00000000074E0000-0x00000000074E8000-memory.dmp

Filesize
32KB

Download
memory/4000-131-0x0000000007590000-0x0000000007598000-memory.dmp

Filesize
32KB

Download
memory/4000-140-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/4000-186-0x00000000076D0000-0x00000000076D8000-memory.dmp

Filesize
32KB

Download
memory/4000-188-0x0000000007750000-0x0000000007758000-memory.dmp

Filesize
32KB

Download
memory/4000-191-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download