njrat | hxxps://gofile[.]io/d/tvoxvR

Resubmissions

19-12-2024 23:19

241219-3a6byasqcs 10

19-12-2024 23:18

241219-3abgkasqay 4

Analysis

max time kernel
300s
max time network
300s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-12-2024 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/tvoxvR

Score

10^/10

njrat discovery evasion persistence privilege_escalation pyinstaller spyware stealer trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1812	netsh.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\b9584a316aeb9ca9b31edd4db18381f5.exe	taskmgr.exe

Executes dropped EXE 15 IoCs

pid	Process
5792	oni remover.exe
6004	oni remover.exe
5232	oni remover.exe
5140	oni remover.exe
5152	oni remover.exe
5496	oni remover.exe
5600	oni remover.exe
5788	oni remover.exe
3256	oni remover.exe
1628	oni remover.exe
1136	NJRat.exe
452	NJRat.exe
5668	NJRat.exe
404	NJRat.exe
4388	NJRat.exe

Loads dropped DLL 64 IoCs

pid	Process
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
6004	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5496	oni remover.exe
5140	oni remover.exe
5140	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe
5496	oni remover.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
140	raw.githubusercontent.com
142	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241219231955.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b0468456-8628-45db-898e-a12ce2f6a223.tmp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00290000000462e2-215.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 128744.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	msedge.exe
2540	msedge.exe
1312	msedge.exe
1312	msedge.exe
1368	identity_helper.exe
1368	identity_helper.exe
5680	msedge.exe
5680	msedge.exe
2804	msedge.exe
2804	msedge.exe
2804	msedge.exe
2804	msedge.exe
2188	msedge.exe
2188	msedge.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe
1136	NJRat.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4244	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	NJRat.exe
Token: SeDebugPrivilege	452	NJRat.exe
Token: SeDebugPrivilege	5668	NJRat.exe
Token: SeDebugPrivilege	404	NJRat.exe
Token: SeDebugPrivilege	4388	NJRat.exe
Token: SeDebugPrivilege	4244	taskmgr.exe
Token: SeSystemProfilePrivilege	4244	taskmgr.exe
Token: SeCreateGlobalPrivilege	4244	taskmgr.exe
Token: 33	1136	NJRat.exe
Token: SeIncBasePriorityPrivilege	1136	NJRat.exe
Token: 33	1136	NJRat.exe
Token: SeIncBasePriorityPrivilege	1136	NJRat.exe
Token: 33	1136	NJRat.exe
Token: SeIncBasePriorityPrivilege	1136	NJRat.exe
Token: 33	1136	NJRat.exe
Token: SeIncBasePriorityPrivilege	1136	NJRat.exe
Token: 33	1136	NJRat.exe
Token: SeIncBasePriorityPrivilege	1136	NJRat.exe
Token: 33	1136	NJRat.exe
Token: SeIncBasePriorityPrivilege	1136	NJRat.exe
Token: 33	1136	NJRat.exe
Token: SeIncBasePriorityPrivilege	1136	NJRat.exe
Token: 33	1136	NJRat.exe
Token: SeIncBasePriorityPrivilege	1136	NJRat.exe
Token: 33	1136	NJRat.exe
Token: SeIncBasePriorityPrivilege	1136	NJRat.exe
Token: 33	1136	NJRat.exe
Token: SeIncBasePriorityPrivilege	1136	NJRat.exe
Token: 33	1136	NJRat.exe
Token: SeIncBasePriorityPrivilege	1136	NJRat.exe
Token: 33	1136	NJRat.exe
Token: SeIncBasePriorityPrivilege	1136	NJRat.exe
Token: 33	1136	NJRat.exe
Token: SeIncBasePriorityPrivilege	1136	NJRat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe
4244	taskmgr.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2488	1312	msedge.exe	81
PID 1312 wrote to memory of 2488	1312	msedge.exe	81
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 4684	1312	msedge.exe	82
PID 1312 wrote to memory of 2540	1312	msedge.exe	83
PID 1312 wrote to memory of 2540	1312	msedge.exe	83
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84
PID 1312 wrote to memory of 2368	1312	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/tvoxvR
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd8da846f8,0x7ffd8da84708,0x7ffd8da84718
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2512
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6eede5460,0x7ff6eede5470,0x7ff6eede5480
    3⤵
    PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5680
- C:\Users\Admin\Downloads\oni remover.exe
  "C:\Users\Admin\Downloads\oni remover.exe"
  2⤵
  - Executes dropped EXE
  PID:5792
- - C:\Users\Admin\Downloads\oni remover.exe
    "C:\Users\Admin\Downloads\oni remover.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6004
- C:\Users\Admin\Downloads\oni remover.exe
  "C:\Users\Admin\Downloads\oni remover.exe"
  2⤵
  - Executes dropped EXE
  PID:5232
- - C:\Users\Admin\Downloads\oni remover.exe
    "C:\Users\Admin\Downloads\oni remover.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5140
- C:\Users\Admin\Downloads\oni remover.exe
  "C:\Users\Admin\Downloads\oni remover.exe"
  2⤵
  - Executes dropped EXE
  PID:5152
- - C:\Users\Admin\Downloads\oni remover.exe
    "C:\Users\Admin\Downloads\oni remover.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4092 /prefetch:8
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5780 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,1009150897726436315,11255813330600785152,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:5476
- C:\Users\Admin\Downloads\oni remover.exe
  "C:\Users\Admin\Downloads\oni remover.exe"
  2⤵
  - Executes dropped EXE
  PID:3256
- - C:\Users\Admin\Downloads\oni remover.exe
    "C:\Users\Admin\Downloads\oni remover.exe"
    3⤵
    - Executes dropped EXE
    PID:1628
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1812
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:452
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5668
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4724

C:\Users\Admin\Downloads\oni remover.exe
"C:\Users\Admin\Downloads\oni remover.exe"
1⤵
- Executes dropped EXE
PID:5600
- C:\Users\Admin\Downloads\oni remover.exe
  "C:\Users\Admin\Downloads\oni remover.exe"
  2⤵
  - Executes dropped EXE
  PID:5788

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4 0x3c0
1⤵
PID:4956

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5136

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d57a449c855203411a38d5ae80bc24c

SHA1
b361032efa556fc4557bbad595ce89c4b0c13dba

SHA256
bb59bab10e406cd91bdfe4fc0e8ce2817a6ca32fc731ccb3f90b6b79c1a46c21

SHA512
8d4244dc9c0e9518cd71aacaa54d43c1e2d74519e3e692160b2b040d00aac25c4ba7a5705391e50957d46c8c711dc07604effea3bc06c8956ecf717f61008da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
77fe0ce7e1f9c9ec2f198ad2536bf753

SHA1
2a366472f227a24f3c0fba0af544676ea58438d7

SHA256
c69ca7653724e1e9e52518de8f4f030813e1431223d5b6ad3270531d8df89f00

SHA512
e8d4e17b93fb19364eeeffc5b1016fdbe566a8b8d702005291ff263367840b8ccc76290d8a3ad457d40fb5d1c2204bdaa5acba9374236c77935ebb0fe597a095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9f2488d8-e16c-4492-9184-c7b2a5abdbc8.tmp

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
26KB

MD5
5dea626a3a08cc0f2676427e427eb467

SHA1
ad21ac31d0bbdee76eb909484277421630ea2dbd

SHA256
b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6

SHA512
118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
e75406a63e84952ee66c9dfd55942977

SHA1
29c6458cd357c0eb8f0658d9fbf0c6ee101002fd

SHA256
c6963a638ddba179d6fd553067971793a681ef829c9406c6cb1f104976579e5e

SHA512
97ea72e6094e7a937438600bc4d7bc2fe771ea447d491886cc837533aaf1752fb6eb01d46cc782370d6c8950a80c0a0145edd145c8882cb9086d62e1c5516f84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
ae1ad1039d3b74966e00ac57b579fd60

SHA1
58e6b5a588165be6b6443d972c9f2b94fa9fde8d

SHA256
c9d456262c908bf51c63bc38e3a4c55c7433fe8f50a4fdd17bfcb75d16beed60

SHA512
5f9a15a1d1f6e20b84a3806a729d057d2a9eaab5b0def580c7bd73bfbe734a5859e93d1d6eabedc8e9f8791be09b5edc56c7645ca33d77c7e94fa67753766fad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d0bdb559caad82b13f41674ece32ce68

SHA1
21ce309e42141fbd819eb35884fc2d5a1ae53b39

SHA256
c5e0e1805aa1712b448fd688f6a678d175d29f8d6361eda19071ebe0b28284da

SHA512
5c8151d2e3f59d52bb8f823f8117f7872e98299982012f0fd41910c97dd3074963b163df82cec8453ef5f71482d769f1cc396221dc44a2763dad0c7f8e02b772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ab0dc5d48ce71035c820197400bc3934

SHA1
da36f5e00307d5c317384a2ecb82b450e9ef3947

SHA256
0bc5108e84cf711ab31cd1ae8bf482c6a122ddd78c51773881923f080cb70e80

SHA512
97a0f85ae54758a48bded24297932f050f338d6196c8e126b5b077e61756493d7c6c7af4de1369f93b0c5c8e19826ba816086472b55bb9d84dc4e1a44f6a6e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5e299a4d88e712964dd041914c464255

SHA1
e289b668cdc38fe02b94a7d9dacb5d7543297fbd

SHA256
52fbe438ca26456df894908d3eedded023da10ad34fca176fbbd0e96dd27e6b0

SHA512
240abd731a465ab40c8626f6334108f3ee16a0f6ed01518df9fec59a69c9c48494c6eb2ad5e96c5d00df77a79c42de2061471ea5c9977b548ef545438325735d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
489a95474fec6ce88776e647e9f8826b

SHA1
6a7f49d984ce88304eda79d62d451120d407ebde

SHA256
ca2d4c1b81b369d01bef20629243457ec4d34ad9956f22c3f5fa08b13d738056

SHA512
fd8f64a3e83227bdb1be0a615842bc738c5841e0b1deecb11c5f82708dff0bf04636e8ef895f873ae47740e01ece32a0f939ce8de7dc738543d4be2e422e7051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
7c0d79b95ae2cf3dfd2a4054af266439

SHA1
c632524bc5141e51619f1bbab0149e8c9ad7660e

SHA256
482f5001679264f5a3f2a293accc44b07e092ea861755a66428fadcb0ff43d6d

SHA512
e2f8cf3582f48b0886ae7299646b1029f36c0e081fad45445b4a99f04b5993106fe7a0288842c50eb4ee10ad2dd32c98a848849b52e190c869144d5701804411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
39009b3fba670a700ce1539305aa9730

SHA1
53622babec4e73ef3467809b1928ce20a7be0b32

SHA256
9958e1fb898bf8af6af06205b980dd7fd89cf1f447df3ef542ca0cb02880f64d

SHA512
27ec2e77ff95ff7c8304bbcd26b7db374f110bf792dbe1d67e0d6dc67f8e68f56a3e239e4602db8bc646bcf13a4054a47d5b75a9b6511337add779f8f6e863e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58d608.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
82e5f2ee5d9b88e37ac3bd5eb2706ea8

SHA1
a11a974045e67200cdc665037f6949cadac06d68

SHA256
f1fd36e92e5ea6a4975ebb438631b0ecc66d3da7036b7760ab2be56a39a08ad5

SHA512
fe9bfc3904a9ba06f2e311c097b68e7b62530a1ff1ccfef3f4fb4a877f31d00b905d3521713f765b139e7f56d6ebc16bcc7fd81fdda3a9694c07e5eeebbb6893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a6039f0c3bb0f66fd2a69c8efa8c3c99

SHA1
1a301a1a9a694c5e7f12d36ca500948ee4ccd772

SHA256
5a4f9c686b5963a2b4a1c316555d7750798649589b3903bb28d47c2f97d4a069

SHA512
cb0df88fe35eded286220940d207db428ebd27a27183be4bad08127ecbe2ce05fc4e14234d4c7204d071a29f0c81a398539d264437a7ecf0f8895a147d985fab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
344cba6dc69810757f169c94865b17a0

SHA1
2efe95c030a453193e6b87947f76f9786685d35f

SHA256
91c551a16ca7104f49e8e71e7de3355bdfe2b103bb615e6799f09c460b8bcd6b

SHA512
18b1617a7acab7fd53977cd26d11c31a1447bde6ef166e19d196ee5636a44abfb4bf1ef003bb7bbe565295b531d4dc87e7262aed3b78981d083b80f0224abbc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f670796f5e2dc577f840ec0ea8aa7b0f

SHA1
8b743b10f976b3bd00d73a6e7ba55ce1b8371795

SHA256
2ab99826f13a7c460bdf5045f6af92e909fa78ca4a445a927dc801ad1e84c385

SHA512
ec3e5615566bb5903507d13165578c6b5cb1d097aa7aee17391e7928d8819a137a6039f99df03c94f0a84001ef69662b2d3e1d62ce9c02c7eb05ac2bdb1d4052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d6fe8efc3529aed82b1ac321e74a451b

SHA1
cb5bdbeec9aa722cd8b4b12c2bdcb8efbf3e63aa

SHA256
2ce26ca6c1c963c450a0ebb1b2458810888ce5998c30a53af17670b404bb18f4

SHA512
130897b0b07afd9ecec40309545049e3d274814ee65e93e4a832f0bf11002e919aad5763a27562101839b029d9cd518882a43f30b835c1700db808025ef7973d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
49be4a21b65e4f1472698f79f35ddf63

SHA1
f14ec2936377437cb5e1cbbd9e4ee470fd62cfba

SHA256
eff195dffd2d856b4364f8aef86a3ec0749da31df5d58fc7f70a8abbfb9345de

SHA512
e78d4867e0ca95e677606742ccebb39e4ee7b5d4d135f786f52feaa37f6172abb6410f22a5dfefac3afa5a3775e2c4f627bdde83af508f9ae11e287dacece592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b110804e29b471619f0a215c9b910656

SHA1
6b4806ec7eb2cde010852436fbc3689664364583

SHA256
500b1657e06d7df77558170f9b5f2ac189ea33ffc774c0510313b17b4d0e7657

SHA512
30518d088301c9bd5ab053fbae0d1dda7d43768ee1d7f676b688597db36403ff17e68b1fdb314b9d9f96a760dad43a1d35dbbc5db7e2e3ed221bf8a6ec17fa2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9b2345e425acf05ffaa1dee20d4fdbe7

SHA1
aecf86c5a5d24b77aea68f6bc99e7f42c9048bc3

SHA256
1eb6cc0eab0b222c1111dba69db74281366b9f5dc9f8707ff215b09155c58d14

SHA512
647fc97d693b709ef3b0877b6de1d4f9f4e1085d35b809d27360ede1be52b37f9a967fb80ce43be35d60b52409c7e4036376d7d931c96f0660a2eeffa58a8208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
77006dacd174a80aa9b867f95d5df337

SHA1
7078db638c72ee5cf4ede7911e4421cc4ae103c7

SHA256
5e22af33da2ed3f3197d9c899a8fec5e2716b54be019c484cd59960da8f143d9

SHA512
e8268ed24af38eaebda4cd864e5580ed1bb63e3e4b72a27fe3404baeb7c8c944a7e79282712ac9d0b33f0123654dedb1984633d6ae2a5b412d6536e2b0389bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
e786e50ab581318305272a6dc6d81576

SHA1
7c33bff8893b5c8d0e112f13d29593f4549db50d

SHA256
dbbe139d8d9388c19942edfd1004f4550544d6347111bd9ae25a4aac88bfb12a

SHA512
6a78beeb0ef6f84d700f6b2403212d6210549e98650b5361fa58a80ac382629c28c5c95218718eec793e9a8c92f10206c77d6a67edaec0440c61dc3cb0d2212e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1271649c9dfb150b49f4499b1687859d

SHA1
c24b55e63771575ffc0b01e2b8cd200a7a1c03a5

SHA256
8a25b1159b0cba5c4b8f4b66588a73f4fa45f02a4157603c824c009a31a2b88f

SHA512
1c76ac8cba59dcbbcbd68f65242f3e1d7cfae30b380395d9aea9ec89e20f9e7d3caaaaef42e098f7d551e58667cbeec9b9b6424a48b90b97c6ebe692c51fb292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c4d49653205adcda79a0f1e6dbbe11c3

SHA1
9a10ed0bd25b8883e15e9a4d127ab3d13241804d

SHA256
56a6f46f6fe2b451feae914555de35a8d20b5fd626d541d8af22d351a9ae2a77

SHA512
7887a1805bb2ab36556bf78c2ea01d2614a032773dc3a8e1ed211ae05c514ae9ccf1fcaa7a82b7a0e66f7576ce80f6a7bdb7906d21147e6c5936a81532fbe36f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
8af9fbf3d727cf044a93c59ce94a173a

SHA1
47eee6242ef687da25ea2e30d0d2c27f5fd413ba

SHA256
2b611bb1fad90da0a163fe05c6e1d959ba1a8652b1edd1b6ed7bc5a78d30d223

SHA512
2b938dd99bce79a79eb723dd43194c010913b83ce9d9d7c024465ee781cf527a78cef76bbb816c3b952bdb389662ce1d875bc6f8d2cc5d3486ac7245fed845f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9784b1af87414b02b964b1a74ab21b99

SHA1
08112080a751eaa47716f28ef759b02036dd704c

SHA256
d859fbb1ed43c819eb18a48bbbe4f5ef01c2dce5e9f344981d869de2c38b5689

SHA512
e5869500df348e4fa18d9806a733c8be1bb32c5bdfce1b066f6f7e7e124c7b9183709f42f9054659021179445a09e6368bc91fd4c0475cb5eee4ff232c456484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f8c3.TMP

Filesize
370B

MD5
3a2e0946c7973e9a43d8c0f2a909aa81

SHA1
4f38a259d125f1b56e6be0f0ece679cff42d777c

SHA256
5b93530e3ac8e1d1ec7bcfb52cbca2dec0ebb32455a2c67abe328debde357c0a

SHA512
4c9a7299dd82f34d1abd7d023679ffe755dd98a6df9286901f8c2e421d3c3cea44e877ce2114fa47453e603624d3d3dc198cf1f85e4102ac6a4d9570dcdb80b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab816753e1373e2962b783f222138c34

SHA1
337d9c16c88fbf0ac492ddafbea3ae3fe156784c

SHA256
e1e8a7698f26d1e870a81101648e7b164f5e0e6185609c9ff8ca6cbcf289ebae

SHA512
11811ed1f8dbca5adfaa9ca059a7cd23032100893ff5e9a47a49376cda7818b5ddff850c5b94537bed0691015cbf6b2c8e6075538aaef9f209e0753408d00eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
bce0ddf22e62088778bf3f4708d2ef91

SHA1
2684eb7b005471736b53d31fe69c8ec25a54fcbc

SHA256
d11894cbb0b392b82eb39acd9843c74f344050c5ea31bf5fdd51dcbe355972df

SHA512
33a3f69ec795131abef2a98255daea87a0ed0ce00a7d077d3f3317e082a7a27253b524b819fbdb067363e7193cbf558602829f8a8ed5b318e40b01acfe89369a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5e3fbfbad31cb20ee484716aef302cf5

SHA1
3f96120407c21f19deefcdeca35695d6073fcf62

SHA256
0d6556ff6343f729a41f73e01521d89c201252646363f15e57a8d6147a2c64e0

SHA512
7ea62672579f0ea8d9df67023c5af2751db14727b62415b044d6a6eb6831db093dc023377a573f026702b0f4d6a3e80c93e233a34cbad070ce6b9e147e2969c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eb67aeea27bda120b5446924de1d01bf

SHA1
2be3e8035e764f69f5dcc8b6411cda1c387c7232

SHA256
07cbb22b8bdf9c6c2d38474c2724ae9e543f34f4106fa46fa85ebfabc4211820

SHA512
8bff573ddc38f29766a4d2ab18402d605e64ac38c5af6456a80f22a3b54a63dd86c87c57b91a7fe079f6ebe10b5e92509f54f39c1dd6770583b788fcd03ba074

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32562\cryptography-44.0.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32562\cryptography-44.0.0.dist-info\METADATA

Filesize
5KB

MD5
526d9ac9d8150602ec9ed8b9f4de7102

SHA1
dba2cb32c21c4b0f575e77bbcdd4fa468056f5e3

SHA256
d95f491ed418dc302db03804daf9335ce21b2df4704587e6851ef03e1f84d895

SHA512
fb13a2f6b64cb7e380a69424d484fc9b8758fa316a7a155ff062bfdacdca8f2c5d2a03898cd099688b1c16a5a0edcecfc42bf0d4d330926b10c3fce9f5238643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32562\cryptography-44.0.0.dist-info\RECORD

Filesize
15KB

MD5
a53742d3ee69cae1fd8bdedac05bb828

SHA1
02bc360839feb54e58e14d410266652dcb718353

SHA256
9518e7d9da0f889f568f800e1a4adc0686234dc9d9934a46f78ffb5e6c351a98

SHA512
c69c4d3eca56d725e90f9f0c4b98071f4f92a3bc06a635ce0d6309976c750b20b3da353efed27f07712ff5e0c1a8114300004c8e2d2ee9155f31d856a3c6ee05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32562\cryptography-44.0.0.dist-info\WHEEL

Filesize
94B

MD5
a868f93fcf51c4f1c25658d54f994349

SHA1
535c88a10911673deabb7889d365e81729e483a6

SHA256
1e7f5bcad669386a11e8ce14e715131c2d402693c3f41d713eb338493c658c45

SHA512
ec13cac9df03676640ef5da033e8c2faee63916f27cc27b9c43f0824b98ab4a6ecb4c8d7d039fa6674ef189bdd9265c8ed509c1d80dff610aeb9e081093aeb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32562\cryptography-44.0.0.dist-info\licenses\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32562\cryptography-44.0.0.dist-info\licenses\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32562\cryptography-44.0.0.dist-info\licenses\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32562\pywin32_system32\pywintypes312.dll

Filesize
133KB

MD5
da0e290ba30fe8cc1a44eeefcf090820

SHA1
d38fccd7d6f54aa73bd21f168289d7dce1a9d192

SHA256
2d1d60b996d1d5c56c24313d97e0fcda41a8bd6bf0299f6ea4eb4a1e25d490b7

SHA512
bc031d61e5772c60cbac282d05f76d81af1aa2a29a8602c2efa05fc0ce1079390999336237560b408e6539a77c732f5066c1590b7feaedb24baa9371783f2a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\_cffi_backend.cp312-win_amd64.pyd

Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\_decimal.pyd

Filesize
251KB

MD5
492c0c36d8ed1b6ca2117869a09214da

SHA1
b741cae3e2c9954e726890292fa35034509ef0f6

SHA256
b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

SHA512
b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\_hashlib.pyd

Filesize
64KB

MD5
da02cefd8151ecb83f697e3bd5280775

SHA1
1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

SHA256
fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

SHA512
a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\_queue.pyd

Filesize
31KB

MD5
b7e5fbd7ef3eefff8f502290c0e2b259

SHA1
9decba47b1cdb0d511b58c3146d81644e56e3611

SHA256
dbdabb5fe0ccbc8b951a2c6ec033551836b072cab756aaa56b6f22730080d173

SHA512
b7568b9df191347d1a8d305bd8ddd27cbfa064121c785fa2e6afef89ec330b60cafc366be2b22409d15c9434f5e46e36c5cbfb10783523fdcac82c30360d36f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\_socket.pyd

Filesize
81KB

MD5
dd8ff2a3946b8e77264e3f0011d27704

SHA1
a2d84cfc4d6410b80eea4b25e8efc08498f78990

SHA256
b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

SHA512
958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\_sqlite3.pyd

Filesize
122KB

MD5
c3a41d98c86cdf7101f8671d6cebefda

SHA1
a06fce1ac0aab9f2fe6047642c90b1dd210fe837

SHA256
ee0e9b0a0af6a98d5e8ad5b9878688d2089f35978756196222b9d45f49168a9d

SHA512
c088372afcfe4d014821b728e106234e556e00e5a6605f616745b93f345f9da3d8b3f69af20e94dbadfd19d3aa9991eb3c7466db5648ea452356af462203706c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\_ssl.pyd

Filesize
174KB

MD5
c87c5890039c3bdb55a8bc189256315f

SHA1
84ef3c2678314b7f31246471b3300da65cb7e9de

SHA256
a5d361707f7a2a2d726b20770e8a6fc25d753be30bcbcbbb683ffee7959557c2

SHA512
e750dc36ae00249ed6da1c9d816f1bd7f8bc84ddea326c0cd0410dbcfb1a945aac8c130665bfacdccd1ee2b7ac097c6ff241bfc6cc39017c9d1cde205f460c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\base_library.zip

Filesize
1.3MB

MD5
6bd4dff2903aa7950c7061bfe7f233fc

SHA1
8f6943ac383eeb38fda3602c0ed14a371fdbf9d4

SHA256
bb9ee7b22ea4c5fd053e13e903f1d498a8a1da629a51aa8b5723606b16bd26cd

SHA512
8dd939c20383b426de69fd370639cf13e4618ddccc255fa18359d078904c867539a14479ebd3cdb50b32e7bf2e3db4c68de3351b771530280b44714703f91133

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\certifi\cacert.pem

Filesize
287KB

MD5
2a6bef11d1f4672f86d3321b38f81220

SHA1
b4146c66e7e24312882d33b16b2ee140cb764b0e

SHA256
1605d0d39c5e25d67e7838da6a17dcf2e8c6cfa79030e8fb0318e35f5495493c

SHA512
500dfff929d803b0121796e8c1a30bdfcb149318a4a4de460451e093e4cbd568cd12ab20d0294e0bfa7efbd001de968cca4c61072218441d4fa7fd9edf7236d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.9MB

MD5
34293b976da366d83c12d8ee05de7b03

SHA1
82b8eb434c26fcc3a5d9673c9b93663c0ff9bf15

SHA256
a2285c3f2f7e63ba8a17ab5d0a302740e6adf7e608e0707a7737c1ec3bd8cecc

SHA512
0807ec7515186f0a989bb667150a84ff3bebcc248625597ba0be3c6f07ad60d70cf8a3f65191436ec16042f446d4248bf92fcd02212e459405948db10f078b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\python3.dll

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\select.pyd

Filesize
30KB

MD5
d0cc9fc9a0650ba00bd206720223493b

SHA1
295bc204e489572b74cc11801ed8590f808e1618

SHA256
411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

SHA512
d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\sqlite3.dll

Filesize
1.5MB

MD5
e52f6b9bd5455d6f4874f12065a7bc39

SHA1
8a3cb731e9c57fd8066d6dad6b846a5f857d93c8

SHA256
7ef475d27f9634f6a75e88959e003318d7eb214333d25bdf9be1270fa0308c82

SHA512
764bfb9ead13361be7583448b78f239964532fd589e8a2ad83857192bf500f507260b049e1eb7522dedadc81ac3dfc76a90ddeb0440557844abed6206022da96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\unicodedata.pyd

Filesize
1.1MB

MD5
cc8142bedafdfaa50b26c6d07755c7a6

SHA1
0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

SHA256
bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

SHA512
c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\win32\win32crypt.pyd

Filesize
122KB

MD5
d08d4ae87afa22e54ec4d2b6cd64c8cc

SHA1
6450e9c65b50bc2564dfe46aa6beb3b17a1b7794

SHA256
3088fba55a9200223080554c55fa0054353fdfcab4ed4ac51716e5413971b898

SHA512
cfe8dbdcaf1b24dc2e6f6d04af51d83af79f92e894e8af2ca73812919571089a62f8c3defef0eb6c0bcb87e9ebe9b62ffcc891474c5eeb1e051e370abe0412ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
c16e079999ab4b3f54583c159664dfe1

SHA1
01cb9be48cb26c66d7b9d487b1cd8f7164fd67aa

SHA256
cd0725bc1b571bc62d6ff7f90e7d0591d14a4ee3771897fe9a3e458b60a8b079

SHA512
8eee07ece646dfa2ab6a9e71bb9727b05f0a6d0c0b7d6f6550dbcb5d447e17efa1b17efb17c1bf0a434ba67d7452b5faefaf4ad98e528b73e1885e665f5bea71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
76f7673df42a86748bbefbe4baf51b1f

SHA1
9b07da4666b388b1cef814361e64a1eccf6752fc

SHA256
1365b01621206a039bc9568e719eabcfb9874015055a21d8960447ba39f3374c

SHA512
2296d31338552287c4e4148f98efced9198ea1618978981389f8d60428114e88193064cae9214e8cd4c37e968680bdc9ab090962a35a5d0760b59e9f328bd69e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 128744.crdownload

Filesize
12.3MB

MD5
cb1f2fa480722e4e4269ad6747cdca81

SHA1
c33bdbe79d4ba4f595bb5ae7e761748c1c5960ed

SHA256
05e9f5aa804cf7620f135f1365148570c598ccd19c61784989041cb59e1405a3

SHA512
eb2eea22701752f7ebd4704fbba02861ea491db306501236532b5f1973ee55e154a4da2818d65f76102c65aea290d0ec0275ad325be2b4b574562c27fc7c25c6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 664299.crdownload

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
memory/4244-1354-0x000001B5C4F10000-0x000001B5C4F11000-memory.dmp

Filesize
4KB

Download
memory/4244-1364-0x000001B5C4F10000-0x000001B5C4F11000-memory.dmp

Filesize
4KB

Download
memory/4244-1363-0x000001B5C4F10000-0x000001B5C4F11000-memory.dmp

Filesize
4KB

Download
memory/4244-1362-0x000001B5C4F10000-0x000001B5C4F11000-memory.dmp

Filesize
4KB

Download
memory/4244-1361-0x000001B5C4F10000-0x000001B5C4F11000-memory.dmp

Filesize
4KB

Download
memory/4244-1360-0x000001B5C4F10000-0x000001B5C4F11000-memory.dmp

Filesize
4KB

Download
memory/4244-1359-0x000001B5C4F10000-0x000001B5C4F11000-memory.dmp

Filesize
4KB

Download
memory/4244-1358-0x000001B5C4F10000-0x000001B5C4F11000-memory.dmp

Filesize
4KB

Download
memory/4244-1352-0x000001B5C4F10000-0x000001B5C4F11000-memory.dmp

Filesize
4KB

Download
memory/4244-1353-0x000001B5C4F10000-0x000001B5C4F11000-memory.dmp

Filesize
4KB

Download