exelastealer | b72330d80e92063db94fb321e42789dd870b8580d40d44ef17c77ee6b23cc5d1

Resubmissions

17/03/2025, 09:19

250317-lajz9swvbv 4

14/03/2025, 20:12

250314-yy3tha1rs4 10

Analysis

max time kernel
135s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
14/03/2025, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

free.panel.rar.html
Size

9KB
MD5

87eed16d3517b84785e333076f2f1db1
SHA1

9cf5fa92b7c84b583760e64b71df8e28fd54d891
SHA256

b72330d80e92063db94fb321e42789dd870b8580d40d44ef17c77ee6b23cc5d1
SHA512

95d08591cd029d8455f489839dc034dba96a68674f477281fb82b57e8fa76f69756aad911bb2681776cf3280072bde767f59129ab006a4a874f54b32d1c1158b
SSDEEP

192:WHQs+W33+IQZBftXI3AXSIdSrHhAEtwFlQYx+bPiqlc2Db1:WHQs+23+nZBftGeh6HgbWPlc2Db1

Score

10^/10

exelastealer collection defense_evasion discovery persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2080	netsh.exe
5628	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5104	cmd.exe
5220	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
4624	OperaSetup.exe
4648	setup.exe
568	setup.exe
2232	setup.exe
5280	Assistant_117.0.5408.35_Setup.exe_sfx.exe
4964	assistant_installer.exe
3720	assistant_installer.exe
460	sorgupanel.exe
2136	sorgupanel.exe

Loads dropped DLL 39 IoCs

pid	Process
4648	setup.exe
568	setup.exe
2232	setup.exe
4964	assistant_installer.exe
4964	assistant_installer.exe
3720	assistant_installer.exe
3720	assistant_installer.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe
2136	sorgupanel.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
63	api.gofile.io
311	api.gofile.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
206	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4804	cmd.exe
4496	ARP.EXE

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
5468	tasklist.exe
4164	tasklist.exe
4488	tasklist.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2136-1956-0x00007FFBB0460000-0x00007FFBB0A48000-memory.dmp	upx
behavioral1/memory/2136-1958-0x00007FFBCE190000-0x00007FFBCE19F000-memory.dmp	upx
behavioral1/memory/2136-1957-0x00007FFBC3A40000-0x00007FFBC3A64000-memory.dmp	upx
behavioral1/memory/2136-1959-0x00007FFBC3970000-0x00007FFBC3989000-memory.dmp	upx
behavioral1/memory/2136-1960-0x00007FFBC7FC0000-0x00007FFBC7FCD000-memory.dmp	upx
behavioral1/memory/2136-1961-0x00007FFBC3920000-0x00007FFBC3939000-memory.dmp	upx
behavioral1/memory/2136-1962-0x00007FFBB3720000-0x00007FFBB374D000-memory.dmp	upx
behavioral1/memory/2136-1964-0x00007FFBB16C0000-0x00007FFBB1833000-memory.dmp	upx
behavioral1/memory/2136-1963-0x00007FFBB1FB0000-0x00007FFBB1FD3000-memory.dmp	upx
behavioral1/memory/2136-1969-0x00007FFBB1EC0000-0x00007FFBB1F78000-memory.dmp	upx
behavioral1/memory/2136-1968-0x00007FFBC3A40000-0x00007FFBC3A64000-memory.dmp	upx
behavioral1/memory/2136-1967-0x00007FFBB00E0000-0x00007FFBB0455000-memory.dmp	upx
behavioral1/memory/2136-1966-0x00007FFBB1F80000-0x00007FFBB1FAE000-memory.dmp	upx
behavioral1/memory/2136-1965-0x00007FFBB0460000-0x00007FFBB0A48000-memory.dmp	upx
behavioral1/memory/2136-1970-0x00007FFBC1570000-0x00007FFBC1585000-memory.dmp	upx
behavioral1/memory/2136-1971-0x00007FFBB91A0000-0x00007FFBB91B2000-memory.dmp	upx
behavioral1/memory/2136-1972-0x00007FFBC3970000-0x00007FFBC3989000-memory.dmp	upx
behavioral1/memory/2136-1974-0x00007FFBB1EA0000-0x00007FFBB1EB4000-memory.dmp	upx
behavioral1/memory/2136-1976-0x00007FFBB1E80000-0x00007FFBB1E9B000-memory.dmp	upx
behavioral1/memory/2136-1975-0x00007FFBB0DE0000-0x00007FFBB0EFC000-memory.dmp	upx
behavioral1/memory/2136-1973-0x00007FFBB90C0000-0x00007FFBB90D4000-memory.dmp	upx
behavioral1/memory/2136-1978-0x00007FFBB2470000-0x00007FFBB2482000-memory.dmp	upx
behavioral1/memory/2136-1979-0x00007FFBB3720000-0x00007FFBB374D000-memory.dmp	upx
behavioral1/memory/2136-1983-0x00007FFBB2410000-0x00007FFBB244F000-memory.dmp	upx
behavioral1/memory/2136-1984-0x00007FFBC7F40000-0x00007FFBC7F4E000-memory.dmp	upx
behavioral1/memory/2136-1982-0x00007FFBB1FB0000-0x00007FFBB1FD3000-memory.dmp	upx
behavioral1/memory/2136-1981-0x00007FFBB16C0000-0x00007FFBB1833000-memory.dmp	upx
behavioral1/memory/2136-1980-0x00007FFBB2450000-0x00007FFBB2465000-memory.dmp	upx
behavioral1/memory/2136-1986-0x00007FFBC7CB0000-0x00007FFBC7CBA000-memory.dmp	upx
behavioral1/memory/2136-1985-0x00007FFBB1F80000-0x00007FFBB1FAE000-memory.dmp	upx
behavioral1/memory/2136-1987-0x00007FFBB00E0000-0x00007FFBB0455000-memory.dmp	upx
behavioral1/memory/2136-1991-0x00007FFBB23C0000-0x00007FFBB23E6000-memory.dmp	upx
behavioral1/memory/2136-1993-0x00007FFBC77D0000-0x00007FFBC77DB000-memory.dmp	upx
behavioral1/memory/2136-1992-0x00007FFBAFA70000-0x00007FFBB00D8000-memory.dmp	upx
behavioral1/memory/2136-1990-0x00007FFBB23F0000-0x00007FFBB240C000-memory.dmp	upx
behavioral1/memory/2136-1989-0x00007FFBC1570000-0x00007FFBC1585000-memory.dmp	upx
behavioral1/memory/2136-1988-0x00007FFBB1EC0000-0x00007FFBB1F78000-memory.dmp	upx
behavioral1/memory/2136-1994-0x00007FFBB2380000-0x00007FFBB23B8000-memory.dmp	upx
behavioral1/memory/2136-2019-0x00007FFBC4B00000-0x00007FFBC4B0D000-memory.dmp	upx
behavioral1/memory/2136-2035-0x00007FFBB2470000-0x00007FFBB2482000-memory.dmp	upx
behavioral1/memory/2136-2036-0x00007FFBB2450000-0x00007FFBB2465000-memory.dmp	upx
behavioral1/memory/2136-2037-0x00007FFBB2410000-0x00007FFBB244F000-memory.dmp	upx
behavioral1/memory/2136-2050-0x00007FFBAFA70000-0x00007FFBB00D8000-memory.dmp	upx
behavioral1/memory/2136-2085-0x00007FFBB2380000-0x00007FFBB23B8000-memory.dmp	upx
behavioral1/memory/2136-2084-0x00007FFBC4B00000-0x00007FFBC4B0D000-memory.dmp	upx
behavioral1/memory/2136-2056-0x00007FFBB0460000-0x00007FFBB0A48000-memory.dmp	upx
behavioral1/memory/2136-2074-0x00007FFBB2470000-0x00007FFBB2482000-memory.dmp	upx
behavioral1/memory/2136-2073-0x00007FFBB1E80000-0x00007FFBB1E9B000-memory.dmp	upx
behavioral1/memory/2136-2069-0x00007FFBB91A0000-0x00007FFBB91B2000-memory.dmp	upx
behavioral1/memory/2136-2068-0x00007FFBC1570000-0x00007FFBC1585000-memory.dmp	upx
behavioral1/memory/2136-2064-0x00007FFBB16C0000-0x00007FFBB1833000-memory.dmp	upx
behavioral1/memory/2136-2057-0x00007FFBC3A40000-0x00007FFBC3A64000-memory.dmp	upx
behavioral1/memory/2136-2101-0x00007FFBB00E0000-0x00007FFBB0455000-memory.dmp	upx
behavioral1/memory/2136-2110-0x00007FFBB2450000-0x00007FFBB2465000-memory.dmp	upx
behavioral1/memory/2136-2108-0x00007FFBB1E80000-0x00007FFBB1E9B000-memory.dmp	upx
behavioral1/memory/2136-2103-0x00007FFBC1570000-0x00007FFBC1585000-memory.dmp	upx
behavioral1/memory/2136-2102-0x00007FFBB1EC0000-0x00007FFBB1F78000-memory.dmp	upx
behavioral1/memory/2136-2100-0x00007FFBB1F80000-0x00007FFBB1FAE000-memory.dmp	upx
behavioral1/memory/2136-2091-0x00007FFBB0460000-0x00007FFBB0A48000-memory.dmp	upx

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4984_1216983401\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4984_1954756234\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4984_1954756234\protocols.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4984_1954756234\manifest.fingerprint	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4984_1216983401\manifest.json	msedge.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5580	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\OperaSetup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\sorgupanel.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x002500000002af50-1467.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_117.0.5408.35_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3488	cmd.exe
5264	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
5692	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1268	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
228	ipconfig.exe
5692	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5244	systeminfo.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
3136	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133864567689881875"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-994669834-3080981395-1291080877-1000\{23D71A26-957D-49D2-ADA8-D545B178516C}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-994669834-3080981395-1291080877-1000\{9AA44599-90CB-4D45-A9C0-048387D798EA}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\OperaSetup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\sorgupanel.exe:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5220	powershell.exe
5220	powershell.exe
5220	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5524	WMIC.exe
Token: SeSecurityPrivilege	5524	WMIC.exe
Token: SeTakeOwnershipPrivilege	5524	WMIC.exe
Token: SeLoadDriverPrivilege	5524	WMIC.exe
Token: SeSystemProfilePrivilege	5524	WMIC.exe
Token: SeSystemtimePrivilege	5524	WMIC.exe
Token: SeProfSingleProcessPrivilege	5524	WMIC.exe
Token: SeIncBasePriorityPrivilege	5524	WMIC.exe
Token: SeCreatePagefilePrivilege	5524	WMIC.exe
Token: SeBackupPrivilege	5524	WMIC.exe
Token: SeRestorePrivilege	5524	WMIC.exe
Token: SeShutdownPrivilege	5524	WMIC.exe
Token: SeDebugPrivilege	5524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5524	WMIC.exe
Token: SeRemoteShutdownPrivilege	5524	WMIC.exe
Token: SeUndockPrivilege	5524	WMIC.exe
Token: SeManageVolumePrivilege	5524	WMIC.exe
Token: 33	5524	WMIC.exe
Token: 34	5524	WMIC.exe
Token: 35	5524	WMIC.exe
Token: 36	5524	WMIC.exe
Token: SeDebugPrivilege	5468	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5524	WMIC.exe
Token: SeSecurityPrivilege	5524	WMIC.exe
Token: SeTakeOwnershipPrivilege	5524	WMIC.exe
Token: SeLoadDriverPrivilege	5524	WMIC.exe
Token: SeSystemProfilePrivilege	5524	WMIC.exe
Token: SeSystemtimePrivilege	5524	WMIC.exe
Token: SeProfSingleProcessPrivilege	5524	WMIC.exe
Token: SeIncBasePriorityPrivilege	5524	WMIC.exe
Token: SeCreatePagefilePrivilege	5524	WMIC.exe
Token: SeBackupPrivilege	5524	WMIC.exe
Token: SeRestorePrivilege	5524	WMIC.exe
Token: SeShutdownPrivilege	5524	WMIC.exe
Token: SeDebugPrivilege	5524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5524	WMIC.exe
Token: SeRemoteShutdownPrivilege	5524	WMIC.exe
Token: SeUndockPrivilege	5524	WMIC.exe
Token: SeManageVolumePrivilege	5524	WMIC.exe
Token: 33	5524	WMIC.exe
Token: 34	5524	WMIC.exe
Token: 35	5524	WMIC.exe
Token: 36	5524	WMIC.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	4164	tasklist.exe
Token: SeDebugPrivilege	5220	powershell.exe
Token: SeIncreaseQuotaPrivilege	1268	WMIC.exe
Token: SeSecurityPrivilege	1268	WMIC.exe
Token: SeTakeOwnershipPrivilege	1268	WMIC.exe
Token: SeLoadDriverPrivilege	1268	WMIC.exe
Token: SeSystemProfilePrivilege	1268	WMIC.exe
Token: SeSystemtimePrivilege	1268	WMIC.exe
Token: SeProfSingleProcessPrivilege	1268	WMIC.exe
Token: SeIncBasePriorityPrivilege	1268	WMIC.exe
Token: SeCreatePagefilePrivilege	1268	WMIC.exe
Token: SeBackupPrivilege	1268	WMIC.exe
Token: SeRestorePrivilege	1268	WMIC.exe
Token: SeShutdownPrivilege	1268	WMIC.exe
Token: SeDebugPrivilege	1268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1268	WMIC.exe
Token: SeRemoteShutdownPrivilege	1268	WMIC.exe
Token: SeUndockPrivilege	1268	WMIC.exe
Token: SeManageVolumePrivilege	1268	WMIC.exe
Token: 33	1268	WMIC.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4648	setup.exe
5980	MiniSearchHost.exe
4648	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 2280	4984	msedge.exe	77
PID 4984 wrote to memory of 2280	4984	msedge.exe	77
PID 4984 wrote to memory of 4348	4984	msedge.exe	78
PID 4984 wrote to memory of 4348	4984	msedge.exe	78
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 1796	4984	msedge.exe	79
PID 4984 wrote to memory of 3660	4984	msedge.exe	80
PID 4984 wrote to memory of 3660	4984	msedge.exe	80
PID 4984 wrote to memory of 3660	4984	msedge.exe	80
PID 4984 wrote to memory of 3660	4984	msedge.exe	80
PID 4984 wrote to memory of 3660	4984	msedge.exe	80
PID 4984 wrote to memory of 3660	4984	msedge.exe	80
PID 4984 wrote to memory of 3660	4984	msedge.exe	80
PID 4984 wrote to memory of 3660	4984	msedge.exe	80
PID 4984 wrote to memory of 3660	4984	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\free.panel.rar.html
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x250,0x7ffbc434f208,0x7ffbc434f214,0x7ffbc434f220
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1876,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=2124 /prefetch:11
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2060,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2188,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:13
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3472,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3488,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4088,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4228,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:9
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4296,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4424,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=4504 /prefetch:9
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4072,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=5212 /prefetch:14
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5188,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:14
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5240,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=5336 /prefetch:14
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5144,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:14
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6080,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=5808 /prefetch:14
  2⤵
  PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1132
    3⤵
    PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6088,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6112 /prefetch:14
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6088,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6112 /prefetch:14
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6304,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6292 /prefetch:14
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6584,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6640 /prefetch:14
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6148,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6572 /prefetch:14
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6168,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6152 /prefetch:14
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6660,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6752 /prefetch:14
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6904,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6920 /prefetch:14
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6908,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6948 /prefetch:14
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6892,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6780 /prefetch:14
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=7120,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6384,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6356 /prefetch:14
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=6888,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=7144 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=6736,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=7108,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6968 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=568,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6724 /prefetch:14
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6712,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=7424 /prefetch:14
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7260,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=5148 /prefetch:14
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=5564,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=5372,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=4544,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=6688,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=7460,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4292,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:14
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=7768,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=7748 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4448,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:14
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=7780,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=7868 /prefetch:1
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7664,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=8112 /prefetch:14
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8116,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=8088 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4456,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=8272 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=3024,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:692
- C:\Users\Admin\Downloads\OperaSetup.exe
  "C:\Users\Admin\Downloads\OperaSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\7zS0129B509\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS0129B509\setup.exe --server-tracking-blob=M2IzZDEwMjZlZTJkOTQyNmYxYTc4NmI3OTRkMzQzZTI1MWU3YmRjMGM4ODdkNjg0NzdlNjgwZDk2NTg1MWRlYzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPU9GVCZ1dG1fbWVkaXVtPXBiJnV0bV9jYW1wYWlnbj1hZG5ldCZ1dG1faWQ9dW9zMDhvczRjMDBjd3N3ayZ1dG1fY29udGVudD0zMjc0OF80NTIyODg3LTM3NzU1MjI1ODctMzU3Njk4NjcxMiIsInRpbWVzdGFtcCI6IjE3NDE5ODMyMzcuOTUzMyIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMzMuMC4wLjAgU2FmYXJpLzUzNy4zNiBFZGcvMTMzLjAuMC4wIiwidXRtIjp7ImNhbXBhaWduIjoiYWRuZXQiLCJjb250ZW50IjoiMzI3NDhfNDUyMjg4Ny0zNzc1NTIyNTg3LTM1NzY5ODY3MTIiLCJpZCI6InVvczA4b3M0YzAwY3dzd2siLCJtZWRpdW0iOiJwYiIsInNvdXJjZSI6Ik9GVCJ9LCJ1dWlkIjoiNDA4MDliYWEtMjI3Ni00YWE1LThmNDMtYmQzZDBhNWZjOThhIn0=
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:4648
  - - C:\Users\Admin\AppData\Local\Temp\7zS0129B509\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS0129B509\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=117.0.5408.93 --initial-client-data=0x33c,0x340,0x344,0x30c,0x348,0x74abb1e4,0x74abb1f0,0x74abb1fc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:568
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503142014071\assistant\Assistant_117.0.5408.35_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503142014071\assistant\Assistant_117.0.5408.35_Setup.exe_sfx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5280
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503142014071\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503142014071\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503142014071\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503142014071\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=117.0.5408.35 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x743d24,0x743d30,0x743d3c
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5428,i,5811585438972270346,11931279959520879101,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:14
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:5360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7ffbc434f208,0x7ffbc434f214,0x7ffbc434f220
    3⤵
    PID:5408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1680,i,15314760334190982865,6046246163920734352,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:11
    3⤵
    PID:5648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2164,i,15314760334190982865,6046246163920734352,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:5656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1388,i,15314760334190982865,6046246163920734352,262144 --variations-seed-version --mojo-platform-channel-handle=2364 /prefetch:13
    3⤵
    PID:5672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4172,i,15314760334190982865,6046246163920734352,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:14
    3⤵
    PID:6128
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4472,i,15314760334190982865,6046246163920734352,262144 --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:14
    3⤵
    PID:2448
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4472,i,15314760334190982865,6046246163920734352,262144 --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:14
    3⤵
    PID:836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=568,i,15314760334190982865,6046246163920734352,262144 --variations-seed-version --mojo-platform-channel-handle=2480 /prefetch:14
    3⤵
    PID:5332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4528,i,15314760334190982865,6046246163920734352,262144 --variations-seed-version --mojo-platform-channel-handle=4724 /prefetch:14
    3⤵
    PID:5244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4496,i,15314760334190982865,6046246163920734352,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:14
    3⤵
    PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4144

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:744

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5780

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5980

C:\Users\Admin\Desktop\sorgupanel.exe
"C:\Users\Admin\Desktop\sorgupanel.exe"
1⤵
- Executes dropped EXE
PID:460
- C:\Users\Admin\Desktop\sorgupanel.exe
  "C:\Users\Admin\Desktop\sorgupanel.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3636
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:1080
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
    3⤵
    PID:6064
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3928
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "chcp"
    3⤵
    PID:4908
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "chcp"
    3⤵
    PID:424
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3488
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:4804
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5244
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:1268
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:5116
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:2444
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2688
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2844
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4788
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3616
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:5380
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2620
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:1792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4268
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:1932
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:1036
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:3772
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:4488
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:228
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:5008
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:4496
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:5692
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:5580
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2080
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4540
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2176
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3844

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0cbd86d7-89b1-4e72-96be-b11a010f2e57.tmp

Filesize
392B

MD5
713f09ba9f524e8e89f953e37a212377

SHA1
3a60cf7c0388e11eccc5525410c1d81b4b98eaed

SHA256
b689579a4db75207defca8abbd32d0123eb68c95176e35b0a116cc8027672fbd

SHA512
44686a9012862d00ad2e8e550a72423e5d8c698d8fe0c84aa7c67f6c2eae3b6ffd1e4fbf68cebb406c0227bdc3c4191924bc978ceaf681cbedc4f3ce26a5ce00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json

Filesize
3KB

MD5
6bbb18bb210b0af189f5d76a65f7ad80

SHA1
87b804075e78af64293611a637504273fadfe718

SHA256
01594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c

SHA512
4788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
768843f41e5b144f0feff379c1b75b8d

SHA1
807fe067351e027d6278224fce44abee0b7041a7

SHA256
b218bb754af9aefda7e0fc3425622bd4eac6bde6b50d65991879e51893a931de

SHA512
309b58451468ef9c4cb6063ca6721354280897c3fb6c4dbdb19d0b6f0ac6185523222b4b566ef7982bb0f35485f96cb533ce62a242e48858d78bed0c47f4d0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
a2a1c1306568d7c950883dca53f00dc9

SHA1
2f94bdf9d0444e17f0915fca18e6af7cee468554

SHA256
637bc794d9c77d58cc48778c0d0804253409d72458de00d50c66f5120a069a0a

SHA512
7c61783460f178abb2468ae75ed3aa24be708b350588a0517b60824a995d65b59ca3ad5535df4a202757fd353b7791235209043710cec9d28569754650bf2276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
02cf1313b32a8ab2f031cee39bee8fc3

SHA1
861cc0ab9ff881460dd6433e37075b822aac9355

SHA256
7e7fd13903a8d57f314d9e7dab6fa28975050b63f045eb315e96cccaa17d1e61

SHA512
f5464c94391bfb590f6755c2ae6896dd459a2a93d778601caebf272438c2ff127ec5de81dcf8efeec65a56609558477afc7be1c4993977a18fde7b915f7a8700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8165d331a65e980c7f75dba657342854

SHA1
44967c0388744de38b07e07e3a9cb174854eb7bf

SHA256
08d7b1fa1c3cdacb73cb9b34bb51a0516bfeac2f10ec54f2f27469d1c97820a9

SHA512
ee23180ed03c5042d6e6343ac2181a6d9ffbbb775e1031222e46b4a61eca4f1caf2dab50269271a07b284e270195595c91ce8c43d4cef77c8873845216546e54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\33819f08-f7be-4a55-a3e7-4c667b75c812.tmp

Filesize
17KB

MD5
36743c941da3b394fd513770d50bed6d

SHA1
93412e2757a2a64baec4de82929212881e870c63

SHA256
165fef263ab99bddf3584d1e15028c7a08ce89ded0f5e50f66d505bbce55ca56

SHA512
6341109d0547b87555dfbbf42c0303b17dcddd2301418b6c741652fe585078efc4709799b15077b3e4b6c7c1c6b9d7ca2084257ccf5c51b9a5b237e247f43ca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00009e

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00009f

Filesize
67KB

MD5
cc63ec5f8962041727f3a20d6a278329

SHA1
6cbeee84f8f648f6c2484e8934b189ba76eaeb81

SHA256
89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1

SHA512
107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000a0

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000a1

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
99b337a28c6fc89f42e03c961a1ee247

SHA1
193ee6b8b84664685275fd681df21c1566ba2672

SHA256
dcb1e0758a5141e579dd19a24219e31c53cf613200756326af61528b0a566f37

SHA512
b12ca413bf6ec4c8ccf82ae440f2774fda758b0e78219b03881ebf97a4f5e0aa091d927916bc920095b5c8c142f687da1917350ca31c243e3f174591d2b55ec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe592a23.TMP

Filesize
3KB

MD5
67ad73770a91f3a1362f985da6c1e700

SHA1
da22a1ae9cbbbccd9e30c73f98aacb53b6f4750d

SHA256
55e7685668dc559704c5ebee8be88173f386500d7d834a590a86089898a295c0

SHA512
5fde24b69520205569f609610b2e0d9db77ebeaab14fedafbcf58a97dddbaffc37dc5643ffc53172d6b93f50f64d73daf4d2119338415865ca0844d9241e178c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\06fc7df5-9717-4dfb-89b7-4c0c37a32be1.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
fb4fea7d1ec29452e92da3b3fd4b0e04

SHA1
3476d3e5c25e115560a41cc47616dc836e016b01

SHA256
6b4b1f0b5d6999a9d616a148077bfaa620bdb26103b58bf5a353316bd9e6e3da

SHA512
dfa45bbeb581cdc7ad90c4cac63ac6ca240c3e871b6e31bfdace43c8aef3a77489abbc36270723104b490267e5c1031e0a6d16a4795c4d84ada8b20c7f530d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
cb97f6f87181d044b6d16fbd9f3f7c22

SHA1
5e9302860fb70c34da248c173ec5064f5a47623d

SHA256
12afff99c7673809c063f1db47954ad91e068fbd5f03722c6ea96d684f840282

SHA512
8a709bd5afa17ed5a80d9ba083d7ba90ffc88c0c7d2c6d64c9eb62a874e748ebf384dc89099cc7c0c289df874d1f9479ede4b837f41b50f8e628d53c19ecae61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
1a0265934f2638e0c3117f671b6e9612

SHA1
bcc6836a864d9c87f259250d9592d048ed11b0a9

SHA256
7f5ed69b3df7e0644eb48e487e865d43b440d42ecf18d2fa4d30b98d0f0e2c28

SHA512
4b5b1bd736edd24ca11bef2b0c2c2baab3c5c304cb95ce508e85772a023ed9aa8798f3f969c931d6a275f7cc83500572b7a0699d79a1295f6d7d5b7cefb7b7a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
1bfff172e855b471af16bd95ac55404f

SHA1
b1756abc274a1b1dc62290fd90a4e85edcf52b43

SHA256
2b65717dac6783e3703c8c2636e0b9c70caf6f892dcd895dd4eb76d1c03290ca

SHA512
e67a974e959220d0b0fec38a693afc81be6110d9f8da406c9aeed52a7ada865ea23d42b5a3c51a54306a8bec9b495d308f5e960152797d8a71ae1e6969d64c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries~RFe58770f.TMP

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
5742d67a53a8787d9eebdd8ec5aa2111

SHA1
8e820ab12cec3b9405d7551b7bfa9893cdc06aa9

SHA256
35dead7a6f797d31a284651f4b83635316ccefd7547d6bb266b255c2767bc8b4

SHA512
269359444c0a504fcd02a3abf11261b8a87404c180c986d044c96ea736447c97213962fa1d08c3156aab964c2aaa6798dc618c01cb6615e39219a34e588ca988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
ad2de6bc10a05d0bb8780ee7c4294141

SHA1
4a95c842994618a3e18e404fe69a8c9ab3762fb4

SHA256
333a6be28efcca15172b4134b61382ce4d51772fc954233c57292cd8618c3870

SHA512
0f3550e1e7652ffd029fc78987ebb9418584b28851be5f5fc5317011d36aae223394a8340818dd1efbd1c9301f838b705c138f4517373fe187c20585d5fcc59d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
bde0dce81c146f2f7fcade99153a7b2e

SHA1
d85b31e869d3913fec8fe0ea4a53f0227e632070

SHA256
0795a894154640821448fb9353bda99e05af84037ace5f62b6506f3b76f68e32

SHA512
a6f2072afed1671f1fc4919c42405940813013ebb3e5763b7c345da913ef7d5ba1b4a24efc1c7d4097dbfdddcb55772ca0062179d7b6b7e31471716a86b2ad7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
7eba85710b4c2c840328514aa3561307

SHA1
37734d523500fb30af387174990ed634992e9e76

SHA256
174a41e6dabbddc2ad327bc096698c99dfad944c621eb0fbd92092663dbb2fea

SHA512
ba40a436b79995074d122f1c49e96e0a03a89f30a69ef876c63c40f91572eebd38cef1bf4da0144c91aee630796c866b3632f4520b012d72777d1386e78c5bb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
1c1ff1dc3182958f7fdf659d5a29a9e9

SHA1
11a38b0eff9e9197959c3476d5b69cefe0a29894

SHA256
819b8ee000871b8d1b739f16ad7d39ff5158c9af644fd0738c9b1337c0358cf7

SHA512
8014a1af8b0f7d0601ff18f16fd1508f88d2c54589cc6fed3ca29ebaabcb2b8d3f048e27c658d87759f7331e30f279ec1e56f3c9efd0ba7aa6911346149f4f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\04ed89ee-515f-45eb-9065-1544ab48f761\index-dir\the-real-index

Filesize
72B

MD5
ad37378ee79da27bfbce515b0b0f23e3

SHA1
8b4c7c2304ad49efcea89d83fefef7dd17bb3246

SHA256
e4cedcf35c54710885ee284267042f611c3fbd717fca24a0cdad32d697c6db9d

SHA512
310c95553113aa143dcbae37d2c69cffc956de8c7941ce0c843866fdeb91b9218b7eb396966ecf8a033ac16c036d2f44f909d4be27d157627718e2c1789dff44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\04ed89ee-515f-45eb-9065-1544ab48f761\index-dir\the-real-index

Filesize
72B

MD5
9afe9138bf90fea1e67143fbae0b463d

SHA1
2a50e34bbb056f4752ea7b4596fd15b777bb37a0

SHA256
b324d724aac6140c0ce351ab0fcc3a00d0480bff69233c22701af1cade568ba6

SHA512
5c37668ed4f59ceb6a17d1f588af23c73e6d356580758c4f3c5a2a09aadb8818b8d809f8e343251abb722fc0ef3126dbc0da002cd1688640fb59e3a878f38f3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1e6296a1-756f-4e0f-ab51-0ef05e0aaa46\index-dir\the-real-index

Filesize
2KB

MD5
45c8b8321b98571798661249ee9c0ad0

SHA1
a0910599b917b9e9156775f633c4ba75b3ea121f

SHA256
aecdce1f7f7ce8ff6a7cf9422c47401584c3d4e553f9eded8c5cd13b08452740

SHA512
7609341fe864c6b6c82398b4082cc0664cd588d1b9d38b906118951c336574ceed63af38fe42e508d487346a939118097c63c1ce11f5d7875c89fbf356a9a5bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1e6296a1-756f-4e0f-ab51-0ef05e0aaa46\index-dir\the-real-index

Filesize
744B

MD5
64fe748ec0bc703d6cc0a1a4176abb42

SHA1
1ee0dca6f6847d7e0d62c3a77a028485d3564fdb

SHA256
7b0b843de1b23ed941ed7f380fc1a625b3d50eb785cf4995dcabb5295aab6fd9

SHA512
e5e2d0ab677e26cc22b67f291f1876132cc41ea9fd94245851de4ecb6b250f40ba7607bb8e8ba2856884417b3f6ba3e89292f247d8bf9c89dcebb454e49a06ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1e6296a1-756f-4e0f-ab51-0ef05e0aaa46\index-dir\the-real-index~RFe5823fe.TMP

Filesize
744B

MD5
b537f8eccf8e9f7c56773a786cd52237

SHA1
12998e60ca80bf649c499a854431f13855ac6142

SHA256
138017a032bf0a184c6ad5774b0899a6fc1c1f5b8742a9ef1c65a6cf939544d1

SHA512
ce67dd89dc23416f3711f8024fdbc2b984e5a2cedf42837fc31be6b575b78179e0b80d8c39cb8cff7d10bef2c291dfec0a827789efde51143dcd7500bf442fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt.tmp

Filesize
253B

MD5
a5d9f432178caeb9e5486f48ec4ddb64

SHA1
7eaeec665e06f9a3a948aacddc2089ac1174bd7c

SHA256
6db436f2efc25eeb7d66c2426a7f178b4de438f29ef7c904d3e31ac4febbc4e1

SHA512
d47e762354de2b73781e5b468f40c8f10fa28f16b97349b3e04448e7f27c250f20d6331845c7cd1176f83bba1dc4585655957cb460b3c8afbe2fff32c4cde605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
7297fc7913781d2bcb550a2bcbe749c4

SHA1
14eff706d90b482b22df7cc2078d16019566466d

SHA256
8dce57a877cacdf13481a91d24aead599705efcdbb81072f658bf0aa38f7ed92

SHA512
d1b346643d19522383c3833365a4d515c01ed4e0e73004e80471bc7f1f55d8a1f983d1e5ee07d4235e46cbaeec882758b01d91a03fcaafb513beab55b5428f9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe587a5b.TMP

Filesize
48B

MD5
239feedd135d4740f3ed5a530dbb2139

SHA1
0dcf39d9b8454da3c4bfb5c58e9af0dc76a2f1df

SHA256
ab6f9cf8b1e71661b369a3bc836e9bcfcc15605415915f557e17a08d9424ae0a

SHA512
661c237362cdddfcefffd1e3e6e9497f6e3ec1bc9039050fc8f5c63f7696decab90ccfd679f73792b4cb3bfcef8593538948e2f64b2f608f09d48bc446b5c41a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
2591c204f9dbc70b64f1c5d95830a2ac

SHA1
bb0fa1e6b28fadaf40fb3111406d0d05b2b8a878

SHA256
25b5165bec6605ca6c952c72bc8fa8d8125252e9907b33545651f03a2cae5897

SHA512
6f8a685f952238cfab57f8683f181579af18ce142f7b4d3c413a5d7ddcb87413d81a30be3dd26e9f1ff7f87eb4a3670d17ed35a3b88758823202bd9a19484845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
20KB

MD5
9844e0ee98ae997fb2d3bb5595391715

SHA1
0397dc0db47e5a8b5c2b00ffb314e47477115061

SHA256
46a8734e882128cebf56efccc99eb736dc2228234d9b47418b611f1126bd510d

SHA512
b51d1a56675a24ede9235dd8078a0bd6289d3f15707347ee127a9b0c7110eb06c527b2b032750e685032adc9efb674dcfcff4afb50c884181c6e56020323973b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
878B

MD5
030ff89d887bcd95e0695300aa093b77

SHA1
4331413f4fefb40805833bef652f055773fdc959

SHA256
5ab80ea97f0eee918bdebb6c99c5f34554f3fa8d05e68326ca46baf2913e4543

SHA512
f16c4f7b665c99dbd05f9482ba56e2f889add2cd4cfbc13a904e1d65eb1f25c517e03fa217c4fa8d77e63d084421eb82ee2fd28aa4cbce6eefef522aa4f32c3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe58e72f.TMP

Filesize
469B

MD5
b2875e05c986fd54942dfd2abe1b6734

SHA1
316998f91da8b14e0d52442f1b6b001c4ae3480a

SHA256
ba307da68f09bcfe73c71228de1f652f599d102d7ad8fbf32b1f6bd5567153e1

SHA512
a2f10f58fa81649c0ec03646351ae17d310e7a19cf75ba033860b69c90908e21689fcfd82d4e88afce3c856b938caf01d90bbb568c2a6e614ad1feb34c22bf8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\a8c59dd8-4d36-422b-8359-c6460bf5dee4.tmp

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
2833b897feafaf209c654115ecbb15c0

SHA1
efc3d1ae31fddef3333ca7845c5e4e0540e913c8

SHA256
a580ba4d405cd2da0cc346077b6f8a2c11868d99ed9c2d69b3e10aabdae863d3

SHA512
a36156fa4f823cba664799a6a3a7546bd7581cb3265b06b4428caf075588abdfbd41011f7d6b98d6ead7e24c4ebeff0a6424ca25ab5a9e6c87cbf6e1bc30b36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
13B

MD5
3e45022839c8def44fd96e24f29a9f4b

SHA1
c798352b5a0860f8edfd5c1589cf6e5842c5c226

SHA256
01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

SHA512
2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
3a550662c97b71714a7dd00e38fc5d6d

SHA1
db65b3d248a67babfee5fb969ec1b0a79456bbf1

SHA256
76d6989fcbd5b9d1e5b0cdb5f7b052f4ff85717f23ff895cfacbc62557242e2a

SHA512
dffeacb1e0e4e719ca467a15b886a2677973cc27871fc1abd4bb52ff0808ef029a1dcb3d35a4b402342d95c0d06f91ceb8ecbd179096ee68a3f2eb6fd2c339aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
e27ec468b05311e56595e6176cded714

SHA1
b5e74b0baa3a45d2b2451f33919753f9173f330a

SHA256
80ea4db95f5584d32ec4a93dff5b8ad5bb88cb2653667e18cba99ba11f9129de

SHA512
2f56b92200097250f7164327cc890be2ab2ecb25533a79fe6b474457c67e8d25e44b7df6e04193986fc8e8ec14cdb99a084fbe4cbd607f6f0df74bcce10a94e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
9861bf19d1401775811d48204d74c727

SHA1
6f78e0f4a21f6cb9bf8c67167256157416e9e18e

SHA256
4376186b396a22da49724bea2569c3cdddf53c8369c08e8d0a619ccac8a3e8d3

SHA512
323b349cdb52391d36e773a1671f820702b1cd95764c61387f8efed008d896e1d09a70b177f912a67bb65eab327de5d5d17cb222eb51fd8e935f09d8cbabed4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
e957f318c5757fd1bf88f2c8f7eef842

SHA1
a495f8014ad355f3640bbd69f8f0a6e2f1924718

SHA256
a8b481eebbb496b68b2fdad60545aba2b478da6a9fbd80cccd726182cb11008c

SHA512
ab98138b773f37113120639aede8833a8a37f189b8fc0c586c69c85e1fc7c5dc7c457a247a193c7a12e80f62c2cf811810a60c9482c747cedbf2ae950a7fad33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
39KB

MD5
62beebf0b23bd85707313d51bdfd25eb

SHA1
cca172cb82417e2d6c7426d4bcfb9193e7a38f27

SHA256
dedc15d2f9c585eeec4bbb54325d82ba6a2110b02f2508a7d2268aafe9711c14

SHA512
11c13c902845f803533458efb1e34a3d31a47d066c160dea7eaeb1f753c2afa86028a53eb7e720cbc24f43c32e7e38bafa4aa1e159f31634b9cbf07cb24c1cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
47KB

MD5
b76ed6204b56f2e34c9c9a9e9dffd17d

SHA1
ea469101b6ea40035ac438f7257a1eb3ab5329d6

SHA256
ec7acdaf01154aae48013ba4424f2f58332bafd20ec178a1ff0e20329ea0d166

SHA512
bafff7f180534fed16d09c7cb3be4043709687bd1a9168bba677e46d16e890e7c47cd02655b0b30088137399c33f2816a67f766a708e981d0eb3dfa66edabbf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
47KB

MD5
c4c31fe9d678b0ebc5cc396bffbb7710

SHA1
4e1607b6d1777cd05c6e856bb84ef843763914c8

SHA256
10ea8a7424a779f3931b0addfe936a940928f98542f6549614cd81d0beaf929d

SHA512
35a53f7d7ab61208af01d318d0c256b981720e3a8d2b7cb81d83916c5987a365f497e0e1be61a35b62efe54ac4f2aa3ca18c733962aadbeb170d8bb3faea0247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
a3f9719b203abd11714a4e813a1b4082

SHA1
a571147bef356c1d651e2b80015c8a96b1c66e3a

SHA256
7615fb997bb32da2d8803304c62581473a2c9fefb477704ed0fda7dec8816b43

SHA512
a96fb7c7a6fef4710193841968c5617ae18c6a51e17deb99f02c9c34b6914cb134549f38acf9d83e415b8542adf01fbafbe3c774d78e7a7e69b113c6e72af376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
7e753c82e09e739cdbd825177e34fda6

SHA1
363017c42fe51d6ecccf8d34f87730a3944cf30d

SHA256
cba0b3c46c23886faa4bc2b3439e0dd5ae39417cf96fba041991ea8d5aabed33

SHA512
93b1a5ecfeb4aef17be3db7909470e993c7af064634ecba7a27787e909afd05b36ee78f5bec13da37e658d4c173a55c06e686f3680eb27321c33c2f6fd0c3fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
ff55ad5fa522ea644a508102b29b5336

SHA1
fc609440569df5c01ee06c8f2c5336da1d13aabd

SHA256
38cdc87172db1aaf17f596ace9071b756b75b6649742636e60a52b4aa3ada769

SHA512
74206aaa331c209518c17afcfa610ee753ff6a0ce8214a626365f2e8a518b5fc680111802eb54f62e851d6e0fdc5ebfa34df1f051d55853812ed061cf7c98480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe586d6b.TMP

Filesize
392B

MD5
882b59eade9ed88059715b9925033576

SHA1
a5c8962a2afca37e3090a65a0d648545fdbd5f77

SHA256
cd5fde739a5a02a5c4d7307a209a18646d3ef62b68afa45d94f471f01e659c96

SHA512
7ca0ab64b76f477ddfb8e4379c21dcc0cb0d3f491ad912fd8fcceb016d594a3ea33423eb39d2d951ec346114c3ad9825cc6b54b880d418a45c37bda24821f825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Filesize
264KB

MD5
eba88df17e025e66ddad21a8fa139c90

SHA1
0deae22791195c6e80ee7c41a9301af5703a1ec7

SHA256
0c700438eec897ec96485d7c451346c978fcc19f9713fe61b5e8947456fadaa1

SHA512
c77c55669e1529a42235debccb9f59435f91006da4a6b451401332476e4f2ef03352e3cad3b12549eb5302b07028f5ad9c32d9ac8e47dad384806a47841bc3bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\66c37781-3649-4c4b-a178-5ded74c32d7a.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503142014071\additional_file0.tmp

Filesize
2.4MB

MD5
def6e15d8b63743747e8bbcd18857ea5

SHA1
61991c54069f5a8c6c075ef6543ba2faabca8233

SHA256
84e13eccbeb2d7620c683dd5d76df9ccb3522f5babd833c6efc2291df5e02e87

SHA512
5f82ca7236c40726701b77e8275e4eff27d4f13964dc20c268fa84a7589c5109b6535a7735a0c547fa0aa8ad47c777dda5a6eb2d33782b28f0dfe59d408a265b

Download Submit
C:\Users\Admin\AppData\Local\Temp\65aca92d-3d83-4836-8da0-dc5ea306bb10.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0129B509\setup.exe

Filesize
5.6MB

MD5
7483cfc57d51cdb72ec469456470792c

SHA1
d1a14c8e45db515cf45c04f2ec761a140eba4209

SHA256
e5797d1b2671b717c992d8aabe576c7f8ab5753c919e76436910a08da2826fac

SHA512
75d162b900b8fcbcc38568486c5ee3c716441db0d62ed214c67383e6807ac6e32ac7b4fafb4b2d73c4bafde6093d1d149144ffdb07ce2f78932782fe2e6bfc39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2503142014053314648.dll

Filesize
5.0MB

MD5
90102d9fbb09ef08cd0b06af0fa7b46b

SHA1
264c5ded705a20b61f490fb256cba812fda1be2f

SHA256
9231872570c66b08c5ef8c476421b6f0dfc91d76bb346fbda6d3b64d46e76a16

SHA512
4e510f224fd854a8816d83cb85b8b0882eee81fc346dbb03baf385eff32113d499d751d1e6ad0ad6ddd5527615b0d69951c67b2b973ed086aaeaa586d896665f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejgmdi2u.ckx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd56906b-bada-4a18-b455-157a78bb3f07.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4984_157334414\f6148818-d348-4817-b9cc-21d7c8401b95.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
487aa025ca944dbcb0890416e9347124

SHA1
bd91af78f04e99ec9d7871d9a541550ccd46810b

SHA256
0bd6fe89ae83ccfe1fe9fa47092e1520dafe0d604b8d82f0952818d0e6cfc403

SHA512
216edab319652071acd789d51b84a0bcc073b2191a06e1dddf5495e7dd3a96fe262924822adb0d5c610f093e4e35c81bdfa5ba793704c8887d4af072ccff2eb3

Download Submit
C:\Users\Admin\Downloads\OperaSetup.exe

Filesize
2.2MB

MD5
1421cbe9e5c010d0f83e6c38c56ea76a

SHA1
4c4251c554f00edbdd36002312bc48eb718b7c29

SHA256
599afdc12f6d5cae443cca17364a04f3752042cbd8424f6e86cac0d1ab269b50

SHA512
06deb57935f4814b8af0485d327610d1ba7619c7b72a4ccd346c1b96504671d2cab8b93086c27a3a81f1bbf46c6c05b94ada29f50811284305ae12ae4c18aa09

Download Submit
C:\Users\Admin\Downloads\OperaSetup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\sorgupanel.exe.crdownload

Filesize
10.7MB

MD5
c0f69fb134291d4203e7b938cff9a7ea

SHA1
91d3154e582a1a49039c29e674ff593467ec0244

SHA256
e29981588d7fc7a8d3b14f1cfb0acf75ddf80620bf7af5cc8547ffd7ee4b3a06

SHA512
80cd3f98dee7b8b8ce0e0ce637dcdb3ecc6f9d4a35aca7f82785e8006f5d93b7dd224d505575ff8ee0d331abe6dc62ea6225076443cf31e623bde09f9ec55950

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4984_1216983401\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4984_1954756234\manifest.json

Filesize
134B

MD5
58d3ca1189df439d0538a75912496bcf

SHA1
99af5b6a006a6929cc08744d1b54e3623fec2f36

SHA256
a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437

SHA512
afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2

Download Submit
memory/2136-1976-0x00007FFBB1E80000-0x00007FFBB1E9B000-memory.dmp

Filesize
108KB

Download
memory/2136-1991-0x00007FFBB23C0000-0x00007FFBB23E6000-memory.dmp

Filesize
152KB

Download
memory/2136-1960-0x00007FFBC7FC0000-0x00007FFBC7FCD000-memory.dmp

Filesize
52KB

Download
memory/2136-1961-0x00007FFBC3920000-0x00007FFBC3939000-memory.dmp

Filesize
100KB

Download
memory/2136-1962-0x00007FFBB3720000-0x00007FFBB374D000-memory.dmp

Filesize
180KB

Download
memory/2136-1964-0x00007FFBB16C0000-0x00007FFBB1833000-memory.dmp

Filesize
1.4MB

Download
memory/2136-1963-0x00007FFBB1FB0000-0x00007FFBB1FD3000-memory.dmp

Filesize
140KB

Download
memory/2136-1969-0x00007FFBB1EC0000-0x00007FFBB1F78000-memory.dmp

Filesize
736KB

Download
memory/2136-1968-0x00007FFBC3A40000-0x00007FFBC3A64000-memory.dmp

Filesize
144KB

Download
memory/2136-1967-0x00007FFBB00E0000-0x00007FFBB0455000-memory.dmp

Filesize
3.5MB

Download
memory/2136-1966-0x00007FFBB1F80000-0x00007FFBB1FAE000-memory.dmp

Filesize
184KB

Download
memory/2136-1965-0x00007FFBB0460000-0x00007FFBB0A48000-memory.dmp

Filesize
5.9MB

Download
memory/2136-1970-0x00007FFBC1570000-0x00007FFBC1585000-memory.dmp

Filesize
84KB

Download
memory/2136-1971-0x00007FFBB91A0000-0x00007FFBB91B2000-memory.dmp

Filesize
72KB

Download
memory/2136-1972-0x00007FFBC3970000-0x00007FFBC3989000-memory.dmp

Filesize
100KB

Download
memory/2136-1974-0x00007FFBB1EA0000-0x00007FFBB1EB4000-memory.dmp

Filesize
80KB

Download
memory/2136-1957-0x00007FFBC3A40000-0x00007FFBC3A64000-memory.dmp

Filesize
144KB

Download
memory/2136-1975-0x00007FFBB0DE0000-0x00007FFBB0EFC000-memory.dmp

Filesize
1.1MB

Download
memory/2136-1973-0x00007FFBB90C0000-0x00007FFBB90D4000-memory.dmp

Filesize
80KB

Download
memory/2136-1978-0x00007FFBB2470000-0x00007FFBB2482000-memory.dmp

Filesize
72KB

Download
memory/2136-1979-0x00007FFBB3720000-0x00007FFBB374D000-memory.dmp

Filesize
180KB

Download
memory/2136-1983-0x00007FFBB2410000-0x00007FFBB244F000-memory.dmp

Filesize
252KB

Download
memory/2136-1984-0x00007FFBC7F40000-0x00007FFBC7F4E000-memory.dmp

Filesize
56KB

Download
memory/2136-1982-0x00007FFBB1FB0000-0x00007FFBB1FD3000-memory.dmp

Filesize
140KB

Download
memory/2136-1981-0x00007FFBB16C0000-0x00007FFBB1833000-memory.dmp

Filesize
1.4MB

Download
memory/2136-1980-0x00007FFBB2450000-0x00007FFBB2465000-memory.dmp

Filesize
84KB

Download
memory/2136-1986-0x00007FFBC7CB0000-0x00007FFBC7CBA000-memory.dmp

Filesize
40KB

Download
memory/2136-1985-0x00007FFBB1F80000-0x00007FFBB1FAE000-memory.dmp

Filesize
184KB

Download
memory/2136-1987-0x00007FFBB00E0000-0x00007FFBB0455000-memory.dmp

Filesize
3.5MB

Download
memory/2136-1959-0x00007FFBC3970000-0x00007FFBC3989000-memory.dmp

Filesize
100KB

Download
memory/2136-1993-0x00007FFBC77D0000-0x00007FFBC77DB000-memory.dmp

Filesize
44KB

Download
memory/2136-1992-0x00007FFBAFA70000-0x00007FFBB00D8000-memory.dmp

Filesize
6.4MB

Download
memory/2136-1990-0x00007FFBB23F0000-0x00007FFBB240C000-memory.dmp

Filesize
112KB

Download
memory/2136-1989-0x00007FFBC1570000-0x00007FFBC1585000-memory.dmp

Filesize
84KB

Download
memory/2136-1988-0x00007FFBB1EC0000-0x00007FFBB1F78000-memory.dmp

Filesize
736KB

Download
memory/2136-1994-0x00007FFBB2380000-0x00007FFBB23B8000-memory.dmp

Filesize
224KB

Download
memory/2136-2019-0x00007FFBC4B00000-0x00007FFBC4B0D000-memory.dmp

Filesize
52KB

Download
memory/2136-1956-0x00007FFBB0460000-0x00007FFBB0A48000-memory.dmp

Filesize
5.9MB

Download
memory/2136-1958-0x00007FFBCE190000-0x00007FFBCE19F000-memory.dmp

Filesize
60KB

Download
memory/2136-2035-0x00007FFBB2470000-0x00007FFBB2482000-memory.dmp

Filesize
72KB

Download
memory/2136-2036-0x00007FFBB2450000-0x00007FFBB2465000-memory.dmp

Filesize
84KB

Download
memory/2136-2037-0x00007FFBB2410000-0x00007FFBB244F000-memory.dmp

Filesize
252KB

Download
memory/2136-2050-0x00007FFBAFA70000-0x00007FFBB00D8000-memory.dmp

Filesize
6.4MB

Download
memory/2136-2085-0x00007FFBB2380000-0x00007FFBB23B8000-memory.dmp

Filesize
224KB

Download
memory/2136-2084-0x00007FFBC4B00000-0x00007FFBC4B0D000-memory.dmp

Filesize
52KB

Download
memory/2136-2056-0x00007FFBB0460000-0x00007FFBB0A48000-memory.dmp

Filesize
5.9MB

Download
memory/2136-2074-0x00007FFBB2470000-0x00007FFBB2482000-memory.dmp

Filesize
72KB

Download
memory/2136-2073-0x00007FFBB1E80000-0x00007FFBB1E9B000-memory.dmp

Filesize
108KB

Download
memory/2136-2069-0x00007FFBB91A0000-0x00007FFBB91B2000-memory.dmp

Filesize
72KB

Download
memory/2136-2068-0x00007FFBC1570000-0x00007FFBC1585000-memory.dmp

Filesize
84KB

Download
memory/2136-2064-0x00007FFBB16C0000-0x00007FFBB1833000-memory.dmp

Filesize
1.4MB

Download
memory/2136-2057-0x00007FFBC3A40000-0x00007FFBC3A64000-memory.dmp

Filesize
144KB

Download
memory/2136-2101-0x00007FFBB00E0000-0x00007FFBB0455000-memory.dmp

Filesize
3.5MB

Download
memory/2136-2110-0x00007FFBB2450000-0x00007FFBB2465000-memory.dmp

Filesize
84KB

Download
memory/2136-2108-0x00007FFBB1E80000-0x00007FFBB1E9B000-memory.dmp

Filesize
108KB

Download
memory/2136-2103-0x00007FFBC1570000-0x00007FFBC1585000-memory.dmp

Filesize
84KB

Download
memory/2136-2102-0x00007FFBB1EC0000-0x00007FFBB1F78000-memory.dmp

Filesize
736KB

Download
memory/2136-2100-0x00007FFBB1F80000-0x00007FFBB1FAE000-memory.dmp

Filesize
184KB

Download
memory/2136-2091-0x00007FFBB0460000-0x00007FFBB0A48000-memory.dmp

Filesize
5.9MB

Download
memory/5220-2020-0x0000023F3A420000-0x0000023F3A442000-memory.dmp

Filesize
136KB

Download