stormkitty | cb94a8e6572ceb8cb0e6649a1956390521f19d5642f7693187d364fba23735b4

Analysis

max time kernel
817s
max time network
767s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-02-2025 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SilverClient.exe
Size

33KB
MD5

5675594ba9110a749bdd1bf9d2cf4252
SHA1

2fc803ba59555b3f58bb1be8e4eac4bdd291c472
SHA256

cb94a8e6572ceb8cb0e6649a1956390521f19d5642f7693187d364fba23735b4
SHA512

975ce3d094de70a8b4fa59b557ed3229e5d04d6fe21c2206451b8a91cccbd33748b1159e50e9e9332240897ea2f0a75f6c320e81a6c0c686de5b93e5e22a317b
SSDEEP

768:t0tAjVc38hoGxfV9g9LnvR10z1QB6SjME:vf99g9LnvI1QowME

Score

10^/10

stormkitty defense_evasion discovery persistence stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/788-216-0x000000001CFF0000-0x000000001D01A000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SilverClient.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\Control Panel\International\Geo\Nation	SilverClient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\Software\Microsoft\Internet Explorer\IESettingSync	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133833366570024350"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo - Italian (Italy)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 ^ 0008 1 0009 2 000a ~ 000b : 000c a 000d aw 000e ax 000f ay 0010 b 0011 d 0012 ch 0013 eh 0014 eu 0015 ey 0016 f 0017 g 0018 h 0019 ih 001a iy 001b jh 001c k 001d l 001e m 001f n 0020 ng 0021 oe 0022 oh 0023 ow 0024 oy 0025 p 0026 pf 0027 r 0028 s 0029 sh 002a t 002b ts 002c ue 002d uh 002e uw 002f uy 0030 v 0031 x 0032 y 0033 z 0034 zh 0035"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "823"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Paul"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\MSTTSLocitIT.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\tn1031.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Katja"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR en-US Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\AI041031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5218064"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\r1041sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ayumi"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Spanish Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1041-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "既定の音声として%1を選びました"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "English Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR en-US Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\tn3082.bin"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\L1040"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\AI041040"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-3082-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\tn1040.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "411"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\lsr1031.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ichiro - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\lsr1040.lxa"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "6;18;22"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{A79020BC-1F7E-4D20-AC2A-51D73012DDD5}"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "823"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{BAE3E62C-37D4-49AC-A6F1-0E485ECD6757}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_de-DE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40C"	SearchApp.exe

Runs regedit.exe 1 IoCs

pid	Process
2252	regedit.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
1560	explorer.exe
3492	EXCEL.EXE
788	SilverClient.exe
1560	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe
788	SilverClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1560	explorer.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
6140	Process not Found
2888	Process not Found
5804	Process not Found
3304	Process not Found
3636	Process not Found
1920	Process not Found
948	Process not Found
5872	Process not Found
4360	Process not Found
6064	Process not Found
828	Process not Found
876	Process not Found
884	Process not Found
2320	Process not Found
1268	Process not Found
1360	Process not Found
1440	Process not Found
1764	Process not Found
3436	Process not Found
3620	Process not Found
1604	Process not Found
2308	Process not Found
2752	Process not Found
2548	Process not Found
4108	Process not Found
4412	Process not Found
740	Process not Found
3424	Process not Found
3584	Process not Found
1016	Process not Found
2512	Process not Found
2988	Process not Found
1820	Process not Found
1960	Process not Found
4280	Process not Found
1184	Process not Found
4404	Process not Found
4292	Process not Found
5116	Process not Found
5640	Process not Found
5656	Process not Found
5988	Process not Found
5820	Process not Found
1348	Process not Found
5200	Process not Found
1892	Process not Found
4612	Process not Found
3392	Process not Found
5980	Process not Found
5672	Process not Found
3348	Process not Found
2372	Process not Found
5092	Process not Found
1460	Process not Found
1096	Process not Found
1588	Process not Found
1592	Process not Found
1856	Process not Found
3404	Process not Found
2188	Process not Found
4340	Process not Found
5800	Process not Found
228	Process not Found
1932	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	788	SilverClient.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: 33	5812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5812	AUDIODG.EXE
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	1560	explorer.exe
Token: SeCreatePagefilePrivilege	1560	explorer.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2188	StartMenuExperienceHost.exe
1560	explorer.exe
1560	explorer.exe
616	SearchApp.exe
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE
788	SilverClient.exe
1560	explorer.exe
1560	explorer.exe
3492	EXCEL.EXE
4152	EXCEL.EXE
3252	EXCEL.EXE
664	TextInputHost.exe
664	TextInputHost.exe
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE
3492	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 1560	788	SilverClient.exe	91
PID 788 wrote to memory of 1560	788	SilverClient.exe	91
PID 788 wrote to memory of 2240	788	SilverClient.exe	94
PID 788 wrote to memory of 2240	788	SilverClient.exe	94
PID 1560 wrote to memory of 3492	1560	explorer.exe	102
PID 1560 wrote to memory of 3492	1560	explorer.exe	102
PID 1560 wrote to memory of 3492	1560	explorer.exe	102
PID 788 wrote to memory of 3868	788	SilverClient.exe	112
PID 788 wrote to memory of 3868	788	SilverClient.exe	112
PID 1560 wrote to memory of 4152	1560	explorer.exe	114
PID 1560 wrote to memory of 4152	1560	explorer.exe	114
PID 1560 wrote to memory of 4152	1560	explorer.exe	114
PID 1560 wrote to memory of 3252	1560	explorer.exe	116
PID 1560 wrote to memory of 3252	1560	explorer.exe	116
PID 1560 wrote to memory of 3252	1560	explorer.exe	116
PID 788 wrote to memory of 4204	788	SilverClient.exe	117
PID 788 wrote to memory of 4204	788	SilverClient.exe	117
PID 4204 wrote to memory of 2744	4204	msedge.exe	118
PID 4204 wrote to memory of 2744	4204	msedge.exe	118
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 3912	4204	msedge.exe	119
PID 4204 wrote to memory of 2072	4204	msedge.exe	120
PID 4204 wrote to memory of 2072	4204	msedge.exe	120
PID 4204 wrote to memory of 1996	4204	msedge.exe	121
PID 4204 wrote to memory of 1996	4204	msedge.exe	121
PID 4204 wrote to memory of 1996	4204	msedge.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
1⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ResumeStart.xlsx"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3492
- - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ResumeStart.xlsx"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:4152
- - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ResumeStart.xlsx"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:3252
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2240
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --new-window "data:text/html,<title>Welcome Edge Browser</title>" --mute-audio --disable-audio
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x108,0x134,0x7ffa941946f8,0x7ffa94194708,0x7ffa94194718
    3⤵
    PID:2744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:3912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --service-sandbox-type=none --mute-audio --mojo-platform-channel-handle=2200 /prefetch:3
    3⤵
    PID:2072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --service-sandbox-type=utility --mute-audio --mojo-platform-channel-handle=2840 /prefetch:8
    3⤵
    PID:1996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    PID:3288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
    3⤵
    PID:2064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
    3⤵
    PID:4516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
    3⤵
    PID:4028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
    3⤵
    PID:5212
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --service-sandbox-type=none --mute-audio --mojo-platform-channel-handle=5852 /prefetch:8
    3⤵
    PID:1780
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --service-sandbox-type=none --mute-audio --mojo-platform-channel-handle=5852 /prefetch:8
    3⤵
    PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    3⤵
    PID:3232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
    3⤵
    PID:2144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
    3⤵
    PID:5820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
    3⤵
    PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
    3⤵
    PID:5648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    3⤵
    PID:1000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --service-sandbox-type=audio --mute-audio --mojo-platform-channel-handle=5944 /prefetch:8
    3⤵
    PID:5620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --service-sandbox-type=service --mute-audio --mojo-platform-channel-handle=6188 /prefetch:8
    3⤵
    PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16774565796783641657,5640453751167925273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
    3⤵
    PID:1476
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /query /TN SilverClient.exe
  2⤵
  PID:6048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k4ik00pq\k4ik00pq.cmdline"
  2⤵
  PID:2084
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20F8.tmp" "c:\Users\Admin\AppData\Local\Temp\k4ik00pq\CSC4A53366ED89D478D81A0E5D098761147.TMP"
    3⤵
    PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa941946f8,0x7ffa94194708,0x7ffa94194718
    3⤵
    PID:4132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17764384701181636442,17964717621617895044,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    3⤵
    PID:1204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,17764384701181636442,17964717621617895044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
    3⤵
    PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,17764384701181636442,17964717621617895044,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
    3⤵
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17764384701181636442,17964717621617895044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
    3⤵
    PID:3056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17764384701181636442,17964717621617895044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
    3⤵
    PID:4796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17764384701181636442,17964717621617895044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    3⤵
    PID:5216
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17764384701181636442,17964717621617895044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
    3⤵
    PID:1720
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17764384701181636442,17964717621617895044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
    3⤵
    PID:2776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17764384701181636442,17964717621617895044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
    3⤵
    PID:2060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17764384701181636442,17964717621617895044,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
    3⤵
    PID:5212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17764384701181636442,17964717621617895044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17764384701181636442,17964717621617895044,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
    3⤵
    PID:5604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17764384701181636442,17964717621617895044,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3316 /prefetch:2
    3⤵
    PID:3428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5592

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x3f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffaa721cc40,0x7ffaa721cc4c,0x7ffaa721cc58
  2⤵
  PID:272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,4502460225223461399,13936649080663648022,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,4502460225223461399,13936649080663648022,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,4502460225223461399,13936649080663648022,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,4502460225223461399,13936649080663648022,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,4502460225223461399,13936649080663648022,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3736,i,4502460225223461399,13936649080663648022,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,4502460225223461399,13936649080663648022,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,4502460225223461399,13936649080663648022,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5032,i,4502460225223461399,13936649080663648022,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3680,i,4502460225223461399,13936649080663648022,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=1384 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3068,i,4502460225223461399,13936649080663648022,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3912 /prefetch:8
  2⤵
  PID:5664

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5960

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5452

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
PID:2252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5488

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4116

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5988

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4612

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4900

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1284

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
92996a10c5d737c84570ecb88803b324

SHA1
6f6b059363da68706f042bf2b51b40bd4f0897c5

SHA256
734bb93229f5553fa1c31d7127bc046c9c6cc0ebcd15fed90bc8117eec7fc284

SHA512
089be111d5a68736cb3099b49081a290914b076f8df57ecdbd4025d3ceef09191ae96807d436229a841501b55fac18968df04d08d812b771040177d1ef693a7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
8208a6faa4226874bf76e9c350410ee2

SHA1
b7be87b60ae62c2226b4be7a3d99bcdea14d8246

SHA256
1bcec5c8ff6dccc6a676e13d0e9fba3cf842cd12c571c2dc1b3b3f60c4b22681

SHA512
bbc6b0d83595767c5ae19c5285b83203f802b02cc41103115bb43038deec5dc2130b6bfa2b4d00dba92731e11155370329ce329a05a8734284c65b54a9688c6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6f6b98a8-4c0d-4493-a515-0f29a1fd3aa1.tmp

Filesize
8KB

MD5
f82f09660b2d22c0178a940d9290a15b

SHA1
0cc84b625da2099b6fab53bfb4e776dad4a7a701

SHA256
9d0d868c6e85fb3949f1333f615cf7d79afbcc9bddef84c1e1156738efa16888

SHA512
944963487d14a8db990c48221d2dccbc7e66ba8a88369fc7a6706894b7fe28e7c7a76cb13d7f1f6be7fa412575345bef665aab39886ac02daf7e61d2eba1ec38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9ded90a9-d290-4b20-9665-bfcba5c8177b.tmp

Filesize
9KB

MD5
e5c0caf26f92062962c99f3b4a145860

SHA1
0f6218345b3e0822c07b8c176db294f2655d3198

SHA256
8fa874050e592d296d362664136c939b751351cac7b396d63028355ba2788f4e

SHA512
c9a106dda3d8f95e422f7a8acb12fd2f0ff11c7b657398ff7e56f7c692b9b637eeeba145603c0727661a98392706660c5137fd93bffd0a5d464183e5ed2b9c9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4f92db434d955f0baf55ed6efcafc5b0

SHA1
2d048106f1eac4f86a6842cd7d3393a313bda53a

SHA256
f4f2ba7aee4c6bf57b4172b9c54344e90c92cb3814e57dda9b335475b151be43

SHA512
eadd52d18702665e5303f08194b53d7bb265e3e73f232832aacdc93266c0d028a4652acdd54636258ac3b637e65a70bff9cdc563aff6faf16cbac2d1082368f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d1d22a6e8f79b9a2066d12a34bf204ce

SHA1
c991915c37cb7491fe063ae5de48b63dc605596b

SHA256
e8bdc6fdf6d2caa3606e1c8de376bfcc82dd13ce8144ae96daf024a761f975bc

SHA512
b9c7a7c8cd4e6f04f2cd39601f4dcaae0d1d58ad0577c03dfaac2d187c6fe58176d2ef5b71abf7acbeda786d24386b31fdc0eefb66cf6f9810472c87bdce28df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
58d6fc2451cd473f464131cad0d2697f

SHA1
cc6138a3d3bb40b7656cbc3451f981c5ee37798e

SHA256
f4d82acbe7f430405268098ffac7fcc5705a7cb36e429b90a184503ac10ffd1c

SHA512
e7139a745513d705a665908e46e2bd462aca7d5f987aed138b6bcf362a626862b320a00983e82739a23e7239f83b4741f78e5ca5dc3190ce5d84b86509c42bc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d9d3e18d8960509d952e3c0137172cb9

SHA1
07ec08e50fbe6ac1d1f82b838b71c8cf99a677c2

SHA256
2a01dce232498504e55e3043afa62ae2fe11f33365df426b7e5e0cf308180008

SHA512
11e94e4a5cfc751a9ad3dce3dbfcecb946e7a93d3700040c90723a682b8592a6e478d820a4c20ecf32735ea460998b4a35bbe0e04e5b43e3f196e91f21a3f1d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4b90be4c1bd88dba8b105384d9456f92

SHA1
6cefbf4ec577c12a7e5822e2d5132e145a85bfd8

SHA256
cbb10b65b11504fe3ea69b092b3c00da6c11e3df6f285251b492ade817f5538b

SHA512
7a3e8c37c68751cdd5a1b39f30c9b675e11f7dda3e1cd3bfbc7f3d281c5e487e9c7e21a57bbf4322375171a21540ae38e27e9543fc9782721ae2eefd4fd71288

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
70312b6b61724ab8f847df2d85bddf75

SHA1
7900749610204e08992c6fb29ddc405bc9975d7c

SHA256
6f50e9897aba91e0ca6e7bc411ebaf44678ec51742db64a8c745ed0fefdef40c

SHA512
210d7eb8551d4766e06fb82473909492d476082f9e8d3ac3c2b3dfc40e2fae1da21d415f6595dc217b00dccaeb7b67c6d6eb6af221d008560596d027f76fa2cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
039db0db8f31c9b7dd9c7bdff763f092

SHA1
e86b822ecf33deb9f130b29cd9b11a0fa835504c

SHA256
7d81d3ff24729e6c22ea90a25d7c48b90e518536e040e6c5e787b9afdf955733

SHA512
1419886802ef2ebac71accf23d301bce69d2ce32d65d5e6910e483ef81f72f38f9a568239ef6133a01a16399beef37c9ad2ed7efc758fb9533da292830d42e07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
730b310c46119dd0a9a947181474b15a

SHA1
d4c64d925c3a6b40edfe8c908f08ae35c89b59e5

SHA256
0707a1ee098b53a8be65e72f045bbc7a73492ae61a0fdcdd1cc71728f302e1fb

SHA512
f3730af4d06a47dbdd0c4076747f59047c27166306e3badfb5231e4ed8d4a5705ca7370fdfb19d677fa127f493123331a4142efe33ceaa1c2e32a22755fe4c77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee5c07b5b39bfb58c1b401b39cada86d

SHA1
7c25af84e3aca0f44bd74c5a1823254491ebd6fa

SHA256
900f02ca4b436bf18bdf5c1395c6b6fe934960abefb50dcd05728c1fb78e9a1c

SHA512
1593c3c63809fa73463a973add1c14372845d55c2caa950e0ca12048ce17f47d4e5bfd2dffc38b47a3ce4ef257e05d86a2843080e6155e0762ce51541fbbdfa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad64b10dd4d3528f743db54999aa4569

SHA1
81f7fee0d6985bb39020c382047d3a62581e0131

SHA256
ecaee1a610d375cc25337c4231a3a1d6c699ad3dbab1145c724b6a8158fa7e62

SHA512
ebeffb6287184baad5ea774465925fbf4ef06237c4ac3b652c75b18cb95dd2ad00d87345232afcb6f5af5c1b63c9ec74c7b6f61c20f745fc4c7e78f5bd15c7d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cad4c403df6df09babfd62b4c3eed8aa

SHA1
895e3a502c23df88e9ba54992495222e3be116cd

SHA256
e69ab5ba46f47e082f19852000d6c601c89a06801ab4fe1b8436646f247f5904

SHA512
a4969f3d2812f8704679028f317fdd4f05b10d13a95b41fbb1d5be551e44bcab4aa74995cee53233ad826ee9fc8587f57e2fdf6579174e89faac8843c0dc4e1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dadcdb1744f32fc8678aaff4d5919142

SHA1
b90a2bce52c78d24de26254dfb68c98a2c098b8f

SHA256
bd54e19a08ec2f3c7e63532a995b4beffe4cbd14bca0a6c667df4abad7f929ff

SHA512
c78e6d049a95ac2e4f6438465a938aa51fba664b5e5e9c4d0a31335d892f3e653666f953243f4dff2a872822b54d7892113e3d0399edd993483311396755bccb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5eb7c4e13df9b3ac331f3686d80aa259

SHA1
4a8746d26d92e7e79ef67d5c684e8c99cff358b3

SHA256
b8b50b7a5561daf06e622b253c4d90a736f4205832d788b9bb13ad77533c0d89

SHA512
fbf5518c10ef09bd40b005fde7baa26f923fa275208c817a7728574708c770431e3b45fcbd1d5d20782bacc4ce38fba3cb87ac085bf60e436c4dc5ee2665fa90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
36a1d1cc3ccd880bcac1ee589b55b698

SHA1
5bb379e4b352c772631dba26a733ddc63288f2f6

SHA256
222722df4d6af3a9b8deab2dd95a9e81a00f1de0b479bd10b71dff7770cceecc

SHA512
9b32293452c7be11e0105246afd34bfed9a406032b84a21e84a689df91e15c698d0d6369a8b69d1ca5f7ba10e1dce502931c615a6b26f4df5649a2081781db2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
98f356a05c6805d8e04245ce17ea31bd

SHA1
8494a73203db03859588d89935de5571db98caa0

SHA256
68e2d5df0c8e4a36d0502acae7868a8faac31c2fa72ba889dc74578668482b07

SHA512
4d8f9a078439150de807aec7aa034668298fbefd9d9982b941e5a95c6a6aa2a7b8c7adb9d684420bf61f862faaca2251cc643a5744bdb0d7097835e90868b482

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
21d113712243ef775ff5325b0ba21e16

SHA1
7268f8485cfc549c5e09427ea10e9e7b0caa006c

SHA256
38320a7f4b98634bbc3b3e77d57ccd1db2ab0a6563e42896d3eb65830d1ccfec

SHA512
29a54d4bd839f0f4fe13965fd4d0199e0be5ab4b08d17914ee2480109fde76bad5a1cd44bd14d81de9296d19ae54be7fe4033179671ea8b275f497d64e7953d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3998669b787084a7e3ac0e25250c2735

SHA1
b855ea0998e2a7eacb7e78046cfc2bf610fedafe

SHA256
e112497c893d257cd804bd3e768d6a26c09d1cfe04af2a66055d6e6da2dcc90d

SHA512
4750362491f8da92f31e5e7ea6c565c8bc9111880ca019030759742d5372e9ee42e2b5fc51352f4ab107085a66b4abd5e3914ec74696bcf6f10691e481e01b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
331fbbcc35803820ed46da4ed0096ba4

SHA1
8ef633284845c960f94a9fb97f595daaaf5cd7f7

SHA256
e4aacecef378b83c61417524aff2e237e90caf5205febd1ba6e23223600a5e07

SHA512
67cf2efa2be2fd99b828467d710d32793197ac26d958220cce93a927313b5568c701afb2f16a899c209166d161d7342a71d7719cda89869fe79f64a861237e76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
438746a6b8f570733cbaaaa0ca7c1204

SHA1
fe25d642ad49f395c302d02d136b2a326a64d8b3

SHA256
b76c5c6f715c8f93e142ee807d5e8ac6c7b1d09e77c5dee36f99000e5bc094c7

SHA512
9c71e7b024bfc349d3bfc96116f52a7e3330a537c8382db88f4704cece0a6ac7cbcccc338d590d82e71e2faed533e8b01138833ba8248a83a0d422e7dbd31a77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0e40ac32d6a911de72eb3b2ec6fd0b35

SHA1
f03557c3e8a4daeca24e67fcd85626d77e714d69

SHA256
1a15c074ac1ea9c9a3980c25843f7c1f636fbbd5c377984e676237bbf0aab753

SHA512
35c8795b5526a9abd8bd0cf876d710120ce337d361f8f542045ed89dc8067ccf3af212125f425870d5f00cd11e4eb15275b9372d4c1952c5caef47f104381e65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2f12804b2f755a623375ca44553348a1

SHA1
4276f9e3c149a65afef224e3bed4c17addf19c45

SHA256
bf1b25fbf875bf787c1ccc9d4e9f5b3e547da0e44f07887b7d4201ef0e0dd225

SHA512
331ce653a010a36cd5f2aa835370a14926a3b3b77a7a2ebb89ccc035a0414de1078f8d6989ea358f6fb54cc41f97c02c0c2e02fc8a377f9d19de275ca221c013

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5bc83ee1d4fd49f3a26913f294b714d1

SHA1
549162177c265571ae018ad7d7b66252f329035d

SHA256
99ad186d3b24507b7428d1a63609716aa504f9d2659817f1318c85cab8ac2e57

SHA512
3abc1c0634d74b2e104870d930d4fc761edb62d9b4a55b9f6ac80e187712379d70b221e26fdac2488444aca01bb4fbebc0d30ac1905fb7a259faf26ee14ff0e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47409cff3c3081aad69f2c438282b338

SHA1
564153dd76857a056deed47e7aa780e4c6bad1da

SHA256
646d11724eceff70ee6672599a6181bcfdd3e1f0618709de35b7610750fdb814

SHA512
4b479ded34760d367941894be0676705fa94bbb8d6ba120abe9034df5bf4f1f52809ffe0a6479303dde1ff7b322d5695821c4e3c7f3b76144deea416d3f2eddd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ec153746d466f2f96cfa2aa4e3a32573

SHA1
a573bace3ff7598aa7f5941b4d2f2d3f16b3575d

SHA256
08996242f0e5882b1407a6f224a871b68e087f6e1c1fefe9408a38affb624390

SHA512
cf4623d8a6033b51406d043a94f7d984730f533feb141f65700b93bbae0eaf105702d09f01b8d1926417711aa0e0bf040501a355c1a45fc007bcbe269b5e3af3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
77ca2c6edacaf00fb04751775480c467

SHA1
c070a5d6ef06fc291071592ab44aa737421b6355

SHA256
7fc0d1c00e3d2152208dfff4b3be78e6abd028ab074079320c3736a79f7f5525

SHA512
683e7093098ed20f1676a37443a1b05de04b09b37a6cbc160ee4b7d91e7863a4dae87379d421f8d7a29895700ef68dbfeb653a097026becfb89e205e9536f649

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3109c02915a100120dcf13a5e83521d9

SHA1
c7bf9842ac7dae77ab5bf74b4922e85507f84d91

SHA256
c15056ed406c6a04e23d159a408a296a0d2090fafe189cbdde7091062cbcfe74

SHA512
11764a817f84261f889c4f9da38a47d368992e11c0c5ffb74dcb5ee7f4cb8dec16090964563be51411df6aac3226fa061ae968b34770143dd89c89d4573d9be2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
097802a1e21f2b7a2c39fb8652c321e0

SHA1
617c1b4076b148a06d8125b95175ed815550863d

SHA256
9ae860553f22dbcce46b60277f42ad3df50dad6e05aca03dc968d9bd7d1aee7f

SHA512
0fa545e557f6307b855e81ed5f06ea4d82b8e1cdec968b01849bafe81546c67e9cd9e69dc9eec5871356bb1cd42d910608b1d0c02fd49216366f61bf05cb83b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
241KB

MD5
2f42789a2dce7612a78b5c4451cdf1e1

SHA1
e20fe159497172eae7aade3b996dc99ff94ae7ea

SHA256
55de021c03a334ed8aae102fbdd0b064fc82ec90885f6bc99aafea5606092449

SHA512
81a358496dbd96f8fb1beecf0702e8471201c458c432e3cb557301e5a41d38a6fd6d9139d889b3ea663858c8e31c57eb0f8b43f9c28b7715e6830be71026f9d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
241KB

MD5
b6020b77ba8ced0e7e6be08ec5dd702f

SHA1
667a1151cd70e6faca149c7d71bc0cc5850006b2

SHA256
0067c9a579921a0fb7c7708286a3759efd4c3601581624e37609750702ab30b1

SHA512
b5f1720db1517e9bc87bb3ab1272258365460273e2fb7fd1f58f67004b555fe70465f9308ccb38509a0d2f8ef818b8dcc2551bacaa72c5bd86a7f63d4b8ed4b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6ac738763ef5a0b65ed8a3dfa247d8e0

SHA1
fe10f59ea34914112641b108aa9dd8794be625ff

SHA256
1f2f1245727a2817b753440362afb0dcb7219fea8f9fdbabc47cd064e3410ec6

SHA512
4b5e173a6fb942f9e5a9afa4120598a9cb3b5c574995dc590bc1a93e25699fce71adf3be22e5209dd03f84ecb58026f6d1af56b3e5ee8ff423265250221dafd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
290f01199789bc2238b426accf194e2e

SHA1
bdac1ed6dbe3fc35d0fa70beac48c96ea6fa7816

SHA256
fdbfee81f488cf164f951e38fb1398dafc312c36f47a762601ed5bfb755fb34e

SHA512
95614302d8f8ac28da66724f594e5f6568a119d547477fe3cabe4374cf462b2e052aabbff6bc41c5bd80b182ae577b98e003ac9a2c23be22804a85d45b96d189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\252467e1-2176-44d9-bd52-6a7367c31726.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\77f5cedc-d1c3-46da-96f6-8757ba1be50e.tmp

Filesize
7KB

MD5
4019766cdc53da7e38ab9227f00e3bde

SHA1
f4c21500eaa23c83161feeef5e925125ee460a7e

SHA256
468ba154a856cd251da0f8960252304b9eb482de84c6b58b090036bb4b06eea6

SHA512
563941fd6c105e94190cfae8b97f62eae47a207828991a42af00dd77648d1c0497b5dda81fc5d26ba5ec5f097724dd81c3b470c5778cfaa4257fcb63d9dd77ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
215KB

MD5
2ffbc848f8c11b8001782b35f38f045b

SHA1
c3113ed8cd351fe8cac0ef5886c932c5109697cf

SHA256
1a22ece5cbc8097e6664269cbd2db64329a600f517b646f896f291c0919fbbef

SHA512
e4c037be5075c784fd1f4c64ff6d6cd69737667ec9b1676270e2ed8c0341e14f9d6b92fde332c3d629b53ae38e19b59f05a587c8a86de445e9d65ccfa2bd9c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
10d672edd2f1a53ed5dcd5f4349e77c0

SHA1
ddc3b7e8cf4d360dd113260521c1f74d3858b4d8

SHA256
2b5fa271bc3994975d11799c3418f16ef22503ae3887386bbce298a0dea418e3

SHA512
650f36ce66f4859828dc71229178ba8cff1167f95882062d19299b2bf97fdb5bd5d5fa08c139b939045959b4fefb8d23aaa1439ef74e0ace0b2a286e6e403bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
94d38ae000069f0a42bc2cde64702a5e

SHA1
7d5b830c2f3c9d0d519439b4bf4410f1975e5212

SHA256
042ea83837618c59b61ad1e48204ea846b3010b9953cd062c554911a44053105

SHA512
e8bb2ccef84e6d54a31d1336bc2012bb48c538328e7fdaad8a26ae0c09669f4a2f00bb07311e55a2ec6864e50ed71ba32ddc55ab9beb4dd49b63eab746566829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
92e297bb4904f3414fbf7ad9e618756c

SHA1
e8ba2d8abb18ae1af9cbefdb1af27fcc778d7f98

SHA256
25c9a52f538f7560c3d9cfe2a2261eefac85d34bbca5a977758e4aeeee1b6dbf

SHA512
503842e1e23190f3a76f2ce42c93b9e5846718e2fd5cb221aa3df5300e0afebc299c55cc23aa615fe9fdf7a1e8586c8f09be560eb3e7976ddc26ab66f9a23ece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
e4bbcdbfa69443e1dcc156d32fdf449d

SHA1
3a2360fd5843b32d2fdfb933924fdc58ee015a60

SHA256
a42c242bcac4c8cf09d91054457344a6be5d39466461661235607adad9fd2016

SHA512
62adf1c2ca645d96d76e4854698779394aa3615253a76b65789c6a7c885771cd4a4a264d17bc29220253adf2b902e781dbe1765eb78cdb74be8866b3ef65b205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
d061eb300b0b42c661cc0dcdd6439eae

SHA1
2d077b5534569b080c741d8edcc21570dac504c5

SHA256
3ccbb0caedfc6902a0219e91a22734bde64a9a528c8726414943301f451542fc

SHA512
df2d612be24e103182dacfb745dedb23364828d313d579c26745d0e4320c9094e8f9f7db817f288deb9a8439610b2ff1e5ad5040af493a13cbd5c6d55417ae10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
782B

MD5
9f467e36cc8d816009c9c9f8f6e9c194

SHA1
a891851c4b16ac40cf614af14ccd0b152d12ea44

SHA256
5ff4a2e8420a970653d131330dd6f7765ba5c15081e6cdff089fddba8d82960b

SHA512
a174df71afd10d168a72ab63771dc9502c0a694bc4a5d4b2785c72c04bfca3a02269312630476bf326eaaa092620484eed91f0983163e544a8447a35505bf696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
7dba5048eb7228725755bc76c7e1b2f1

SHA1
5cc25797b30c27db6d7a2e181bd9e31e95de5b72

SHA256
69a33c88ceba3a39da0e081298fbad52a5588888a52bb0bdace680f0f19ef83e

SHA512
7259577b2bda33b40ec7a9e7daada9cdfe31186f935c6e0ed952dadc5006050be33139189717cbf027a69bc037cfff911bcd94622f25d1984cf8923774dcea61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f4c6711957013dfda6ae1679d08aae12

SHA1
1fe875be925213b5af59085bf1bbac06b3069eb9

SHA256
0189aaad02105994c819949f4650859859f00db0339fbe9f40defc3bebe0f0de

SHA512
91debf67a13081bce3abb231a8a664cc475c0f4b3a8510d494d259980a64c9814bb28b82b6dce8dafce37bb2abc19f3895d4998101b760be1ae61593f9b399bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0514bd2adfe84bac0f020a5a4e94dd01

SHA1
ab8ae414e5b043693d2253241992414eb3437cea

SHA256
b2732d6a0d4cfe7ef832f45348c2446076605ce15138ce553db44b311fcc97ef

SHA512
495dcb97c15bb963290c7df804557f2c787b898fbeff5e742e39fc4b42b5e608af24576e64f4a625cb1530037fa877913d52f1d082d73e9caedba910020f2b17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1aecef982b2ef0a1bb828e0593db4f5f

SHA1
ab7fa330fe7707a3795b8a4aa50c4ec1f2089f7e

SHA256
0cc0de13e6bd04e9a1ceeb8b9b185c338612728924c8d29134718bf17b90de08

SHA512
a0ec455ba5a6818ef755822fc0134e69a85a0734cd41f2dadd59c5c5ed5b498aa37921f0fd06338b96adbfcca1934e3189b9bad6bfea1f6bcaae0766520993f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5514d52e8a408d237e04e9028a1d20b2

SHA1
16520742d4af637138d45252827d1706609afb99

SHA256
003fabd7154d25341937a0b209b001072cd9dc594117183fe40c6e4e92de22b5

SHA512
04bb3463f26e79e83f4d25d0579cdc294a3b7904be0affd6f30228b519391bc84253ddc4ff29427c3af1a33db6c9a24fccd9820faad6252797f0814b4c64be2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c3d39cee3e1de1e3f535ae58c923c533

SHA1
4dd91729d9f1231601c35296995651b33d405ee4

SHA256
a43b9c9a019225449376bf5ac5403090c23fef08d039134db62a9b75d01e6b8f

SHA512
c1ac47cfa9331b725c9b2e592099c68556443e30e46aa695f9e4c81744aaa19745bf782bb81e4e75f2edf0cc55adde401cdc8635479e0785760a2dcef0be3fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
23f9b7691a5b5cf63d5f18b981ada109

SHA1
6f65a9b1dc4acbcb03552f53aab1d72d6dc9c0ef

SHA256
a017fe59d1e289ac9fc6aa123e4258166cd89a0b34b185fd79e74534a9a46094

SHA512
a0ee5894f92d42cb5aa14ea7843286749a590b8173d36a552ab4e367d2464acc32ef539d74135ce34b7814a6ae7f472ef036fc3a26d3199facc924408fe3149d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f5613392f923940826d3fb0d9f4276e9

SHA1
0a00e168bfae947295caebe7951a851552608d65

SHA256
12b531e9121081de0b804cba7c4803d283dcc4a7c040f071e53d7ad5a0006568

SHA512
d1f9c069ff5cea33faafed63819d3f3ddac217f8bb45fb53a104bad7e94e903daeeaf37ae37ddd1b98765f89b3a08863fcd0788e070672558c59f756fe0f2b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
341ca26984c7e7e4f4c37b22989829f4

SHA1
5bd4a1fb054d8b6567c3aec167da410bf1d83068

SHA256
37458ddd4c2ec033c96c34812523f442201c35a1e6b491d2bbdcf49f6faefdfc

SHA512
fbe701b54cd660f95643c05448f2f89f2dda9eeed26fec46489725848e6859537f84beaba627eb924ea96161fc103c64b728ce2e5da8e049935a42f496b69306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
98bafd5533269c0655ea49ff4b5f9e99

SHA1
0350663d5cd6325bda260d216c63e921471df474

SHA256
5d4f3c4373454a6725389dc45c3ae20bb1802bc4c292a5e38ce2d04a3032163e

SHA512
83003c69cb983276c671d67716a15bd66989a91cceff35fbb7dd48170c2350b34549905217ae10b20bb444b782f59c08dbfd90670bd2f4f05817d5e8f87258de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ff39d0cf6119197bd330572076aa1925

SHA1
0e6cae4d4a081a18f1b2c9be18b495457e6be46b

SHA256
8628097558f9b76930dea86f2afb24e292a70a0154e8b494db2428af648834a1

SHA512
4b88a75740e7f759cf24adca25e0db437f4f9d6904f6ebe115280fa46b3a78c0ee1f9130f833e9be05de32f80c2b79310c636a7ace0282393bfbd7fa0fac0eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c040bd93c4c8ab5ab87b6b9f5c104b44

SHA1
e67da355193af06a0a5f073ce56a703cd0650540

SHA256
63cd6cb9c011e9a5742a74822956e8746c61b1ef31d78a40b87fd2b3709598fa

SHA512
96fdd4543bb5247e72cacf0d8bf8bbb38a0a9593aeaacbf7e642291c2a03b632c55ff2714b66e6941c9919330d539e0d4a21935d118111873c05e20108b5a320

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e924fe5b4edcb0bb584fe33b9f322f81

SHA1
4d970c9114488ab2bb7bbb143084f00f6cfd35e5

SHA256
42626b45b0850bc0c877796877811e443095bd98d7db27c83eb6809a8f444da8

SHA512
e7f2e8bbc9ea3fa7885f2b64686b68f4311e962ab5d6ffcaa8711b3f39382aea3c4f54721cf1172999e79a1dc7f4b498cdc2da0e7339b7f2e1f07f6307f99ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\849f4bf7-446f-40b7-9bf8-71a52962d6e9\index-dir\the-real-index

Filesize
2KB

MD5
e0f5f9d2adb2d8e39c81cca8f61c94bb

SHA1
3e7c321fe66e362fc9f568ef7b3a5ce158afca11

SHA256
01f09be8439f4f8b15bc5f8826c498d7c8c279a76857baa4a924524b4b6009f9

SHA512
201e74e7ee8423b30403adeef1dcc95f96ebe29d7cea0a72b9c31362ac9c30fedca35f62bf740a22ac49f81f477aa507356376b38adad9cbf0a6420e176ca719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\849f4bf7-446f-40b7-9bf8-71a52962d6e9\index-dir\the-real-index~RFe5cba6e.TMP

Filesize
48B

MD5
84c2bee31c1bf51fdf03b1a210fe28e8

SHA1
d8af6b28d3dabb1ccb929bd444e7b2a32bd3cf94

SHA256
e611a5b1e5efd1e16759804086c49dc7f9e95b5ec7f2980ad63771848e015a75

SHA512
cbaf522fc09adaa8fddfb7ac80b1643f99ea70a2f0f74379434c7e1388e26bd5bbf5df7a835045bc3135627c12d4b66c762de24d9079ce1afd3f143aaafcf94d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
115027bf139b3bc6a8fe3dcc75d4a4bf

SHA1
a8f2ac98e535f55e6e6253a57f2a07ece1016803

SHA256
c9938868008969e050f8349eeb8bda196121eabca025caebff41fd49921a1be0

SHA512
636480797c7c77a61f075f5515754c7c5c21fca5207cb86152e01e2642201680bd2a97220b02285dfbaf10a6b5ae29ee95e1d4bf010986308b5d03935b8151ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
530337d8c64f9396e03a253bb14343dd

SHA1
4a967b2deb01164af5ea9e1452e7caaa3df88548

SHA256
3d4e0ebeb13ea01417bb5bd609c11f272bf5afafe1bc1a7f608708be115392d1

SHA512
aec86bd685e530193ea7b49abce72ad3ec25ff2fc813e862c94ffc560cfa8a56b9cc1435ea97bf3879d055d33752683cb700796c2c43206ffb8b9b63938f242b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
c9fb86a4c60aa91c017704073028837e

SHA1
00fab5e233b23724d194af5ec7640b80195f4e11

SHA256
cd4cf7e579121433e1d168b2c8d9e9142391016db1c59475405c86616f48c9f8

SHA512
ed9cff25fbeb0794355ff250cde81afdd3ca8f914ab649ffd6db0cddfff7133b40e3d963f98b65ebfb7a6892106e34b47a3aae4381c9edddd018e5dca3156f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
f98b7bbf7d8deedfee95d59679f0713a

SHA1
6f32396d858fabdfd8c68a3ea8b57d48a8071855

SHA256
b9e26a682a35191911b9b46c67a7bce61d1857a1c4b66da25240ff3910ea27f4

SHA512
78e629be3a4e87f108a1c1ab235e66eb5b7f62852a6f63c20fe8ef81614ac314ed4e961e137c9cd69107724c24622f14902854733514a5b68a5b2c944f11075b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
bdefa3cf325e957de38c1530d792ab46

SHA1
bec033925ae9137c58f01348507a1b3a114daaa6

SHA256
3c1385acff2df155f5c8d943694ab06bc318d22520b1af62e1fb3c72713b9ec9

SHA512
2813e265689ab585b69cce4aef35aa5eddc476fb9545d49c0aa6da99e2d5b06df3311908c6642e2e0687c838169af07745b1ef1d4cf173a30a0fdc4e14e35a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5cba6e.TMP

Filesize
48B

MD5
199fe9762ef6cac77a4c1ad5477c807e

SHA1
e6d367f9d482363d732e8f611adb683722080b9a

SHA256
1f7f7e6eb5fe72ac4011e370c083096ea51ff72074970ae111d165cde9fa7e12

SHA512
deb7929c464fa312bf4a459f3f00f3a2ea4279426e4b6a8a8d290a54d92198763afdde2d8f343121cfe2a703e630a175b645d4949f5fab0cf9ae0cece45af52d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13383336574882677

Filesize
6KB

MD5
018a7de09f492f9da9828d1de2a059e6

SHA1
b0e581444ef22201851389fc99084e8545520cee

SHA256
85f620efdc7eaca1792f22356f71fca59c8dc69d6a4eed37c672b130a13e7086

SHA512
694b380dd2ac3c5958ec9b5b6b582e6e703d8bf46c495e1c7fce6ed1c4e479c06b371dda45eb668f4353f1198b4faf8d201858ab9003ba30673850a6bd7d8b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
100B

MD5
613a5cd82b1767378999207477f88e84

SHA1
b0c66e125178fc683e207f738acd2acc3d59da2c

SHA256
311389f0fd827d9f1b52f7378674607228abb6418231153241595373a99b21f8

SHA512
297a775e48519f55249cb8dda02ebbe833e728c9b643260f32b01ce7300a3f4fe58a62e61c4e3b3ba36d05fbeb570207082c8e33a35e9caf5deaa139f0eca388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
91ac275fd09c9b57d813ae249268825d

SHA1
504e9fc994defc171eabd786cda5120458a7b320

SHA256
b524d0464cd7a1f68b566b3dd1dd48d5c377d049d8838c016b343ec4a2fda819

SHA512
6b2dbf028ff6f02ebada7c438058697fb77e2da58f96baa0dc0c80bb0f186449ad3a5308f155af14ca716db0dced20681859788f67edbc20b1031871a9cf9aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
500ed1f0679dcb0ed544637ba1469a5f

SHA1
4512743ecdd9a80f57e68488cefa7b780445cdaf

SHA256
cededeedabda47e0efc6f1bc0a3b9e299910b04fd39264ff7652d3de3f71b7be

SHA512
772e30eb76d8c854cb84729f548ace944e428e52b21336fbe36654ef670d420de36849574c6acca9c20add2994191db350f5947e43d3782acb36713cb6bcc658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
348f63e0394ef7cc7418b9dca82cdba1

SHA1
2941087ad668e85997e31e23ff39df4c8282a546

SHA256
1c84fa7fd12808569e6388fad8bf7de53a4c018100ef058c9014bc33601f3498

SHA512
50fd2dba90c9db954ba4bdeebdce0d90b7e8161df82250267de6f9a67c0a38af111af609d447943401a5826a7e43bd7f8bad5d777350695fed39ebc38ebbdd11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
be1e95cfe2f2806b66b8dc2aeb6e334d

SHA1
b71916ace42aa5c71f234ec0f1855efe479ea6af

SHA256
3a79d23bc7ad6b17bd656248edadea3747f6c57979ee7f883e539557be8d6408

SHA512
d3d66401b94b0872ca103204740c51f36fb905d6f2674d6c832f0287aa0b8dfd56a0bd052eb1c7d6887963ffe9225861a5826e4cadd4db1e85c675d8c3331897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
ec86a4f02f8e7cc5c3e36857fc8622b3

SHA1
1db3ae5b170f37d9ea90424eb505594cfb9bdd71

SHA256
d5ca8500eb5b02fc2c7ea68e6c74086bb473647c2ba220d34188f86d08dae27f

SHA512
7b8ca6fd98c7dc027cb7ef27d15654315b0ea9fd7c2fafb9b882b9c2142dd38661a02ef399380965c1dbb6242679d8b52504292d28f7e02573b24f84c386b90e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2a74877db64557ef7a5b64c5d2c91a93

SHA1
1b2dabbae7aabce8c4c1adb2c16253cc6aa98873

SHA256
ee78ed5914f0e1aa04c484f4ce6f09983c097afcae3f2b441e7d74ca17a3dc8e

SHA512
28c911159e2b0cbd96ff4b2325a81758cd7256c47a30ba37772896cf8bdad9e50e860d5f19437d809c591bf016b5b86d4231509355a17e12cecc96137cb22552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
31ef5506d803f8a055bcbeee4d83dfe9

SHA1
7cc5fdc70891bc48df9a792803b478c083695592

SHA256
0e5681b89eb29f133f2ca595a6e9e9fac61ab81ad00532b26ccaa6914fde4ab0

SHA512
0b81ec741328584f5042fa571d5ebea810413abb234dc629da1d47b9210e4c0a5c682e072e3ebcf2d4ab247a4fc3cfee40b4a364a77888ab6fb25151247d92ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8ca9a7c2dac1ce3d06bb7d651782e921

SHA1
0374a273e33afddc6b895d81ade38f660bbf8d95

SHA256
10b1dcdf64a9e3eaf818572ed22eb3d38c39199093591d94265fbd01725130fd

SHA512
d94909d61d772eb0eccac76c4a6acc433074a83e2f61ebae6ead02d12a542fce82fedd117583cdbcc25f44a269768b40aa3296f4e1ec95cc627fa1e352f24a48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
a9074e6854f42d642d1f5e5e65f9a945

SHA1
ed0ee99d11d84f51f2b7981f2ca74eaff7ffc4f9

SHA256
539dc2df970b96466e2e850002cdf94e3aac450369831fcb649766fae1ee72cd

SHA512
54b40553e6d44adc1b453becd20c298b86e9052a8c947ab4ffe3f627d2ba31c3765937f7331de96092767db1a1416f1652e8275d5641d5fafd15ea2de4f136a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D0CC3011-DFCE-45E6-9E25-CBF93EC67C8D

Filesize
177KB

MD5
5733e7a1d48581a1aa0401640c176841

SHA1
b250b6ccbd7e221277f52b39dfc2f21c1550b8e0

SHA256
e45628fd89fb1701436d053e10af0312773945f7495dd3b25361538a937834f9

SHA512
a3be0062a72f19cb18ade801e6b147c895391379353d78c4c29567889f0681471ea0919abd94e97a831392965d63ce3d28ce902dbb6f532cd70c3cef714e6196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
321KB

MD5
b2f6e37b9e2ecb984da45b0bc3236fc7

SHA1
b890bed54918fe99428a313d0eed671241444bf0

SHA256
a9b0808bf6ad5d3ce667bf32d759c4548bd88bf0e00b5e866395e1da2b1604c9

SHA512
6a0257ce8dfab8cfcff2d952b1f455876984fd3d6e46ca031a39122f7557184dcc9e7b0866c8c802627b3e84bf2992ed2a54499bfa7e40e7faeaaf156cddc478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
12KB

MD5
103d4761b604f0f6a4ac02bc22afd944

SHA1
b7fa8678e85e4c545a961b8ca70dff1e5a77f1ca

SHA256
dfa24f6d14da8c0a6e7712604a9caf3a449f7465217900b296534d25aceefddc

SHA512
ebae5a27251f7e49449bc34a3502c5936aa6450b60eb9b1fa8e31308f890ac0df3044d7cd675602b9e66b98911ac6a5912d7ec16b1e05a55ce2606d478f1a009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
16KB

MD5
523674cf99aa91a6530b4d6cecb60159

SHA1
bb3fbdecfc57c1e4e13518fc56f9b8618e99505c

SHA256
38d932ea0a3c6dc3718efd551b2779ce71a786be52653ba7754941876997ddf8

SHA512
e1b7e81b771ef6abd73d3f248ac6c9712ef40d52eff54adb0e14070b93d72e44995e8bb780535bd154c60a56dd6a69acb8498e95f93d8a0edbedd2af684397ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
ab7760ef89b142e36f90e6cf5c55035a

SHA1
2e343dff477bb313e6c265f66b6c0b8510d750eb

SHA256
3ecf90d859ea76b51a1633b8ca989645baf59507710429ef6d450de944cfcd54

SHA512
72595f575f8cc6bdb6de20468cbb7e6a51832e0868fd6b34bdc5232c674f1e24de26b6e2256d6075a408df9a0801a8e572dc4dbe0204c117f86db6b79d097f6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
ee3fead055e89de66c770f93e455891b

SHA1
e4527544021a10c276b43d066b4723940ff13b52

SHA256
703006e905a00d057748352d427f3d389598d1d8c4878a38d488187693fcc84e

SHA512
7c92105c091b18ac788c9751a672d8c164ad98f8e4a14590c78e4066e5e64048c535009dab744a251b48859e3edf9dca50626b0df837ac49bf4c90428927fd9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
414KB

MD5
ab79489e9704fc9cc9d8bee4f8e17ec5

SHA1
b2e19a89b43d537bb5b02ee9ca2418f027259c1e

SHA256
4d71760d6f3159849068b635ab4c39b9b747d899f03670533971a62d262c264e

SHA512
60d11ee023b9a045c4b59b88311f001fcf4856e27837a1ffd6ecab0203e5199ee077d85c5217e0f0b94e0bff93b14c3680816b6fbf9d42ee2eff5c23d9a13edd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\FPMDI6CZ\microsoft.windows[1].xml

Filesize
1KB

MD5
97ce53a7d4d76d165a4ef1abeabafe4b

SHA1
d503eba464d4bd3bb4a13c00906f8d85b8690ed2

SHA256
c812a8203fbb75161f9958a6621f5bdc90285780b8245d29179edb43a83c1918

SHA512
6dbbd7e4e2f794c98b3771d8ef903afe2e24bd79b7f5183865a582e35cf8b4fd68d93e3585fe60c7a0eef2c8ec5911d9a0d9ae0f0eca532bc98115d652059916

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{2F519BF2-C697-59F8-8F6A-1E19509CE66B}

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe

Filesize
36KB

MD5
406347732c383e23c3b1af590a47bccd

SHA1
fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

SHA256
e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

SHA512
18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{60b33735-f417-4c8d-a931-1bc4daafac81}\Apps.ft

Filesize
41KB

MD5
23910e25bbd723c35c6302dfad660874

SHA1
6e3aeedae807221c0294d399540c3cbf3f5482df

SHA256
b8374a4dfdb67379ad2dbcbc8ac022355aa71a6f665784d510b2ff7a8df15163

SHA512
83ef8220ea49abe3ca8d200944fa70a3489a83a11d363b38861a5c6c0df610cf5f3e1de52d010397f068da9dc00a0c5a340e461ab9a4a3c8932a95aec855ee35

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{60b33735-f417-4c8d-a931-1bc4daafac81}\Apps.index

Filesize
1.0MB

MD5
ac0db37743b95375d20d717987e96a3d

SHA1
6b4421bdfea386d2cdfd089db76fbb419fb65d34

SHA256
bf7e9ffa4733d214ab48493802e5bcdc878f8d32688c0379255a5bfdae3850d5

SHA512
ad5eb1a11613176342cb4c943da71ef8bb250437dcc806d0f1d40955934be33de21a4e061f812bf7d407e42671a64a84e541e1f2cb3a012bbc6e8ae016e5f9a9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ff9b2f5d-979d-4170-87dc-0694496cde86}\0.0.filtertrie.intermediate.txt

Filesize
30KB

MD5
a1819453b7b750c26e92ad7cba12dba8

SHA1
dac2f1c9a122c73ac166532a541b9c1318df4e5c

SHA256
998772a6e01abdea69cf6cc6c9dd18be6232009e341354005b8f317d55eda301

SHA512
82df0d9b9cc1c9ea61445e3e0aa727eb93c96a0a51704418f9924405346efad9a21fdb6366627edad84651320f3b11325223147869951158ad9c62da7f4eaf3d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ff9b2f5d-979d-4170-87dc-0694496cde86}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ff9b2f5d-979d-4170-87dc-0694496cde86}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133833363003455655.txt

Filesize
83KB

MD5
d22bc4e5feb84322ac45fb5ddee0387f

SHA1
543bb49fd5e0f167377b604b348a07d4c3d5b8ad

SHA256
5008cccef212db2342e07dbe08f6a3f85c98171018b9c0ac425ca31a41fbae5f

SHA512
f9425377c0b50a84d894b1d0f39892534dd9ca3433b6ac741d509d4fd6eac3371108f6820fee089ff670700ee340cf7f983f53b5b88f2369bdb94d81a4e08929

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES20F8.tmp

Filesize
1KB

MD5
c54378774fd450bebd95a47048f57b1a

SHA1
74504ca53c931ba37c6d1f656060b17c919b3054

SHA256
9c277e532b789531887642d84fb601680dc4df1f6f9e8240f142413781fea7ce

SHA512
8b888b9229ef5ff2738bff69d52fc3cb710f40b2675658a783dd9dae30f78c783d23e97dd2e33b0bcf165f131f82cd368302a4d05367beee05ef026196c28a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4ik00pq\k4ik00pq.exe

Filesize
3KB

MD5
b349e5692c8ca05f5b7bcdd561c46a51

SHA1
4757885e4301fd3e43ad9abda51cf49ea1342bb4

SHA256
d90de56ebcc758b8d5d0c9c4c1f3a77de50efea30b90d8555480699862088e65

SHA512
ab629d48a59c5d0be521a2aa083f478273574310c555417ce79dadfe14b2316ac4de59d0e2d0aa5303ffb9847322c7f410da7a555ad9e27a48477643a8c27ca0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
301B

MD5
30410078e5c742978b3e76999a41875d

SHA1
54cea0abd87988efda0b950b2f831c15f93acd6d

SHA256
117a96d81a0b13544d40912d2f114efae90525ecc18a20d634866aa4c30417e3

SHA512
48d9a64542b2a9c2478a643763ac666e5729bb85dcb5a2019ec58af6a65148adac6f7970bba2e3aed2bc9b941cd0f7fd1ef1695c59b7cf71886d23497a75f109

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
5KB

MD5
ba23b5c35bd58f1f5b51deacc572d90c

SHA1
b9956f31ae45b1048548f83f6d8d07df5ef53ee3

SHA256
edfbd6b98d287cabc6655d2d4e740d95ad5ea7cd1315715d1f9156a57e92739b

SHA512
3e3b80f04f842676084dbf7087320a2a13731fd0417b84843272b6cf0a6100257c5f9c216142d5fb545ffd6574ebc4ff66c0dd006e56cb284140b90db887e0cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
5KB

MD5
720f1ff4aa38bd0e368b303ece13d256

SHA1
67de5939ecf6a87aad68f5d7ef16d5dd602f953c

SHA256
e15655f8c5b55671d95e161effbf2b8e03a2d857af7933413536c6a39dde422f

SHA512
6c26b9816667d7c01fe482e90c3bb0c398c67264612e7c88ebcd3d641d0c16b1b95e2580c9fcfefa327763998b17f8d7721249ffb2716935449b1ad4c1826d95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
5KB

MD5
c8711a2aabd44da7a729ce39a0300069

SHA1
da5580cfb5e6128696d5be6c02f92b248ad94f17

SHA256
3a40c768cf9069b80c7574b4acdff56d89cbef96fecf7fb96923d3db0d3f62cd

SHA512
aefd4aad317fb0f99425cd4b66d92ca7ecedbf7a93f9dcc4cdc7a7368b5846e5c392f40bdcfaff6b89bd2db842c420060b9f67a1c4844cf5fca4cd186681058b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
eee1b0e107b20eb9c06ad41c581d54b9

SHA1
bd276023e9d64e0edfb0bde88b65bbdb6965ff0f

SHA256
2cede9ba503a546fba0be09651a782adfa894ee60b82d7902cc1ac64bea3719a

SHA512
e5ba8ebbccb032ed67e51173ba867136c1a6c00fe89d002427c8dff2a5e33277791a60e04b13c2518c68a1e4dac18f97710726ccf86116b4d0dc29dd34898f42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k4ik00pq\CSC4A53366ED89D478D81A0E5D098761147.TMP

Filesize
1KB

MD5
9bc3b7bcd01ee00a90ec98bca25d0751

SHA1
f3a25a994ed680aa4a72a8b885aa18e16daf50b4

SHA256
7eb28d84456ff6fae1d4f1b20b284a7b521f6c8dbea8573ac7f2af83b0fb0960

SHA512
81b63f08cc00ce1690aafc9d1b06d23f07425b0bc9146c080917809eaf0cf375d69991ce5578801e9f61fa4ce272d370f2f244435f3241a5ffc45bc9ba15b69b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k4ik00pq\k4ik00pq.0.cs

Filesize
286B

MD5
0a5659e1f3fce6725172e1ebe051b8ba

SHA1
85bfc4133bf2458a02a11f342cea4b5315ded013

SHA256
1e1c13e27911215252573bcb9085effdaef891eeb50245d51640923aa0a58588

SHA512
9f8d32be4ea26a9b93a41f96cddcdd2349a278903af404e417e7727640904f14243a185fd11e8cd1e5b9185877d5b568cfb0beb1c3ab4e03d44e6b9445638eef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k4ik00pq\k4ik00pq.cmdline

Filesize
334B

MD5
c1e785878bee2104915f88511a9b4933

SHA1
3686966bab70a09e1292f7e1485c5b84a780b333

SHA256
2d880dcfc19dda4178f94f4fba2378430a150432e8434a8614b1c35413d5e0e6

SHA512
45e3b63c6e6203afa79c363c0fe0895dfad3701064a1975adaa778e4e4b79fa7c8de0a0a267f0d3d2ab241caf9a426cd34000143bb644523c7f1d97b04f92204

Download Submit
memory/616-1450-0x000001F777310000-0x000001F777410000-memory.dmp

Filesize
1024KB

Download
memory/616-1448-0x000001F777640000-0x000001F777660000-memory.dmp

Filesize
128KB

Download
memory/616-11-0x000001F75A500000-0x000001F75A600000-memory.dmp

Filesize
1024KB

Download
memory/616-129-0x000001F76DD20000-0x000001F76DE20000-memory.dmp

Filesize
1024KB

Download
memory/616-43-0x000001F75C140000-0x000001F75C160000-memory.dmp

Filesize
128KB

Download
memory/616-1447-0x000001F777640000-0x000001F777660000-memory.dmp

Filesize
128KB

Download
memory/616-27-0x000001F75BE70000-0x000001F75BE90000-memory.dmp

Filesize
128KB

Download
memory/616-1453-0x000001F777660000-0x000001F777680000-memory.dmp

Filesize
128KB

Download
memory/616-1452-0x000001F777310000-0x000001F777410000-memory.dmp

Filesize
1024KB

Download
memory/616-58-0x000001F76F080000-0x000001F76F180000-memory.dmp

Filesize
1024KB

Download
memory/616-1340-0x000001F7720B0000-0x000001F7721B0000-memory.dmp

Filesize
1024KB

Download
memory/616-1101-0x000001F7720B0000-0x000001F7721B0000-memory.dmp

Filesize
1024KB

Download
memory/616-44-0x000001F75BE90000-0x000001F75BEB0000-memory.dmp

Filesize
128KB

Download
memory/788-274-0x00000000033D0000-0x00000000033E2000-memory.dmp

Filesize
72KB

Download
memory/788-2-0x00007FFA99820000-0x00007FFA9A2E2000-memory.dmp

Filesize
10.8MB

Download
memory/788-210-0x0000000001820000-0x000000000182E000-memory.dmp

Filesize
56KB

Download
memory/788-215-0x0000000003270000-0x0000000003292000-memory.dmp

Filesize
136KB

Download
memory/788-2006-0x00007FFA99820000-0x00007FFA9A2E2000-memory.dmp

Filesize
10.8MB

Download
memory/788-216-0x000000001CFF0000-0x000000001D01A000-memory.dmp

Filesize
168KB

Download
memory/788-0-0x00007FFA99823000-0x00007FFA99825000-memory.dmp

Filesize
8KB

Download
memory/788-873-0x000000001D090000-0x000000001D098000-memory.dmp

Filesize
32KB

Download
memory/788-207-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/788-860-0x000000001D070000-0x000000001D086000-memory.dmp

Filesize
88KB

Download
memory/788-5-0x00007FFA99823000-0x00007FFA99825000-memory.dmp

Filesize
8KB

Download
memory/788-6-0x00007FFA99820000-0x00007FFA9A2E2000-memory.dmp

Filesize
10.8MB

Download
memory/788-217-0x000000001D020000-0x000000001D076000-memory.dmp

Filesize
344KB

Download
memory/788-1-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/788-1646-0x000000001D1A0000-0x000000001D1C0000-memory.dmp

Filesize
128KB

Download
memory/788-7-0x00000000031F0000-0x0000000003208000-memory.dmp

Filesize
96KB

Download
memory/788-1618-0x000000001D190000-0x000000001D19E000-memory.dmp

Filesize
56KB

Download
memory/1560-10-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/3492-158-0x00007FFA77FB0000-0x00007FFA77FC0000-memory.dmp

Filesize
64KB

Download
memory/3492-161-0x00007FFA77FB0000-0x00007FFA77FC0000-memory.dmp

Filesize
64KB

Download
memory/3492-160-0x00007FFA77FB0000-0x00007FFA77FC0000-memory.dmp

Filesize
64KB

Download
memory/3492-159-0x00007FFA77FB0000-0x00007FFA77FC0000-memory.dmp

Filesize
64KB

Download
memory/3492-162-0x00007FFA77FB0000-0x00007FFA77FC0000-memory.dmp

Filesize
64KB

Download
memory/3492-165-0x00007FFA75A80000-0x00007FFA75A90000-memory.dmp

Filesize
64KB

Download
memory/3492-166-0x00007FFA75A80000-0x00007FFA75A90000-memory.dmp

Filesize
64KB

Download
memory/4152-255-0x00007FFA77FB0000-0x00007FFA77FC0000-memory.dmp

Filesize
64KB

Download
memory/4152-256-0x00007FFA77FB0000-0x00007FFA77FC0000-memory.dmp

Filesize
64KB

Download
memory/4152-257-0x00007FFA77FB0000-0x00007FFA77FC0000-memory.dmp

Filesize
64KB

Download
memory/4152-254-0x00007FFA77FB0000-0x00007FFA77FC0000-memory.dmp

Filesize
64KB

Download