orcus | 1a3ed0c77c2f2f3b1094eb76cd25fcd39aa0b8790ab099570ec7acb9b5ae1a22

Analysis

max time kernel
1477s
max time network
1465s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64657c8e2891fee00ec8d8763b2ad4b1.webp
Size

1KB
MD5

4cbe96bdb920f426f2adc24b954ff59a
SHA1

d0d196ea0a62464cf443e21983500b93aa8751de
SHA256

1a3ed0c77c2f2f3b1094eb76cd25fcd39aa0b8790ab099570ec7acb9b5ae1a22
SHA512

f1b7c73b4946cdda5318a2489dced7cd6f6a3598e1d93632349d56e516e9f4c35d57560aa6972f823f41720d02252f85ae702decbd3192e833ac5c27eb59acad

Score

10^/10

orcus discovery execution phishing rat spyware stealer

Malware Config

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/memory/4888-647-0x00000000004C0000-0x00000000014FE000-memory.dmp	orcus

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5292	powershell.exe
2452	powershell.exe
5916	powershell.exe
4336	powershell.exe
1604	powershell.exe
4508	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETD4DC.tmp	NPFInstall.exe
File created	C:\Windows\system32\DRIVERS\SETD4DC.tmp	NPFInstall.exe
File opened for modification	C:\Windows\system32\DRIVERS\npcap.sys	NPFInstall.exe

Manipulates Digital Signatures 1 TTPs 8 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3\Blob = 03000000010000001400000060ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e32000000001000000c0060000308206bc308205a4a003020102021003f1b4e15f3a82f1149678b3d7d8475c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3132303431383132303030305a170d3237303431383132303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e672043412028534841322930820122300d06092a864886f70d01010105000382010f003082010a0282010100a753fa0fb2b513f164cf8480fcae8035d1b6d7c7a32cac1a2cacf184ac3a35123a9291ba57e4c4c9f32fa8483cb7d66edc9722ba517961af432f0db79bb44931ae44583ea4a196a7874f237ec36c652490553ea1ca237cc542e9c47a62459b7dde6374cb9e6325f8849a9aad454fae7d1fc813cb759bc9e1e18af80b0c98f4ca3ed045aa7a1ea558933634be2b2e2b315866b432109f9df052a1efe83ed376f2405adcfa6a3d1b4bad76b08c5cee36ba83ea30a84cdef10b2a584188ae0089ab03d11682202276eb5e54381262e1d27024dbed1f70d26409802de2b69dce1ff2bb21f36cdbd8b3197b8a509fefec360a5c9ab74ad308a03979fdddbf3d3a09250203010001a38203583082035430120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307f06082b0601050507010104733071302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304906082b06010505073002863d687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63727430818f0603551d1f0481873081843040a03ea03c863a687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c3040a03ea03c863a687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0302308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e301d0603551d0e041604148fe87ef06d326a000523c770976a3a90ff6bead4301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d01010b0500038201010019334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3BA63A6E4841355772DEBEF9CDCF4D5AF353A297\Blob = 0300000001000000140000003ba63a6e4841355772debef9cdcf4d5af353a2972000000001000000350500003082053130820419a00302010202100aa125d6d6321b7e41e405da3697c215300d06092a864886f70d01010b05003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3136303130373132303030305a170d3331303130373132303030305a3072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bdd032ee4bcd8f7fdda9ba8299c539542857b6234ac40e07453351107dd0f97d4d687ee7b6a0f48db388e497bf63219098bf13bc57d3c3e17e08d66a140038f72e1e3beecca6f63259fe5f653fe09bebe34647061a557e0b277ec0a2f5a0e0de223f0eff7e95fbf3a3ba223e18ac11e4f099036d3b857c09d3ee5dc89a0b54e3a809716be0cf22100f75cf71724e0aaddf403a5cb751e1a17914c64d2423305dbcec3c606aac2f07ccfdf0ea47d988505efd666e56612729898451e682e74650fd942a2ca7e4753eba980f847f9f3114d6add5f264cb7b1e05d084197217f11706ef3dcdd64def0642fda2532a4f851dc41d3cafcfdaac10f5ddacace956ff930203010001a38201ce308201ca301d0603551d0e04160414f4b6e1201dfe29aed2e461a5b2a225b2c817356e301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f30120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070308307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e6372743081810603551d1f047a3078303aa038a0368634687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c303aa038a0368634687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c30500603551d20044930473038060a6086480186fd6c000204302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c0701300d06092a864886f70d01010b05000382010100719512e951875669cdefddda7caa637ab378cf06374084ef4b84bfcacf0302fdc5a7c30e20422caf77f32b1f0c215a2ab705341d6aae99f827a266bf09aa60df76a43a930ff8b2d1d87c1962e85e82251ec4ba1c7b2c21e2d65b2c1435430468b2db7502e072c798d63c64e51f4810185f8938614d62462487638c91522caf2989e5781fd60b14a580d7124770b375d59385937eb69267fb536189a8f56b96c0f458690d7cc801b1b92875b7996385228c61ca79947e59fc8c0fe36fb50126b66ca5ee875121e458609bba0c2d2b6da2c47ebbc4252b4702087c49ae13b6e17c424228c61856cf4134b6665db6747bf55633222f2236b24ba24a95d8f5a68e52	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3\Blob = 030000000100000014000000e1d782a8e191beef6bca1691b5aab494a6249bf3200000000100000002050000308204fe308203e6a00302010202100d424ae0be3a88ff604021ce1400f0dd300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e67204341301e170d3231303130313030303030305a170d3331303130363030303030305a3048310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3120301e0603550403131744696769436572742054696d657374616d70203230323130820122300d06092a864886f70d01010105000382010f003082010a0282010100c2e6618467c58af50d08a445ca636b51d73a1142bd0a75754d94b40c50b52610fe1dc86f916b0c96e71a5c48ef44e5bf9b61cd1591625ab8ff670b9c63fd366a81fa29f8dd2b7085de0218f3786dbc7df9c76d093dbe6a7687e98abdf8845d1e76c9e4c676763a53d1d1d35a368fc6a3e12f1b3ab761d673ec4e6d338a7c5d452d4bb150e6413a375686dc93238df75025e864e6ddd38f2f57b58720eb0e8e2cd523daf44d7846e3038331294a5c0c318a4a8c88c5f7305af914af155f6c434909fd262353f68d63e81aab5bb11d30c29b6982b4dbfc5654bc1fa187abbe7a5b0a202f4b09c995a78db2fad6638b4ea5721cee9f7a0173f819d6fe0d4984bd010203010001a38201b8308201b4300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030160603551d250101ff040c300a06082b0601050507030830410603551d20043a3038303606096086480186fd6c07013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f435053301f0603551d23041830168014f4b6e1201dfe29aed2e461a5b2a225b2c817356e301d0603551d0e041604143644868ea4bab066bebc282d1d4436dde36a7abc30710603551d1f046a30683032a030a02e862c687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c3032a030a02e862c687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c30818506082b0601050507010104793077302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304f06082b060105050730028643687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572745348413241737375726564494454696d657374616d70696e6743412e637274300d06092a864886f70d01010b05000382010100481cdcb5e99a23bce71ae7200e8e6746fd427251740a2347a3ab92d225c47059be14a0e52781a54d1415190779f0d104c386d93bbdfe4402664ded69a40ff6b870cf62e8f5514a7879367a27b7f3e7529f93a7ed439e7be7b4dd412289fb87a246034efcf4feb76477635f2352698382fa1a53ed90cc8da117730df4f36539704bf39cd67a7bda0cbc3d32d01bcbf561fc75080076bc810ef8c0e15ccfc41172e71b6449d8229a751542f52d323881daf460a2bab452fb5ce06124254fb2dfc929a8734351dabd63d61f5b9bf72e1b4f131df74a0d717e97b7f43f84ebc1e3a349a1facea7bf56cfba597661895f7ea7b48e6778f93698e1cb28da5b87a68a2f	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3C0D087ECDCC76D1084ABE00F1FEE5040400AE37\Blob = 0300000001000000140000003c0d087ecdcc76d1084abe00f1fee5040400ae372000000001000000c6050000308205c2308204aaa00302010202100aa60783ebb5076ebc2d12da9b04c290300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3231303530353030303030305a170d3234303631303233353935395a3081d2311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a6ec814ee2c7075e2e29ac7ebd10b6188055929370a213b83fb6e337d82ed0756d15e267f6bc645e6db5bb1d586ef1098ead1595147d03897af04b666aa5a50def2b3af23974896c6fb4f5246baf3ec374dbfd90eeec7575ffb11a6efea7a0d7da0adb04eaf000b1ad520d9e9529b2a8cf420998d4c7a46c1f95e405e35f69ad8c05d62df0f9745017a6284134afba26f905d900da1c412200e6ca5c6b148f3f785aa0ebe35ea9160644bd6924b54625eb404ab39db981f6b216b6dd960930a1443b26aab08cdbcf1c5fd74dbb56c3e9df791f8429401dee5869e90c39f95000fc616b5ac8396b588e24407235ea074328c608112f6cb4f07347cd4d28d28ab90203010001a38201f7308201f3301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e04160414c5b210483c7598f90d32838cd0763d3cd85fef5130350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304a0603551d2004433041303606096086480186fd6c03023029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008b2182887ada0e08e4afe89019ded16e88ff6ff1b12fd9b2994b945b8c76c63862ae35a1751672c474c8575a039250105e346bb7ce7ae1f2494e760de418b9453f1bbac9255b0dccafd296adb3cdb49d46d54c3413bfc34a3e640e244da7b1e1dbd1b04cea414ff64fe57f0ef28944a42e41065548e4834f2b05d4aae8516a1f154c5b09af25fe059a69a7dc75a7deb4cf3068c402614ece0509edf02b0968b5c8d1081cdafcfba3b7c1599256e6685ef7391f46746eaf829bc8fd40f55be70a3fc51142648b78a903e750158328cb80d54aaddce82df8fe983b0e36af4dafbdbdffe8896bee9a93c370e77f735fe9c42fc2259a3e5672e9f75f37ecf7104e53	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4CE89794FE2D2F7E30121F10BCF76AC3CCF77CA9\Blob = 0300000001000000140000004ce89794fe2d2f7e30121f10bcf76ac3ccf77ca92000000001000000c7050000308205c3308204aba003020102021009256314069e7e6a88cb823075c0d9c9300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3230303530313030303030305a170d3231303530373132303030305a3081d231133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a88cd713346c50a5cd2a62900419f091330f9820b73b38785a8b5a25ceda8e11b71b2d11ff4b0c18cad405a2a195a6462619fa3ddf6d14466a350d1cf1c6ad48cce166fe6011a62ee62751046dd264b1cc145c4a4354537cec1ae615b6b8566a28ddf3b510fee92023dbe4190b44bb4174f94c4ec62256bd4aa5ba541ee833388db8cc411365e094ee6314eaff59ca6659bb6388300e7ffbd0f8b299889b8e3ea526f8ca926ded79eac89a6b068757ae428022e2602ec98babf5998216b0c28a709129a1300872878d9971e3130826a7d1ce894fe649a017003f07ee3c53ca0cba998fab097e573723fbd3e0ea1b742dd6d076b4c2284b93500021a7d27109630203010001a38201f8308201f4301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604140a9c208099309acdddf9c9909a03890dcd30c8ea30350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038201010042368fc33025a2a1338cf35a08d00e263958f825e79b6d3af23e0e4e4cf59bc8502022d452cbba14a53274e3a12a5b01f4aee16abfcb1b28d63484a0ae1995c9759c6f0970254da8902fb479f5f7869a566aa285f2c28e50096dfd2e14a9ecf0000963c570d2338def108dfe66b1e44d22182826749871a7f3977eba4976910f1f0de866fc75b918c1a9f466fcf96ae90df932071b9c770f0f3193f8ca500abe52cc316549403a5ca5b5422d1ebffffc3cbe3b926de552f493b53c6570fdd0736550f080c2db204b03bc00ff724241581b5dfb0dff7b8f2cc28f136c19cca8bd4b3c3d81404e69f4598e7b5458e41c6f2e6622a212d28c2615565782a1f66987	certutil.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	pythonw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	nmap.exe

Executes dropped EXE 15 IoCs

pid	Process
4404	nmap-7.95-setup.exe
3176	npcap-1.79.exe
2452	NPFInstall.exe
3620	NPFInstall.exe
512	NPFInstall.exe
3456	NPFInstall.exe
4052	pythonw.exe
3480	nmap.exe
3620	nmap.exe
756	nmap.exe
3800	nmap.exe
2700	nmap.exe
6124	nmap.exe
5404	nmap.exe
4828	nmap.exe

Loads dropped DLL 64 IoCs

pid	Process
4888	Orcus.Administration.exe
1548	Orcus.Server.exe
2036	Orcus.Administration.exe
4404	nmap-7.95-setup.exe
4404	nmap-7.95-setup.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
3176	npcap-1.79.exe
4404	nmap-7.95-setup.exe
4404	nmap-7.95-setup.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe
4052	pythonw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
332	raw.githubusercontent.com
327	camo.githubusercontent.com

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WlanHelper.exe	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8a9ecd00-4f54-474c-b5b1-210060fa4310}\SETD0F6.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8a9ecd00-4f54-474c-b5b1-210060fa4310}\SETD0F6.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\system32\WlanHelper.exe	npcap-1.79.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Packet.dll	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8a9ecd00-4f54-474c-b5b1-210060fa4310}\SETD0F4.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.sys	DrvInst.exe
File created	C:\Windows\SysWOW64\NpcapHelper.exe	npcap-1.79.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.79.exe
File created	C:\Windows\SysWOW64\Npcap\WlanHelper.exe	npcap-1.79.exe
File created	C:\Windows\system32\Packet.dll	npcap-1.79.exe
File created	C:\Windows\system32\NpcapHelper.exe	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-1.79.exe
File created	C:\Windows\System32\DriverStore\Temp\{8a9ecd00-4f54-474c-b5b1-210060fa4310}\SETD0F4.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8a9ecd00-4f54-474c-b5b1-210060fa4310}\SETD0F5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8a9ecd00-4f54-474c-b5b1-210060fa4310}\NPCAP.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\NPCAP.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8a9ecd00-4f54-474c-b5b1-210060fa4310}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8a9ecd00-4f54-474c-b5b1-210060fa4310}\npcap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8a9ecd00-4f54-474c-b5b1-210060fa4310}\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8a9ecd00-4f54-474c-b5b1-210060fa4310}\SETD0F5.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.PNF	NPFInstall.exe
File created	C:\Windows\system32\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.79.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	NPFInstall.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Nmap\scripts\broadcast-sybase-asa-discover.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-litespeed-sourcecode-download.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\ike.lua	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\sqlite3\dbapi2.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapCore\__pycache__\__init__.cpython-311.pyc.2166559839120	pythonw.exe
File created	C:\Program Files (x86)\Nmap\zenmap\bin\libthai-0.dll	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-passwd.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapCore\__pycache__\NmapCommand.cpython-311.pyc.2166578552432	pythonw.exe
File created	C:\Program Files (x86)\Nmap\nselib\creds.lua	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\encodings\koi8_r.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\nping.exe	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-traceroute.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-vuln-wnr1000-creds.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\radialnet\bestwidgets\textview.py	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\tableaux.lua	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\isns-info.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\sniffer-detect.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\daap-get-library.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ssh-brute.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\email\_parseaddr.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\encodings\shift_jis_2004.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\lib-dynload\_bisect.cp311-mingw_x86_64.pyd	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapCore\__pycache__\NSEDocParser.cpython-311.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\wdb-version.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\pgsql.lua	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\bin\libgcc_s_seh-1.dll	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\struct.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\distutils\spawn.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\encodings\iso2022_jp_1.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapGUI\__pycache__\TopologyPage.cpython-311.pyc.2166566122256	pythonw.exe
File created	C:\Program Files (x86)\Nmap\zenmap\bin\libffi-8.dll	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\drda.lua	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\encodings\utf_8.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\dns-zeustracker.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ipv6-multicast-mld-list.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ssl-date.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\girepository-1.0\Gdk-3.0.typelib	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapCore\__pycache__\SearchResult.cpython-311.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\rlogin-brute.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\bin\libgmodule-2.0-0.dll	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapGUI\__pycache__\FileChoosers.cpython-311.pyc.2166560287088	pythonw.exe
File created	C:\Program Files (x86)\Nmap\scripts\backorifice-brute.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ip-forwarding.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smb-vuln-ms17-010.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapGUI\higwidgets\__pycache__\hignotebooks.cpython-311.pyc.2166566114336	pythonw.exe
File created	C:\Program Files (x86)\Nmap\licenses\MIT	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ip-geolocation-map-bing.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\sslv2.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\stun-version.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\gdk-pixbuf-2.0\2.10.0\loaders.cache	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\lib-dynload\_struct.cp311-mingw_x86_64.pyd	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\amqp.lua	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\zlib.luadoc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\html\entities.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapCore\data\pixmaps\vl_2_75.png	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\test\__init__.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\broadcast-ataoe-discover.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\couchdb-stats.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\radialnet\bestwidgets\__pycache__\windows.cpython-311.pyc.2166576581952	pythonw.exe
File created	C:\Program Files (x86)\Nmap\scripts\ajp-methods.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\tkinter\constants.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\broadcast-jenkins-discover.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\broadcast-novell-locate.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-adobe-coldfusion-apsa1301.nse	nmap-7.95-setup.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Administration.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Administration.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap-7.95-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npcap-1.79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe

Checks SCSI registry key(s) 3 TTPs 38 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5524	NETSTAT.EXE

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 476002.crdownload:SmartScreen	msedge.exe

Runs .reg file with regedit 1 IoCs

pid	Process
536	regedit.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4052	pythonw.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3892	msedge.exe
3892	msedge.exe
4100	msedge.exe
4100	msedge.exe
4532	identity_helper.exe
4532	identity_helper.exe
3408	msedge.exe
3408	msedge.exe
1044	msedge.exe
1044	msedge.exe
4224	identity_helper.exe
4224	identity_helper.exe
3000	msedge.exe
3000	msedge.exe
832	msedge.exe
832	msedge.exe
832	msedge.exe
832	msedge.exe
4312	msedge.exe
4312	msedge.exe
3172	msedge.exe
3172	msedge.exe
2452	NPFInstall.exe
2452	NPFInstall.exe
4508	powershell.exe
4508	powershell.exe
4508	powershell.exe
5292	powershell.exe
5292	powershell.exe
5292	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
5916	powershell.exe
5916	powershell.exe
5916	powershell.exe
4336	powershell.exe
4336	powershell.exe
4336	powershell.exe
1604	powershell.exe
1604	powershell.exe
1604	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2844	OpenWith.exe

Suspicious behavior: LoadsDriver 18 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4888	Orcus.Administration.exe
Token: SeDebugPrivilege	1548	Orcus.Server.exe
Token: SeDebugPrivilege	2036	Orcus.Administration.exe
Token: 33	2068	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2068	AUDIODG.EXE
Token: SeDebugPrivilege	5524	NETSTAT.EXE
Token: SeDebugPrivilege	2452	NPFInstall.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	5292	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	5916	powershell.exe
Token: SeAuditPrivilege	1028	svchost.exe
Token: SeSecurityPrivilege	1028	svchost.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeIncreaseQuotaPrivilege	1604	powershell.exe
Token: SeSecurityPrivilege	1604	powershell.exe
Token: SeTakeOwnershipPrivilege	1604	powershell.exe
Token: SeLoadDriverPrivilege	1604	powershell.exe
Token: SeSystemProfilePrivilege	1604	powershell.exe
Token: SeSystemtimePrivilege	1604	powershell.exe
Token: SeProfSingleProcessPrivilege	1604	powershell.exe
Token: SeIncBasePriorityPrivilege	1604	powershell.exe
Token: SeCreatePagefilePrivilege	1604	powershell.exe
Token: SeBackupPrivilege	1604	powershell.exe
Token: SeRestorePrivilege	1604	powershell.exe
Token: SeShutdownPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeSystemEnvironmentPrivilege	1604	powershell.exe
Token: SeRemoteShutdownPrivilege	1604	powershell.exe
Token: SeUndockPrivilege	1604	powershell.exe
Token: SeManageVolumePrivilege	1604	powershell.exe
Token: 33	1604	powershell.exe
Token: 34	1604	powershell.exe
Token: 35	1604	powershell.exe
Token: 36	1604	powershell.exe
Token: SeIncreaseQuotaPrivilege	1604	powershell.exe
Token: SeSecurityPrivilege	1604	powershell.exe
Token: SeTakeOwnershipPrivilege	1604	powershell.exe
Token: SeLoadDriverPrivilege	1604	powershell.exe
Token: SeSystemProfilePrivilege	1604	powershell.exe
Token: SeSystemtimePrivilege	1604	powershell.exe
Token: SeProfSingleProcessPrivilege	1604	powershell.exe
Token: SeIncBasePriorityPrivilege	1604	powershell.exe
Token: SeCreatePagefilePrivilege	1604	powershell.exe
Token: SeBackupPrivilege	1604	powershell.exe
Token: SeRestorePrivilege	1604	powershell.exe
Token: SeShutdownPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeSystemEnvironmentPrivilege	1604	powershell.exe
Token: SeRemoteShutdownPrivilege	1604	powershell.exe
Token: SeUndockPrivilege	1604	powershell.exe
Token: SeManageVolumePrivilege	1604	powershell.exe
Token: 33	1604	powershell.exe
Token: 34	1604	powershell.exe
Token: 35	1604	powershell.exe
Token: 36	1604	powershell.exe
Token: SeIncreaseQuotaPrivilege	1604	powershell.exe
Token: SeSecurityPrivilege	1604	powershell.exe
Token: SeTakeOwnershipPrivilege	1604	powershell.exe
Token: SeLoadDriverPrivilege	1604	powershell.exe
Token: SeSystemProfilePrivilege	1604	powershell.exe
Token: SeSystemtimePrivilege	1604	powershell.exe
Token: SeProfSingleProcessPrivilege	1604	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1548	Orcus.Server.exe
1548	Orcus.Server.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
2844	OpenWith.exe
4984	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4100	4948	cmd.exe	85
PID 4948 wrote to memory of 4100	4948	cmd.exe	85
PID 4100 wrote to memory of 2332	4100	msedge.exe	87
PID 4100 wrote to memory of 2332	4100	msedge.exe	87
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 2992	4100	msedge.exe	88
PID 4100 wrote to memory of 3892	4100	msedge.exe	89
PID 4100 wrote to memory of 3892	4100	msedge.exe	89
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90
PID 4100 wrote to memory of 1696	4100	msedge.exe	90

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\64657c8e2891fee00ec8d8763b2ad4b1.webp
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\64657c8e2891fee00ec8d8763b2ad4b1.webp
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe76ef46f8,0x7ffe76ef4708,0x7ffe76ef4718
    3⤵
    PID:2332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5274206372435379147,3821763742267967850,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
    3⤵
    PID:2992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,5274206372435379147,3821763742267967850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,5274206372435379147,3821763742267967850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
    3⤵
    PID:1696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5274206372435379147,3821763742267967850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:3432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5274206372435379147,3821763742267967850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5274206372435379147,3821763742267967850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
    3⤵
    PID:3384
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5274206372435379147,3821763742267967850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5274206372435379147,3821763742267967850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
    3⤵
    PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5274206372435379147,3821763742267967850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5274206372435379147,3821763742267967850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
    3⤵
    PID:4720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5274206372435379147,3821763742267967850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
    3⤵
    PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffe76ef46f8,0x7ffe76ef4708,0x7ffe76ef4718
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1328 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7380 /prefetch:8
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7528 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7708 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2028 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7692 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7536 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8124 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8088 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8364 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8752 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7728 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8440 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8944 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9192 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9036 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8076 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8832 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,7353703121236799051,13565496673547766091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3172
- C:\Users\Admin\Downloads\nmap-7.95-setup.exe
  "C:\Users\Admin\Downloads\nmap-7.95-setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\nsg3C58.tmp\npcap-1.79.exe
    "C:\Users\Admin\AppData\Local\Temp\nsg3C58.tmp\npcap-1.79.exe" /loopback_support=no
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3176
  - - C:\Users\Admin\AppData\Local\Temp\nsi823A.tmp\NPFInstall.exe
      "C:\Users\Admin\AppData\Local\Temp\nsi823A.tmp\NPFInstall.exe" -n -check_dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4508
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43){certutil.exe -verifystore 'Root' '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43}}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5292
    - - C:\Windows\SysWOW64\certutil.exe
        
        "C:\Windows\system32\certutil.exe" -verifystore Root 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:2300
  - - C:\Windows\SysWOW64\certutil.exe
      certutil.exe -verifystore "Root" "0563b8630d62d75abbc8ab1e4bdfb5a899b24d43"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3612
  - - C:\Windows\SysWOW64\certutil.exe
      certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsi823A.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25){certutil.exe -verifystore 'Root' '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25}}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5916
    - - C:\Windows\SysWOW64\certutil.exe
        
        "C:\Windows\system32\certutil.exe" -verifystore Root 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
  - - C:\Windows\SysWOW64\certutil.exe
      certutil.exe -verifystore "Root" "5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4336
  - - C:\Windows\SysWOW64\certutil.exe
      certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsi823A.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4836
  - - C:\Windows\SysWOW64\certutil.exe
      certutil.exe -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nsi823A.tmp\signing.p7b"
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:5952
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -c
      4⤵
      Executes dropped EXE
      PID:3620
    - - C:\Windows\SYSTEM32\pnputil.exe
        
        pnputil.exe -e
        5⤵
        
        PID:4728
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
      4⤵
      Executes dropped EXE
      PID:512
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -i
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      PID:3456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4336
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1604
- - C:\Windows\SysWOW64\regedt32.exe
    regedt32 /S "C:\Users\Admin\AppData\Local\Temp\nsg3C58.tmp\nmap_performance.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4436
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\nsg3C58.tmp\nmap_performance.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3744

C:\Users\Admin\Downloads\OrcusRAT-main\Orcus.Administration.exe
"C:\Users\Admin\Downloads\OrcusRAT-main\Orcus.Administration.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Users\Admin\Downloads\OrcusRAT-main\server\Orcus.Server.exe
"C:\Users\Admin\Downloads\OrcusRAT-main\server\Orcus.Server.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1548

C:\Users\Admin\Downloads\OrcusRAT-main\Orcus.Administration.exe
"C:\Users\Admin\Downloads\OrcusRAT-main\Orcus.Administration.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2844
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\OrcusRAT-main\README.md
  2⤵
  PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/playlist?list=PLkoNiUTDHC4_dakaSc7ePa5epYLx35DcV
1⤵
PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe76ef46f8,0x7ffe76ef4708,0x7ffe76ef4718
  2⤵
  PID:4868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a8 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4428

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:6132
- C:\Windows\system32\NETSTAT.EXE
  netstat
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:5524

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1028
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7b4e7065-95a1-7a45-8072-793837c020ad}\NPCAP.inf" "9" "405306be3" "000000000000014C" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Npcap"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5348

C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe
"C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe" -c "from zenmapGUI.App import run;run()"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: AddClipboardFormatListener
PID:4052
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -T4 -A -v -oX C:\Users\Admin\AppData\Local\Temp\zenmap-x036eupk.xml 181.215.176.83
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3480
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:4600
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -T4 -A -v -oX C:\Users\Admin\AppData\Local\Temp\zenmap-4e9j7fpf.xml 181.215.176.83
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3620
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:4504
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -p 1-65535 -T4 -A -v -oX C:\Users\Admin\AppData\Local\Temp\zenmap-l3_uzcmg.xml 181.215.176.83
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:756
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:3528
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -oX C:\Users\Admin\AppData\Local\Temp\zenmap-b3iljhuy.xml 181.215.176.83
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3800
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:5124
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -sS -sU -T4 -A -v -oX C:\Users\Admin\AppData\Local\Temp\zenmap-kai4ka4c.xml -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" 181.215.176.83
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2700
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:1420
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -sn -oX C:\Users\Admin\AppData\Local\Temp\zenmap-ll0q7f3t.xml 181.215.176.83
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6124
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:1740
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -sS -sU -T4 -A -v -oX C:\Users\Admin\AppData\Local\Temp\zenmap-ourigvsm.xml -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" 181.215.176.83
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5404
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3852
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:3760
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -sS -sU -T4 -A -v -oX C:\Users\Admin\AppData\Local\Temp\zenmap-q2xmbwv2.xml -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" 181.215.176.83
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4828
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe

Filesize
105KB

MD5
300c50efe729752e96e5bb8dbd9ae8e6

SHA1
2197fa748635f6192d3e3bdc2a454f2e2fe442e5

SHA256
0a8aa4319ecb5106bfdaa45a1d5effbfd71173cf30fa284906a4437f8a0c644d

SHA512
c8a4bfb38cdfe80e0900acbc433cb20f175a3155faf4e01fadc6b6f7775dbab09e9af0e400414a33f94e8655022503ab694e6a9ea37771f6867bdb8cd512b586

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
c01beb6c3526554ec9dfad40502317f2

SHA1
89f468496bd7e6d993a032f918c5baabb21c11be

SHA256
5d54a5e7230baf2b80689ee49d263612a6011bc46ec52843e7b4297e9656d32d

SHA512
a7fdb3d69cc2b12c9795c8f5e34f64014273e471dc0639ff4693f18e3d5ea758f38f58a5dfc4d1800511ce3e130a7454fd371579e31dbba049770fb74b889339

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
393B

MD5
ba8bd09f2abb6647ba0348170dad34bc

SHA1
610c6d8c9603497207bb4bec3ede764a8b078d2c

SHA256
7b7a3a393d02bb8958ad8a64e37f1d76887f8e77b714e854be816470cc674a4c

SHA512
8e76a55a99434a71c0d745ee2f74164e5701cd51eee73c578813d42ffa7306394a8a8810d718cb52fc11202a11d71c9078d28c5bda1a4d528f02cd6f3c09b584

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
1KB

MD5
4d77ccc2153c1fc19e272771ba2a5142

SHA1
07e810adcd6f5dd80b90fc9f44cf573e6284273f

SHA256
3461850ce4761131e749b40d9742b5cd6a053407fa0b8c9f1602ee3c729bca5e

SHA512
cc22f281a59b0a399ced6281b99df40962ede8fdc56520027d51b96f9b5f01d7c9cd28b742e442658ec9899eb6b20e3b12bcaad281fcea0bd3f338190c0b15db

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
1KB

MD5
3fbb9ccdc2bd8225988bdd7958783d82

SHA1
55e46a1040c121814fcaa94b97514530e91129f7

SHA256
50c39fe6e3f51c57aee3e5a34eb560bc54f15caa9c7ddd843d712a6c7a9a74de

SHA512
db81e291dba62b6314e54b3edc3bb09bc5102d787e6dcd92eb92758c4b379ecb6d38323a5e0fdca18f667cd9180a964287658ed3a3efdb9e443f7158f6fddf7f

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
2KB

MD5
ef57d0af4b270ec9793fc6e9c62b8352

SHA1
17a1c45c30765735dd4d4323b1de5f1dd2fd7142

SHA256
0bce834acdc063024c4e9b85cc997e8e6b1017d6ace428103214a17f3cde9780

SHA512
6d0827ef10e929648b8368ba8d400a22600644506b5db31b6c69e1d395ffab16573de576c6e01bd697d7b9917d189e929835f12e4df738fb0efd051b2a5ced95

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
3KB

MD5
7278958147dc24b9656d2de7938086d0

SHA1
b318326dfc3a24b5227066b1e3818f4eec826867

SHA256
8050f3b38aff448aec4ee7ff937bf55499aab0b156e0db88bacc248be45712a0

SHA512
5d0533a98c3e5dadbba477ccc9198d9d9dcc927245e5ae1631b5ff446e05cb79226fdeb42e9911dfc884ce3971f5a31448e33d87c3d5d8bb2aecb05e28ef8ac3

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
3KB

MD5
bc58acef45b0d667dd021d0c7768e486

SHA1
8e0ad045a0e554563977c976ec577e9d5f2d1994

SHA256
fcb50664d9c7fc8958fe15cb2803b3f80cb7a686f1ea395e0d5b6f10e56a23e3

SHA512
9d6f7a85376ada951d96670036d56fef571d7401883373cd0e7cb4ce040035fb1fbcd7ba490d85c0c46f37af7205a0977f92061e0a0447fa40f59c7e5f9934e6

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
3KB

MD5
bfe4183210df06c8f5769b87ef929b8b

SHA1
f7a191049f45f4210af61733d6bfb17b1c9fc4e9

SHA256
a16acd28872d8eb078e7bac54bb171b4c42fce413a7efe1633ca2a62cb40c0c6

SHA512
08cd9ebe02e5a6e0c3cfb91d01c9b897275b9d61e1bfa4c47790b4c29b3bd75dcb78ec4582b3e138a0b0789b0417acbcaf1cc882e937e89b03fc766a03e47344

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
4KB

MD5
cceaba2be7ff3a3f40864276e0d3ba00

SHA1
ab025d3b40a3d5cafa55696b007c031229cccf53

SHA256
5211c90c86c5a026d4ee2afbd5a93c52f700c82b5e9f408e492195a4ee1a4489

SHA512
fb3cd538ff2f49024e4a5137fc0f6e9cf05c5ae9ac4c9ae82c2ebf37b477c59289f7954cabec43811194555ca762c19d8fb9146c3f86d8ce4ad80667aee53700

Download Submit
C:\Users\Admin\.zenmap\scan_profile.usp

Filesize
1KB

MD5
0be64556263f7e7085fa1fd226c9a65a

SHA1
71d87e4ba660a627e8c4d5afc5b0d10fead10443

SHA256
c9854d1d6e4dd51efb7e9cd59a5672ecd96c07ce63d0311368dcc392d0e39e36

SHA512
6f926ae4a516a82fbff8c2255ce0d7b7ec7e82dfbc0cd394ee5522929cad7c51200aa70da54fc9ec65323440753d67a186a39eec7e6295a3e16e2482d6ef6d1a

Download Submit
C:\Users\Admin\.zenmap\zenmap.conf

Filesize
1KB

MD5
45e8fcb44fac4be26544b8f599cdd8b7

SHA1
ea5c39b923d21300ec66e1c85a299754247ed2f5

SHA256
35e6a9be2917731669895eb9ee43bcb72be823b52fe327324a6400af1b570de2

SHA512
ac5c64eea726d607e4d1b35a3d893d8d7eead0dda1ff618a50513b725473662acece3aac5ca3aceb63da752c3e424509682f67445a322f273ac9def572b75bda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b706e5e41e1a34467b236b1a5e31598

SHA1
0dbc51f2b35cc02c571f4e557e0b58ba3fbde7fc

SHA256
4c61a39ae135f935d91aa659db24b893bd50476a70553ab614f14116c2f015a4

SHA512
a59099a823fd938f733b62a7e0cc20834fbb93399949da91a87f1d1c52c781dad652ca34e0d43f5e6a9a8ba073c4ac2347e5016717a6d4db5ae557385d8e2762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4103446e-eb2a-4ccc-94a5-c85682a85301.tmp

Filesize
8KB

MD5
f968b1eb24897436e96c51219243fdac

SHA1
1fa4ca3f126f8c9ea189ec0455ef04b3740fdf11

SHA256
79aab05192f7a173f58c77d550b4cc8d222f4f230830ca5e1d51a0e001f68149

SHA512
9f32c514c9c39c3f19c948b4c0b59d6383eba4e7683b1c27d04a276b2cf57bb4ad322541801c4d6ce372716469ac51c0a180cff5f9929b2927024c0e8bd65ff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
51998e96218c80ac1a5d337454aff485

SHA1
bfee74f1544471b8710bb9fe79820458d6f56dcd

SHA256
9f532dfb0512e480284dadce21f5d079fe88223a924171d63515e75df9a0ac32

SHA512
3ced7c9c62d414d7061e88dc394a47a429cdfecfeefa6c6ebae4a4bf3693878f25b616ecae0a02d63614200895e78d2c00aa142e84d8fcb574459798bf76b32d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
a1319aeb5a5f775645b846397f6fc306

SHA1
001e22d6688575e43ae670634fab035aafeec128

SHA256
f4dff8e1869197d7f2f8c83c71fde7b7231eb573551d63be42c8c1986bf435e6

SHA512
791a16b21885bd067b3613f396fe87d7fa424693edc498ba26dce50ae3f792d6d118325114e71a844cc6d38ba5b129e67cb4e9a3b9fc5afb3425fa6890af40e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
20KB

MD5
0b17fd0bdcec9ca5b4ed99ccf5747f50

SHA1
003930a2232e9e12d2ca83e83570e0ffd3b7c94e

SHA256
c6e08c99de09f0e65e8dc2fae28b8a1709dd30276579e3bf39be70813f912f1d

SHA512
49c093af7533b8c64ad6a20f82b42ad373d0c788d55fa114a77cea92a80a4ce6f0efcad1b4bf66cb2631f1517de2920e94b8fc8cc5b30d45414d5286a1545c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
38KB

MD5
c7b82a286eac39164c0726b1749636f1

SHA1
dd949addbfa87f92c1692744b44441d60b52226d

SHA256
8bf222b1dd4668c4ffd9f9c5f5ab155c93ad11be678f37dd75b639f0ead474d0

SHA512
be7b1c64b0f429a54a743f0618ffbc8f44ede8bc514d59acd356e9fe9f682da50a2898b150f33d1de198e8bcf82899569325c587a0c2a7a57e57f728156036e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
37KB

MD5
56690d717897cfa9977a6d3e1e2c9979

SHA1
f46c07526baaf297c664edc59ed4993a6759a4a3

SHA256
7c3de14bb18f62f0506feac709df9136c31bd9b327e431445e2c7fbc6d64752e

SHA512
782ec47d86276a6928d699706524753705c40e25490240da92446a0efbfcb8714aa3650d9860f9b404badf98230ff3eb6a07378d8226c08c4ee6d3fe3c873939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
26KB

MD5
73fc3bb55f1d713d2ee7dcbe4286c9e2

SHA1
b0042453afe2410b9439a5e7be24a64e09cf2efa

SHA256
60b367b229f550b08fabc0c9bbe89d8f09acd04a146f01514d48e0d03884523f

SHA512
d2dc495291fd3529189457ab482532026c0134b23ff50aa4417c9c7ca11c588421b655602a448515f206fa4f1e52ee67538559062263b4470abd1eccf2a1e86b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
18KB

MD5
f1dceb6be9699ca70cc78d9f43796141

SHA1
6b80d6b7d9b342d7921eae12478fc90a611b9372

SHA256
5898782f74bbdeaa5b06f660874870e1d4216bb98a7f6d9eddfbc4f7ae97d66f

SHA512
b02b9eba24a42caea7d408e6e4ae7ad35c2d7f163fd754b7507fc39bea5d5649e54d44b002075a6a32fca4395619286e9fb36b61736c535a91fe2d9be79048de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
58KB

MD5
6c1e6f2d0367bebbd99c912e7304cc02

SHA1
698744e064572af2e974709e903c528649bbaf1d

SHA256
d33c23a0e26d8225eeba52a018b584bb7aca1211cdebfffe129e7eb6c0fe81d8

SHA512
ebb493bef015da8da5e533b7847b0a1c5a96aa1aeef6aed3319a5b006ed9f5ef973bea443eaf5364a2aaf1b60611a2427b4f4f1388f8a44fdd7a17338d03d64a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
39KB

MD5
a2a3a58ca076236fbe0493808953292a

SHA1
b77b46e29456d5b2e67687038bd9d15714717cda

SHA256
36302a92ccbf210dcad9031810929399bbbaa9df4a390518892434b1055b5426

SHA512
94d57a208100dd029ea07bea8e1a2a7f1da25b7a6e276f1c7ca9ba3fe034be67fab2f3463d75c8edd319239155349fd65c0e8feb5847b828157c95ce8e63b607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
53KB

MD5
2ee3f4b4a3c22470b572f727aa087b7e

SHA1
6fe80bf7c2178bd2d17154d9ae117a556956c170

SHA256
53d7e3962cad0b7f5575be02bd96bd27fcf7fb30ac5b4115bb950cf086f1a799

SHA512
b90ae8249108df7548b92af20fd93f926248b31aedf313ef802381df2587a6bba00025d6d99208ab228b8c0bb9b6559d8c5ec7fa37d19b7f47979f8eb4744146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
88KB

MD5
76d82c7d8c864c474936304e74ce3f4c

SHA1
8447bf273d15b973b48937326a90c60baa2903bf

SHA256
3329378951655530764aaa1f820b0db86aa0f00834fd7f51a48ad752610d60c8

SHA512
a0fc55af7f35ad5f8ac24cea6b9688698909a2e1345460d35e7133142a918d9925fc260e08d0015ec6fa7721fbeae90a4457caa97d6ce01b4ff46109f4cd5a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
105KB

MD5
b8b23ac46d525ba307835e6e99e7db78

SHA1
26935a49afb51e235375deb9b20ce2e23ca2134c

SHA256
6934d9e0917335e04ff86155762c27fa4da8cc1f5262cb5087184827004525b6

SHA512
205fb09096bfb0045483f2cbfe2fc367aa0372f9a99c36a7d120676820f9f7a98851ee2d1e50919a042d50982c24b459a9c1b411933bf750a14a480e063cc7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
16KB

MD5
5615a54ce197eef0d5acc920e829f66f

SHA1
7497dded1782987092e50cada10204af8b3b5869

SHA256
b0ba6d78aad79eaf1ae10f20ac61d592ad800095f6472cfac490411d4ab05e26

SHA512
216595fb60cc9cfa6fef6475a415825b24e87854f13f2ee4484b290ac4f3e77628f56f42cb215cd8ea3f70b10eebd9bc50edeb042634777074b49c129146ef6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
20KB

MD5
b9cc0ef4a29635e419fcb41bb1d2167b

SHA1
541b72c6f924baacea552536391d0f16f76e06c4

SHA256
6fded6ba2dd0fc337db3615f6c19065af5c62fcd092e19ca2c398d9b71cd84bf

SHA512
f0f1a0f4f8df4268732946d4d720da1f5567660d31757d0fc5e44bf1264dfa746092a557417d56c8a167e30b461b8d376b92fbe0931012121fac2558d52c662e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
26KB

MD5
5dea626a3a08cc0f2676427e427eb467

SHA1
ad21ac31d0bbdee76eb909484277421630ea2dbd

SHA256
b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6

SHA512
118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
52KB

MD5
27f4f82b18ca899721b9d94ab7bc472e

SHA1
30c4e749e742edf3135ed0c0bba06184953b405f

SHA256
83302f71544ffc97a8093be6de48e9beff8d1af245798172554d66dd7a559e22

SHA512
df7c164edb60c9363a932c5e168e50e08a28f6f6a3e2139366c3342bd2a060e70272ebfef207aabc2f50912a5ffb4521d8903f03609adb12887e3f94826dca46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

Filesize
144KB

MD5
ce2bc14ae896a05758f5855ea0787f7e

SHA1
f499b3016e2eb4da43957bdeabdc90a139d4135a

SHA256
f5b36518a1f34f6cc9212c55593616090a1964cfa8f94b27f9372a38dd855b33

SHA512
3ed2e0d2b0bb15adf32db9119a3703d4dff03f4db291d9fbb1b2f447e9c484b785d813a26386344652eb354731725f7700daa00f15be61e130edadac6a3c0d34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
98KB

MD5
a06f8fa1e46ea397a7ce9ec0106953f0

SHA1
c67cac110aefee970ba290925e8b2842a9405c7b

SHA256
9edc1c789da9f7ab031cdf0ef91c6653dd7d914a79caadcc83dc8dde7dd45153

SHA512
4baac335df2d5a1d6571647a572b4e012c966d21314f7357c13851a540478df16b2f86671eba83ccd8f9e52bc5139a716f63a30fb11fc5980ff6347da218dbcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d

Filesize
20KB

MD5
077e3f0d3dddb018c1e71fd8e46d2244

SHA1
b50954ed5904b533372fe39b032e6a136ca75a7d

SHA256
12ea854aa2a6588219451d4af53fcd368e24b109085062deec4e5b891e059e82

SHA512
f9cb475d16d3e8dedc6ef2feaee4f9bad365a8bb992352163a0a9f4ff9e809bf895fc0ffd59375e60a44e5c5bd1f43217177fb44ffc0cc76cc85e45a612b9b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

Filesize
20KB

MD5
0efcdae8412f64713244acb713cf7412

SHA1
b33e187d7323f15050885e512ca9eec3afb1c33c

SHA256
18a3bf2c3d887e6c3e3b534ab36354d59933cecc05302093c22768e9bd7a02e7

SHA512
ac3f28737f4cf8d9b392f50633e5e76b9d60f42033ec9235956ec63f30c75cf85f2e1766793651c2310c55a6295ed08b1c75cd63b38b83974be4e6eae5a85217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000040

Filesize
20KB

MD5
efb9f6a1680c9d3ce3abe4d5a75c7c6c

SHA1
a454374b7f43f129d4245e73c2048849a78768c9

SHA256
96919908509422207d3fe3dbdf26a7bf0da651dae2b8481c4dce4ef0812add18

SHA512
1d6fa00634b899162a4e97adf05cdb97ca1eeaec3f43bdef4412ccbe4ae560ee19073817aab38508b724f177e7942b07982acbf918750fad0385d3b5db3d124a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047

Filesize
59KB

MD5
b39e0b951986c479cdad18c54159f443

SHA1
0072ac8dbc7c02eac61a3d33529b8e0ec4d185b1

SHA256
501e320d7ff8333f084f08f5fa69f2eef5122a719b4ff882f676282b2904d869

SHA512
d1e469f2e006a227d3c74df9032be9e74baf1bab87797e896504c0e2a023e5bf00c90eabb708de71a75a486bc2146ac5557541c6276dd33a0fadb59411f22ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000078

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000079

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000091

Filesize
20KB

MD5
e9eb314170ed1c5d18cd6c924f6aeb4b

SHA1
3cf9c40bc5fea2ef26485792eae8252ab8635e58

SHA256
13cef348cee591ab76e32b8286b745cd4662a4af4e3330838b21517e090eee5b

SHA512
a1c7d2814a0ffc0670d28e4681246d91e65d767edee7f5108ff225178221709b8a17fd22c3d80aa7330f91ba4643e44e3652e6c5415d8e39d26991a791c1f4d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a9

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\072f990e4ea0495e_0

Filesize
66KB

MD5
d2e97a3ccd74321721ef4642e838bbf3

SHA1
86bb6e6500c497d63ea13d2d2c9c57cdd5c1107b

SHA256
b4b6d90d1e79b2634cefe139712d6f4381857251a7aebe4d80fb57c9bf19d8bd

SHA512
187663695453364efacbe73e3723bfa18551a745894bd9d0bfc9d96528319cf1cbfd692d3c3a8c0109190162cc4fdb62c9a5b12a72dc5656142a336bdef1cef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\132522cda87eda26_0

Filesize
26KB

MD5
7bda774be50cfc7b8283de5ff3f2b270

SHA1
2448aa450f06955c74e214d78d22f9ac632a1503

SHA256
3eb83fde2ebd9cebbf50445147b89454201610b31d9986b5e01e57f5eed80bf8

SHA512
cd4d7cddd54f23cce96aa4a154c12f1b85b44b2bce19f055bdd5e44a7c934e542cc3601a1c0949945fa10e90daa0674f456b1466f2b709f0bf47d8d0031a8dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1ee0800227b973dc_0

Filesize
3KB

MD5
133d2336d8123459b0b9e49273d1d8a0

SHA1
dd5ddadedd64fe698910453de25a03287c4caaf0

SHA256
41536318a17a8c12222f24beebfa91c6bb9d2889716ed4a97bfd37bc0eeeb450

SHA512
032b5501a7ea53629f18f1a675684ece6c93f865a0bccbb9312b2e601aed9c52472dabd15ed6698071e3d9a1be16dbe963aa9ec8f3bdc634a8f4f2761822c671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2625a2d7f1c0e124_0

Filesize
272B

MD5
f2ac626e5874c1bef93d2545da592a64

SHA1
cfb643914843b9f58609e9c7cc897425ef8ed2f1

SHA256
65b5114c58ca603c24b51372ac971501be66d219557261463cb958d8ba54773d

SHA512
3db7208fafc0518bbe415604c38c76bf8ddda6a4f40911c16b4b52e074544f01e668bbd8ba682005fd8da0e884c69384741d1b0de851525412b6fd29b4631d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\31263ed17221d3c1_0

Filesize
55KB

MD5
761eed83f44900959e0b354d5013cf72

SHA1
77c12bf1e417dbf9bb64e7a9dec94eea5addef92

SHA256
497f74962b2a224787b1f924cefe087401fb82494e92bca50b7579384df68951

SHA512
4abb9008e877be0047bd8f42ce5395c9926cd2bef4343eefe8044b258111cb6915ba7345de5f15d2ce552c6c4138d42ca43ea57f2feb18be8c846c41724d3094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3d1444df0ef7b3da_0

Filesize
3KB

MD5
22269d703d6d8e7f98de42f67d9bffd6

SHA1
214e5538dc39e22a8b3f8375ed99db2fcf4d3acf

SHA256
1f8d9188a7aa9dbeb0cddc9e50e8f0f721459ad7d95f51ba3ef1395b98d4e129

SHA512
b1aaa1afb0b0455e11897486da3c7647c0bbfcdd69a050f8a6725880cf52795dacb2f633f8caff4f869e872f9c8acd34cc77e01e21dd73eeab5c033da11c5547

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\529a43eba11f0b86_0

Filesize
278B

MD5
39c17bf3061ad225ecaae99a63d3a3d2

SHA1
338e1b97dd12f084fe776fe4ec015cb8a6eba6ba

SHA256
340b844593829040931b3a739f56edb9b2dcced61f12fed8ea985d5e46d72c90

SHA512
0e198cb6e47591e57344b41f447ab012d2515cd37e1b625c8f9466c6eac5cf9c5ccce752095ba97dff7c79e258c0cf1f3ababbb4b1d0ef6facfd47e913529cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6752dc724235f88c_0

Filesize
606KB

MD5
776cf26489a204840126a433ebdf948f

SHA1
1619b1df5dc39e831d778660761b18c3a34974ac

SHA256
113e399032d9f5ffeede4384aa1d17d1cc2634e6567105c590ccfb6b15330fb2

SHA512
8f2d37b6c5d3767c100155a12617494b96bd01d47a2d42a31a04821263c05da45432f17530bbaf00ec2f849352a93721505a20e64b017da9a5e04fe99c7c5f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\84f38ad38423df17_0

Filesize
31KB

MD5
af681890cea0cd1750776ce6869c0c30

SHA1
4d7610d12c91a2e1c935300a0faffc4b2a02b7d1

SHA256
6e548b03d7fdb645c7a159e41ac9144e9a112e1f1483f9d8351959f3fd26349f

SHA512
9eb812cd77946ebf37f40f9a3582bdcebd6805fa4feaf200e587482527edc522d6e94f116566d35a4933d874fb8dce15e2cce84413740f00bf2e1d1f087ed3d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\958c2587d0970a2b_0

Filesize
255B

MD5
266d12e82cc5fcd978141e4458383826

SHA1
ad7cbe04d2a6881c9b34b6ca51d0a876db47f05e

SHA256
1054ae96f933752a159b802d4343c6f57bd18b7adde208ae5a2d573112f4eea8

SHA512
67b643f9ead5b7106ff46a4281325bde8b0ecd635c99ab5e30051fe4b2658113b5a4217e33209a5b728aeda7bdb89053174fa5a7fd954a0449c302ebb5250c6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\acbf7d8aecd29751_0

Filesize
413KB

MD5
44c317d6446d41ae25cd5a6879958235

SHA1
a217c668e236ed1ca26ff0b95c46530afd6a0889

SHA256
ade045cadfd8f51a1b58eca95ba0a7ae25ed3b177b22bb6a11b625603a34d795

SHA512
9a379bb4c330bd6111324efaa6f02bb4eb903f54d5502ccae9387213503c7d4ec4a77b416f65dd0b2a8a9a089be5f73c68a93761dcafe36abb65e91685aa371a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b6527a2fe5ce549b_0

Filesize
55KB

MD5
812d15007e67b81bd2f3ca1de7395707

SHA1
faa92853b4818dbc4f6991be09671c29cca90e3f

SHA256
08efb4105e7199ba66cf9bdb54de573c6ada3c8681f22f0af78a70bb682141ba

SHA512
6b22101cf62d55bd26159d30ae06a15b931aee39f0e9112d62420e3c465b317d04221ceb5b9f6839cceecf9fc9ac2459c72a0b46045917bcc35a33d50df4ab3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bb9768d854671e7b_0

Filesize
84KB

MD5
d291df151db1f2fc78a25574e784b54c

SHA1
405eb843436d0000b4bc6bc6a4ccb6640b90584e

SHA256
db030de6a477957a55eed81374312f84557cd529d9ab118cc69eaa3750693890

SHA512
cd7846aaf6186d23abef27365d5a800b0e1bcf587bb3f8e252e40cde62dd46c6d11da061047fac1eab027b16d409ae0bde6b61195cc6b385a256073c1920215b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c978d75e60f2fc9f_0

Filesize
250KB

MD5
4288485ffae7b6887eb769a184e31d84

SHA1
2ad2998d35ea29d3ce845b47c8de1fe49d357970

SHA256
bd32f412ad69a66a008aeef17e1eff6b4f85bdea3f36f2aad361680277395f8a

SHA512
30d68afa82e0895e3e23b1b64979c4aff4c27c652c2468449da79591112d8486318cbc46c5e8f614ebbaf56ab644def80e21f62ba62aa6f3a00b19be2285fa70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d06504d908e96b33_0

Filesize
328B

MD5
4ae954a70f3a8b252e4eef3575c826a2

SHA1
cbcfdddeeeb6da071d83006a0bbec70e74bf9773

SHA256
e0816baa89a1be44d5cfbe5173a0158aaee433d79281461b979109b261d6e5d1

SHA512
b40b26627032d6ccacc2a4b8c8f812134dddfaf9f3e86c5c5bfb089066e57ade86e312861fb10c525e2100c0a0370c465c22cf2f67dc44900e39ffc571f84728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f942e5beb2605dbc_0

Filesize
372B

MD5
4c1bd6b310fc4ff76a167b6eb3cf08fd

SHA1
269298c44ea57abbab094c3572257604f917f7f2

SHA256
1adf6947e52cfcce35efdb2ba2893dd78c63b560037568779fb670450bd81a27

SHA512
9a233c65c77a286a828fe43f529dc554f83c91f714948dd99881e9ea1958785cff04863fdf73f8cafa995471775b46f1ea1836ccad75e9b92f4eec54c3f73035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fccbe519a93ed94102131e57c7b83f72

SHA1
9c3d05fbb9eaeff18364d4a8991f7184a184aa33

SHA256
5f183710d7031a1f92054e5f4ca5d07c956b2bf88fae689ec05477961091b1ec

SHA512
2a87ec207c0d5ec351ca536d7b39528f06c399365f3fd33f29b1f733b97e75257134bafcb57ba143f5ccf0a4efcad4142cedfae776fed15e6475555070bdc003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
947c6da65a6ec596bb6110b9a4311c6b

SHA1
4100b1432313a9f63425f906a4362e6f71117e79

SHA256
594efcc340d539d768774cb8a126173d3f453fc83638209aaa31edd3852b3e2b

SHA512
c2a7f868a23926c8d573ccc545f800769dbcb5394911308854826774986a44f845ccc8030370f626b0cb4384429a09e0c3ea2bc5f8b9ee4c1cf8a2044d076d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
491824293015539c0154511e8e076043

SHA1
9ae981cb65181d3f5af4c0e3786b9e47a4290346

SHA256
e3f85966d6b36ad161b809a1ff9b387f87a17aa96d14a9ab0ac200d9c1a1cd49

SHA512
f516e5fdac0032fb1bf1ac42e2bafdfc9f6fcd74ee08fa95b74b903ec31b417495ada525ea29274626b4a542a75f50c7d159406fe746a853b654fe93eb019bbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
8e72c646413b003a8a62e534d390135e

SHA1
63fa4254bb05c46abf8ccc1a0f410a34bd48c2cb

SHA256
f07dadb9a405895e0778994550db4ba34af0b8a61039a345f07bba15e96c0fee

SHA512
d4bd38a5e4e694c7863722d1a52d872f4521b9e22c9fb59aa21259119915bfa33f2f51f82fd82d925a537c05d53d7ee217f084b422774903627584ac69f603db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b883ad24b87d78e8120807273410ca9a

SHA1
0ad4601ea92b777314b2f931a876fdda42bd0aba

SHA256
fa7d7e8b7f1d561baecffee06a47b6350e21ecb5b531ca367d3fdf72041d41c3

SHA512
3c1f0ac9be8b49f34bd0688e908284b3ac07ed9412d5dbea116237f880f256cc2ec8303328e8f4ce8efa607a813a0056048f298d14fb389f05dd23891577bbdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
232fe011bd922dce2e8fadcb606e0629

SHA1
156630eacdeb355ff4391a6442da674e0064b732

SHA256
8f8b71f0e9cc17c4c3df7dc4ee9d014d609f2f9c6729afaa9233b35d56afa7aa

SHA512
4cac5b374f7a5d0bcfd4e00f55b811a933fba94437fff0a51d85e01785c0698419d23cb503f1737696ca3726868945ae0bad7a6b9f3affdb8cbcab2c86bd8dc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
947ddb683589006c3e352ded3bcb3a1a

SHA1
5544c9660575c6b84366dacc05bde05e6615d21c

SHA256
8e0b00a6e6616627886e9f6da53d819b77c874bc859c09c933954916ab4fafce

SHA512
43b16366c66ba7ce92d2481806fa9d9b6ff379389bf72402d491a42ab22ddd8de9bc3c49acd311ba5b38ac3edf7c0c5ddcddb8eb6bf1d6df97f0f6ad7b2cd9cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
0037efa1928d13f15ef02758a82c5952

SHA1
9cb462ad9d38bbe85a2f528a91a584cede8ede05

SHA256
8224dfb69daa5f53861a2ab624e2c29b9b96c7a5d79392361e049338b9353579

SHA512
8df90f6607e2eac6875bd5fef02e45f7951919669bf3d83cc0d980295271f150335a9996b274338b57b9c0da654a71f63d4dd5dfdbb60e99fd04437b33eba70a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
b780fdb66c25c53bf722b70276a0050f

SHA1
fdaedcd8edf791a7d9e4d5e299ef33c1185814d8

SHA256
a0b03acd646734bc3d8f307a7479d9576c5f6c5d5b8417190f37575884d016dc

SHA512
cbd55e837a21428f2aea3c2b96590789a0d995cbd5f3cdded364d2ca758043340524efd9491f84466263d0680c1b972333d1bf5b3eccdefcdd64c045960efd58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
1369f18ed32dda1a3f39fdae689ec0d5

SHA1
bd1fdccbc37360c69220b31afbc2f37694b63f0f

SHA256
53c0dd89cf0735e63db80046e0f9dcd50323b9f901742b67ea49ddc86b2b1dd2

SHA512
e647450f8ca2fad3b0468f771913dc97422373dbf2b2164727bc36d2e4ea1502d7ffe0e2873168f2184840f9d3a10e086ad5ad198668f6ca39e810b85377afa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
c6243d0b87f835fcfa857a5dee3cbd0f

SHA1
af5531cc25818e210f338e5226c3161fbd979ef6

SHA256
0cf4e9be59929ad73838aab1c48fa9e98fc10e43fba99e618bff8b63195af65d

SHA512
097e5974466fb3678f0cf3281ce9d94734b3bd1f21bb6d3a6ca81aea7afefac254929f1bf7dbe37436e6d429c3b80e5ef301afe4c7ebe38382267e66935caae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
4072980237c562c8fe4ebf341e8c9a18

SHA1
172e48ffb4bec53ad678f4bdce54c5630df21bc9

SHA256
1f0cf186db433d9ad32a68db83bbc80d3674ec6428870b1acac1d6e636410940

SHA512
b0423c37afa2b022151da2341f116c502cda5d878689ac026e09f39bc09b914af874b025cfb354c8544aecf3f85c3e64ae3da52c46d743a4a89116cc719d3720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
91e7b17a3258d2704875eb6d984ca734

SHA1
de1053246beb1a6911ed742bddec5493772ebd20

SHA256
081b375a6d0e2412d1c16c174066d54a304eeaf3187966f36c05e1f2d4ac9646

SHA512
efc8892bf8351cb77b08f7bf36cd2a35364b0ccf74a4827d5e9b561334183c0cb07fc2c64ce92e52a2ee584f62b012adf3bfed68b5c950d3c7db4ed1bd313cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
857bc3f9a8d0b485fa50605e65c88764

SHA1
0d9872e1a370b33086b20bdb45c7ba327c180dab

SHA256
fb544f68582b214ac691ecc17807721b55475c8601f666c4781e3b6d2870fc59

SHA512
ddcc37fb1a5c133ccf24017867664358630a2813359ccc9e845f053cfc91f523b114904c07f4b7f2f901144f5ac53e0ac8c7194ad07551adf9503b4a2a03cfc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
794B

MD5
5008c9023ac5113cd53f608ce200597d

SHA1
6b5eccaf9dfde2da086e3fd3b85c42dcc24f535c

SHA256
9e8129a412f22fbf1857040b59d2a91fc94f13b53c733d434a82349b0893f5d7

SHA512
e88073d4e5b9bbf4995dcc4d7f9615a65b2febbf6c3a26bf721516005c8f1c0bba63b680b72dff988c1ee54cbd930fb64a0c202c871df7f9b8281d0015f8c825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
52KB

MD5
5052244719609440715d419aee1ee898

SHA1
f61d74c3865a6a8fd5160ebb23b2ded587aca2f1

SHA256
a0b4f49646bf0ead7d4445a2f63e1f8432e5445c2840cc85b1591386e4f71be5

SHA512
f6e60895b48fc2abdca5ff63446e80d17c869d3bab2805a483adea7afd4705f6b84bbe05455bd2c6ba21ff46e419208b384959c5cbc28affc1a9ba5147deeb4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
0cfc88e26f48f204fd1eabaa56260a26

SHA1
18fdb3e374014fadc58404045f23d766dc04c50d

SHA256
40e7bcbcdb1369dbf644ebfc339a530ce98d6d2f2577260195107a1adb4ab32f

SHA512
15a5253bc266d7455a04152252299407c636e567f35407c20eba6ed9d8a3f59c8ba671d6935c87cb002953d9a5d535107692700fc26e9202d59afd47f52155d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
cf4b0a74bdc68a111bd7ccbd8569daa5

SHA1
e567e83b8db5476018dfed63802d0f60690c8139

SHA256
f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d

SHA512
4ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
852B

MD5
16d7805cc80df08210543011a2a7a50d

SHA1
0c25176e4e0fcfdebce153ebbbf496513c9c8939

SHA256
5e1a34bba06c143ae2c205ceb81e21b9c5b70e6383ac995ad011d94416243c60

SHA512
e13ebfe2bdb6c5067d4c9b978aa6da3ad3e826d2644ac8f2133377ad2a021b9ce78489df9590c2807408e94015a0bf84207861a83c11b410f90c316a961fab2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
4bdbeaf65649919ab2cc03194e67f915

SHA1
dec23a3fd0e1abe490f4a5b93706695d7e39467e

SHA256
1d53e5021bcb9343fd4004794878cadd18eeae21d0b00acc51cd5b57730978bb

SHA512
063f52b8115c821d04ada280c2148ad0701980a6c401c2a0af7dd156f75a3747561dca86dc2c90e4e4f95525c5303998c19b2d70dbaf22ef113393c2f78abb88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
2986b92f3a5d554e1b1287ca92e8881a

SHA1
22e04a799f608cec6861a80fe9e7e7f0f03b1d77

SHA256
abc82e7d9c5f37968511022755756ec43fa92c8681c8704eb906c420d8dea38c

SHA512
d1f25fe4546d929f01083487c5b8da6c96b697f8b74316fbee026c1ee2402c40269cfc7de10fba6248827f0a5b8c6937663dbd55d21fe1afca388f06dedd6e96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
2374a814286565c3204421f8efd99da1

SHA1
631109973ec5043d9d676a55b6ca0a5d1141d5f2

SHA256
2ef8c2122e60b2f62105b4606451571693c06f60f511df7ba9ec2debdbcaafee

SHA512
9fbf184dbfea74ec26cdf2bfbf1e96964dc5c847959fad23633617fdd5f3eafce6ddce313b4bf46e58536ac97e704df847a7adab2f1b30cbc3d2367048647624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
6d70cbf9c599a8f04e0d36256162274d

SHA1
4a195a0055f5385a26adb4133a9847b1da298403

SHA256
e1b213ae569d8766cf1d58b69cce745e157aee41c0f8f75946ae9fe721187998

SHA512
7695288eedae5a83a9dd883c98bc7f5a87c60c808b2aac947c931ab50746ea8df6cd353fb2ec3708270ae626cd4bcd04ceebfa75005688fc1c9c4a5a85cc5984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
98252dccded70b2a96682621571cadee

SHA1
1e80b10c7e661c79b797b258f4424681e3317046

SHA256
9cab3afe30ea2167446742e67d24780da5723bcc00288d7b84ec67eb727e16cc

SHA512
2ad0a45dda08db2ecbed330851e2e8008cddf07bdff62d5081d478c9b5eb0ef81e1c04b132b7e8ae2a52a906d376f72a4e2725220b443e7f0285d4ee961b0f05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
3db92805288ec44204238a41b9261c38

SHA1
24df13255920c89653166288bfe4df47e8e3074f

SHA256
81646bd3679ce365947233beadd6d8241d2789e1800e57d0bf315ab1b5867537

SHA512
07302eaa86fbf72a37174fe1b2955ed2eb156ab3d914ee21101e2991a17a299a102575133e4160b41d4e75a8357d78c42f873496684596fa23397d6a9f0486ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
9e41f707c5e047f17979da25b54c5e42

SHA1
e08f929936781703ab2499c08ce64ff710f10486

SHA256
d8e601a8ccd368544cfd2c1ee9c6ac3e87c59f0a20bf093ebd4b0f0dab68029e

SHA512
8a0ae9cc46d6ac40360d506f6b0edc1f5afd5c317947f758305ba261af25c0443479219267487714979f173724e29589731f087900cb8d7d659af446647355d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
857586c1b9ca1aef061246f268e5bd79

SHA1
b9607c337f5ea998d3db827b50ddccbbe19a58b6

SHA256
99ae294f3ce6a66a9b5c017a912e5180d80d3dc96bc716388b046b96e8611695

SHA512
f4577d2f64eb63843d9e6ab1329ebfc0f73a612c802a8a0600605c33ce063deaa65a96eefa90b2c8f1bb09db73a8b6a44acb7559eed28727b0ef9a90e58bd1f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
0e4e8e07b2555a0362f886bdfee0e4a9

SHA1
39d4e3c167c5628e5de2cf4b6ceb84a5e6480d12

SHA256
72b1ff287f1accb29134662194481042ddd76e2d3453776f96eec2d772baf09b

SHA512
5d15494a1ff6a877ddc24894cd39c752758cc205edfc4e7a61e19c357cf11cfabb208aaac36939e3e27dda4abb678a0c9a3b7c4e5b987cded6de2f776db4e4a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
b350b6183e7898c5a870085461d4148c

SHA1
8cdd14db422624c601e6cd1aa2ec950b0adc3e57

SHA256
962904fc7e768feb9f36db68509aed669ba976f380e4accc32b130782059e09b

SHA512
c7d64710b9ffc704402b8ab1b8ec017b47588bb2fa53e6c14a8e32034dc85722536961953448301d5444388b501ff46bfac8bc48b2a00a81b20860d938b4ac5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
1e66f4d3d5f5a388ebf57e53db58df52

SHA1
4c70ba5b81e63d96f850560165630994932e3fcc

SHA256
3b61236126334f87137f4b477776e3f5dcf188635b567319af83cfc860ec31fd

SHA512
ea85b772f7de484e437c38a169484889c7da3a011fda7c9453581332479de06a5da1cf0ab5e0f3656fa6551026b869cc08ffdc322e64a66a22df58a8144f21e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
bd508253175766130605cec29efddf12

SHA1
787aa737be4280c84839de5fce8162342c6fca84

SHA256
2da485fbc70fd7a9a7cde50853f355b7e819f6285150bbe5a861a8188d1eaae8

SHA512
583196ab3c5a8abe4d8d709b029d566095a26722bca8d03ac4653c19ecb14bb899405e7275992b9a4a7540e48c1ab96325f826bcf8fdaf690bff14ddcba53e81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8d875d68a725786f44a114bcf5233c1e

SHA1
d8a1a00a625d9893f4898fba3515eb7035868cd1

SHA256
12538d42e7e6908a8c5ef63b0f95b11af59daa4982a3130e03486cd2b8ad913a

SHA512
1ce9192016be76c0f6a64357d63add2022c722a3b44a27f95748fa7e4072e57b3e9cf61233947abfb4fc6301c8183ca98ae150be935c2bb4c45f1f52672598e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
29a41552de348f168c1cda174a4889c2

SHA1
32c0c7993970da620aff52157baaef076968bc91

SHA256
1d307637c323fbbd0108ca9e867ba4a1e261faf76b102855a1cfcc50e08c2a76

SHA512
218945b5bf11fe6120605bb7bad076023732b85eebbf2f82cce5063df868c8447865456d8b558c5f67b1c111e9b2c477d02b14ac33b2af2c532ba67dfa1b9f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
346c53e1c571e31f0ce314e3c2ccb596

SHA1
bb668d632c8468065433bc289f00c521b74f5f46

SHA256
22104e6eee74ad7493c6b0aa6fa40e04405371eb74769c7b06f1fe7c6994f2ff

SHA512
0c378e33ae06193f4d429865952e9fab0312ad3b95907a2c9cd264574f506e842b22614883f1fda12a04f7c786bd482474188cfb8df937ec110dae1a0c3634d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ad24f553c68e041c8d3fa1f42678893e

SHA1
55e73ec18aec41de4062c6a7ba470d2f54c7526a

SHA256
0b62e8e405b36160e63e5b2147c42696c91af803a06bc96f87d8f8c411416850

SHA512
7ed1bcb710549d7c7eed01936e3d0dea24f8145b4185b01b3c7b78791bba85719f7518b703430be2d5b8a6cc8f0fa088c37045492e3697605443bdb9fd7a8583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
38d6532a39b8d22aa1cb86c0e1bed386

SHA1
0303da4a54407133a6694354c0c2261c3ea0b480

SHA256
96e78c28964e27b86cac4cb80a6a25e16418f579d9ad62bf25a07ccd208ab178

SHA512
b19e6bc2b866fdde6483c00034d5c4c7b27b9178d0abddb67a1e87bc955d5f3139d24cdbced8e24a14055cfeab2e5c04964b7244c6ec6704f1961a1e436bd16c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
787d6b83d9459d57674f7991b8185e3b

SHA1
638ebf5e0d25a7d1abc2bdaf05cb72bbcae5aee3

SHA256
75cab25fa381a5ba1f5bf5b4abf1122b04e30ff6c4d8472947f5b8c99ac9923c

SHA512
8910426274d8548ec37aff7b0c29782c1b5eab3aacf536f5b187297ade032b797f9b03a6fd4211d5e2556884880644225d9931c3e1bd69b3fd3f1f9d412337c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5af2dfa0c3d239c4d13bc77f249c56a1

SHA1
afbae99ab3aa7edb6ecdc597703d977ec3ef361a

SHA256
47a23506af4c4255373d37d7b713173cb1680785311be7d66b5e2d8ebeec42a9

SHA512
ebfba25ffbbaef0cded9ac6e1fc4ea020a017fcc1e5cfc104cb5a3226c5842738b97b3d05eb92bb975301053e304a6ae974d8901aa16fae5e99bfc1e27e9a8c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f4cd24d76506eadda4684821151c2055

SHA1
227238731121972cc57d34b5b4a7e9b3bf096acc

SHA256
4caf3221de87d508aa26e4fa99becf20bb20ffd67831e20ca022d114379aca8a

SHA512
6b04f2b36738ddecf8bcf76d281e14f24ff5b696ae60deda034e5312f68a85055a0d61da92c5031ad01d8f84f15275f725f02cae4dd0857380a4185840a68a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
06155edee7ef88781115d917c91d8dea

SHA1
fd77239b96928204b84054d9e358f73020150d56

SHA256
8008fb6d5b9081ce74aceb6d67cfe48dbc683a6673c27d1c6e3d69ef3059f7ad

SHA512
e013a6fa240fe6970df66676c75c1f828ac9593602e7c74df00684d09a1af7922275a634cd15812404048300f70d7e7e3b0ee82ad35e6fe4add80e585578d908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
384fc5a8bbd967efbec3f5aa8e52a333

SHA1
a9ec1a52fe2081ec4cd915b64a99283cc8a0c3dc

SHA256
08ecd4ed95d39bb35ba2e7b0f8e5502b2e56484e428e39a51d6641b079c945ae

SHA512
f845ac00bf68107d6f7d714cf8988cb534a5f30922238db04ccf466bd313cc04402bddeb47ea2d6cd45f104b77a61290a847d946d9ce13ecf043da31a53434f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5bb6bb05d0fc4cb6f93f9bdc3f4a7e89

SHA1
e8c9e8684acda02183bef8ff97d097806339ac44

SHA256
a803aeb20c89382655d1f12c4910cdffb93dc450e67885b0a6ddbbd7ec3bf273

SHA512
47073ceac1990f3d8c2869cc5af6d0edc625c595d0093a735e0f6c87f825c0a0e16b3a63785c48e2ed8713b6892f0081260cf223d34e76a45a5030df68cbc1da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bdf13ccc2cee54b45a1d6f7f02f68623

SHA1
f9512f525294c21577efa066665f6dde8c494a28

SHA256
89af7c8d0aa9d98a9653a379a5e9cc31775385d3370ead989903f8033bf51e24

SHA512
00daf5304c9b4918ac0f97e2e17ecd3abf9831ff4a9fdee3321ce557f19c5869f56b738b33da9af4a60431d77b764ce1adae16bcb441d879e7afb976bf44436c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
33f2c60c6b9c9d4d0647e75211f469f6

SHA1
32f935274a385b1476ace4941ab27d51bc641a7c

SHA256
1bd3ce0cafcacefeaecc280ebf2ce79587379b0171d7aa5985b45a5c7a33d54d

SHA512
b87ea470756e09abea33d628bdbec20dc88797d25c2fbc3379beafe746c5243434671a56f063a62686467ecf43435711a6e946a1a18b9797d10846073027408e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7345ff3b8f31d9a3ab86ebc6858cbb3c

SHA1
71d0cf30c64c93cb3c8e2f50e565daa1335c9ef3

SHA256
536e999dc77dc60263ccc0fd79634a8b6c0e0720f8ac12424033d8d10d58e810

SHA512
145bca65a0ba13a583bdfc506f93b0db9f2ef1be92337f74803cb3d3668dd7be9232825cd885d8d802d4993f11585f42a7f537e6961fac62820c4a6bc23eeaa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
bfd56f1143a6d947fce40caa60d55b3e

SHA1
21f9b91ca76a38700164018bda71704655c638eb

SHA256
aee60ba8018815ca3e46c591787aeb37ff282e7e90ceac57dd986e514982197e

SHA512
05f2635a354bc9a4913321f150d90b86ceb7cde32ac57651f2cab7cbc1a712428050d9b45ad6d71888d2ffc1e733a9716ab5f45395fbc7f07abf7a479b693c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
a453a99e02555aeaf62a53898d63abb3

SHA1
7e377d5b8ad3e9e1452b229bc6784ec0a9629a99

SHA256
cae7a7f0476f9562fca76710c65506013d9e8edd93a521367473d059e50b7b5d

SHA512
de09cb02198748a7bc8ba195eb224b80e2047db90bbe4365384cbafd625e8746ce0e5b3a68ef340219aa3f079aa80d838b45cd035c115748ba81cb1279d34239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
e6c16aaf18a90ab1fb6ed57988081f88

SHA1
70c86728f88fe07700c12c490e96225ece4012fe

SHA256
df6157abbb0e2f895e87760030de82b37e139540a294f6b74151af88480423ef

SHA512
8b53e9f7268277e5de6437aed7a3c7ac12e05cee564c4e2d708ac4207bfb3e2ab3d8d1481fd746d49e92ca4a46613c59c7fdaffaf33ab0bc1f4b2f4a27a74046

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c641b31ec9022e1d330ca8007f69a701

SHA1
ab1426e663ed1a635822bd6fd32382cbde235001

SHA256
83379db9a6d84ef7123302a49bc0bfbe5cfc8cb2817c7c898f48229d957a4d7e

SHA512
dc6711806e7ea478f339ce499cae4b09491a9b4d3db73df64e50b7c9ae939d482154f0f04cac25c4bfd74486c884c73dece75a391a84ed91706e0713ff1c1dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\84ddcefe-05d7-4834-b122-751df95b68f4\index-dir\the-real-index

Filesize
2KB

MD5
216097a59c8f178af575badb40a13b9c

SHA1
1653403534efa8bce118812005f71335ef00b6ce

SHA256
5d51168f0f8e5a44dfe5d007785c08e4b1029b3ffba58ab5fbf56a1fde8cd974

SHA512
e30fe359a268ce7805777ffeb8efa454f0601ad52ebff66ca2fd60578b0797f617110bbaea3e3e0b02a8ce94b125e19a6295cb1c423b74f5a05cf33584a93ec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\84ddcefe-05d7-4834-b122-751df95b68f4\index-dir\the-real-index

Filesize
2KB

MD5
8f07782f69effc1f38cc6b9ef4baf108

SHA1
c6641d45f539dbaa6cabaf79fc6dc57dfd4868f4

SHA256
cfbbea3d46114b5e4f35aecd5fbff835288bed554408c5bdade998486166052f

SHA512
fec34af36a7cdbf4cdab2dd0254e3eb600f33b0e89944dc377f7104aa669fb0bc18bfa21dd3e7da95415fd6960fb8a3b244989ae1990c371615fe1be9b8a0d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\84ddcefe-05d7-4834-b122-751df95b68f4\index-dir\the-real-index

Filesize
2KB

MD5
37da581c53bc3094021a0f4aabaf0265

SHA1
12dfd055e67b6f36370fddbcde157f25af6658ef

SHA256
c96c6fa42653f604892cae46f253af9e7b4bfa31259d2c549da90e0a6a2637ce

SHA512
ce159ffc4da985611db81e7d0c23450cd630f8186b5a2b042b54a130bcd9e9fc01b014f570e22afb5a5d1174e759c2e847189e119fbdfbccb9b4c254c5630c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\84ddcefe-05d7-4834-b122-751df95b68f4\index-dir\the-real-index~RFe5e391f.TMP

Filesize
48B

MD5
7979ca9861d9f74e925572e32bc9f58c

SHA1
cef29837b134693f93d95520a7eb48f4688f5257

SHA256
9ea74f5221fe7eb1b3ee2dbb585196d9bd8d7ce2c3fd0f49485a2c7d93ee1750

SHA512
cc2e7ea0e2b685be748bb057ad4b3fff50d67a5cadd869bf45e3d32a86a2a4641eb3e45ad63dd40641403ed0371d0d2dab16481f9219dc220c356b3234aee25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
d9b236a689b96c1da057cbb761a2eb16

SHA1
118a6b40732e12a0aff9cde86cc660633642962f

SHA256
91b754fa3d0418ae4d288c44315f43fedb5e9bef0f2a3ccc176706a9065d26f9

SHA512
018a5f8c1f1df0c442e115fbc5ffe6abf20f0f61717faff730dac48088bd82afe3e7bc1ce583404777dd33404fb9d7c1fb9fb657d18a58dce51f23233d64505e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
ef7759beaf7dac45f326141d06880baa

SHA1
2e5eadef8d9edde774d4705a0412870e8cd2d04d

SHA256
39994c69ba481b75a817293645840e5df6b8095738e124bbcce10b292b667bfa

SHA512
a70c6331684a4c7314c381b10fb23ba753430bb24a4da5164478ac569747335f88d79b0204d0f38f2d7d3d086ea6c32add6d78733e0aa4316f26b4092f71ddc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
3cb52f8ae58e8657bdfe03de9087c0cb

SHA1
7429e491aa6090ccc794b4b506db971783480199

SHA256
e3081820c7e062e9ca49280b7cd0b0d5571ed85d5d8aa7fde4feab22bd836d8f

SHA512
94852dedd0e04355b53283d1f4002ed5a9b34f283e6d367e0953274c7726f151c9eba43d25ad0bdb4f3a355838c749169cd75b1ac32ca6f77ac6fba98c717fce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
c10909395f9ead789dc2975259163ab6

SHA1
6b82ce0f022f1057cf57770c90ed6e8e079e869b

SHA256
ee5c65c322aff2c24bf37b6842118dd2d8578f6400a425301eae3344731532cb

SHA512
2071a2383127e4c7b1e3933960581ff85bd9dbabff13e8757c0a03d54f435d7fffeb4dac9ecae59f9456c7c13880a4a7b64e730b4ef84afb351b524faf11c34e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
f806f75a51a927cc0949518299258350

SHA1
d125ce55812b1da8561a7760c6481d9e386c5802

SHA256
08930f5b577c2b6ed4b34389a4f9ff17b521a7726cef2b18b6a0b704a7ed1e15

SHA512
5a60b589ac96b4b594d192f88c278ec49b63513c3d87cacc5032b3f1dd6cfdc6db2cc2a1e403ec5b52cce9d0c920728c1624c55067553c0845b1005b779858e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
263c536632b499fc1da859370859513a

SHA1
9843930c0bca748189a39b3893b1f4d7b04538ad

SHA256
d7c669daa4279d797751c999fb48076706516cf7384a16bc98b959329dcade2e

SHA512
5462f3dcd67fc7d8b42f46dd2c6acc8d2f04cc41412588237581b4b4f64499cce95d92aa0e19958f90aa6ef8adb07318ba8842f8c2dd3fe0ce7e8482c5d9030a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e3e2bb3dec025a151b1ced105d07ef24

SHA1
df7639f79e3316680cfe148b1f38f48ca4c059e3

SHA256
03627fa893d7e38baa7dfdc54fcd19f63aeb3eb9be843c0bda9a2c4be42b8e03

SHA512
9d25d3fe34463c6077a5b3e92fee479f45d5fa39f1d2302d2b4ffcf2ab4e22adf76ea5f167bc4d591b92d93773fee1ed85e9ff566eb161c4e20414fd4d31db8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5e1923.TMP

Filesize
48B

MD5
0e9df03081e7d48f9f1488167c878f3b

SHA1
03f55aabae4b285c67170f1939fb90fcba4f3891

SHA256
8507afb23b7e6c2c59c04727840534cb6b467b772380068cfc1a6392e47d62ec

SHA512
173f2debaa1df01d744f5398f504b491dbce31d0a3790eaf12e50ac2b903da7bdb4afd7c35da8a82d80d81f4d70d2944b1f2d680f9799f64f05b63d42cc8035d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
156B

MD5
fa1af62bdaf3c63591454d2631d5dd6d

SHA1
14fc1fc51a9b7ccab8f04c45d84442ed02eb9466

SHA256
00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d

SHA512
2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
5e3684dd9e896d133ef30231dbeb94f9

SHA1
1afe28555c78b575278926e002c690a993e48c97

SHA256
caac4d1052cfaa9730db56fa5747a343aa5f637bb3984be46cfd3fde13889481

SHA512
33af1a48ebc08f53d15fa77aad0ba07ed019f9bf72f447a130107ff764a486b895f5ba5dd5cb2ad890ed32052e6a62f9dccb29288886548f02b0798e2f98c80c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13380258028544665

Filesize
1KB

MD5
95dfa26cac69d61ee97ef314f094a2cd

SHA1
4d5f89caf74700b097043f49c2f63494eceee6c6

SHA256
e91a599c2c8d8108ef88ca8f5a277ce67344709dc0be0d620ba056bbaa63d22f

SHA512
57b3dfcaac81b5b2519405f752b9e553680c3a27d51954ce6c41af8be827b3aacd18acd3b9cecca4b26d7608960d8fde0bc77c457a973375db378bcf6c74a9ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13380258028747665

Filesize
1KB

MD5
1ea2c8bec52022de437eb4da0f025494

SHA1
96ac0d7e2c9369f4498b20ad74e81e044137aec9

SHA256
eb1070c70208a86b6a05c06e77c4a740d16e701d9d9540e841f5b8f4a69a2ba3

SHA512
3a92c660c58de4d7ac18a437fb407152c7087cbef11ace62c5217f077746b3469be6a6f238278320aab9435bdb619fe89e5d6534c41f632448adf548124d9341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Filesize
20KB

MD5
fca621466ede4c2499ecb9f3728e63ab

SHA1
3d5d4cd0fa702371f9d1a40e72e1fe19d194a3c4

SHA256
c6dde84fb40fb69d1a6637fe6bf781de51a4c24e45b616e8f97afd3c6fe200b8

SHA512
aa12ed8c1ff85af4375ac80d7fe494d6f8a70ddb3357c186a0c1ade9bbcc3efc3de5fb0ad4b81eb2ab9bc916b6adf8b76c30203f78e38cd00af5fa4ccf3e3760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts-journal

Filesize
4KB

MD5
bd768a76616f73091e481a61e99578b9

SHA1
050087e095bd3ecc5d70d5460364d5d759bb725f

SHA256
efbe22a9844c78f364a880e2a792bce0110b23ab69d2774a16d24c2aaf8236fc

SHA512
7daa048d00cf2212b0fb4568470139059619a403ae6d86123c9b807f4321d14f6d179bf90792580b31cdf4a2373cf1c144aa9c258cb4eb3d5d5a319f38ee4113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
5efaa3cc519df6251d04b96bb1e202fb

SHA1
6c32eadf43333450f6a9c5599b57662b21c15f9a

SHA256
b660521d524290f56b161809111709f482f7a38f1875daee2dd232441be0c326

SHA512
d0fdb239706402f4e4375856d1f677bb8605ae6f7e406b4078c1a1ccda611f35e9e8658d3e17caa17fe488dab690e925bb44be18926a20988699c3eb1506818a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
80ebb54118799b80e3cfca2258869b39

SHA1
05807cf24be2e727e4cc282a4e9f07632db1783b

SHA256
0917a7c55b593e5424daa70c8662c2b8e4cc2e791097bf6fd9473489d54e9ab4

SHA512
58bf9a9a40faa66c9f34531dea774317988837e1c158aa3aae414d4aba05714538466a74c5ceb284d98da261fd69afe5e8bf54f68e3b619741cc979e650625eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
1f8de165d79d4e7cb0a6cfa3c422e249

SHA1
eccb945a758bc6065c50ce89e6a84317dc3fdad4

SHA256
a8f4bde041ef13e0149c278e225e6a5a7e3c682a53cda168d37821826b7e1bf8

SHA512
adc80c40ca8674171249a003bf046aa0ceebcb8130ee85cad2870dec5a543e4b180acafd34bd5af97cd8b46b78c5e780c159a2528936fa2489c6f0d36053116e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1018B

MD5
bc7f1dc6c74b7fd68be08952dfcb6c1b

SHA1
24f8ae55ad6926ddfabcc998caa0ff785ccbf042

SHA256
92717233f5b2b9226da3ca9f0deb17699d2f5bded3d94ee2a4ea94ce5a9ea623

SHA512
8b01b3f8808bf0a5809cc422565cc400e628de4a52e6dd78efea99a9043ab478894f1e9bf1b0e1bf6c566ad103ff3bd93642d3a94b406d32d7cc8c8dc12db4aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9bfe83360df8fd9ffa21e4fa61c7a1c5

SHA1
d4914db1da0d26952ca50843b86514e916ae0b32

SHA256
427111462dd526e9dccb2cf9c8bde709763f2334c344e00c41f0d42308706850

SHA512
73108c791510e4ef0c7d87f4c255cef7f69219ecb5f477468a5d4809c6db1014fea7682ee6031a5a0f4e0e9072601759bb3893e80e62824895c1e9ea1de13815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
3749f46bcd2181e0eeaefa9e950196eb

SHA1
4cb1e2c387d0a01273864534f5fc7c01187f2656

SHA256
81d9de401b55601ec93920435c3ed7d0f69b2232e5acdcedfb9c4db22051a94d

SHA512
600082dbceabb713c2170216f54ac693d1e2049858a6f17534c15e55c65c238b9aed935cd6f3bf6dc2a4462b51729b4e88915d8d690cf2f69d01c2b531b46c52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
7788a137642bb68eb63206d5c86e5928

SHA1
8cdc42185da8c3ac8917bcc4d19a5f2c2f5ef71b

SHA256
6ff5f64b791710fedf186e1b426c4043d09d04b28e0a0e1a9e6d0b4e54e68f13

SHA512
ff9e8edb01b38979088bc30b310156a5c844a500387415d76930cc1fc1508c019664f8452e95f9f86d9f9dba825a16f89aced1351b2205e262c07524dc531730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9fac615f3fbe1887fde22674204bb3c2

SHA1
c30a2cf42e1c56197a6d08dd0ab2fbbcd5990370

SHA256
ac9d25f10f4810f077371de371e6b960112d03f07686d0045e9db8a02846d5f4

SHA512
fdc0b987c037eef00dea079a5c62fc014c9963244a25f0c6dfb1ed3e67ff6a7b60d66752d4128cfb33a914a6c882509319d97a4f892676641a5a1674ab17a14b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5b4747a77251f7f3f5cbd55a6cdd53fd

SHA1
aecec7cef0c65cb5086a0fe6523b24526b59dcd7

SHA256
f46d3e17b80944144b97d94bc0362b7eada25cefeff7e70adb6df7eb439da043

SHA512
4c3c9b6cac40f4bad4cc44fb23363663d8b8664fb4c21358b94f62b8b3ee13755e37854d39d647039bad13a2165345c195dc5718c78b79df09e97e7305286aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9dd2ccc9f1a1902e290f7805a0a5ed0d

SHA1
fc4acc94d4d3c9bf77694d21952ca441cf3b4dcc

SHA256
d622ef26af95722b88b78f394e5b79fbaf6a7cedca39c40550ee216c5067708b

SHA512
09423d3a4b419e1be85c7acf9ba9f94065276ae32e2004221202ceef5a5139369af1141325b85613dec0e752b947df99c160284e4f6bc5cd867231006ee86b28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c380f4fad360f05408fb4d3c4abbf04c

SHA1
7737805c08662808312b3e133a1dc18016ee6f15

SHA256
d905b05f876279515c04f83a576b6b6b6b4739bf3a1e054753bed3b9cf3a9437

SHA512
516a05c3ba93f031805c1619c752c722955ad16371d990274e3df4809aeb85321d69f3dc18c0d7bfb2c2e68424050973d78aabbb35c8912df843e2305e848bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
2c9cd8115d1c23ad7377994188b41f10

SHA1
1d119882bf1d90765254bfc3eecc06d7f95c9262

SHA256
91e51231d90ecad2472832d7ac1913e72625ac78f97cda52cad2e633f033d5c7

SHA512
368971543b7adf069a7a6a15a77b94e40b38e0221a74070815125db799cb27c126a6c25518294e740ac72c72e404e286bca77282e03f73ee25dd59d1d512f026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1018B

MD5
ed5c557cb644b94d0b91659600268ae1

SHA1
584e9adee539ff696456d5365ad81454e0069889

SHA256
67cd49c2e8b6014381cf20a54ca79828f86fa1183a7675e9ceb77411a4cb6bde

SHA512
0909e92e1bdf6be108596796031258cd2001e6edb46d4950afe2532c38290b07e3f9f85009aa450d30141c61f0f5173c0d8b07549dfc963ea5ca89c4e9e17410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9b5b9661709b7471699de95ddd460e6f

SHA1
e07c6584351a594f0808a932a96f5893c1b1784e

SHA256
c48ca6087720f4db1c9feeabdf170c938f2e59c638e1a46a96881b747780dc24

SHA512
e6374c93ea7e3b4eb5cc28d048b637376813293e671e5ca6aed095a5643f438b242384f04b3e15bb271db8e5ec48c32ff301addb4c0ccdfe1f163c973b5c734d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
2ab19cef72e994bcfbe0dae0a5ac6874

SHA1
3c996f973276704b651521c8e499c2b0b457f3e1

SHA256
21dabd189f3d55cc053ead3a51166ce8bbc5eb3b819ef6e00e40f90fa447c750

SHA512
99593ef77351a7c6486d08abe7a2fe4842a41c1c8cf4fde8980c77700fd5836bc1cf123701d74c6cb70269942bda48b62c65719849cb93a401d014d07868df38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
57a4719509951d236b21adcb351c1629

SHA1
11b6b4ea8e8d48eba3b4884ac8479eab7c3275e0

SHA256
8c578f18e9a5d73ba7e0668af4646190f824bcaa8c6adc112076bf6068a1379c

SHA512
d621fb092835ccd06c2d7648bc297146443d33deb73045e4e1ee2da44b08af49b0714196bd538a6e6303a4c1b31093341ae592276e2212a670fefb49fc9e87f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
54a07fc1ad3188b83145f81e0b2828f0

SHA1
0cffea073075a76a1b16df8a0421b069d50d0b30

SHA256
437119e0aa44d1813046e1413d3ea50d84385e01fed95f0c7cadb2e8343d8afb

SHA512
7ab7053cbc71eb40210678921366bea272e7cfc03eddeffe247d6544b43c8bd1953c1683c2050e5f7ed8c4d331bd7b69a854d8055745f82aa7ad1f9c135afc74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a4d152886ca72c848653383e522abf1d

SHA1
9d6931acd1b8d6a36e97033e3f9a72d2e59badbb

SHA256
36389ba6812749ed520fd1f137ee3c00870a30f844184b57283838b2f70a3595

SHA512
30e3a899cf76d3f471ada3665fd7d4d6afceca7643d36fef1def46a15f4ae7739e8a101bdc08d7fc502e24a1b97fb7d35fce20c9cbb932ab99b2a7c930ae0862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dfa9d389782b6e14d95b250f3e081da7

SHA1
22c748a22c10bf3be6a890671ca604942762ca2f

SHA256
5b7bedd5e8d9856286a529a2aa2997e1174488aad856965d5f124ad86285dfa6

SHA512
74560bd87dc89bc6c33c5e7619a0c34d9fc284fc162f99a4b535b3080c90355867c3e5d27957dd4c11a459567e86cecd1fab5cf16ca451cbb0576c76b6b964af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
84b78eac57fb91d2d42a2916c449af0b

SHA1
2e1c1080f209dbfda89533c42f36d28753491392

SHA256
0fdb5d04d716c0364d03eafcdb9aa36cfe64b7718321148a1da4075d27f8751e

SHA512
69d17f57f04eeae4b2a359259447fa338bbe9a6d1d2f522b850daf24f6938798b9ad7f5c2ca5c7a11b9644c9449940c0e590322e08ad91f4e087e27a17458884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58294d.TMP

Filesize
706B

MD5
d50a1017b300fe6c5b3919ad2d72c3d0

SHA1
13d4253145218af2f6719db18e294fccb28e752d

SHA256
af616d85f5b8acf7af3256a77db851b0bde93cc314d527eb3be72c596934aaf1

SHA512
1fdd4c142dc2865befedb9032546173713d58bff4ec17e34ccd82701b5108d56eff1c363925c06bee3ce1cc8fa6195b47ecc45569b4cb958b501a2078ff59bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
2486a0bbcb0be4918aa2734c1ccaedcd

SHA1
cca253a8ae7a00173717369f179cba9cde789539

SHA256
43fa23c4f4ae069b617f4ab6af0ea35821e3bf35e258b974419053161b5a68f3

SHA512
2d860ded8aba1fc73aee86cceb73f508137b59370a156aae3e5fe4c3cea883f332b8ff8e13f7f82ccbdd8709e34dc3199801a64417ca335a6e07133437965f07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
136B

MD5
5a542f758ed6f830f2d81dd8dd7b3329

SHA1
f134bd68f0b1e7bd028e6c542e66f03d61a65495

SHA256
296ca4d4f12c44caa04cd5b3a134fe1ebec0e2e41bef4dda4a8d9945cc87ae60

SHA512
a8864e14e0c37c90285e9d15a9e2a93830e04a02bf991d8f0bd3c1258945bfc8587d176a2b3ffdf81538513ced20f8e62cc05800bb24556ba4a40eae5ace5427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
c2de3d41015afc7833689fd305bbef0a

SHA1
ab748e6ac48309ac88402e8af9853e09ceb73266

SHA256
90954b9c90ddb21074245d18fdf7bc40de5dfce8f491d7ef586db61a5dd1fdd5

SHA512
742ffeddcb6ec808322cc68ab460a6e202f574c55d7668ae512592ba29d0ac65386c02861235687c2ad9b033cfe56b5a848ddf775ae5acdcd8947217f598e3b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
187B

MD5
aec93354c0d05ee6aa4e61b33e3ba251

SHA1
7505307e6bd0100dc270675d32a14a375db1879b

SHA256
6751486bbaff8a505bb81c5b73408ffa7c27a78f5c47da53656bc1b056ae7502

SHA512
8cc166ddaf0b89ad1aa11ecb0b853389805ec0b2a95844b060fde42c0be566214f789df1fee91a99da8b135b49569d5d286912641eaa343d7917542046b66921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
86429ee365c836aa6b222e35c872346a

SHA1
dfca9ebf98cc0aa8d9b70c9d671284ff922e5692

SHA256
8c85765be5e0e3d430f08b129197ce016557f062dcb6e128284c74d2fda76cf9

SHA512
d8efa02d47945dcbb978292b207afca60a0f9ba7b4d21e8f3dad083429da4767386b0d86df98dddfaaa4befb732f9b3dd9c12d7adb8d2df8bba3de64a257f465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
28a13afae8bd4a78017072951ec049e4

SHA1
0658227722d5d6d0b68346adf08cd5d141a134a4

SHA256
1744ce2709eef41af374582a59de3c6ce285d6176cfa87d9a19c245b88bb7783

SHA512
4ac2d8975e37d8135adda7e22cc5be4bcdb44fd90a5cea6f81019c476ebdbbf49ceefbceb4980c58bb96430e05ace9d7c27f0a51bc303d0abf20a9a2672bbfd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
75a33a459b572b8db6c7fe787d22d682

SHA1
cc94c8630b2bc1c69638c899be2b175251b3e626

SHA256
4db89ebb4290a6f32e3b7dbbebb33e9095e39850b12372888aabb3e7891fc660

SHA512
88be3edc81d3d09fe3ab7389424bab6b1443efa5262fa140855efc05862b440517f53c81c06e3fe733339310a576b473df7b943ac7004717d03a1972a88c888f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
d704844fb91c768cb7518fbe40c102ca

SHA1
10820b0f27c7fbc55b944e56d75051fb98bf819b

SHA256
b45abcab18314586cc0f6d07df3e8db71cf5830ed4fbb3594480204bf47197d8

SHA512
e63eca64256b60ba3d79c4e741765406da80c7aa797943462b37353402443013068c366d7ba32aa0fc08c9c60da93a475adcea4923e1aa090b3c4f84445a4325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
de94055be21a7765dea3a38749a0ff82

SHA1
0c35faf0935b200f826464c98b1bcdf37fb1b4d3

SHA256
455b5c7f98a0f57243e08da2e7cd0e66a96050cac3804983fb78f7e60017e9f0

SHA512
f0bf92d729db557d28ca4136078fed1a0cc127e5f75f9927b1b86a770b978359a90c35acc0517bab5171bdd146b9ab168fbfa240c90876c99ff5bb9f678a8f9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
bbe89c2ca5f935e27ac5c554814a615e

SHA1
227951e5c76b939e0db97dfccc56a1b20402de8e

SHA256
e784d94dd280ed62afc6b7a60fa6f382173f77f53a39427b845cd789d2ed90fc

SHA512
44dbb21986cd2466ba903063d964cecd22b6193df298645867ca4ba8a441beeb72b39c60e5727a40de109756045819a7f5c8b51c2717f2c272f5f2429da691f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ad7e67cd1d19ac2baa57b951a9ed0aeb

SHA1
faebee7483825997b085c199c58a5353af105969

SHA256
304bf182bf9922849b37cfe7f2e824812ea5be088eee9fd9c806ee6717352b6c

SHA512
9cff6a2bb448980b66ee39e5d5614b1ac2f3049b07fc37ad931b629063977aee792308c0533286170dd46e7d6bdc01533f1ec959eedb3563d772f9eb6472883b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
aabf9a249a7f4ad02624beeaa3c65ce2

SHA1
76307ccb9aadd6e63dbf0da0d60803de4b0f390b

SHA256
84837dc02bd9089f724bc4222f7221b6f1daf4ad1659604ae1fbf3b944e30cf3

SHA512
7eb755ae6af970b80a6d5b528c30b0e902be5ee2dcb367dfcee7282e9a46dc773818f05d5098bef6328eabd1de8c0b34b51b6ad4c19aa4d6a68e5295b7a0b32f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e7b187ca8f50e1e15566f9c2575523e5

SHA1
2af709933c5c5673369e48e7c80194f0f32acec1

SHA256
4ee8b3968e9db3e4b2b2d5f6389fcf80cdc8bf45315121e2bfe6a7e21f69103e

SHA512
bf677355d6e1d3a8c527c98b9f0921270db7cfe84f80c1c03ffc7ea25a9804ddb6607a7112c9c945f5f6051b4339bd53b1ee0f12fe2f8f558f1a55fe6fb0dd78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c749bdc16ca87a792c4f4a90db2573a8

SHA1
9dab587a5154ec5d53d0fd98ee83589edb8c867c

SHA256
580039661db0dd83b8eb06f50c73b16f4424028e25784aa7e1b47abf270499af

SHA512
25fa822166947a7b4ddda4126b13894080d46b332641b1571c9480e7247980b5db34a802e2a6619660f561d70d567af8c912e261f1780ffb69af35d2201fb599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
144e1db8603fc181f7f818801644a945

SHA1
ef75cc54d1fc7807dbbb13ef79e389ea802a82b2

SHA256
f3ffc66ab4f3b387c87c7948d26c57ed28dc606075f564fc1144d24a9cd78a02

SHA512
0da1fe811b01f6d5fb3058334ddffb5ec117f5bac1db71cdd4213441be1a56024cd9fb25d2555f0f848625b1fc3ccef927c4a764f329e1c287655127b4742df3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a5d885bce5cebc51fdcbc4e11e8b7360

SHA1
f7bb5e24d553efc1aa78949a6ccfb7b9156e4ce8

SHA256
73a55b11c3e0009dadb449e52168b1675c477fc8249ebb2534ac18daca4f331c

SHA512
6752119a971500d185b0cdb2b0d1e48c7f21a8a5c5990c1c71daae5936c4937e1b4d1e4d7dc27800a92fce55bf762b34bfcbf9269f0a98986e0fc5040c0b5e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a6f168488ef8a4164fc7afc926fcf32e

SHA1
fa9afe23440f874bc92950680fdab2510671eb7f

SHA256
8a34a9755cca2ab9691ddf0fa1155dd0fd86524704d8c7c6e5257aabf30b07be

SHA512
c9c34c57b61534a3c7c77ba8264cc6649b7c071bf836e460bc9f1d8a2beb4099b1fabf8f4945b9645437d60aaf896347ef614dbb4e581cfb487d101f17612724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4204606c660786d7344d310ed82c59a8

SHA1
8d687ff9cd40053d6a4657763263e1def99436f5

SHA256
0bb7353a883bd37ca68e35a1656c87ade477e9a4d90f95cba4be585949ec8785

SHA512
991511953ec67004386df6796593ab56d56a9c7d6d69603bdce52206f191ce09459bc67ef4d98a3fbf6102b9c1528e6da55bfffaba804c8f887164f263135d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
80d7cc6cc09f39d12e9ded97e010d874

SHA1
6965049818eb56d40a0f257e2fac68767e96321a

SHA256
01c559a57eb40328b3781cb4bd176241993ea09824988e0eac28c295e7cfaa73

SHA512
da79257d4b222281f03502921f147cc1585ac1a57a48d30ff0797ff8c377ca7797a43707abf738965dcea58c40107585d2622bbed25f3f52aa63adde632ff4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
af4e6f991ff610644a6b336d62fddc41

SHA1
36559a57d9b81b1a268bb09d6df16e8af7aab314

SHA256
8951054c922ad9450cb4011aac6a622b05b68e8fe62a4f89c81bba97bdc14c7d

SHA512
c2324d7b136c92f2866a979801b4e477313b9ed2ba330ce834a0d3c20b72530f268f32d8cb68c74c4f332db568965b1e09b39fa49f65db6494c4016791279ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0122c198607d36ea78cecd4bb029c8e4

SHA1
a81b5b83d13e3911dc75af6f1245a6c76caf2fb1

SHA256
e2e97f7c5af332bb836b6f63a0549558efeba93e8f0abc1e2859faef19aee17d

SHA512
b2eece81f71b7eff1a7a7fae0ab7dc063ea958b0618bb0ab14a6e1cf5f32d5e8e8e95977275f98c56a2eb1aaa6f11021fb70548b90192ec886f9685d3dc37d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
ad0f8503b9186440b8d7224afa3f81d3

SHA1
b99daccf9ccad1f8df8c52c3df171b8c5c055670

SHA256
def5a0eb466bb6e6938306d519c642a90247ae26d226da11d1b594ac559a4f2b

SHA512
14423a7fc3364846ae3f469d927101e3d00490eb046309c3299906cd76c789e2711de6f54e466c0f93dbbd8dfe31ca26237126239ad69e4a9cedee3e0cc1a64a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
b7c31ec49de3321d8fd9672330e1ec4d

SHA1
9f5e46f28e51bf288393d5795b8ea4abdd00b087

SHA256
9028f677da15f01449d652c033e04802424e114cf7434cd37e439aec056fd28b

SHA512
0c576bf53cd59fb90ecc1a5bb6e919f36b85240dffb7ce88478cd3e8fd97ee2b053fdd8337daa82032447114a88a8ba9177a57b4ed062008a536b46748b82fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1czqk0nw.ibq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3C58.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3C58.tmp\final.ini

Filesize
566B

MD5
71776947effb76fc8200e5144e2684dc

SHA1
b548dacd0a28763e328bb199ae5781c0ac0858b9

SHA256
70ca60efc07f136d638c71d5eb5d68dc0f30e68497099f3fa90dd066f5e4231b

SHA512
5fc202475aaa7afdf105015b92d251d0a7d56831837d6f1de7ffc2124eeb15cc3ebe827a1716cea34e3c9f50dba79c88ea55849d14729c1a687201e1e29b3fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3C58.tmp\nmap_performance.reg

Filesize
192B

MD5
3cd4a36a0dcc9e0e79d1df1d6cc712df

SHA1
a9b6fe5c0e01aec042e68c2bc700a721c4ecc995

SHA256
e77d7b5158ec99d19e552025facf50f477a2f2b1dc3ef2f198520cfa76e9707f

SHA512
d3d5ab7cc0943dd7ae85445449249109eeb5f871e1c7baf3139cd9e2d3858f70040102dc30b089fc99ee82ebbf99335c2323b1d070552cf7e565a1ac70ef2487

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3C58.tmp\shortcuts.ini

Filesize
452B

MD5
4a0bbe8383346a2146fa07b5025c30f5

SHA1
2205fe641f61731d4f7f12ca067c77b0982d77ff

SHA256
8d9cc8e0073c30116218d0630063591063666b0d74efccbe4604341766bebab8

SHA512
2c095366310ca58e1586b339b9ce5f5b990e3015611923fb34ce444e006f90bfdb1591bcea6c867eb69eb8811dd2b401a7faed015a58d7b1a14397979cce9874

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3C58.tmp\shortcuts.ini

Filesize
526B

MD5
0c0313a77685244daf9cc009f60b0b48

SHA1
2ba5f793d77d3f07b68e0dcf1a8c74eba2444f4a

SHA256
1354be8ad380646c2805cc42f70299e7a094564150bf883f72e1aff8e6092e3a

SHA512
335caa2faeb560a9af4b045b1594cfb8816c605bb693dc2f29b3f34fac25678a32327ffd80791fa79e9027f06d7870eaf75128d2e248df204d978d0964bd80f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi823A.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi823A.tmp\final.ini

Filesize
568B

MD5
cae757421db8d011e41266bfd9439885

SHA1
7108a9f0740ee4e3a118f6ac9212e0446f074181

SHA256
ff350a68202aadb145f590c8579f9284d2e3c324b0369fde39e5a3a31d7b8204

SHA512
785d19c796834065c823a7da99036378bba54b932ea1e47d4ba0c1d123a0a09ec307a3459fb862221de74ce61d9a8d7ec73901c9de007d31e7b39eb7a19b16b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi823A.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi823A.tmp\options.ini

Filesize
2KB

MD5
5c12cb2bec2ac5638afa58c50594efbf

SHA1
f7838c285482781b4b3470a917511e46b2f529a3

SHA256
6be0dbd9dae055bf41c260fa807241f5bd64e270978bc1c56ee133a8ace9ea97

SHA512
e2a67b32fce1aab31850a999842603197fa6a64deab28b1d090f18b2bb5bb3c01bae93fc97ba0edc0e1d45fb74878d55dfeef3d051d301bd079b4314003f7b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi823A.tmp\options.ini

Filesize
2KB

MD5
5e6c0cccfd782b9507d8f7c42113d298

SHA1
ae1639722a7022b99d0fb2dc9db9d7f9c572a5aa

SHA256
77a56d34e952c1a2439d93590a72da6cdd90e0d5cc809266a64b96886510d0dd

SHA512
af4c48c668bec73058a21004786af0365befecef06fce1f7db81199a599d91f5119875e856a48b886bd2eb1b1fd85d5570709cf4144bda717705ba8d28bf8f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi823A.tmp\options.ini

Filesize
2KB

MD5
622e5cff01852ed1c74729f7ba751328

SHA1
dfb6c7984b76e921dd9aebdc3a4cc9ca036545d8

SHA256
37a056662823919787184ab85589aa4bb224ba2508a8bf81bac1c8cfcc99aa6f

SHA512
8fea990cea0e47e0ba1df26a66daa14770701875f595e89c96f98d942ffb4ca1a229153a23a7f3faf8bd6d06cefd1307b791e8a83d2eca5e0bb9671aa60c6d23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\RustScan-master.zip

Filesize
3.1MB

MD5
be99cc8160657cc6ceaf083960c4dde7

SHA1
c13492b4d0dc35702ad731f57e661b7fc8c16cc4

SHA256
50e856ece88d61be9d0541f01b750a5c90092a73ca2c654241b287af8673b9b5

SHA512
8bf5258bcb9273042dbc3b6588db16c2e0bf60ae87ee2e26015b929a46c932685e5fb081a9cb1b5cd5215bf9b52639c5084d6bdfab354ed0cac0ba71ad3cc511

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 622236.crdownload

Filesize
25.0MB

MD5
4ebe8621171038676189cbc5e7053d9f

SHA1
2e3a3b97163d1e8af1e41c36f9495062fb4b1934

SHA256
3786d314f4e3906400b24657ed15fca047576eba9cf17630246db69503fdbea3

SHA512
e0091ae9f3acddc7e8d11b89a60debc3dab57b8af57bde4a3f538b2283eae398a1adec8224bf5fd2d0be61be015fc2a79c49b06cf786945073e1cc87d66be356

Download Submit
C:\Users\Admin\Downloads\nmap-7.95-setup.exe

Filesize
32.4MB

MD5
bd457e3fb19a7f127a23369e70ee84fc

SHA1
09bf57bff436520af6b8842f7ea9f48e655ffffe

SHA256
c59b51d15b5965f27db4c5bbd21793ad6b492c8c751836ba8bd43829d791146e

SHA512
d55d51be6a12aaa87906102876aeec54bfe40f8daa5cde110de8c21b7135ad6d581caa7c84278cf02ad84efa13c16090b2336b90956ef983085c4da1e578fc35

Download Submit
C:\Windows\System32\DriverStore\Temp\{8a9ecd00-4f54-474c-b5b1-210060fa4310}\SETD0F4.tmp

Filesize
12KB

MD5
851cc374a87e0a83956a29c762c008c5

SHA1
1f1c907e687631c551caaaffb0de28dfcfb03c01

SHA256
f05d0dfba14aceb7cb27b49ec8c4f1ce179813e0cf89a32855d7ea2fda91e124

SHA512
260c822dbb2fd53cec2ad352e97a42a665fc030de9cf0b223fed3a945822ccbd7e0e12fa0873646aaf38f5f7b93428f29c0bed3709fbaaa83a3dab6dc39a2dc7

Download Submit
C:\Windows\System32\DriverStore\Temp\{8a9ecd00-4f54-474c-b5b1-210060fa4310}\SETD0F5.tmp

Filesize
8KB

MD5
ed7304fce3f5e3de28435d3f9e8b4156

SHA1
45bc86c10386c9368ac482f341999a289dd46897

SHA256
64be5edac3eba224120138c6dea3e4a75740e23324fba5a0799499402d96a258

SHA512
d7532a12b726869e430745da536b7e1e85ce5871bbf3c3cf5fb4261f5b3d5d4307e6267a8b5f53a6719369e261c66c85c05f3941974594ae4864b16242cae41b

Download Submit
C:\Windows\System32\DriverStore\Temp\{8a9ecd00-4f54-474c-b5b1-210060fa4310}\SETD0F6.tmp

Filesize
68KB

MD5
1637086aa0ba4637d2788dc20a0cc67c

SHA1
4628fe7561526714361764ec637339b21ea88b60

SHA256
734c62543768e37c36386b4a07582bb5b322a60d5c997626465725c5b5cef978

SHA512
92fb3dd73873ef8a888823f14911f52fe7c11a06bf4172929783a3f3106ea6298d660389cfca902153424b8df64fbe9dc9c5651228d5eb72a650655df21f7cdc

Download Submit
memory/1548-717-0x0000000006CD0000-0x00000000071FC000-memory.dmp

Filesize
5.2MB

Download
memory/1548-715-0x0000000005B20000-0x0000000005B6C000-memory.dmp

Filesize
304KB

Download
memory/1548-719-0x00000000067A0000-0x0000000006AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1548-720-0x00000000064E0000-0x000000000652C000-memory.dmp

Filesize
304KB

Download
memory/1548-721-0x0000000006C00000-0x0000000006C3C000-memory.dmp

Filesize
240KB

Download
memory/1548-722-0x0000000006570000-0x0000000006591000-memory.dmp

Filesize
132KB

Download
memory/1548-732-0x000000000BCC0000-0x000000000BCCA000-memory.dmp

Filesize
40KB

Download
memory/1548-733-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1548-716-0x00000000065D0000-0x0000000006792000-memory.dmp

Filesize
1.8MB

Download
memory/1548-718-0x0000000006480000-0x00000000064B0000-memory.dmp

Filesize
192KB

Download
memory/1548-726-0x0000000007460000-0x000000000746A000-memory.dmp

Filesize
40KB

Download
memory/1548-709-0x0000000000970000-0x0000000000CC2000-memory.dmp

Filesize
3.3MB

Download
memory/1548-727-0x0000000009870000-0x0000000009B06000-memory.dmp

Filesize
2.6MB

Download
memory/1548-714-0x0000000005950000-0x000000000597C000-memory.dmp

Filesize
176KB

Download
memory/1548-730-0x000000000BE10000-0x000000000BE8C000-memory.dmp

Filesize
496KB

Download
memory/1548-731-0x000000000AA30000-0x000000000AA3C000-memory.dmp

Filesize
48KB

Download
memory/1604-4717-0x0000000007140000-0x0000000007172000-memory.dmp

Filesize
200KB

Download
memory/4508-4459-0x00000000079B0000-0x00000000079EE000-memory.dmp

Filesize
248KB

Download
memory/4508-4452-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/4508-4442-0x0000000005850000-0x0000000005E78000-memory.dmp

Filesize
6.2MB

Download
memory/4508-4441-0x0000000002F80000-0x0000000002FB6000-memory.dmp

Filesize
216KB

Download
memory/4508-4453-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/4508-4454-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/4508-4455-0x0000000007530000-0x00000000075C6000-memory.dmp

Filesize
600KB

Download
memory/4508-4456-0x0000000006A40000-0x0000000006A5A000-memory.dmp

Filesize
104KB

Download
memory/4508-4457-0x0000000006AC0000-0x0000000006AE2000-memory.dmp

Filesize
136KB

Download
memory/4508-4458-0x00000000087B0000-0x0000000008E2A000-memory.dmp

Filesize
6.5MB

Download
memory/4888-653-0x0000000006480000-0x000000000649C000-memory.dmp

Filesize
112KB

Download
memory/4888-692-0x0000000011840000-0x0000000011878000-memory.dmp

Filesize
224KB

Download
memory/4888-659-0x000000000C860000-0x000000000CBB4000-memory.dmp

Filesize
3.3MB

Download
memory/4888-687-0x0000000008930000-0x0000000008938000-memory.dmp

Filesize
32KB

Download
memory/4888-663-0x0000000010A90000-0x0000000010AA2000-memory.dmp

Filesize
72KB

Download
memory/4888-688-0x0000000009480000-0x00000000094CC000-memory.dmp

Filesize
304KB

Download
memory/4888-683-0x00000000084B0000-0x00000000084D2000-memory.dmp

Filesize
136KB

Download
memory/4888-658-0x000000000C780000-0x000000000C7A2000-memory.dmp

Filesize
136KB

Download
memory/4888-689-0x0000000009450000-0x0000000009460000-memory.dmp

Filesize
64KB

Download
memory/4888-682-0x00000000085A0000-0x00000000085EA000-memory.dmp

Filesize
296KB

Download
memory/4888-662-0x0000000010A60000-0x0000000010A6A000-memory.dmp

Filesize
40KB

Download
memory/4888-657-0x000000000C7D0000-0x000000000C856000-memory.dmp

Filesize
536KB

Download
memory/4888-690-0x000000000BA00000-0x000000000BA08000-memory.dmp

Filesize
32KB

Download
memory/4888-691-0x000000000BA10000-0x000000000BA18000-memory.dmp

Filesize
32KB

Download
memory/4888-656-0x000000000C720000-0x000000000C732000-memory.dmp

Filesize
72KB

Download
memory/4888-681-0x0000000008490000-0x0000000008498000-memory.dmp

Filesize
32KB

Download
memory/4888-693-0x0000000011810000-0x000000001181E000-memory.dmp

Filesize
56KB

Download
memory/4888-655-0x000000000C660000-0x000000000C678000-memory.dmp

Filesize
96KB

Download
memory/4888-654-0x0000000006340000-0x0000000006346000-memory.dmp

Filesize
24KB

Download
memory/4888-652-0x0000000006350000-0x000000000636C000-memory.dmp

Filesize
112KB

Download
memory/4888-651-0x00000000069D0000-0x0000000006AD2000-memory.dmp

Filesize
1.0MB

Download
memory/4888-660-0x0000000010A50000-0x0000000010A5E000-memory.dmp

Filesize
56KB

Download
memory/4888-680-0x0000000008480000-0x0000000008492000-memory.dmp

Filesize
72KB

Download
memory/4888-675-0x0000000008470000-0x000000000847C000-memory.dmp

Filesize
48KB

Download
memory/4888-674-0x0000000008500000-0x0000000008592000-memory.dmp

Filesize
584KB

Download
memory/4888-673-0x0000000008400000-0x0000000008464000-memory.dmp

Filesize
400KB

Download
memory/4888-661-0x0000000010AF0000-0x0000000010B78000-memory.dmp

Filesize
544KB

Download
memory/4888-686-0x00000000088F0000-0x00000000088F8000-memory.dmp

Filesize
32KB

Download
memory/4888-650-0x00000000067D0000-0x00000000068BC000-memory.dmp

Filesize
944KB

Download
memory/4888-649-0x0000000006530000-0x00000000067C6000-memory.dmp

Filesize
2.6MB

Download
memory/4888-648-0x0000000005EE0000-0x0000000005F90000-memory.dmp

Filesize
704KB

Download
memory/4888-647-0x00000000004C0000-0x00000000014FE000-memory.dmp

Filesize
16.2MB

Download
memory/4888-664-0x0000000010B80000-0x0000000010C32000-memory.dmp

Filesize
712KB

Download
memory/4888-665-0x0000000010A40000-0x0000000010A48000-memory.dmp

Filesize
32KB

Download
memory/4888-666-0x0000000010A80000-0x0000000010A8A000-memory.dmp

Filesize
40KB

Download
memory/4888-672-0x00000000080E0000-0x00000000080F2000-memory.dmp

Filesize
72KB

Download
memory/4888-671-0x00000000080B0000-0x00000000080C4000-memory.dmp

Filesize
80KB

Download
memory/4888-667-0x00000000110D0000-0x00000000110D8000-memory.dmp

Filesize
32KB

Download
memory/4888-668-0x0000000007C10000-0x0000000007F52000-memory.dmp

Filesize
3.3MB

Download
memory/4888-669-0x0000000007F50000-0x0000000007F58000-memory.dmp

Filesize
32KB

Download
memory/4888-685-0x0000000008E60000-0x0000000009404000-memory.dmp

Filesize
5.6MB

Download
memory/4888-684-0x00000000084D0000-0x00000000084E2000-memory.dmp

Filesize
72KB

Download
memory/4888-670-0x00000000080A0000-0x00000000080AA000-memory.dmp

Filesize
40KB

Download