dharma | a78e66e8532e7558968dfd32c678f4ac038b0dd686239809f22ba5f0bfc43817

Analysis

max time kernel
1050s
max time network
1075s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-01-2025 16:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sample.html
Size

598KB
MD5

fca6ebff3ac803fe6cab95c04bcf1b2e
SHA1

835a5df7b5343f9fefb8ee449f84c5d192ac7bd0
SHA256

a78e66e8532e7558968dfd32c678f4ac038b0dd686239809f22ba5f0bfc43817
SHA512

281ce7e60944cca9a4b266f5bdb373152cbdb181fe980332aeaf3f59af64ce58f9e4a3e096ae8c4f3020e51ac0eb50f5550c0a7409b74814971882b9637777e4
SSDEEP

6144:HWDZxVZxPZxeZxFZxiZxSZx0ZxlZxxZxcZLlSgOEKn:HGZXZ9ZAZHZAZIZGZDZ/ZOZ8pV

Score

10^/10

dharma steam defense_evasion discovery execution impact persistence phishing ransomware spyware stealer upx

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (402) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Executes dropped EXE 21 IoCs

pid	Process
6696	SteamSetup.exe
6900	steamservice.exe
6412	steam.exe
6832	steam.exe
14476	steamwebhelper.exe
14504	steamwebhelper.exe
14652	steamwebhelper.exe
14788	steamwebhelper.exe
15072	gldriverquery64.exe
15160	steamwebhelper.exe
15248	steamwebhelper.exe
15424	gldriverquery.exe
15516	vulkandriverquery64.exe
15584	vulkandriverquery.exe
4540	steamwebhelper.exe
16264	steamwebhelper.exe
17364	steamwebhelper.exe
17692	steamwebhelper.exe
19020	BlueScreen.exe
1516	CoronaVirus.exe
15048	CoronaVirus.exe

Loads dropped DLL 64 IoCs

pid	Process
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
14476	steamwebhelper.exe
14476	steamwebhelper.exe
14476	steamwebhelper.exe
14476	steamwebhelper.exe
14504	steamwebhelper.exe
14504	steamwebhelper.exe
14504	steamwebhelper.exe
6832	steam.exe
14652	steamwebhelper.exe
14652	steamwebhelper.exe
14652	steamwebhelper.exe
14652	steamwebhelper.exe
14652	steamwebhelper.exe
14652	steamwebhelper.exe
6832	steam.exe
14652	steamwebhelper.exe
14652	steamwebhelper.exe
14652	steamwebhelper.exe
14788	steamwebhelper.exe
14788	steamwebhelper.exe
14788	steamwebhelper.exe
6832	steam.exe
15160	steamwebhelper.exe
15160	steamwebhelper.exe
15160	steamwebhelper.exe
15248	steamwebhelper.exe
15248	steamwebhelper.exe
15248	steamwebhelper.exe
15248	steamwebhelper.exe
4540	steamwebhelper.exe
4540	steamwebhelper.exe
4540	steamwebhelper.exe
4540	steamwebhelper.exe
16264	steamwebhelper.exe
16264	steamwebhelper.exe
16264	steamwebhelper.exe
16264	steamwebhelper.exe
17364	steamwebhelper.exe
17364	steamwebhelper.exe
17364	steamwebhelper.exe
17692	steamwebhelper.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4084745894-3294430273-2212167662-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4084745894-3294430273-2212167662-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
761	raw.githubusercontent.com
762	raw.githubusercontent.com

Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000047edd-16273.dat	upx
behavioral1/memory/19020-16356-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/19020-16358-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\ui-strings.js.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\ui-strings.js.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Steam\controller_base\images\api\knockout\sc_touchpad_swipe_lg.png.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Steam\graphics\mnuSepCenter.tga	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Steam\public\steam_tray_posix.tga.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_r_right_md.png_	steam.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libsdl_image_plugin.dll.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sl.pak.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\root\ui-strings.js.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Steam\controller_base\images\api\dark\xbox360_button_start_md.png.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Steam\controller_base\images\api\knockout\sd_rtrackpad_up.svg	CoronaVirus.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_sc_schinese.txt_	steam.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Steam\controller_base\images\api\knockout\shared_button_b_lg-1.png.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Steam\tenfoot\resource\images\library\controller\binding_icons\ghost_060_vehicle_0100.png.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected].[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dcpr.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\cstm_brand_preview.png.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Steam\controller_base\images\api\knockout\sd_l5_lg.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\managedeviceauthdialog.res_	steam.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\README.txt.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Steam\graphics\support_flag_bottom_hover.tga	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK	CoronaVirus.exe
File created	C:\Program Files (x86)\Steam\graphics\icon_toast_gift.tga.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Steam\steamui\images\controller\ghost_035_magic_0312.png.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.MemoryMappedFiles.dll.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Steam\controller_base\images\api\dark\sc_dpad_swipe_md.png.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Steam\controller_base\images\api\dark\hp_m2_sm-1.png.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Steam\controller_base\images\api\knockout\sc_dpad_swipe_md.png.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui	CoronaVirus.exe
File created	C:\Program Files (x86)\Steam\controller_base\localization\switch_controller_latam.txt.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\ui-strings.js.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Primitives.resources.dll	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\ui-strings.js.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Steam\controller_base\images\api\dark\ps4_trackpad_r_left_md.png.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll	CoronaVirus.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_disk_activity_busy.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_mouse_scroll_up_md.png_	steam.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\over-arrow-navigation.svg.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_field_grabber.png.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\PlayStore_icon.svg	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Steam\controller_base\images\api\dark\sc_dpad_down_sm.png.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_dpad_down_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_lstick_touch_sm.png_	steam.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Steam\graphics\icon_vr.tga	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\Microsoft.AnalysisServices.AdomdClient.dll.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Steam\controller_base\images\api\dark\ps5_trackpad_r_touch_md.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.id-1748DCD5.[[email protected]].ncov	CoronaVirus.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping14476_715284857\manifest.fingerprint	steamwebhelper.exe
File opened for modification	C:\Windows\SystemTemp	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping14476_715284857\LICENSE	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping14476_715284857\_metadata\verified_contents.json	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping14476_715284857\manifest.json	steamwebhelper.exe
File opened for modification	C:\Windows\CbsTemp	TiWorker.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping14476_715284857\_platform_specific\win_x64\widevinecdm.dll.sig	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping14476_715284857\_platform_specific\win_x64\widevinecdm.dll	steamwebhelper.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe

Checks processor information in registry 2 TTPs 31 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
8528	vssadmin.exe
13684	vssadmin.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 010000000200000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\steamlink\Shell	steamservice.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\0\NodeSlot = "7"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\steamlink\URL Protocol	steamservice.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 570297.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 421974.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3784	msedge.exe
3784	msedge.exe
816	msedge.exe
816	msedge.exe
2184	msedge.exe
2184	msedge.exe
6476	msedge.exe
6476	msedge.exe
6004	identity_helper.exe
6004	identity_helper.exe
6924	msedge.exe
6924	msedge.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6696	SteamSetup.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe
6832	steam.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
6832	steam.exe
13808	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
816	msedge.exe
816	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe
10212	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3708	firefox.exe
Token: SeDebugPrivilege	3708	firefox.exe
Token: SeSecurityPrivilege	7044	TiWorker.exe
Token: SeRestorePrivilege	7044	TiWorker.exe
Token: SeBackupPrivilege	7044	TiWorker.exe
Token: SeSecurityPrivilege	6900	steamservice.exe
Token: SeSecurityPrivilege	6900	steamservice.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	14476	steamwebhelper.exe
Token: SeShutdownPrivilege	14476	steamwebhelper.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe
6476	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3708	firefox.exe
6696	SteamSetup.exe
6900	steamservice.exe
6832	steam.exe
18880	firefox.exe
13808	msedge.exe
7972	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2272	816	msedge.exe	81
PID 816 wrote to memory of 2272	816	msedge.exe	81
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 1732	816	msedge.exe	83
PID 816 wrote to memory of 3784	816	msedge.exe	84
PID 816 wrote to memory of 3784	816	msedge.exe	84
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85
PID 816 wrote to memory of 1936	816	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x100,0x134,0x7ffed90346f8,0x7ffed9034708,0x7ffed9034718
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,1984080712298681265,6901582733643463867,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,1984080712298681265,6901582733643463867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,1984080712298681265,6901582733643463867,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1984080712298681265,6901582733643463867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1984080712298681265,6901582733643463867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4632
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39f046c5-0ae7-48e6-9e8c-508502cbc78a} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" gpu
    3⤵
    PID:2736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74c77e26-389b-4bcd-81fe-569d3754ef92} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" socket
    3⤵
    - Checks processor information in registry
    PID:4516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3036 -childID 1 -isForBrowser -prefsHandle 3092 -prefMapHandle 3088 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c802d223-1511-4f07-a554-4388d28f21fd} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" tab
    3⤵
    PID:5232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3924 -childID 2 -isForBrowser -prefsHandle 3916 -prefMapHandle 2592 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b46ad0e8-4e11-41b2-a63c-b9586592cde4} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" tab
    3⤵
    PID:5432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4700 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4680 -prefMapHandle 4668 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b63a27e4-3c68-421a-841a-49c54267a9ef} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" utility
    3⤵
    - Checks processor information in registry
    PID:5200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 3 -isForBrowser -prefsHandle 5472 -prefMapHandle 5364 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {074c1228-5492-405f-a382-210bb36f8756} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" tab
    3⤵
    PID:7032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5592 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48c0c9db-e22a-440f-8797-bcec48c53b22} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" tab
    3⤵
    PID:7056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5832 -childID 5 -isForBrowser -prefsHandle 5844 -prefMapHandle 5788 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d84e4490-634d-4841-b0a9-a0ba5da164a5} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" tab
    3⤵
    PID:7068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6104 -childID 6 -isForBrowser -prefsHandle 5472 -prefMapHandle 6088 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8b60b87-07e7-4f74-a323-d8c7fe39bee1} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" tab
    3⤵
    PID:5960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6260 -childID 7 -isForBrowser -prefsHandle 6304 -prefMapHandle 6308 -prefsLen 32442 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {995bdbd1-ce90-437b-b7d4-dc143a25aa49} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" tab
    3⤵
    PID:6064

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:7044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x148,0x14c,0x150,0x144,0x120,0x7ffed90346f8,0x7ffed9034708,0x7ffed9034718
  2⤵
  PID:6492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:6684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:6780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:6584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:6656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:6892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:6920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:6664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:6672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:6688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6800 /prefetch:8
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,3789358039852762890,3477280580212829640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6808

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3652

C:\Users\Admin\Downloads\SteamSetup.exe
"C:\Users\Admin\Downloads\SteamSetup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6696
- C:\Program Files (x86)\Steam\bin\steamservice.exe
  "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6900

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:6412
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:6832
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=6832" "-buildid=1733265492" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:14476
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1733265492 --initial-client-data=0x28c,0x290,0x294,0x288,0x298,0x7ffeca5faf00,0x7ffeca5faf0c,0x7ffeca5faf18
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:14504
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1600,i,15608861910732726994,13567985405172147313,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1604 --mojo-platform-channel-handle=1592 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:14652
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2184,i,15608861910732726994,13567985405172147313,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2188 --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:14788
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2732,i,15608861910732726994,13567985405172147313,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2736 --mojo-platform-channel-handle=2728 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:15160
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,15608861910732726994,13567985405172147313,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3148 --mojo-platform-channel-handle=3140 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:15248
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3848,i,15608861910732726994,13567985405172147313,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3820 --mojo-platform-channel-handle=3856 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:4540
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3992,i,15608861910732726994,13567985405172147313,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3996 --mojo-platform-channel-handle=3988 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:16264
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=4260,i,15608861910732726994,13567985405172147313,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=4256 --mojo-platform-channel-handle=4252 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:17364
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4696,i,15608861910732726994,13567985405172147313,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=4232 --mojo-platform-channel-handle=4656 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:17692
- - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
    .\bin\gldriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:15072
- - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
    .\bin\gldriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:15424
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
    .\bin\vulkandriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:15516
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
    .\bin\vulkandriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:15584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x3b8
1⤵
PID:15008

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:18876
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:18880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1896 -prefsLen 26765 -prefMapSize 244705 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d5a84b3-9be9-42e4-acd8-fdfd8071413d} 18880 "\\.\pipe\gecko-crash-server-pipe.18880" gpu
    3⤵
    PID:19056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2388 -prefsLen 26801 -prefMapSize 244705 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1091f50-567c-42c5-9657-189bcc05a250} 18880 "\\.\pipe\gecko-crash-server-pipe.18880" socket
    3⤵
    - Checks processor information in registry
    PID:19140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2996 -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 3060 -prefsLen 26942 -prefMapSize 244705 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dc2787a-55dc-4c73-b3c0-ff2495278240} 18880 "\\.\pipe\gecko-crash-server-pipe.18880" tab
    3⤵
    PID:19408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4228 -childID 2 -isForBrowser -prefsHandle 4252 -prefMapHandle 4248 -prefsLen 32229 -prefMapSize 244705 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f25a7366-59d6-41d0-a40d-53f4ddf01d60} 18880 "\\.\pipe\gecko-crash-server-pipe.18880" tab
    3⤵
    PID:9388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4800 -prefMapHandle 4796 -prefsLen 32229 -prefMapSize 244705 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41a77c14-0214-40f1-8424-602ff0b6a7d2} 18880 "\\.\pipe\gecko-crash-server-pipe.18880" utility
    3⤵
    - Checks processor information in registry
    PID:19588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5256 -prefMapHandle 5280 -prefsLen 27044 -prefMapSize 244705 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be001512-672e-4f48-ab51-b1dae1565e5c} 18880 "\\.\pipe\gecko-crash-server-pipe.18880" tab
    3⤵
    PID:20144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 4 -isForBrowser -prefsHandle 5244 -prefMapHandle 5268 -prefsLen 27044 -prefMapSize 244705 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fe6cc9c-492d-4821-9890-7eb0cab19dd9} 18880 "\\.\pipe\gecko-crash-server-pipe.18880" tab
    3⤵
    PID:20156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 5 -isForBrowser -prefsHandle 5696 -prefMapHandle 5692 -prefsLen 27044 -prefMapSize 244705 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f14f13cd-2dce-4d62-b259-2032dc9dd622} 18880 "\\.\pipe\gecko-crash-server-pipe.18880" tab
    3⤵
    PID:20168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:10212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffed90346f8,0x7ffed9034708,0x7ffed9034718
  2⤵
  PID:10228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:8600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  PID:8608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:8660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:6256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:8920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:8928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:7560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5544 /prefetch:2
  2⤵
  PID:10616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:11196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:11360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:12828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:12960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6524 /prefetch:8
  2⤵
  PID:13284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:13468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:13720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7292 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:13808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7420 /prefetch:8
  2⤵
  PID:14196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:14264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:6828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7776 /prefetch:1
  2⤵
  PID:6880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:15600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
  2⤵
  PID:16044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7672 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8172 /prefetch:1
  2⤵
  PID:15432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1
  2⤵
  PID:17008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7968 /prefetch:1
  2⤵
  PID:7348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7928 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7176 /prefetch:8
  2⤵
  PID:17440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:17676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8024 /prefetch:1
  2⤵
  PID:17764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:17804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:1
  2⤵
  PID:18360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:18332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7440 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:18464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:17356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:9864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7960 /prefetch:1
  2⤵
  PID:9940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:11760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
  2⤵
  PID:15248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1272 /prefetch:1
  2⤵
  PID:17432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:1
  2⤵
  PID:12252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:12248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:15180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:18596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:15260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7316 /prefetch:8
  2⤵
  PID:15152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:15156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  PID:15176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:19440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
  2⤵
  PID:9796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,5283349430853068563,12079220166534150910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:5160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9768

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x3b8
1⤵
PID:17492

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7972

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:20156

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:20328

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:8180

C:\Users\Admin\Downloads\BlueScreen.exe
"C:\Users\Admin\Downloads\BlueScreen.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:19020

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1516
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:17572
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:14088
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:13684
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:19536
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:34752
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:8528
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:8544
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:10636

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:15048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:14748

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3960855 /state1:0x41c64e6d
1⤵
PID:34676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
6e6a2b18264504cc084caa3ad0bfc6ae

SHA1
b177d719bd3c1bc547d5c97937a584b8b7d57196

SHA256
f3847b5e4a40d9cf76df35398bb555117dfe3626c00a91f2babdedb619d6ad53

SHA512
74199ff275400b451642cde0a13b56709735676959d65da11ac76dd645ab11dac5de048ff7ede0cb8adb3a3056b3ecbeb3dc7481bac3768d02051e564c74b679

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
12KB

MD5
14b11664e0cd458ae1c4a298ef310955

SHA1
4337b33a2c55633fb965416a92de9a5bcdfdd6a0

SHA256
162f7a5672d963fb41696bef6641783fb40e7c5224e796ce980d4bff5162e14c

SHA512
18ff53beef04b18069044e96ca715d9836c261e9e6978f68081f62ea2001141706b75fb59390b6ac3e327612c3dee424be9b32154bbde60d74e4419c0832ca94

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
16KB

MD5
ce9dd69d22b30dd1852251bd3fc1ca29

SHA1
e34c46ca93457d212f03b783c6b99331dd4574e9

SHA256
c1791948b77156f6ea944a3836c082cbcab094c810bd41030a78c998dfba8fd0

SHA512
988bc77914abab1a6634741b073414b421122da381db03d2a109e6fd2b2865f687454c561dcadcf29210c999639792f83f73d170008b43a7e7f9de2246e70f5f

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
a2ec2e91c3ef8c42e22c4887d032b333

SHA1
e2c738a2e9400535b74e2263c7e7d1ecefe575f2

SHA256
8f9f970835f133258a7f740126012439385bbaa5a1d6a9d0d967a390977441c3

SHA512
b069d241efb19e09ec8b5e60ef6c43e00d5cc0f774b9340127c2180356dd1964ac625c1afdfaee5f99e72b26f56046fc329aadbbc365b403af765a55e9c9aab3

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
21KB

MD5
651eaa749438a3c8810ad8bf21d4cd27

SHA1
8771c9fffbe285a4b05da52d0654c44d2b603ded

SHA256
8b96a4202421f0a6d9be917ffd0db160913f43c02f9a8965abeb975e0d3a17e7

SHA512
4b98e66f081731064e475d5d98003c121c729dee493124668684c896ad4db69e05a420bc4ce69ad5654758a5461ea497e5d78c325d29fbcc04321999b8fd636b

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf~RFe599fa1.TMP

Filesize
184B

MD5
3cdebc58a05cdd75f14e64fb0d971370

SHA1
edf2d4a8a5fc017e29bf9fb218db7dd8b2be84fe

SHA256
661f122934bbc692266940a1fe2e5e51d4d460efb29d75695b8d5241c6e11da7

SHA512
289c40fae5ec1d3dd8b5b00dd93cf9cada2cb5c12bcfefea8c862ddf0a16dced15d6814dad771af9103b3a5d3016d301ee40058edde3fdea30d9767146d11cd6

Download Submit
C:\Program Files (x86)\Steam\logs\cef_log.txt

Filesize
4KB

MD5
312bf98857bb56c42c804acee95b4fd2

SHA1
6c7c561c4c225598a4d5f57edcc2e6cbac1843f8

SHA256
807883286dacd3f10fc0825878e91745dca3b93deaa813387131a537f9fac93c

SHA512
dab46ffd9f5c187af87471f949ae5af35e2ca3e7d5bbf8bf8afaf86b56cfe7b955debc187d20de2034a6151917b9fafe05e1289119a49d28c2e1e671c091f988

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-1748DCD5.[[email protected]].ncov

Filesize
2.7MB

MD5
418cc0f537c4d874b050f62e7d1bf61e

SHA1
3255a4055899e1a26ad75e271cfc77c78e6acd89

SHA256
5f662796c5989b3acddae6201cc5f41854b17ad44939ebfdb8134a1012227783

SHA512
e2ba951bf3d211dcc8a366838969ed7a9c7b1a32d635eaaeda81bd4784a073c41d924509176e83df8bb7e43da4b3bab521e63ec44c5acde65f26aa04376c1438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2f38b7233c27fa352a23a04814e90c84

SHA1
05b017b909de9072412f680866ca4d522d3f8a16

SHA256
edbfc9f6218033394bebc626be3c64addc8b9720a481cd1c3bfc092055e7fb98

SHA512
26ae84a74c7eb359c41e3e6bab76f8269b608a42676aa7a09510b633833e58659736255a9a6c98a4b134c5c07c521569f583fd5c2f8143bc2cdc7cc467ce4001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0cc4c81b1003d591aaef568c4601ee9f

SHA1
cef11096e38bee90c1ca5daf7991e8148e2665d1

SHA256
51c1052d62a1829b760a12d0f70727baca093a937314310278015dbf698eee68

SHA512
3e9e2d03a12f5f3c726901672307c4ed05e257d829933b2c6d960a0c11e977be841ceb5d833032dc21c19206f21efa6313379d6b9e3ae51af628b06d00ba867a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38116ba23e70fa157bd5a89f3b50f9a2

SHA1
c4a54a1dd81878f5e5bedf90a84d10a4e5686328

SHA256
6544748699355ef043f18c1bbbff570eac431e24dd6094dabd4b3b65402cb472

SHA512
0442e6c74df7008a5ea576e772d7f9e078ef073dd9de639f3d5d27e9671b1b50a38d1fa8849c54cdd60f8f6d34279ec88379d4568f67deff09dfa769b3bb2dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aee441ff140ecb5de1df316f0a7338cd

SHA1
82f998907a111d858c67644e9f61d3b32b4cd009

SHA256
5944b21c8bdfb7c6cb0da452f8904a164cc951c6a4bb3a306eaebcad2d611d67

SHA512
54a2c1d4c8791ebc6324c1be052b7b73cbd74057d0ea46400cfd8e60f9a884ade60d838777eba7001cf44c924f63cba1a9708a6c71bf966f63f988c49ca70d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
821b1728a915eae981ab4a4a3e4ce0d1

SHA1
8ba13520c913e33462c653614aece1b6e3c660a2

SHA256
36c38bde1e74c5ee75878f275a411e528c00eaa3091e7c4adfa65b8b7d28fb3b

SHA512
b8fd54808711878ed567f474f174db662e2457b6c246f625e148944532c70d94d87e96ef6febfb657895dd0eadc25906c9106fa75c6b2d3bd37ca6786f03a8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2ea5b61033e3ed22eb2e24b1a46367d

SHA1
f7bb6f10eff1cee51ee847197564e9e8179ee77f

SHA256
66e471be11520e6f41d5ce0fed69df262face54968ea0b8db2dc11e8cad200d9

SHA512
27d1a7c805e95e70abb61538b7ba3419f4296da2740024578ec8085d5af3da1aa80ad3db4572505f4e08ea68a43ddbc672d3d035d882079eebb62a230ad1c26a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\47e63903-8e69-4878-996b-4755b2a5fc51.tmp

Filesize
7KB

MD5
dddc1a8105ae9b3fa50c60e7518f79c6

SHA1
b0dd39bcb10c7f3fe8c0bcc5815db2700841d90a

SHA256
146258d9db1e0350d01a4eff51f5dee252f1b69dee72e7b2beacaa6314701c30

SHA512
c80fa36d831b0f37d5c5ff54c9c9c60547d7eacb5a7883e1cfbec8629f1a97b8560c51ebcc01eb7bd53b6813ceb117a8eb9f880871f674d28dee0655a2c6db51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\708e41cb-75e2-4ed7-adda-e8791bba23d0.tmp

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\787b47c5-e3dd-4838-bad7-74d5d1c47980.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9f06b2d5-88d1-4a92-a95f-38a786a6839f.tmp

Filesize
7KB

MD5
fe5081b2ef70fcf8df9bf408c2d76c9a

SHA1
b9b02089c1b0a374eb4c178af28b1bf75913f15d

SHA256
ef7cc87f196e30564b00e307344cdd7162388f804ea119538aaca6c76afa54ff

SHA512
e429b1188bbcf9fc4dd644fa1e6f14a8d99e872446364598d7e1f0ba178364a48a570bd9bb5ee44e303b10cb5f1feab99f985349d0335a62428ae18acb0712ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
2a06f41a1949b67c49f29052b88607b8

SHA1
1176b892176582c524cd9a04fa1fe409ca262a45

SHA256
b1675cc02f8e4e7ca198a6deeccc1fcc418e67856ccccd3af5805c09dd557999

SHA512
551a19c97cf3aa2af8450e6bda0505d909528f1b42f8f118e8414d328f0a2d93099efaad3fc1048ce4c143f7ad47ef0824c7f2485ab4a972ad60a1f288dffa0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
927f3b2c8220f0a47b65c7bb020d2799

SHA1
e25a8e583af873e5433b72aa8ecbd1eb4f1f92bb

SHA256
e1d2ed7c7e6d4ddc0526e1912ce9dabf4185fc3836f5abd873ce88249aa4f28b

SHA512
76a2306fac05fbeb0bafb02a63efb979087d75bb225152ba71bc683ac2487dd037bd1bf58cd8318b38b7c6751ed1c34f2da7c7b7270de7fae9d6146a47d5e471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
51fe5c5586e34c5f339a0d9d79c3064b

SHA1
859c212d32953b9d0677f36fcf49524185afd2af

SHA256
ffdf932f29d31171e0b735c0c8ce4576b3abfd2e1ee631ec1feca0bec90747fe

SHA512
061fbdc2abfe9ccd8748d99fda6501c09c6b687570d5983082db569ecfaf162178d0c516ca2f5040354587fe0d773c529e51a064dbc3d7ef9e652682ac596821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
29dea50d2500d65e89a899a4d5924627

SHA1
4b712a50325d28a9792e90443c6a5c777ad310a4

SHA256
64d9f095f63be6e3ef7e53f2c8c73cb27b5d171a9dffc3763dd7ad796a9bbe98

SHA512
4cbfd09cf31f24bd041e80adbbd8cc20efaadea8b9734df3a9406d213989b80238cb6974583ea17951a563c35636e30541a1127d6302f2b0949605eedf2fb3c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
31KB

MD5
ab1589a0ccf1119b52eb614bfc3f843d

SHA1
c948659d6526488cda5a544bee87c447fe15125b

SHA256
085c3eade08c2923b84757a1b9127008205d8abccadeb52e4d2bd400d46c3e30

SHA512
29b1fb88891c15da1d7704d37f2f10d2117aa21179ea192e25a4a9c3339071399783aa5ec65a8ba761c672cbd047453b1e5be0ed97eb257d77217cf1c2036c7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
48KB

MD5
2df77d8ef244ad8c282841d160319c1f

SHA1
89d599f989df2c5dcb5db60234b30de90eec75f7

SHA256
f075caa781f7f19ca965eaf16753d27ac5ee5b7f17a2b09b60fcd0bf79968dd1

SHA512
8c68a3be2946acdde1ae0115e0c73cc4873f63c49f32a4a36bd30d781cc2b1c508fd9fffa854cfff90fe81db1a7663c7ec123ad9d530946ad7f5367bc8ea00ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
95KB

MD5
857aec8cbd6997222bb6f9ab7715faa6

SHA1
0de332481c806b7e2676abdf40bd2a53d6f33c59

SHA256
521b84034f4d9d739fd91257c96ff0ca26365cacdcfb39b173cb3cc0f09ebe0e

SHA512
8fec9dad91db71f28c71180e69ae0f8bf8d013582969c8c5859de115c62a841ad02b56467a350f842de2de073c827bedc6495c3327ba85e90ed468d1f537457a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

Filesize
23KB

MD5
fe5c0bcb1811090777eee02390d01a51

SHA1
3114ba84ec7db639320b00d92730ee84c5ee2e50

SHA256
aaa68deb9ca7676839711c87c04713b6dc42dce99479a152b5b24871bd3f74b0

SHA512
5734c223d56a25f02fe92b77fe6d3bf4693a69ac96249ed2c3a20de0072f5d8d477f52db3acbee80d9b7f1a1a6a38b5a4cdf96275942be172ce3f73f54148a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f

Filesize
16KB

MD5
ee6de2159d244586c6f3a7b3b32e7996

SHA1
dc5d6ff4467d49a9328a4060b8b82d73f2f9e976

SHA256
0755b56867c53e28e183d276ae7e21a4c7c0225dfa14974f8c5cb310d1e202aa

SHA512
b6a46548d5835cad267b70200eec497bc82c9c396eaf93417435858d313f199f6fce44e09cfd923325e8468f7263e73683567e5ffb9103284fb6fdb61ec2795d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000040

Filesize
17KB

MD5
8d7fee5b76f4d9122e08958c8122d760

SHA1
6e32005d703b24865c408fd841290f255296c52c

SHA256
44eeacc8f3136b08120c1627951a142ed10cc22d34e75db8a59a1993d9c607a9

SHA512
fcb10a5f43b6e6b7abb58a2d1f460d0b1690876ad781aa12611838e4c08ce8e279ca95747c0adc86b917f9649abfcab573c6fe2204779a70682cab64a38d0896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042

Filesize
20KB

MD5
d2f39ef3f36f8e91ebe98938badad13d

SHA1
41de101f4484e888e82d96fb893fc73acb0126e6

SHA256
96adff16173f85bf0c87edc5ace5b159f2f35504194bb67b318c9d9311f8bc89

SHA512
5d57a0f76beec40ba787830fedb9cfe521d2d28af940a87b5a01f6e2ed375dd3ce1aa4fb04023114c8087549b048c564b679e295ed8dac8956f6b0f4d7af3ee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000064

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000065

Filesize
83KB

MD5
95ad70b0720495f26f4b7dc7aa152c13

SHA1
d325d177460b579980d6b36a4da2defbc709d6ce

SHA256
7d40765179bc45d7b2a36b9f0d49d12c2048abb154ed0ecfaa2433417fd0cdbc

SHA512
ca9f7e4fd11ce28a5eacee9cda062c8418b4d6cb440ed82328c03d7c1d1835d7aa175a2ac5e35ce2ec3ab6a37ed2fae0bf2eb61c7b08199299b6dae9e5194fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000068

Filesize
1.2MB

MD5
ddf4747ddce73049bc77d4e5569fc31e

SHA1
3a146ff375b96914f5c54d8b2d743a709e127ae3

SHA256
442b118e10a6f7e7affefcf445b49da8c025e6dcdd784e534566b3265e5d569f

SHA512
1780fa4029a888b687f0eb17dcaf20174a70eeeb653b1148b05111113182d85fd272fb903b8aa60a8dd115e5ec325a9dd2ef9df286fdd77667a9f82222a088aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007f

Filesize
67KB

MD5
bcfda9afc202574572f0247968812014

SHA1
80f8af2d5d2f978a3969a56256aace20e893fb3f

SHA256
7c970cd163690addf4a69faf5aea65e7f083ca549f75a66d04a73cb793a00f91

SHA512
508ca6011abb2ec4345c3b80bd89979151fee0a0de851f69b7aa06e69c89f6d8c3b6144f2f4715112c896c5b8a3e3e9cd49b05c9b507602d7f0d6b10061b17bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\index

Filesize
256KB

MD5
efec17a2554eaa37f382b981f157f9a1

SHA1
34c522b176f41b876326447df8fd1bb376a59018

SHA256
00d20a8c3709e85dcb57841b0842e2d3c7e6ea9a93c2c8b1d6bb44521f13c864

SHA512
45b28688121ec93e0435c5a75dcfcf0b60ef93123c16cf3d64513b12debea839168e9668ebae69522869ce0ff508c1000c69264657a72c53a944fb28df302cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\388da9b5ffc67954_0

Filesize
268B

MD5
0801973b99bfd3038d5ca76823030af1

SHA1
b51972c2bb32eeece4ccaf74c3ba1adddf43d491

SHA256
c824c62ef8ffce31fd0a10a9b2d6767f6fcdd91513d5ddab06d1d236f9a22ab5

SHA512
362fa736c4cf1b10e52dccaf4b70a31862b86b5d4cff86403e20c23f1efdb8b0ddd85f418088c0a3ccfe7960edbf4384d7dc94c987371fdec2dcf2712da22252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ff15129970305b71_0

Filesize
273KB

MD5
224c63f4b67a83f45988b0de11db392c

SHA1
121d3bcf99dd92c69b79fb28d55f97ae4a411104

SHA256
c29115203188b26b6c628d262c007d7b9b498f4e04926f2903f98d0eb0dfab08

SHA512
eff8b6bddc2425ed0df460b093e39eb9cd735b52e8b33b3dfcb0ed0ec18bcc12ffe1361be412d26e1147465d33bbdbea71436eec5faa7ffa2ebe7376784ec9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
19bb5384be2add954db568080d83102a

SHA1
799effa3fa32d78f91e8a162c1e0131891c11304

SHA256
780271f0a4a272badcd7b8eaf8a3043e8f520680aa66c829b6cfbe279baf99ca

SHA512
abb32168168ce9c7ec18cece28cb5b617cc4e975e0832603e5ab223ed1be34b0c4d22c43efc23c39b4955b9f6d277a4e77e3e6120b644c0448814dac9e63a663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2336ab83fa115c5ca49621f9d2bb7701

SHA1
588d5b9db0234cc34985a722214693bac722b9cd

SHA256
1f5fc2100668633a705ee952c14e678852dd69fc78b16fc9161120461d4aa6c2

SHA512
86d05c6bcedff2d85b19dc8c01310513e4952f14e6161f772c9140bd98f3d24de1926a18309dd439ff8851450b8d31d73a930745e8af25a3fc2c2cb1acbf0cc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
866c36b97dcb8cac692520eb50f5e50b

SHA1
d4081d61524c1ab4c217c3c204d2b85ba5a615a8

SHA256
75ec2e622d1e4ffc83eb11b0cddb37573a9297e0d463963f67f4afe005919a83

SHA512
4f64690c032896d4dfcfd5ac006c977025b37551a1f3f5412051d3b0a389512b59b0e4fb0c438df1f017b457c3de10c3a145bc1df5b29dec3cf779587ded4f3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
97c01ab0af917acafb6893794630c6e8

SHA1
9dbd9306602d919dca207bada89636de948ac401

SHA256
8f447f63f8c3c1ff2fd8f39bc9d121db5a5815f52163998b022a3426752d00d7

SHA512
3ec8a4e1d1c27bb555af885fa649532545ff2d6f80cc4cd6dced9204190bb90e2a4e14a6a3a860f1590a10f52724b98b0934c421dbf1cc2560acdf9f7208a332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ca5581031d214423f5db13929bd0c068

SHA1
173aa67e975c0d789cc05b7ec2c4760a5091bbbd

SHA256
bcb6a479a79295ad0c5339c49e931238e2b12019454fe46f8d572f919f1bd1f4

SHA512
a607fed3984f56bcae5c87c5ac6f7625734fb8c3e810cabb70c2fd5348b3dcf8608601562db10f4a62bd29b7b085d40d6b6fd8dde56b193d04c9b21f9983746e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
106b1479332939fad0b46aff7e96b473

SHA1
8349cd3cb85818604133a4725b4e8c9e14f7c164

SHA256
a6ee42047549a1d40488a08e17773e28638be230e82822b2dd97d4518a866404

SHA512
afa1a6821b6fac46f42eef957213caa792410989d6959b7e17e2a9157c3b4d60fe94a4c9e4cf302f0a8b699232045b9f5f036a9d28d76d6633e63e34a39d5f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ab7a4472f49ce14d43906595e4797985

SHA1
5e6ea5b03f0d0d0d33bfda144bbe2d1af7ea4cfa

SHA256
fa0010ed0b79ccbe86682087b999bddf40c004416f11178c99671331a9bc9964

SHA512
88d609b4185a546f0f919199c9834351af372dbd305aae0867ad485c1ec80e3bb4fe8bd18129603a911a75d5e021ad7e72263f2e5d1c81f021cd5554ac78d25a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
602950da10ee4dee54c06232f728d9b5

SHA1
75e49a033c64f1f97efa3c4f0a646bfa3f28215f

SHA256
1c6861a0f4ffa8016d692e67cb4cdfc9ee99a07b319685c613ae3b16457d1b95

SHA512
209b0707199337221d3768a2e9e401228e34c5286afa752be5fd316ad19a61c6d986816716cf312542286c2f5821437a12c78cdcb2502dc86ba312d9b43f731e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
89c5bd53363992cd65793cff1da6c2ff

SHA1
9db40766a0922ee8170de2649f5e78c3d5a3f7ae

SHA256
550409faff1cd90796a70c0102455b06edc9e3fa372ae52c2297a8ebb8a59254

SHA512
556635a2999a7e409f93ab724e754bea2adc5e57a01812e0100bbcac231de0409df25d42cf1d309df074d852a631e71abe7fbbc50ad18ea406ed5d3a05633083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
48230bf2b1ef75239a85d6690bf660be

SHA1
85a5ad6a214dfaf223194b3e8e745e4be70f6ddf

SHA256
3086cceacaffaf4c60f576154fd191400b791859dfb6bad6c5f639a7f3812625

SHA512
eb51d80ce198f8c3097f4ed6ad0c3a6acd25cc192c3aa696357dbaa86dbf64739633edccdc03e79e674d4c5bbf3917847ceaddf9e881d73284bb300652b667c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
279B

MD5
5b1fb301eab963866e7ab10191970d06

SHA1
d8ef3ca6b992191621e0de92f6cc69bf98233931

SHA256
5e71f166afa5dc1ad2ea0e30a8608f4fc4ac2d43bca2453edbcd0db88aac0e39

SHA512
fa578bcdcf26ae4f9558ede5d3a0e6472bc38aeb64e6be58767bee692faffe4e02999e779d0c676474aceaa5c4c15fc27c41086acf1a1575962cbf94968dbc7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
024ffc6a40e766fba60672128200131a

SHA1
3ddce8169f46ec168b12247392a1af970b4f5d7f

SHA256
cf516a2829052db2c8856e66a41235f7fe4dee86a60f35740e67df0546f7c46a

SHA512
b6736b4dab4bbddf840f69c188b969a1f4fa5b73c51e8fa7de538a3c5173f279ddeae3977fca115cf6ee7361055966aea51976131fab3e015add773eb79df529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
851ef7f77a5e7f09ec88985f3dd89036

SHA1
4b267428d0f4dd555b22a623fadc69831716fe85

SHA256
31b4e52bf0f40b8c344e99b98e5d0ead7bdf84aeec59647b0c39c26d18e24617

SHA512
1b32c857160317c1703f2a5d4e5cf926947c5bd80103e7ce8031b092c867e4cac0a34046ecc3c1bfca2de160ef93a939aff982b897977625d33fdafa128b9c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
599B

MD5
df2ac3bec0560c9a001575ef589ae40a

SHA1
555a9e8b1ab387c4bc03957fdb43487c5fb7cbad

SHA256
445e66a43c3075a2fe2120711df661508dceb8bd511ce780325742783481d966

SHA512
d08433ea0b997256a43f7b792083b202cf44f8c6d9462c3a1f8e47bd878c370c5bb217864b1955f9f70f4bcc21f84052bb548cc2f3371e9c64d6d9e4d9050cf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
291B

MD5
c6902bd8f4aa028a754a781c793b312c

SHA1
df3074e1daf287d65dde44cdee057a47365c6579

SHA256
7e0ba138dd5edf86484918d806d95e76a05c05fac73cdcabff95e1544cb955b6

SHA512
7bb1acee4908aff875ffb7ac5f262d68a90de7853cff2818a005720cfdcaa2eea5b09b999a12e71b18ea48ca73ba46fed2274a623251ea685416ac95b2b8d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5f4484088d83783c158372e2f2fe6bab

SHA1
62f83f39b44f6d65cdcdcfb57b715c4aa059ca1d

SHA256
6074aa968caea1e17b9fab8d794beff858bee4f98ea8f79b0bd59338556e7754

SHA512
7c49ebcf4ff1a8e92981d78ddfe07896e743bd65a99c12306c6dbe32d3bde50c06ffd538ea65500a11b471bccf0025759e6254a5ce1d88ebb94c8c5eca84381f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
ffe154b5953508e5e58511c981014d94

SHA1
33c92da072ce0b32831b25ead6f7a9d8f80a8208

SHA256
b635726e35d255f9722564bcbf3aba5e7d9dd20b9465d2be9d12243ee1703806

SHA512
0f825aaad034002c22975d742084109c96478b52abcf0531b4c916f9c395965e3446ca5a5c7779a20f0c7208f4f2528e4b2acdc6798fb167863613377b45fcf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
07649a0b80f192bb21c739e70e845e1b

SHA1
4d1d7dada53b44b0a8063be15eb86c83a88cb135

SHA256
fedb82e2095773779178e3d4d7c34bcac46c75c99df8d3939342ce2f39aacd03

SHA512
0065d5047ecea71f232268a80b3260ee08849acdb3b89fdd162d7d6ec8f35516d707ca16d02e2c028456fd9ff7d07497ee04383218426c9b6ef49743815d15bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
ae5991159c331b480bb4794e95cd15f1

SHA1
64f076da378cbcb0c7347f8d835af1717e03929a

SHA256
96e549f2f5bb9625ffcdd554f9d041de1ecd28caa9716783b79a085e3296afcd

SHA512
2f7e3a0e3c2a08da5bef1f01a8dd10358fcd080428da9fbe3ed35df453751d82f582161c1721070e4d9e60ca5b4637b42cda9ef74deb1d80b66d3d7a98048dbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
48e91e7a90959841ef5fcc2102f5ba84

SHA1
377ffd9b9a245bcf645610639bf2c2ba1b9abe90

SHA256
59bb76a81ec73dc1dc5219d217ae6399d6ac797ce3a5f4096a66a681749a6ea9

SHA512
52b2f77d2b35f0190f1c229209b3f6de06f72126adea7833f9ff58010f2ee5eb4b50022ac61e0f759fee32341dc38201a8f9295ffab939aaa6e2128ad432351d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
e71b9994997e76f5efe2c40a9accaafb

SHA1
17f8c82833f2721626b17587c9893a43201880ae

SHA256
fc84e737710c6f97c1cc72ce8443b922147a439d73101be33b0980e15c3a243d

SHA512
3693c28ac4907b3299ee919d6910b2889797f6a8fa69abed39850a1125e66081a73caa1307110d47d95ae9063d56a6a8ee5e20b4675b11272a34e9f85c67bc6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
760a36e0c6fa06b741afe2fc3bb82597

SHA1
3761f56b8d2d8b7b0e6d8b3f9cb8dad83f0c9e8c

SHA256
ced2b10ea887a3e7467a416a1775b6561c02861605bfd75c02fa6308c060450e

SHA512
a595dbdf2aadae0f836556408582e7be695788c88c69084e59f85119832a2dcd31b157fd77fd09a03105e49f5be7870d90b13e6e8b89fd7b4bd0d747328628f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cc516f35d8273eaf6355119fd3f52519

SHA1
05ac069624920da62d670e7554b81efa9a082f09

SHA256
1174fed71c14ac1335d4314d1c9a4ee718dc6da981c11ab6c7ddecd5d61a8e2d

SHA512
04c43ed424b803f793b389972e838e8e020a1509acdfe562c1be60c7e098434b52df43f6aee17a04231fe45e91bde004ab573270475143363dd71b6af0476416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7b3ea7702fa0552c33dfb1296b8c0231

SHA1
b8d9b5356c589253353980423ce637b7199e1e3f

SHA256
3b6e539249598bb6e87fd4cc0999cda901976909abe7c8850f525df681cc1579

SHA512
36a01d02abcc29fadcd3d816ace6e9b31c2d58ddd12c52ab65d4f6e0925b77bd1a58d88bd34dbcc11ebff5dddcb7d1242fdda1ba98b9b0213f8de539bebef3de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
95ec555c741ef6db4c3449812a48a024

SHA1
3de484aff3ce627498fca054666625fb3f6945c9

SHA256
ff23652f148fa4334e6b2dbd3c796b7656ab5bed99f9b1a51e39ae24b32b48f1

SHA512
7a762d7122f4132d0aa0469e91bf0480828fd18f01a035f465bba0f54cdf828ae1e5a3203c0acbbb57211b0d978ed154ae0346b46b916395ea6e6495787df89c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a47fed48a0fb454cb17d6c98b60a622e

SHA1
ea3d1ea56767a2f2d3cd344dff8c0ed656a7bbaa

SHA256
51a17ddc7abda88cdb2d1c9c0b2ee991b98e8fbf4981f2b1ae90b23bffa82dfa

SHA512
cc68d865b32e4db327e02e84ff795615bcb7438019aa815ee970a7ade40e6d7291bfe4a71eb52c83a5d7ccfbcc0aa4298bc5d0d06f503f57e2421e7695a49d42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
1d01914b88e6d3e9584d56e4446e6b1f

SHA1
f6d80f376c9634928b3121fb191bdb06b68795cb

SHA256
cd5140e26617a833a5b63d99f6de421d91f37cc9e374b92ccbc2109fd525f3fb

SHA512
faf011d2bd9de35c697913d11b4aacaf51865a69a38f26d04dca08a61b81c50afce3944768283546bfd708b2bdfc0939300796e9e6f9eb5e16dc4f20c529fcd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
f22668e5c768cc758a8ef458430c46a7

SHA1
2313b89eb92ed8950dec4c7af0ad9f11682961c1

SHA256
679e355fd3886da81e5bf3e2d55e30affddf954e33ac6d55ab3c62b6427f1d9c

SHA512
05557c0d84f95718b598da7191be524c67799d4cee1c6f6e7be0e6593e2fc309ee941aa20a883860014230e8b24cd7c046e9d805e65b6b11b1b62273421d8494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f9d3b76db9a57632cd27dd5df20db0fe

SHA1
a16189143e06d5cf05aabf7242ceade70a0aa65a

SHA256
46d5929a356bc74ca6dca8c70db1174f435982105e6b6c3b0bdab4ea61c48ea0

SHA512
42a70354b7262bc94a7e89c3432b46dbf236de4df6ceb5581c3d2421fb0110fa28a9095fad00b513e897a7f7da2bdf3fe9384becea018f308f7cb9b23e203011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9534124adb86dbf6b77b01ca585bb12b

SHA1
40add9795eebe8a72cf50b07b1fe7087e9eb60d7

SHA256
8bccd27504c5a8a2c240ac3c0b25d875b15f43c02bc43740bf5258dee7ec8b5b

SHA512
43226060253224b1485df2e59fbbe18783eca0e6dc2957c7a8ea99864cbf7e822e6eeab6540eae0e16db94d99d371abe2f3ce87db073a9fe6baa5035297018f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e5b5cb10c145e51c4c29bd5f567d981d

SHA1
47aba97fc6f98620b1c9e3683ba47a5c98c76020

SHA256
21270141481699c4a1d2b07f9ce94b48f39cbc1043b87d312ab24126367f0767

SHA512
31eca5043520f2c1cd1763ce90b8a2db88dd2d6f8f5dd9cfaf00dd5fcbb719f184fb8f9531577b89875a64940e298336293affb809a58ec5fb1d5a3056bf9b5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
ada216c8087206ee7f306c30b7efeaae

SHA1
a96c42601ce0a55cfea9b633f3da355eeb6e0f24

SHA256
f808ade5d2ac121a2a7dd9133ec49424f021c8194a530445086fdb62fa73ee20

SHA512
8a249499e022584b1869ee3ba3786213a84c3c2cc623130fddeb0ffd5d9306323bf45efcb2dfea301cb00212ead27417440d84ca2fd07c4cfc043a4073415200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
dd51f90d52d94ec6d468d43648efc4bf

SHA1
8c2491b434fef8866c1090b5c01d829c813d5046

SHA256
1074c4a5966cbf71e3178385fe77e9ddfa134549cf3ca0b92bfc5713eb3a13ea

SHA512
0c450aa24932595e7e76c869b029bb5aa4ad6fdbc04ab0969c5ab87303c0aa125c9442c52311032751b0430aaffe451cefcf9b9c9680028883966603ca6bf379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
e25fa80ffa640def3b642c9f45cfad49

SHA1
a90be75d82dbd460224ed5da792bf0446f5ba7f6

SHA256
4f090f0df074bee8c88e3fa0f93997f6526e69490c5489d659e127a574c37838

SHA512
8aca0f5fbe565ff940df1500035ecce8158029c41148fa718aec70958ba0ce342d418c8e9cfe9f3a82f6e977be6d56018480bb943c9a93d4cbdea91392e9f617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7d96be5229535121592d6a98ec467156

SHA1
fe8e91dfd9c9d20a953b87a502ddb097e065443e

SHA256
8ff58d4ce5a63618b0d5b6ce7b9187b75f2d6971e45bebf93e303bbeac12233d

SHA512
2f59721c6b2c56c4a98ec4ed65b97b9b53672003b85c23b121402e420486fc6cd3707357affdf668b225eb0c3bf87605b692b8e5e2878d60a542bd19a15e76ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
2a4bb317c5eb8225cea8cd109643c1a0

SHA1
1be5b648a3acf21968137cb348859588e34b6bf0

SHA256
dd96d8530f8456edc065dfb55e6c7885663807dc4869fcfdf7334b69c080f28c

SHA512
5d6d4206e9d8721e94de5b7d793036823f289cba37d0c2d7887f85d288e716bdf140091295d27973a8df55ae10e566cd9ccd7c64dcaf2cd4daae9240f7a4895c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
c8e795edb9bbd9a40baf8a2689f3c3b5

SHA1
4b8155d2166051c47253ed57f03665b2fe0bb3e4

SHA256
9f8480d70c6f098e1038188ee49491bb57266f6b62062d82959fd7f3999972a0

SHA512
f49cc08156e4e7a2901b4cbf865849e4b9234c3bb42257b5b190893a0cdc9492c146172256d172dcdc769756acde713cf7093e53beca8bb9588b836df25c4b72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f88435302122b442fffdb5dd218da7eb

SHA1
853385929ac816402298c7453d05eb5de9477e54

SHA256
11664dd728fc50531f7b8b6fe27aa37c56e70461bd798b623468e31bea92d8d5

SHA512
953119f079c4409f62a9eabdfa441a5633e09438f8d86fdc9313ef0ef0c43c09256eec600c23da36ef4df57978451ff189fdfa2ee9a5d2e842bcc77a69d57d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7444270431f56744825d858f8c3d2802

SHA1
035cf99ee3773eef2e8276ae8eed9b171eca6517

SHA256
8f7a6c017d3e8414dcfb023f5882d14cda7b8231d6d82b4227e8e010a95baa8d

SHA512
9b6a6650cb9f09d16b7ea9268d28620975f01c679362352fc45776f05bced97fd5888bfb70cef98fed756de74886c07a7e70f6c8592966929218be05aebefafa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aaa5c5d0df55c778f90691756a8fd170

SHA1
556e68bd4c296ce1c66732798b2c661420433d64

SHA256
0d6bc85bf87f8e7ec6def0b6b5050dc1fa00f3788f1c5cd02d5d6ff38636962e

SHA512
f33da9d5917fd53678133f897a0f6a9a94bfc573a0fd16a9e75fc5a17ee745d724509a08560d0a0609e234c139b843bb3c73ecf825e37e14b381c81ae5936af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d579ceff158624e0a53c48f47b90594

SHA1
f6dd36096ca1e303c74d46d1f9159c353a1061f9

SHA256
7bd98959598bb4a4e92f6e1570023cb1d5f767a66884df92ecc6ec46786be3c8

SHA512
b7138a7561c0102f81e6339f456e6128f302f4f1e2cdd8dcac32c2b24eb9470a5f99603c9122cce4b133d768ad08e84dc954de088e497ab344cb60c5160d222b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
09e6fffec5a173eaf7345494c1ba3294

SHA1
8b86231f58df039f80799de41f55c912affb6dc1

SHA256
f30e57e437b5e452b6373ad7868c22377ed06653be6ed424c35edd7bbf44a119

SHA512
4348de5031905ddfa92030b4721d238eab5568aec05222264b41d6709d12b0832e3de86cf5d5a903521dfe43f8a3c4367c856ec8948a98ce1f3ad0e28a3ad102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
031bccba483ca6403191859d25c84522

SHA1
c11923422808f9199617fe0a49aa64c39b299fd8

SHA256
ea594f0c0ea01bce7d92bd97020c63eb2e6d44323e4a520537f25853979fe87c

SHA512
cbca935a6e72b19a80a900b861505385830344f280578de2cc21d55b35de9ae212c60bc457f6f984f3887ea1364b4e668692f7b986460a63235d1d79b313ed02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fb5c6f354d4156c8bea62d8472c93070

SHA1
69f89663d4ed9c9d5be98a69cef34011b883c34d

SHA256
28f6aabb97b2bb58228ed0ffe39385a969cfe4096dc4ba6e88e04b6db9bd7fd8

SHA512
69cd32d98d9bb938bdfcb09658376317a7785c1276fbf2d8778cfb2333dc23b54a0234552707e54cd6fa7678f76a41ba9e480ececa3dce7255f60f7ca1ce565e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
2d31fab5b00c0ffc12cd066d1fe644d5

SHA1
2d269d6007770432fe24eba08158783c144b2f8f

SHA256
4b0f8a46c5fc36e8ffb54322851aee2e97849d5ca5e7eea37ccbb094e7299a34

SHA512
895497d80d263a13c60e02b9fca8496f298d25488618b89539fff9140534906a1ecb9c214baad0162e2e3b926dd667d8755b4e6fe290f3feb2019111c2d84724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ddb5ffb5fc471602185ab946b6223c7c

SHA1
4fed101c51287613d5a4d66d310e85968e1444cd

SHA256
65064a700491205d9575a4d109b49e19a1ce2298203bc3145ed16b532e166f37

SHA512
532cfe807dbb605542f9362dfb379ef83abbd4ca9e3f0743d08821da7a35e382542f350918b9a0acf3beda6aaa13b23bf77c33a4e474b0ad8935992180d394a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
78a049c86f502df9dff4f392a47ae9d5

SHA1
00e13560f0aff8f8ea98807bf738c29069c6e2b2

SHA256
1631cf0116d6e624299e855acfcad683d276efd7fbe152c89c5944e3630b10a9

SHA512
64bd581d4a60d40fb00538e80402e0e986ee239f5e15c7bf1085f5a6b91634d3f8a1257e417c0f2185b87e3cc5f503f2274d014e0ee42efb22711bc34cb234ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
40054cb73dd68fcf513186a36e7b28b1

SHA1
782f64c46affe72bd6b334c69aae88aa32216b2d

SHA256
136f61f0d620207ec049ca6889378a9e89d998a6ef15fbd2a8095482d8d88118

SHA512
8689097b5b94b64af0be6b51f176041b25f5464bae229b7344df07a29893d5f13498c3f88f6448b956baa7accb460e31f5ffec6eda35f31b0587b5b0a1e63c76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5a087c74dab044a8c7320741d6904d62

SHA1
38cfbb1fceaf4a80632bc6505f5d8fcef83525a2

SHA256
d6cbe43a4e5844e6efb520abe651ef1139efb484e58109d4189bec96c7aee4c5

SHA512
b47aedccac1bb4f165a0510c6d89195a7ce02057c9b39a82119ec8200d19cb4a09b7b5f8e2823d0ba0ac5bde2f7b2de24e00fc0af6f6b849acd8c41e8e893829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5fa6f7.TMP

Filesize
48B

MD5
a6422472563585ab3f29736a0f711085

SHA1
3fe8916537d075996d9fd9b9cf0aee12565e527b

SHA256
7d31408c02a1bd0309e133f749801297c3c51be75fb0507c617e00964e32e203

SHA512
cd2c3b736d3a4de7cb78c101bd7e52724c547cb6acfe451a3eac2679d77d5d570cc08feef0952e960ab0984c8d6750cd5ba32e7dd9113132c86bb7c67c185b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
99B

MD5
ba92e5bbca79ea378c3376187ae43eae

SHA1
f0947098577f6d0fe07422acbe3d71510289e2fc

SHA256
ccf4c13cd2433fe8a7add616c7d8e6b384cf441e4d948de5c6fc73e9315c619f

SHA512
aa1d8b7eb9add6c5ed5635295f501f950914affc3fa9aa1ee58167ed110f99a1760b05e4efb779df8e432eab1b2a0fc9cf9d67a05b2d5432ff8f82c620a38a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
279B

MD5
6611c40195fa3b70435c760bc0e28336

SHA1
9436229ab9a9f8fa89df22087d354d1b57cf26f7

SHA256
f19fc16445493c887c6433e4a3d0a6a53d6d445f6184563d86e2483a6f72821b

SHA512
acc0d52d9123dfeaa2a19c9a2e02e00b50c976d4736541dae05439d6a7555c4e45b1c12dd58bb9aa6294726b20b05edf50b4b437ec173e2409f091a05c7e4ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13380912326722021

Filesize
925B

MD5
794aa44c4a37e488c9579cb5a6d283e7

SHA1
88ab4ab4c8be9daa995f73cba97f7c427caa9a33

SHA256
338fc42813e643640298411d6cf38bce4b802a17a0ebc3be796e197c4471f0a6

SHA512
8790dd5db97266dfd459524417d13610a02309c1e271508a179a18680090b6f3e5aaba85f78f3153e29ebf2fdd4f1a7e1274c5eed195ba41b51bad2763da1f22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
e7cfa25d2a4971b9f8b0073b96d59773

SHA1
9dd61c3a20dd447f901b1cadebdd7954dacaf076

SHA256
002e991f1c5c7fcccfc0191cd7277349e0bb92eced622ff0c7c504fe026dcdf2

SHA512
8a942e25dac5b55b61738500a910bb7b7915461fcbf43155efc644e885d15630e411060b7c7e582ac84b51330bd2dd4333f8137ce7682ffb0f8a49f45efde3c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
c1afefe14a8df041a6fbe12a407da80f

SHA1
8c8c25f22c4da707496e4b2e814507acc25dc741

SHA256
5c50a25071f346825e9be20529e34e7fcc4162374de61bf4de766df93d889f74

SHA512
652a5cd2ffb791af7683cfb54246e17d88a379f445ed4d86e0903a4ee2a52620f87f2f45de6134107104a4d5f6d319c71668c60cd44a05cc4b5b0244ea0e36fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
2574683a650c4586a7ea559f657a3cf6

SHA1
a7ed32bf983daea9d93f7e0e630d099f2c03a0ae

SHA256
a0449e6297d14d24b906fcd51755c4eefb6a574b246e1f54c45e5a23780eebc5

SHA512
10b785893efb6eb3e7327686205069a372a47632ef791ade2b634889fbde02648e7a2be2c82949b48757f555b8e083891ccc6a952fbdb45d22a64b16c65cbc79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
13e34420d2c9b696e379dbe7a98d7342

SHA1
41831d0f4775b12be957818ced167e06709f50bd

SHA256
aba0c4d06cb10df893e851e426002384342d3ac00eebb8bed18abfebf1fe0dea

SHA512
e14598ec65f4f011ee95fce6a4b774766461a89bd634580895eddb4cea221fca344933ffbf95331f2b288f4c0ed13ed42f5111d839c8219ae122ee2f45466e76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d49306f1f97859265bb567bec92d3d76

SHA1
9f318a31dc6a57d28e871fb72eaf4518794f23f8

SHA256
e6a6c2386eace472172d4ffd98f6d5b8e36ba1345018083e40c38baea46cfd8a

SHA512
7e2e639a94a5cf2a1e06980f351a1c821530d849d90154b5c2a4c5f1b7bdb3f35d209477bbcaa6d272445ed45f042b8a90635965a646f19a0cbecbd34e49fc93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0306bfddf7865030c08df9eeb03598d2

SHA1
f68f6c9e691695925b32707ae124621d20248a03

SHA256
10757d939fb9926bd17df3a0efedcd61d1df7a2e28ceb7a120fec0c4313e3ef5

SHA512
13df7080f7d0f21afc48bed33fb0b2e0013afc71469142df68ee3d44ff5b270cd110bb286dd90eeb97f5f6533c923d56a018f77c116d0bee580db8784a2d2013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f7a012936a154660ed8e257be61ef0f7

SHA1
c6c5fd5fe1d835104f2e3ffd4274504f73e2a122

SHA256
9f755b098011d7c65026f41a5b935b23f1b2264de00d026e1f8c1b9c86bfcc9f

SHA512
f90d6b6a209cda553695bde69caa9d9d1d1c9c4f022b89fe7d14c5f9e92897220c6e72e70c07526ff523467c8eb2ee989346702ffaafaa1ab5bc41b2c9fa7631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
48c3914f2da64dc890adb8f2bc8c1853

SHA1
8ef3f312cda71874695afd1d8a328e74fbe180b7

SHA256
83d5a50c11d5d08af2380d61a2801750176dc542f1fa76572d1de682aa64beb4

SHA512
8808ec2007b7d49d8863391c520d6d347980298eecb8a73cb83a4f677e5abfa3ebff8ac7ea1834e0f89105cbe4f9417a7107b2294878bc2dd3de7fe23f447661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0cc582abc88a7ead7afb5d5f6362f880

SHA1
2afeeaaf7c9522397162a13225ba9be1421d77b1

SHA256
86f1e8783deab0ebb4fa690ea2981a38cda0994bbcb70edaaec9a7d9f32dccde

SHA512
c64c7e264b03f6b0d51f5f4c639e8a195c2c7f1fccb37ef5d1d6df584d41d0d8ebff5ae9e54d0c287b287be2cd7620dbde279a5b26d8d53eee7bed7f9770bec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
71c7f8993620fbd2efd29cd61ce078a5

SHA1
93f8f9fa3cf142aeec55d06c51177531f81f9ef3

SHA256
dd9006a55ec015046c458a5239a1f5380cfc293b3320bb475b3c08ba2c1c0e1f

SHA512
b305f452b0362f9ecfc1d556f01dec63abdedd6b9e846db56ce467f869a4f5fcfd1e5b47b2dc19a4c680ac1b205e8f4c88c3db9cf3257ff965b1cd3d1bf3d41c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0988b879e60ae381592936d07534a3fd

SHA1
7b47c6831ed23ebd69c7291565dcb2e711e97434

SHA256
043a28910cbf03a0faa0ba72cc70b8833a902d069ec9a5204ece2fbd4241f6ee

SHA512
783cb2974f11e451e21a628a7f4934fb824f0c79a2b113e1df253fca56749f22d5a56cd2cd17c2732d5fc47bd88dfa243f8c1ca4f641f94e51decd6b6472ea50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
5454326b0fa2b3fac2f3117ef1d0d818

SHA1
01c0db0b78abb88a9dc447704aa1a9b4c755f11b

SHA256
3ebaeee02a829322a5ee25a8e08c201b3d97c08a981b442d22853b8a5084e0a7

SHA512
d52898a50eeaa47812d9c7a5b0a7cc1471f66e6a845f0eb5849dfff1918445df65b7dc46b5c7d64226e91bb592b8f348feded22d01c132f945718c74a6d67a0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d38590ba5e310f2e6181a21d067da5a7

SHA1
d14095cf651f5a326ba26c17885c6bd76f84edab

SHA256
8f5d7fef994501adf6bd79abb9c73c4b010a07012bea0910fce4a72f342dacaf

SHA512
215604111f3e4e6656f78902331a6a849021d48c9f58f7b7b1956cd948412f7a6c5c81dfc43fdb2c9c38ae46be846ac6ce24998e8e35f1b40ee5360a2c206e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
33c41ba0c3fbddc25422f78ed41b3e1d

SHA1
7893314972d0890ba94ddb118782d5ab1fd33be2

SHA256
031b30c50aeffe6b86b54c7ae72ba0ff1fb29d8755e7fde93a65a08d8315ffb8

SHA512
3132c68636ee6209bacef0f4f592a8d1f59b1d2065d84863e907048e520da0160556933683e548c762a818e8b551820965e37d4a91130f79995282963e1650bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
57d10d5987a40c7cd898b6d182199a17

SHA1
019f8217b41672d58054f367af8020ad7a7e0b5d

SHA256
ff28caae405e463d0c3ab89e36eddb330acdb0abefd05aa4dd510a087b1079a6

SHA512
444833ce3aa4520b7525070d4d9954d103960a677704005645564f001fbc24486320c0a684cd161cff44cbeb9ae8c5e60fcd43873ed394bf111de7e8562dd8cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
228c7ad98875ac3e5a64b50211b80adf

SHA1
0662eaef2fc628c472b9185545e1bac45f6bb2ad

SHA256
a3e0be94193b289b98eda85d971beab6d35744e48676a8ea11f77ceb0e358712

SHA512
c33dc1520b68a804d72286c31123380820f5e532a73b64fdca0d1e0ef3c0bc48a20f56ea470458fc7438496e4d0d251585065e6f13ad7c0b7d89f30da67231ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
221235b2ac8a1dbf30601c25dfd6096e

SHA1
75529856d99a0d26ec064c90fc1a0a99131badf4

SHA256
b4c1e4d5d30785e7efc10dd11b5d17c5ad00f34baa052d2ec6e5eff2628c3e47

SHA512
bd33b379ca4011ffcbc15d35491b329f35420e4153a80b7a4e6e1d83872dcde4bd13eff46688bb35d1598394b9be8aea0798d8af702bcb8ce37e00d0314563fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1679a5dc436f37b85932062d79d9855c

SHA1
f50cd2213fbc477e7310817d2d16450eb8be4536

SHA256
fd54b6659de5e64a8cf571daabae7ad1b366c74d7a45adfb497318499dec3689

SHA512
087969969ba3957d34fb67aa0d4072edb9d36375c2810b38ab94a185f3ea7199f398ec2693572e21f673958ac5ffdd6ecc5a08161038ba43071d9ab94391b32a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58916d.TMP

Filesize
872B

MD5
dad8d0f3493673d9edc6de1fa312c534

SHA1
ca46f44bc5687aad8257cdb166dfb4b473c1576e

SHA256
04bcc504c6b92a6d3fb52c20b72d0b1e3afb4a546a53777ee9b9d5861b111d80

SHA512
03efec5f1ee0d7cf38f7c1b9618ba140b8996024251e9ece2cd0f52d7716c396868f939e12bde65b17a8036b2f05b7410fa7f2714bb3b563c32d07b7e4b0275e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
55e4c4ba1f3c76088c80673e22b10d2c

SHA1
7cadce2d52a03da86ae21f690c51a2d8a7b6670a

SHA256
67a3d1000cdf986d05095b09d392edaa3a63f8843d3ca0e5e70de158f9f424c1

SHA512
4af6e795f0a3a6de1b165b934f1a516f59b374e16afe418fe4ae41b90d4b450f6fdd15c70bd31aebff2aa824df6181abbd7b211e8fb036acfc6c9e3c8be3957f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d1b54035-6510-43d1-ba1c-1b9325cc8978.tmp

Filesize
10KB

MD5
bdb9412fbe6da75a7b8150691e85fa1b

SHA1
c63568e090d213b1f5dabb9c4389763cffd0b13d

SHA256
576985cb0bd6ab54dcae741098a0e52b4ef3cd754078351bb7d5e2d9880ec772

SHA512
f51eed674384925c55a34ec6a856da2788931ab09bb5214e568b0a0008b99e7904c3109dbe2da4624bdcc94b07f1017cf5e9ddb93bd9c029fc46cdd40d267019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
6678b463e21f9b8a54e0127d38841087

SHA1
8b4b32f1b665429ebdc99e1836ac29a18c9d5ae5

SHA256
c7c90b2be0ac6f05c64340a308967d2684639105cbf1a1cf73f3f321fbb7974c

SHA512
3fd5fabf4f9411d69ad4266253bf5593dcaa27fe142c92c322517224913894e44d56509fc45b0eb3c124f6312f1f8c31c4e3a54dd05aeddbc6f4e420bad93d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
279B

MD5
45c2052b6f276e422772b871ea7b28c3

SHA1
94d6674dcd78d89551c3197dc459781e12a72df1

SHA256
375df47ba6815dd8d0193d8c67e4f4840f4ee5e8f377b0d04accfdad1bceeabe

SHA512
a07647910c0f709107ae374a6df71d148f6541f66562bfecb2672b200c0e1c08e428a8d7634f82ab1ec644d9f081f846ce29044e6e8e93694a8373931565b140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
160B

MD5
2e19a9040ed4a0c3ed82996607736b8f

SHA1
5a78ac2b74f385a12b019c420a681fd13e7b6013

SHA256
2eeb6d38d7aad1dc32e24d3ffd6438698c16a13efd1463d281c46b8af861a8ce

SHA512
86669994386b800888d4e3acb28ab36296594803824d78e095eb0c79642224f24aca5d2892596ac33b7a01b857367ed3a5e2c2fb3405f69a64eb8bf52c26753f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
297B

MD5
e887b8dfeca4d21e3101e6cba99734ca

SHA1
afb0def542654ca8e423236fe979e9dfb28ee0a8

SHA256
3d17bff27511a4c3b62a09239aca5fbb2c8bdf4e4b98490e11dfdaa74470b7bc

SHA512
35da6a789d21bb1709833d0ead5444f2c93f9f8a347d46b8f5d4142eb7fc68df6e65120a76c083a4fd7a5af2f75905030b0ac41247fba97c11aa08f528965c2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
1b37898daec8e6cada092a10fa1f908c

SHA1
7313248d02b3fee0259649b1b5c7c22ab2e7e9c6

SHA256
001e61bee15c232180b6ab8e0e21be613a6529c492ba109f42aa1a9f1d64a919

SHA512
eed2ff6573087e0f5a53fda4ac3782e2ba22507d5c16ddef1166c51e62f39c9bb7cbf3a8e77fffcb8d2f4e9a6cd210bb546c49653ea8ea363faa688b99d40e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
c6ab7bf265d520eb90c679ba29124bd8

SHA1
077daecca3b4d0a733ded557fd63384daef6be37

SHA256
9a4c3c0d12c119c878c15cc5dea3ad93b8acbf6ac9c1c30c730426a7a0edf42d

SHA512
2e035a8e5b372dbff6ee2f43a7ba51a95fedf85adc1f9420c8dd6610f0c973ebc5cdc24c894e28da69f4e346cd8912956de8afd87c2826a895477fd62f0dfd8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
863545d297d288d09e15f85d31d50718

SHA1
78c2046e11746a63bec4997090671573d91456f9

SHA256
a3b153833effad5b4862470c6e5ab0909056bc7aae657b5725c9365bfbfb709a

SHA512
531a2d4d91ac2c3dc9d6e2b70330d7516e544094f923cf9f8669493e9c35e61dab7a531c7f4c5fb0d66a532b647ded24d859a894a13b401e19a82730273bd2b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\index

Filesize
256KB

MD5
71e3d522c01814376afedee4a5b0b361

SHA1
b73ab316571fa0e06b07d9bc211607f7cc6cac8f

SHA256
fb8b53323a59637cef395ecdd39247470c060b8278c7da762ec53757f6a870b9

SHA512
165e1b8ba914a16eac7f63e37209f677f2f00a572066dcb66e69d3b2256c697a4c0dfd4b67bd8f0f7e0d5454478978118011338282d8ca23c06bb4ed022fb44a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0abc0d1a5786bdfa53b4186b98b68648

SHA1
835926311ad584d7004c6abb4064d4ec5e535295

SHA256
389adabeb4d1a93d4f498c4114ff8dac232762d151e8c4074620be3cc29ac5cb

SHA512
165ed7d074d484f16aeb7862a6efd500246dca9eb82f045f592298cb327d42bdfb60312a43e9796248ef15adb0654f4715c2e12aae825fa688e757f76496c5a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
adcf5bd7e373eb3053325549d0186bf1

SHA1
cdfe4de8cb094536c6496cf3cd8caf12469a575c

SHA256
aa536f97b56667706bbc7a57da4ffb35a4d5d9cc3bcd93de1fc3a3ed6de24628

SHA512
8a9b42f36707c375c02f544bcd2770bd823e447d6665a6b616a1477bfc11e37f51695d446959816b6e828a8b1905da5dbc73781e82bdbc8e07556f823be95ad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
061a986c46d7c7840d14074bd425eb37

SHA1
5586357e119d98bccc986a787327afec076ef36b

SHA256
e44596f867edebfdca84fc5293fc3b9021afab64f15f5444226c24b4820279ed

SHA512
616742a71e94fd032d7f932ab8b82564a4ec63bca8aeb1879f166ce497292f53ad239878f3e3bafcfe5b7e2a7ccf26cf572afdb9dae826c7e4e04dd1d0727086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
32ee2d8f42924e87739ed5d3640286d3

SHA1
90203781c66bd3102aaa6596c8ef7092637c98c1

SHA256
7e998a7b4db662d3ff99f25d32aea84f6cc6216dd51a4cddb5a798e9487071d7

SHA512
2fa98b599bdcb9b7179519c4df72cdc7f4d7c5e7d1159830b6dd9c368aa84cfa51b6f5cbb72c7d4e72922f34cf44e2e44b636abe364add1e7e8e739036c34b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b6177f3ed2285ac5933f464bfc86502c

SHA1
64a71b605db762c35dc4a77848b680716d38e2b9

SHA256
d9a79a3c7c8a6f3b6deb765b4b0bdf73e2d1cdc0947e713c1cbc080952b3d3f3

SHA512
bc980b0994e8c2e383620c84e649eeca3697b4b90577c868bf46b70aa8724cafc49d7cebf80f21d1b33ce58ebcab0965610407c8c13a6d80ed7cf47a20332c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b0dbbc6f4be904c572f2bef6f2e64f4e

SHA1
fc9c3ddb60c0c3a467ebbf48de7412a229f68462

SHA256
70103bbb3719d943bfc30aba5a9f6fbed86b30b839f8b5c413daac790ac9268e

SHA512
5c17b033e331ca81ab0ccdc4512c48fe83170880749289c705a5b9824dda550156fed341ad2f365f0c0c809af243825c615cf4d91afee186f7e9ea4c642f6e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
56747d811bdb89cf5acb86e124e07316

SHA1
3337f34b1bf59854347a2b51d1d36f6dde9e408f

SHA256
33041acc61e1f75664e1ea875c728f970e1b629fbf49488aaa3ed339aa91ee74

SHA512
375cceac7eb67e9b1186b3aa28df7d4e5272d20c409628a480af54364b3323974ebc79f86bc9e10d0c61033aaf1a4b6f841ef7d928a4c8c3b8319b1949647f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e2c18c32d49a7616abf08ad2fd6804be

SHA1
5236c68e4754ab5a18b66390a3142a0c0223a1af

SHA256
a2cdb3009a0484f81d200add882ba2813942299f0066d40900a2966877fc51f6

SHA512
abeef8adb1d9b7abfe621227910a59bd3b63c4cf9c70f33549281f8a8c547eb66d195f084b7f4458be951fb13c959d0e09b48b5540efde5d4131bd2b571dff39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
6a3a60a3f78299444aacaa89710a64b6

SHA1
2a052bf5cf54f980475085eef459d94c3ce5ef55

SHA256
61597278d681774efd8eb92f5836eb6362975a74cef807ce548e50a7ec38e11f

SHA512
c5d0419869a43d712b29a5a11dc590690b5876d1d95c1f1380c2f773ca0cb07b173474ee16fe66a6af633b04cc84e58924a62f00dcc171b2656d554864bf57a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638343870221005468

Filesize
57B

MD5
3a05eaea94307f8c57bac69c3df64e59

SHA1
9b852b902b72b9d5f7b9158e306e1a2c5f6112c8

SHA256
a8ef112df7dad4b09aaa48c3e53272a2eec139e86590fd80e2b7cbd23d14c09e

SHA512
6080aef2339031fafdcfb00d3179285e09b707a846fd2ea03921467df5930b3f9c629d37400d625a8571b900bc46021047770bac238f6bac544b48fb3d522fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k0aifmy2.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
721546303da0bf31dcebe4d44b35a478

SHA1
efb10bfd9c8adcc314103cef26bb27912099a9cb

SHA256
8e25952880a145b3196f54262fc8ad418b4b7b6d52f8b29056b95915c6901ffd

SHA512
975dc4dce64c3e5d947337685faacea62038888792e0e4ddd9d10164b80d3d26e9388f0a8aa99d6a96b327efde6299a5c13b84ae20beb09272d566aa7cf590e5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k0aifmy2.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
39ac7778a77c745a29ee9906457bacd7

SHA1
5325e53deb64da32df3f0a5b5f0089ce0a50228c

SHA256
492483a4173a3d057ec4b452ec7fc175e83f0b4f3a70866f37acfcc87ce39f59

SHA512
f4c668f430644a912ef862728b678a0c7774b84e9018bb64e6320aed9a55b244094bcd2885166f7e7e98dceac99e2c1c36b078e6e6c3f6bcb130c80e20ca683b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000003

Filesize
24KB

MD5
b201e8da90ef456598b8b3bb0e31bf53

SHA1
8bb524c8e9b17920c83d9a06c0b305e41cfca560

SHA256
2c8b630d1edafb8cc8c8cd73fff10c8ab6d06232929a4d458ec34628920f1665

SHA512
50126ac5b7800f5a848ef49ebc8e71d78cb5ee9c1602486b30e697ce57af32c868e46795ac2c157cdfd7fe65c03133c7a752813d520a9106adc3e50620b473f3

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000004

Filesize
40KB

MD5
46f57737d50e34053f1f7633d74d600a

SHA1
ebb8c24e34d2f6f7e25de8ff516cb46ee8dafa36

SHA256
b49341286ebd650e4486d60e7bed27076f7d583f825f7440faa15d16ba3714b2

SHA512
c72f440d2a1a3fd6be82cc8c2b10a15f045f0c3485d734ede9fcbe436ba1a9f291830830005d386458092a1a6df1431b58cc6ac95fe2ea745e74ba70b050f2cc

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000009

Filesize
36KB

MD5
21f4955f4e7a07d5cae4a46fc74ab263

SHA1
3e3e25ca71bb03ce2c9b2a495b346b9653568b1d

SHA256
0870954849b1ccc0e6a9754cfbd3ce33f791cde77156d1f84519713ac47c37c5

SHA512
ec857db1522f15d6b769dc775550eb0023e27c080de45f6c091bae25b8524ed17fba0ca84af38459bb1d772bf479327b031e5ef677d3eb7f65c703c03fc70b84

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_00000a

Filesize
20KB

MD5
7182dab792dbc9cc2928f499d10807aa

SHA1
edb2741e45fda4b9707f16a8c4fccdb4567e3607

SHA256
90468387a08481e00d3a0366954fe8b71bcbbf0037cae6e67ebd8c54dd742a54

SHA512
32ac22dd170e8a52835f45e4fa3b719c27ac5f9d840d62f5fdcee3b8ff0cfac7327723faa4a0d1133ff83867681cd857e72fd6bb96b663ef6267c64ee0c60de5

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000013

Filesize
99KB

MD5
086cd4bfc33a9214939a2e914ae428b1

SHA1
8728bac835cdd5d7ad832c6fc259ebd5ac46da88

SHA256
d9bc0191f4511e05a63d02722ea4ce4c953742bd33698120d514d3d862f1308b

SHA512
a6d124d4fd8dcc7ac1a4c8be5475407626565fcc337e43ddf0971c240145fcb4399054b039dbf25fb92eb5b71aba1357e0b3a09ad34ade01e4ae370be80627f4

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
c5d6d839443bbc3db012a3b67a7ce17a

SHA1
07932b1510181ced27895bad8b57b6a7a3f162bb

SHA256
3e2dde3fc051fd20bcf35cfc0105752187f752cf851ab07729cb82679296e8e4

SHA512
dc526592001df001c713e2889b853daa71511e3d887804159f704099f18200c018132e2bbc082686af9c02ae70f7b796b604f0cbcc22b72eb2673769ad0b88a9

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
805ce17f0487312a0060da9fabeee488

SHA1
5072f8620e7295c101309bb80f258f6f8c6b5555

SHA256
c5ae5d7cdb19bfc636755fb369002c66cab17c292b2b505073534f75ca4bb952

SHA512
78353387a32ef398baa8a405e24ad0b72e9cd299743e3891b609a2957030bf8a4a79617c0ed55d5678b8422d031f452ca44e5e98eb517a137781a2d5d7cd6e57

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
7f3a918bc78e6bcc3ccd4401972836f8

SHA1
0ddfcd011615034006bd97906518fb48f9cb0329

SHA256
6ebfda5d3bfa3f6eb709f8eca4ba3f381ad140daf21f4d53c87e9a527d978cce

SHA512
53fd276cc04f9e163e3f7333636f7594a8904fe3fecf517f3230a88907f5a7e6efa8c6a1180bb795a7b4e470434fcb3d8e703a61057a1d2fb93ee674943770a9

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
a5e4f0ddb73e734b8b4b3863dfdc0250

SHA1
10b96e43a61493915c6395355b57c589b8769f02

SHA256
5a421ff83ae16ffafa20052543e54ad575a584a25b373f9f98247f7a7b602444

SHA512
78ce4cd2d6548110381f9f5c788fef6c40798ba68e173bf3bd19fb4f0cf2b39c31bdbbc29756e7bf57029d3dfb1ecdf2740271295401619ca77b930e39db5e88

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
f413704feb0083ab492a8004aa2c2970

SHA1
d8ae1ce631f8b476e0df9eab527f39fdbc79569b

SHA256
cce8739d1d306b4b9b63ce46c53dfeec2e2a3b7e225e64152ddf8a2aef5b7f51

SHA512
7377f15d1a83a26ff198c6f8d1da834d79454d7ef219de3eb80ed9375d54acf65c261fe3037accf2c11f4addf25c11cdbaf3b9b977b30f75fdfd326fc9f40edf

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index~RFe5a083f.TMP

Filesize
48B

MD5
41e6ac78b1b23b35902c95b7269f4c6f

SHA1
0e546f2444ae48236e5ee9840f1be92d8453f70d

SHA256
09c03379d63dd1f3e161141b01631e85734d611c752f96377270ef64100e738f

SHA512
9965feceab9126d95a21141a4419d00d5d13a3a3dec5ccb8074e91a577afea581b6fdfef0be45f3de2385725262dee50a8956fde29fc812bb87dcfd555fe8206

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

Filesize
710B

MD5
0ac387762d1ce5138704f11e2ebec114

SHA1
21653276ab895b3bf0273d30325e58964a40e7bf

SHA256
8eaff3663105858bc6d9b206197d826e72a028af7b4671963b29b2ea7733b51d

SHA512
9b89bf08dedf0b53a1b73d30a6431f1bd9bf469a463fa8cdb17e944f8aee22f0e775650eec65502fe3857e91e974d95eeb44ede104367c27fb5882003ef6a215

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

Filesize
822B

MD5
742867bd16725282b33f84d88532974e

SHA1
4d92c175faf07b10d7ac22d2a573c2ebf1557a0e

SHA256
0dadb53d22144e12e6705470e1394b5fcae2066bd7f4d592effdecfc59ea4f75

SHA512
91c1619995452263a5f86bc7e71508fff69775ffc0b0d827f98248440a320621983ed482c865614585f7d5e4ec0e7baf66922990b5bdbc07d9858a8ed7cdeb19

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json~RFe5aad68.TMP

Filesize
529B

MD5
dcf7fc55f2232d343f861f6943d1830a

SHA1
4cf0c4a1257d3b1b7b20aebd711a0fa26b1cdea4

SHA256
13a3253a49cf716ad770015a47338c76d77d9e0e770b442449759a1dd75ac32c

SHA512
faaf5cff4e48002d9f5026389c5bf5c10807240c5f00cd0d5eed4f55436340b43bbede8f5f3c06f7abf782b0960da23b13faf7f748ae646e7e3545634878e54a

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
1KB

MD5
556205fd36eead82fb3dce888620e899

SHA1
524232465d9616db23645a969dd529bd8bc3e02e

SHA256
12af54e19dc3239cac6fd22a7c0ce25e792a7b33cfc1bd3e097c21b9363829d1

SHA512
81f1042bedcd7dca3016caa101f57d01a3e5095f4b733b8388d671d02e4be51268e5efde36d34765aab873831c6045800ff0cc023fe77e50ec1eb4303a39ce43

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
1KB

MD5
eda9f0f617db509c0377bc0fc70f5f72

SHA1
dce209a441767dcb48bbc3c1074a2e277cfa7e9d

SHA256
7a3da18867ef101472b0ecabd7a3a143e96992d1367e46e11cfdda92ec0601bf

SHA512
647cc91945f810837f654d6ecf99fdb899cfc45667b867cb21190c7e0dc25353d145f235873226dae783221a47b2e04a24c1cb5f91e4ba6d7589e9cc5b6c0df7

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
1KB

MD5
fed6be688b169e94ff76d4b9ef9fa907

SHA1
a41859dc969482048d309b0580e42d9f9a1fbbe2

SHA256
2c355388a7c451f0518d6932b7d9f80d7d6547fe483b57308fe8fca109e00d0d

SHA512
6c20df121ae8c4ce96dcb74d8887c2c69d57b3a7869baed778171859fc51f53bd61b61b42ffa5f13f43449e622a57582d2363f063e7728121a051e66f8708970

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State~RFe5ac0e0.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
1KB

MD5
c439fdf517d982dd7ce65ee0ad2d6b0a

SHA1
8232582544cbab8b0404eb19f318dc6316b01d03

SHA256
2a971549fb3f0d2930abcb95cdb7466bc2cfcdc3f84f6db656a69ad59e2658b2

SHA512
b171e29fb530cc2e07a9ce9fb79ccfbd02b8808b9815606e9e72cecf446e15ef0a6f235c0749cd213d165fdb73e008c9ad6ccd8955b573c44fa7ae475f136895

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
1KB

MD5
a8d1444fc0e48712ad0e54cc8708bcd3

SHA1
62f36484e9fcadcc39794009452b22b6ac672de9

SHA256
b5556db79cea62b6105ff97ab02434b92016b1b5978367b1e3409a3c64fa75d4

SHA512
70e745418034b6f6cf732b9a063e228a0d7f1e1d18e826471ccbc7b25b4d1956b314d6ebb8023a5025304897ba5dfc233dd68766a9a8c2ae4b287135e21dba0d

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
1KB

MD5
f5826fd10d7abd6b1c04d00ccb25c14d

SHA1
04edacd3aa3fc6c8d171132eea0fbd1dba84e9fc

SHA256
cbb1012de77b3a13260438775f82c45689b57c83b58d2470aa00cbca92710792

SHA512
5d151eaa9b031ad56acdbb4b572bac0fce757606dd8905e6bcb16a347e2db058cafdff301392e394a071ec495294f965684a71d41c787c7c0cab270f2dfd7b96

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
1KB

MD5
d7a1fddede2d1de642d5752e1d701cc8

SHA1
596186bf152abff672d5777e3e7dc53d6696f71d

SHA256
70509ed4ad83afe7197f4e993f0d1ef0658f0597244b0f829f7603ea2b664106

SHA512
6d1f08cfb77c1f06e24c32fdba4f5821a63a790edc36dd490971317a8ed44a3189c5494d2da494260e21e91c1f4b18b1b7aac4cf6e92df9bb26a9e0532b9c16a

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
1KB

MD5
29b7f98eb84a650023ecd0d9a719a6e0

SHA1
c714f65c1b0449b355a494b1655ff4d77c94f1db

SHA256
38667d71dd4e10196088b6735e635b556e8ea20254a16e8ae37d436e11ef96f8

SHA512
99b5a8fbef33be9f87b5c4c771f544eb92e3ef9db135b7aafb09463c9e65cec5c6af6cc2717710f15eb9f3a377ff453e93739bee019740b6e8a150686bd77dcf

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
1KB

MD5
0c62dee6fb3a26a6291e8a0ad375b264

SHA1
7a60f007ba1f3c6d8d359e50ff5f7fdb7c8d73be

SHA256
347c72bbac4d2865de75b49c6324ce13799e323dfffebb74e943d7630a5eff61

SHA512
81b49d92ba57c7a5558f9b9d310498df97e67f32ce5de98c388a18170f3bf9357dfc0ad3fac78da95a789fe029288d084d3417308eb9c374b7536a37d3cf6d9c

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
1KB

MD5
9d907a3ac7c948c61c2784d44f245618

SHA1
fe70cf7384f03af486da1a828e3dcd71e5cd9d9a

SHA256
24991e2116a12285f6d954d28e60e35a153a043c37dd7d212f44b297bd7a1b59

SHA512
95b7dc2392698ea1a5591c0245a2f2a83ef24aa94a1678ca061fcc1a66960739e297ca1dce3b42e60bc0995c75677518cf80f8f4787897292b54ab713907dada

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
1KB

MD5
4937747c711f5782f5ce54c6de17315b

SHA1
9221f4ec2b70fa29e33189c5886fb108bf308717

SHA256
f8ef1e279e77e0cb2a50f42712b3dab1e90195ef27e2e9e7f959afb5e212c2de

SHA512
4f5695b894bfe22498773ea1aa99ae5245ab99069aa71665a2a5ab5015638e0d18a28e1842c9977d66c0bb0655b0a8f3ec40fb90c3145e72e39566c503518309

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
1KB

MD5
00ad74de3c07f4dcbf24552b50e862f7

SHA1
b7751547596b6115b7af724212f3151cc575a1fc

SHA256
d03819f7066d720e5f4e78353dbe1cc8f55f35d2babaeeff14523f5d20c4007d

SHA512
d0f479e072544c60bcd749757c1c59b251e04b7ee446a4097358cc2a807f5884aa5b7f3030e5b9bfff1b6e1c6b3c3c3aaf472d41206b5b248ceb2be87bb559dc

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity~RFe5aaa7a.TMP

Filesize
1KB

MD5
872676f77c6034614d30e4a7005d5279

SHA1
af2dd6d053ff4295105a5bfdd84c2a5d48129138

SHA256
c25522b3f616d8c4e5fadddf11b6086a62386258661758862167cc8636375c40

SHA512
97ba070428b4f1fb81088e7a4dbaf5f9b21888043740a308a1a4dd527b2bff7f2f34766613d58a24922eb22102b7b552423b8834ca0d99bcf91e22d5e7d78293

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\UserPrefs.json

Filesize
2KB

MD5
602c49f9246967bdcff45b4f43cf2fb0

SHA1
4c5796e0c724bbd7a9244cc8a0fc9e8f40181f2d

SHA256
a3ad9649c1038078038be1abd591cdba73b4b4f5cf30e11bb6cb7a432b746114

SHA512
2f273c0dd0127071f4c768cfe7277c6efff84c1ef4f4271c1326db3658c84261794b106af3198717f349fbaaaf276163700bbb50ae20fe52ed0a88a192d46f77

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\UserPrefs.json~RFe5aaa3b.TMP

Filesize
2KB

MD5
68b20851ccb9834d21fb32615e42bd43

SHA1
88fab935f0b9484994097c08f785e9ecb7d68127

SHA256
a954b528dd65ad6c4c2091fa32f17abdb7a49454ce88e10bb6c377734c70c26f

SHA512
dcb0771120c8fe35213d60e9abf4b242af807324759e3c99e9b2569c00a941d885d53ef6fadfe69e6b740e0b52a6008602605d643801190a2d29175a7d065e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrC6F7.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrC6F7.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrC6F7.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrC6F7.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrC6F7.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrC6F7.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
e03584f15e49f6b57c903a3df2cf817c

SHA1
8a0da02d14a0d325de6e622235da2327e884d7ea

SHA256
017925cd9d91a623df5b5c73b9fac0ebf92515daab7946e7033473b3d5071805

SHA512
f72e9497e00445136f6146dde1c9aad9df34f41eac922fbe915756d987560704f94149451d5c41b0a8414d055a9396e8f8e51a9d5f856725221b575a9f98ec33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
e9986723e838dbbaee81daa3d45e5b40

SHA1
1d924e84e5c54419e22972876c305579009d5da3

SHA256
ccc0ff67c4efd8064c425880f3a83b7dcd9b6c330b374dd0144801f4bfb9e2f7

SHA512
9e517779c530c6974ed10f7e3f5f1242040cc997d99b1842fc01855994c8c9b2aa9d05b8cdcc9bce685938dd9f16fede1a9dcfda99ebb42ad4728f31b28c56b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
779778ff1768130d84f08ecd21ff2e5e

SHA1
ad016cfcdc0dac23e9cb4b9db1d384d0c4a9834e

SHA256
175ffa9a55497ea3745472119826cbb0de8ecab3f14ecec1511967b366a5622b

SHA512
b3a1a661cc75bc88fe23c2bc31c90d6abca8e2a7b35461944419d81ea0871cbf873b58622aaa004ac606448431105bcbb525b74649832051d2798723cacf8f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
8d9211165a310c6f5b8e85e0da594c21

SHA1
addb4fe7be8d258e78702f8800d7fde8bdf7f86f

SHA256
63ccd370abefeb3b110c5163462a7c3f64ddc3715b45260b3d06e85bfda54245

SHA512
10d96f4c5b52491f8faa4e5455935191f47f33ada8a1173c220b83b358bf980d2fed3751438140dae511337f52f3de1de93cd5847ee5ac83120214d15fada68a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
2c8f8067f2dea0b7ac608a3c4890012a

SHA1
3fb00ae32c0f29e7c0e5f465ebba5329f9d38eef

SHA256
7540161259ee734224f041b7ee5a3063dd97e04c9a7e24636d0dec1f3ce6240e

SHA512
05b87bf6acc4d160c41da2ef16b6b18b9ce030c611605243237f4fb84251ff3b4632d4625383bea5db15006fa333aafc390d304269f4314d9421357ce0f0a5b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\AlternateServices.bin

Filesize
7KB

MD5
2133e6b9f48d1475e2b97efd6d505ad5

SHA1
83dcf7d783386f448d3487bd9390648086a3f916

SHA256
6a7775591bc330ec2e8f8099a658033246b9a481b7e9e1e5bf988db3cae3a60a

SHA512
92fe128cae67c62f96044690a023dc01272e4bb245e64320137f58d41e8f543f1f0b6cc3f0a4b6cc860663248cfe14e0b607669ab00db197c29c63c6bed790d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
46900e2d14645be34a2e0dc95c7d415e

SHA1
0bae2a4af3aba19097c1c9a62df04bb8009f8225

SHA256
23d7cd8f3845a3056ff81c908b965da7c2190812fb4c3bfb553b2b8c5f68752b

SHA512
9ec98d74868f8ec9d5160954f6524033f22594aeac57c20577d7e25def73890c5c735bc77db561e06785d433afe937d922a5bb696153ebaa6d8f0c59d6dce02d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
7a56133b139f7372316979d930be9109

SHA1
4a5076ffcc94cc93db2728fe3e7eda254f723995

SHA256
21c9b244fb8a7ffad85be4b7d1382829966e03d10e95b88d54f019dad9820fdf

SHA512
12df7268ff777490909d14a50a854d15e8438358507e1f3f692e1a9831850a635af09f7fa52fa687acd8ccc675d111595820959d44183465a046daebb5520040

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
93faec34bf0482d048f55e816c7f5105

SHA1
2310a60f1a0eb09393a1f7c39ece81cf7d46c827

SHA256
3e8a8617dd84c042f8093179e1820566329b1a392f3b8df39a17a8a91b3442fe

SHA512
724f3e9604166810e85b5d3e2d8df8506658c496bc9185ef5c684f911ecd1e03a25f7a5f223997a47868a4445227b3342d329cb199075e5e2622cc0afaa6fbd0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
d4a36248e9c4e721af42bbfe7c14e0c3

SHA1
54b6ecc112f63f6669bcdfa453e03471718fe5e9

SHA256
16663cd26026f59e7b2b6bd4c7e1cc8e6e0fcd279bf82325aa5d6d60b45b1aef

SHA512
cf79866fd32d9d1c467246660fcd024b216bc194dd3ef2409ea4787a412e1bb0b7503eb8f52821ce3a68ab9c39d05d97b1359b11be9f7cea5137e54e13d5dd72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
3a70184f0be438cd942094ad38a09933

SHA1
d2a27e85a1c72afc1e17f4184c2927b654de68ba

SHA256
dd1e03a5dd3c74bc1e31dfa6942a46022b6b7af80843a2f9713380e1fc5c1694

SHA512
854f85e0cc4bbdd8209a48d63dae5cae16307713244e9c74a77d60d206097d410fc81f21c83dc26fc892b83215be83e3cec7e14a127776188b888fc4406b2eea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
43f2c00b5aa218d2a5b363f882a3ce73

SHA1
af0b3df9fea35db24ccacfef86437e10cf81571e

SHA256
db441423c775da055294be3587b38e8241b233d23f1a533c2a55cac2e43336e6

SHA512
dc84b5739ac87f42e5dbbfbf8cfe53b7eb9ae5cee80cdd72a08f71c5fa538e15f5d4d5d7364c32e1cf11340854b5278909f7fbfb6a4361dccb3f07ee9234fbb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\pending_pings\213057bb-bb88-47d9-aa06-a206785b80d2

Filesize
734B

MD5
de0bf0256eab6eb8c2be6bbf50b776c7

SHA1
43dcce4d297828b4e867695963fcb9e49cfb76d9

SHA256
8dcb1d9e9edb1be50f4293f995db1859a1c6fa90756c0ad56ec80df64571a791

SHA512
faecc3937e7b56358202706914a4c259b69445d09ef4310f5099f4b99343aa7dad9136ee0075c5767998f6ca48e313dbfde114e31fdbd8424d20c9672a49237c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\pending_pings\b0a3366d-bd34-42d8-9ea7-70cd07368fea

Filesize
979B

MD5
cec2b03f463f0b5e7ec1c6cd16e1c33b

SHA1
75e184cb8dec99c775d6ebbb20dbf977ea1dfb5b

SHA256
46fb6cbd7b8f9b445aff17b4998f14bce77aa4371adadd6cb4e6fb845744093a

SHA512
be554d49732283845cc5f98d4dcfb8a343920b18403a8cf9e933e19fd94189c5d69b9d0df563657f1f0ac34fbea361e429f344c8cedf4ffccc0d55a5a443d9f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\pending_pings\b7ae672c-b776-4920-8393-2b9d91468095

Filesize
1KB

MD5
ea2e733cfb81bb78a9f166d5cc98899a

SHA1
7391af029fea3f2b9f0225cb037bb3e232c35335

SHA256
00f8d4e2b9cab831e66e20e321015bfa250923298574751e41125bf668f72847

SHA512
0eb50ae31200113f3d927bf5f006a02303ad98e6902306d588282f576ae2b14168e43c8210e97fa517746d6a552ea9ae7c7ec3503b0335f8f5d581b82f8f7ea6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\pending_pings\d908d6e6-2eb4-4c3e-b80b-12fa709f16c6

Filesize
27KB

MD5
b86c6c742aa8d7ea23b8724296b9fe0f

SHA1
4597b194e6f913a5091ef83165665415fdd0c6b0

SHA256
2e2cb548db437a2abad5910d8a67a7638597b91897822922cb945cf71864335b

SHA512
51dea907ef6db6ef07fd601e139fe13958575bea46f7fec3ecd9a4f1de6092889ebb6aa49ca7be5954b21fd3af723c2c56ed4c1ee022512e199a11b4751fa0a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\pending_pings\ebb2acc8-879c-4f31-8e92-ca3a2ffec901

Filesize
671B

MD5
1b48c78877d8cc9405a2dbd3232d429b

SHA1
16917c239fffefa3584ecfccfe115a04bf03ab5b

SHA256
138214c8403ea1d62aa1f53b731b91dcfc2cc4d178897e57940ca08eeb25bca9

SHA512
c425f8461099e86328159b9e6dc5fb85d0d605ef98e7be98ac7804f6243e62f20dbce1b80285433617afb40633ced593c849202ed5dcd58e47e245472ed26773

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\datareporting\glean\pending_pings\f499ce58-c5d7-4802-9468-fb2e3035ed20

Filesize
982B

MD5
15af587dc27d1b3a303b7d1b2655ee56

SHA1
417a1cfefb4c880541d544f36b7218f6e45e76e7

SHA256
713f7abc0b12d404f8d3ddd1675eedffcba120a88a0a2e829338b28163fa6ace

SHA512
bc666dcb8d740b3936e68d184eb366b2963a8d3ae5e35457bc5947b9e47e38646b216dafbeea15998cc668e91f4b3191354b2b69d3695ef2e12d7eeb2d770d9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\prefs-1.js

Filesize
9KB

MD5
f96d39c1764b47b945b65a54f1f7842a

SHA1
9289ce8c2bdd44f820f048537fb3e557ee5aa914

SHA256
9d11dd1787f26bc3dac2f61b6c503e3f6649481dee873b580f3a5a9f889c7e04

SHA512
bc5d96665657a66791c12edfb377fbc0bc1058ffe07321fb54e2c4683269baaf11d4f5b8c6e222660a3142ea62fbb836eec2ed3eb8f91946b830f6455ff3d417

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\prefs-1.js

Filesize
9KB

MD5
3dbfa2efea166e3a6744e1ca1733a4e4

SHA1
e94ec22c92650293ae5d669343b5303cfdb78dfb

SHA256
19fe0b6bee27fe10b6eaf1d714afaaa9d9dec098fa50e5c17ee03627940890b0

SHA512
6b175f19f5c86ed954bc5459eb64faf051bfbd22ed3ce9a520bee0f9e0f298e91dcb8e1c093355fe4edfbb8bb3fde77e0d74005b6fc7f1dc8f837d3dbc5a1a19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\prefs.js

Filesize
10KB

MD5
b0b1aedfb9a79223f01c4bcfdb3462e0

SHA1
e228e5e3208a9324bf3a9eede669c1ee21e8e2d1

SHA256
207a561cbabe77a2881932a436d7a0e531d1593d922169e129463304daab383d

SHA512
1803a72ccbfffd1ceaf0f33c2edc45d4ad362b85453ea894aecbaf61413de4181467851ab80c9cc84aafe518e5f712b509d5d5e3fdee0ab599c693bb9d41c242

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\sessionCheckpoints.json

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k0aifmy2.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\Downloads\9dab0407-f575-4f78-99e1-f2744b730044.tmp

Filesize
9KB

MD5
b01ee228c4a61a5c06b01160790f9f7c

SHA1
e7cc238b6767401f6e3018d3f0acfe6d207450f8

SHA256
14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160

SHA512
c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 315582.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 570297.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
memory/1516-54455-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1516-16587-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6412-13464-0x0000000000340000-0x00000000007F2000-memory.dmp

Filesize
4.7MB

Download
memory/6832-13729-0x000000006E490000-0x000000006F7D1000-memory.dmp

Filesize
19.3MB

Download
memory/6832-13760-0x000000006E490000-0x000000006F7D1000-memory.dmp

Filesize
19.3MB

Download
memory/6832-13916-0x000000006E490000-0x000000006F7D1000-memory.dmp

Filesize
19.3MB

Download
memory/6832-13913-0x000000006E490000-0x000000006F7D1000-memory.dmp

Filesize
19.3MB

Download
memory/6832-13900-0x000000006E490000-0x000000006F7D1000-memory.dmp

Filesize
19.3MB

Download
memory/6832-13826-0x000000006E490000-0x000000006F7D1000-memory.dmp

Filesize
19.3MB

Download
memory/6832-13875-0x000000006E490000-0x000000006F7D1000-memory.dmp

Filesize
19.3MB

Download
memory/6832-13741-0x000000006E490000-0x000000006F7D1000-memory.dmp

Filesize
19.3MB

Download
memory/6832-13740-0x000000006E490000-0x000000006F7D1000-memory.dmp

Filesize
19.3MB

Download
memory/6832-13970-0x000000006E490000-0x000000006F7D1000-memory.dmp

Filesize
19.3MB

Download
memory/6832-13742-0x000000006E490000-0x000000006F7D1000-memory.dmp

Filesize
19.3MB

Download
memory/6832-13739-0x000000006E490000-0x000000006F7D1000-memory.dmp

Filesize
19.3MB

Download
memory/6832-13720-0x000000006E490000-0x000000006F7D1000-memory.dmp

Filesize
19.3MB

Download
memory/14652-13717-0x000001FDD34A0000-0x000001FDD34A1000-memory.dmp

Filesize
4KB

Download
memory/14652-13719-0x000001FDD34A0000-0x000001FDD34A1000-memory.dmp

Filesize
4KB

Download
memory/14652-13714-0x000001FDD34A0000-0x000001FDD34A1000-memory.dmp

Filesize
4KB

Download
memory/14652-13894-0x000001FDD5F20000-0x000001FDD5F21000-memory.dmp

Filesize
4KB

Download
memory/14652-13898-0x000001FDD5F20000-0x000001FDD5F21000-memory.dmp

Filesize
4KB

Download
memory/14652-13716-0x000001FDD34A0000-0x000001FDD34A1000-memory.dmp

Filesize
4KB

Download
memory/14652-13897-0x000001FDD5F20000-0x000001FDD5F21000-memory.dmp

Filesize
4KB

Download
memory/14652-13890-0x000001FDD5F20000-0x000001FDD5F21000-memory.dmp

Filesize
4KB

Download
memory/14652-13896-0x000001FDD5F20000-0x000001FDD5F21000-memory.dmp

Filesize
4KB

Download
memory/14652-13892-0x000001FDD5F20000-0x000001FDD5F21000-memory.dmp

Filesize
4KB

Download
memory/14652-13895-0x000001FDD5F20000-0x000001FDD5F21000-memory.dmp

Filesize
4KB

Download
memory/14652-13712-0x000001FDD34A0000-0x000001FDD34A1000-memory.dmp

Filesize
4KB

Download
memory/14652-13893-0x000001FDD5F20000-0x000001FDD5F21000-memory.dmp

Filesize
4KB

Download
memory/14652-13713-0x000001FDD34A0000-0x000001FDD34A1000-memory.dmp

Filesize
4KB

Download
memory/14652-13718-0x000001FDD34A0000-0x000001FDD34A1000-memory.dmp

Filesize
4KB

Download
memory/14652-13715-0x000001FDD34A0000-0x000001FDD34A1000-memory.dmp

Filesize
4KB

Download
memory/14652-13891-0x000001FDD5F20000-0x000001FDD5F21000-memory.dmp

Filesize
4KB

Download
memory/14652-13711-0x000001FDD34A0000-0x000001FDD34A1000-memory.dmp

Filesize
4KB

Download
memory/14652-13710-0x000001FDD34A0000-0x000001FDD34A1000-memory.dmp

Filesize
4KB

Download
memory/15048-38284-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/15048-50860-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/15160-13500-0x00007FFEE81D0000-0x00007FFEE81D1000-memory.dmp

Filesize
4KB

Download
memory/15160-13499-0x00007FFEE7000000-0x00007FFEE7001000-memory.dmp

Filesize
4KB

Download
memory/19020-16358-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/19020-16356-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads