akira | hxxps://pixeldrain[.]com/u/TcV2BREC

Analysis

max time kernel
156s
max time network
273s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
27/03/2025, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pixeldrain.com/u/TcV2BREC

Score

10^/10

akira lockbit credential_access defense_evasion discovery execution ransomware ransowmware spyware stealer

Malware Config

Extracted

Path

C:\lH0RuaZei.README.txt

Ransom Note

~~~ LockBit 3.0~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything but your money. If you do what we want, we will provide you with a program to decrypt and we will delete your data. Life is too short to be sad. Do not be sad, my request is only easy. If we do not give you the decryption, or we do not delete your data after you do our orders. Therefore, for us your reputation is very important. We attack companies that we have targeted and there are no dissatisfied victims after doing my orders. You can get information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Extracted

Path

C:\PerfLogs\akira_readme.txt

Family

akira

Ransom Note

Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/0628191501-BDPUC 3. Use this code - 0420-QN-PBZC-TZDI - to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/0628191501-BDPUC

Signatures

Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
ransomware akira
Akira family
akira
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7788	7800	powershell.exe	170

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001d00000002b2b0-996.dat	family_lockbit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell command to delete shadowcopy.

execution ransowmware

PowerShell

T1059.001

pid	Process
7788	powershell.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 4 IoCs

pid	Process
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
5584	C85D.tmp
3808	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
4748	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2081498128-3109241912-2948996266-1000\desktop.ini	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2081498128-3109241912-2948996266-1000\desktop.ini	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\S:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\G:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\B:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\M:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\P:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\Z:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\D:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\U:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\H:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\J:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\K:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\X:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\V:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\N:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\E:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\T:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\L:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\F:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\Y:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\I:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened (read-only)	\??\O:	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPw9jt7s0we0vf3j9zicdaxqt9d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP14l0tbbor1vasgp45vkruiuyb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP6fhayhcvo69xt5jh8b77kq1q.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\lH0RuaZei.bmp"	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\lH0RuaZei.bmp"	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5584	C85D.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3808 set thread context of 4748	3808	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe	156

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.8466e1282a70	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO.66385d7a04b2	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json.5a174e5a5892	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.eb03eb898fe1	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt.567e2bc6cc9e	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\Restore-My-Files.txt	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\rt.jar.e289689e80d6	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.443077686690	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryResume.dotx.dbee364b4933	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt.1c302f909e68	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.b1d567677d8f	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\Restore-My-Files.txt	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.69f89205fbad	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML.245f78f8fa30	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt.19cdd78f8537	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.7af38afaf8b2	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.13d0c09f9127	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML.dd6ab4714339	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.05babc999b51	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.84eb6c383a70	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\cacerts.adc36d47519f	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.3923195b5d13	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.7097e4243e4c	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.d365b5417329	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.1f85997d8735	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-ms.9ae17836386e	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR.b41aade8ea80	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\UseConvertTo.jpg.29d4fecdcb25	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms.ff8e72afa5d7	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Restore-My-Files.txt	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\Restore-My-Files.txt	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_FR.LEX.5fd589ddc795	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt.91d547071daf	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml.b7c2765f5587	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\Restore-My-Files.txt	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.3f516df5ff0d	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.b9e65c5d2795	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.e52bcd9f99d7	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML.61b8da7d03b5	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\Restore-My-Files.txt	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.8f109ce3eddb	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.29775dcbb5e3	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT.33c4f4e7d10f	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\Restore-My-Files.txt	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.6491f6080670	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.542572787ea0	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\Restore-My-Files.txt	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\Restore-My-Files.txt	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\Restore-My-Files.txt	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api.2b1e367b7923	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api.dc19c6d0ce18	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt.2ab09946487e	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.ad238dc7d19f	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms.83ec6c37214f	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.15382e899761	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.6f55390d37e5	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WEBSANDBOX.DLL.cb10d8a7a91f	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.d47aad484a20	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.37f7c3a5bb0d	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.bd0cb2d1e799	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\default.vlt.c923e9ebed03	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\133.0.3065.69.manifest.043235a8aa50	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\EdgeUpdate.dat.8669ec3a2472	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_387808381\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_280874362\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_1323772978\nav_config.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_329052119\smart_switch_list.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_429203048\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_429203048\sets.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_387808381\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_280874362\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_1323772978\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_1323772978\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_329052119\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_329052119\office_endpoints_list.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_429203048\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_280874362\protocols.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_329052119\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_429203048\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_429203048\manifest.fingerprint	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7692	4748	WerFault.exe	156

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85D.tmp

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000\Control Panel\Desktop	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000\Control Panel\Desktop\WallpaperStyle = "10"	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875590416777750"	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lH0RuaZei\ = "lH0RuaZei"	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lH0RuaZei\DefaultIcon	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lH0RuaZei	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lH0RuaZei\DefaultIcon\ = "C:\\ProgramData\\lH0RuaZei.ico"	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2081498128-3109241912-2948996266-1000\{591FB961-89B8-4A8C-9F44-B68B3FD462EE}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lH0RuaZei	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
6096	ONENOTE.EXE
6096	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2508	7zG.exe
Token: 35	2508	7zG.exe
Token: SeSecurityPrivilege	2508	7zG.exe
Token: SeSecurityPrivilege	2508	7zG.exe
Token: SeAssignPrimaryTokenPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeDebugPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: 36	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeImpersonatePrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeIncBasePriorityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeIncreaseQuotaPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: 33	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeManageVolumePrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeProfSingleProcessPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeRestorePrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSystemProfilePrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeTakeOwnershipPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeShutdownPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeDebugPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeBackupPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
Token: SeSecurityPrivilege	2120	3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2508	7zG.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
6696	7zG.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
6096	ONENOTE.EXE
6096	ONENOTE.EXE
6096	ONENOTE.EXE
6096	ONENOTE.EXE
6096	ONENOTE.EXE
6096	ONENOTE.EXE
6096	ONENOTE.EXE
6096	ONENOTE.EXE
6096	ONENOTE.EXE
6096	ONENOTE.EXE
6096	ONENOTE.EXE
6096	ONENOTE.EXE
6096	ONENOTE.EXE
6096	ONENOTE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 1084	2956	msedge.exe	81
PID 2956 wrote to memory of 1084	2956	msedge.exe	81
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 4336	2956	msedge.exe	83
PID 2956 wrote to memory of 4336	2956	msedge.exe	83
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 912	2956	msedge.exe	82
PID 2956 wrote to memory of 920	2956	msedge.exe	84
PID 2956 wrote to memory of 920	2956	msedge.exe	84
PID 2956 wrote to memory of 920	2956	msedge.exe	84
PID 2956 wrote to memory of 920	2956	msedge.exe	84
PID 2956 wrote to memory of 920	2956	msedge.exe	84
PID 2956 wrote to memory of 920	2956	msedge.exe	84
PID 2956 wrote to memory of 920	2956	msedge.exe	84
PID 2956 wrote to memory of 920	2956	msedge.exe	84
PID 2956 wrote to memory of 920	2956	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://pixeldrain.com/u/TcV2BREC
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x25c,0x7ffd232df208,0x7ffd232df214,0x7ffd232df220
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1964,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1992,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=2008 /prefetch:11
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1824,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=2592 /prefetch:13
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3512,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4140,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4172,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:9
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4192,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4200,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:9
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5044,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:14
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4940,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=3708 /prefetch:14
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5332,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:14
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4480,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:14
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6080,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6108 /prefetch:14
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6080,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6108 /prefetch:14
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6188,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6172 /prefetch:14
  2⤵
  PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1140
    3⤵
    PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6064,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6320 /prefetch:14
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6272,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6356 /prefetch:14
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6696,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6704 /prefetch:14
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6852,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6864 /prefetch:14
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6888,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:14
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6908,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6300 /prefetch:14
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7064,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6876 /prefetch:14
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5288,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6508 /prefetch:14
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6992,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6788 /prefetch:14
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=6860,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=7104,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6904 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=6384,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:1
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=6720,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=6104,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4316,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:14
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=568,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=5060 /prefetch:14
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5096,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=5016 /prefetch:14
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7248,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=3668 /prefetch:14
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=3664,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=7232 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2264,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:14
  2⤵
  - NTFS ADS
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3636,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:14
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6840,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6708 /prefetch:14
  2⤵
  PID:340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3692,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=8012 /prefetch:14
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5488,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6060 /prefetch:14
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=6912,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5804,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:14
  2⤵
  - NTFS ADS
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6276,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:14
  2⤵
  PID:6224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6920,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:10
  2⤵
  PID:6456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5956,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=5736 /prefetch:14
  2⤵
  PID:7000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5716,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=6380 /prefetch:14
  2⤵
  PID:6764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=7484,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3448,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=7524 /prefetch:14
  2⤵
  PID:7156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3736,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=7352 /prefetch:14
  2⤵
  PID:6308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=6052,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=3452,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:6588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3564,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:14
  2⤵
  PID:7600
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7188,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:14
  2⤵
  PID:9400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=4308,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:6840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=1696,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=5380,i,1650962126843162392,13672619912676261234,262144 --variations-seed-version --mojo-platform-channel-handle=7884 /prefetch:1
  2⤵
  PID:6588

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5100

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap13193:190:7zEvent10346
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2508

C:\Users\Admin\Downloads\3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe
"C:\Users\Admin\Downloads\3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:5236
- C:\ProgramData\C85D.tmp
  "C:\ProgramData\C85D.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:5584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C85D.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5308

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
PID:6948
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{21B52F0C-14A0-42D3-8692-3FF24ECB6E80}.xps" 133875591318810000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:6096

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap633:190:7zEvent8514
1⤵
- Suspicious use of FindShellTrayWindow
PID:6696

C:\Users\Admin\Downloads\67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
"C:\Users\Admin\Downloads\67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3808
- C:\Users\Admin\Downloads\67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe
  "C:\Users\Admin\Downloads\67ac04c1b7526288194e53da33cc0e9661687fd4fbbf12156e5ef6dd2a4108eb.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1112
    3⤵
    - Program crash
    PID:7692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4748 -ip 4748
1⤵
PID:6412

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap7244:190:7zEvent9430
1⤵
PID:7560

C:\Users\Admin\Downloads\ae455890e2123a9d011e47065828b0a03c08fd66570fab9d0340d2f5d5eb40c3.exe
"C:\Users\Admin\Downloads\ae455890e2123a9d011e47065828b0a03c08fd66570fab9d0340d2f5d5eb40c3.exe"
1⤵
PID:8088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
PID:7788

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap30134:190:7zEvent15471
1⤵
PID:6332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2081498128-3109241912-2948996266-1000\UUUUUUUUUUU

Filesize
129B

MD5
bce5996577c0ec617d89366f78463571

SHA1
6337c139c3f9e835172885df9059939a8c90dc4b

SHA256
ffe2ce79f8dcc3fcfa865e32401edf7ae0d6889cd20d27a6f7707de36541b72b

SHA512
690ba20f476a41fd80a625da294e725a9beaa7f7c54af76b5f1e7afa94b1ab2b87339b87f53101ac95b0374b57c0378dc7d4b9deb09dd5f9dd5fba89d18bc6ef

Download Submit
C:\PerfLogs\akira_readme.txt

Filesize
2KB

MD5
8d5c0c4b3f8ba6154f269d41fb4ae0bf

SHA1
f54c99106823a57fd6ef31d5c43767f4ce580d4f

SHA256
92bfe213fc85dea5d8248570b32dc4c82fc934ed6a03b842643171465de20bbd

SHA512
ee76730461711aba1427b3e2ce884a916582379a345b31a59e2ba6a952f4863489ad08256f42aec3b2ab3c3df5ffc3a90ad735de732d77f47c2c42af07264961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist

Filesize
105KB

MD5
e777bde1afc679b89c7102b8cfb9b35d

SHA1
3deec1b5f9eee777d12853bba30e4c16287cb94c

SHA256
2db3a91744672b47fc0a77d458c4a0dffc5311c873f5daf274f69a99248f1cc6

SHA512
9b7e60925172257a56781395369e3b813144d698b998ee8767aebe3ac765917a9e80f34864f5d196a927e93d5f34073897b6fb38e96b4864759c5a8927a3715e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\0364f1fb-b89f-4086-9e9e-ae7549857f28.dmp

Filesize
4.1MB

MD5
e2db74ed77e8a1255d71fdb1a4c201a3

SHA1
1f9722677448bf4044dce1d89666d953a85de9f0

SHA256
a39521d2637a7ad070c7171c3b060d81b4632a7e8a8e3c0d4140f4b1cad82ee2

SHA512
11e19d2d54b69864de05758ba0997b542ab623c091d9a2f60e67c8df2b6af0d7a5dc7007f64b552800c8f470258795f999807a055412b734db251d0ffc55efa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\15c6f491-fe7b-49eb-8e9b-cda45dbb0cae.dmp

Filesize
4.1MB

MD5
bce3e341edbaac087d22bb795ff1151a

SHA1
ad4d3679a5f71568166a780735bf9a2f99bf9b1e

SHA256
3c0c1956356cca0fd2ca4fd696b4fde035615a48f1fecdf291c093368f97933c

SHA512
485f0af15700aa2e03d9b54c3c8b3a208715eb28beacdcbb5d5751953de59a537991189938f5d63111dd1d59e0da2525dadd9f0346070f4299878c88faa90484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\1a22d647-a95e-4fba-abf9-66544efa340e.dmp

Filesize
4.1MB

MD5
eacca74fd37983606e27cceedd7a7d35

SHA1
e3353ac4935fe4a1d477cadbac08f17c2de9b4d9

SHA256
b093cd2c6000bb3fe66c9b8e5566521e19c04e11f931dd4ee1f41c9a1bdf748b

SHA512
a857f6ddfe8690ff52961f9a4462cf0e10443afac40eed334dec3704507ebc879153849487029a00d167d73a01f386609310dfbc359a648d7bb4e1bf90f51064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\29682cb4-6c53-4533-8449-635025801b90.dmp

Filesize
4.1MB

MD5
bc9f1a536bfe348494c6cfedc2ef5b13

SHA1
e4a90d07677c376cd2ffb5762f8f31e634bdcedd

SHA256
fefe4fd80e356684182d716e9c2fbec2d72ae3ceea4678b9dfbebeccdc4687a3

SHA512
7f8df927941c1291c64a17f39d11002fa595ccb01a69098afef70bc130c989c23c6483d84cb3b07fffcc419aaddb1cf932a85f682f1ced96dc56093e44c9f788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\37148d4c-b7dd-4be4-8355-71b1ad1ba563.dmp

Filesize
4.1MB

MD5
df33697f344ec5148fd35a11f63b4681

SHA1
04ac109874c90b3f6b57639dff5a360d6bd539ae

SHA256
e05df5940e7b0e92c0bb8bda7f577206c51f70e8f22abe9aba4ec2c0c1566537

SHA512
8e596791c036db6676628f4ef4f1e0e1abd9c272f34b549632458b03eff8a58c802149c4c9c9e764efc9b0e9ce35aac1f16781c0057d9c93997931848fb80bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\a5c1c4ad-a72a-4a6a-97de-f8fb5fcacfa2.dmp

Filesize
4.4MB

MD5
2e5f2aae55b602a52d16705967b2879a

SHA1
aa216682bd6a25da884db3c2494ea4f6e1d9ac25

SHA256
d5c11249a997802618b469676ed72d6495d00a99a62a73c1ef6e1d13ddaf449d

SHA512
3412c0f16f57a2db3adaf772b22d6408ab1b3afcd28fbe44c937a6bda1ca0ce757d4e38e8ca940e07b9b289f4acdf76d977e1907324143a704699ec6169d9894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b5dcb4cc-6b8c-4bd8-a961-fc3176d9e1e5.dmp

Filesize
4.1MB

MD5
5e818486889f4c117b139ba31dba4991

SHA1
d56602c998335ec48f19606b042d2d7ee48da967

SHA256
7a8847c6496c1dda40c58c40c394541c78b2f37c317a06a21d2089bbc0b29d24

SHA512
6ee9c15db30e8ca899be8cb2366fadcd8f083f1a7692bb4bb37a79bcca5180b0c0d1107e15b7dcb310532a2f8bce57dfd0ddb411fdbdc762929f488dce69efd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b64bc88f-728d-4ed2-a5a9-b167b091f6e7.dmp

Filesize
4.1MB

MD5
dbe3aa1d96515cfb386120cfd2556879

SHA1
e587cf98be1b2507ad83133a0f99e6ab5fe19e91

SHA256
f95b6d654929ea7a14c2929a2ab42b5469d4f6c055560e7657fe9321d97639cc

SHA512
58ecfade9783a0965c329e5f9d851d6fa23156f80872aa012379392359dcd6f46ef0052759c68c534bc81a9834b12d4693fa24b6ef640e91c0aa0074303aead3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\cd5952e8-bd47-4979-a3c8-90d9c46a4d11.dmp

Filesize
4.1MB

MD5
c3c08f13d40f89f279756e69729577ec

SHA1
8a993916ccccfb34e451c01134aa112ad73ed0da

SHA256
ca89314d1b237e44e6256804d658a396644a4b5839e50d0293c9aa26d59dec58

SHA512
0a8993c1b38e9ce583c670ac11d212abc80f1b44731dc59cc56a838a60491f1c375d7c33f89020dc25addd1f88879c5a1ebdbd340c368dbc2105770c951e7b16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e3957139-d9c2-49df-ba1e-04b85df519ed.dmp

Filesize
4.1MB

MD5
2af7a041b590915423f3880b26196c9e

SHA1
c56e48ca5b681000e289060d9add5faf3a732c07

SHA256
79ca98d7e43d0970f90b681ca8ddf302be17ead11d616ca00dc9d345985f4579

SHA512
594571c0483020f17e5fc1014b965359b698fd24503474d752032572e4692660ad3e2dc3d269c92d9c301a01efdf0129f9351380def879ca45bd7293d60e35f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
9bd0ac5b007ad73dc64fc096c2ad7c12

SHA1
2e81931337b2e69341a3f31946cb8b463d60d5c8

SHA256
57275605c03afcbaa07c202b492035c33d8d464990545e3f145ca58d73d9ba01

SHA512
6eb273c5d4e831b16dd00979151e4fafa17f896668ab6dbdd54aa5930ab9ef92f57fc7cb0b4bda34f40969bd8e7e1816fe511c429d281e54e3c17b43b7e4af1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
d3339f3c7c06719b57f1fb5cd95ef414

SHA1
ec9d4328ef42a3ff1e667a021640f4d8cc7b36e3

SHA256
f1bc9ab87cbb0c609e6d15aff5267bd69c17065060230a7696832c461dafecea

SHA512
79c4b4f6256e588b3af9fa4808f9a298ccb78432debc24b8ecbbd43176aba93b71454ec8c57cca32c34e907ff399dce667240588c1ddbd2a6c319f4c7b1a68f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000082

Filesize
174KB

MD5
21f277f6116e70f60e75b5f3cdb5ad35

SHA1
8ad28612e051b29f15335aaa10b58d082df616a9

SHA256
1537b0c18a7facad4bdfa9ae3ec84095c91467aa5cfc1d8af2724909703c2fe4

SHA512
e619f92b1ec91e467e4b11d5ad25c99b62c7216f9da81c159ae0c9ef3f9e75f48dde7bad09ee38727b5a14b827f3b813c196504057708cbfaf4bc67dbd032816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000086

Filesize
119KB

MD5
b78c208c87201efefbde1b05e311fe3f

SHA1
438bab4f023ecbc7d3d136b01966930823587804

SHA256
f6c6a469101626531293f2a4c594e86f5b8a620b9d351278d10b061e6b2b62fa

SHA512
09dd8ee68af111edebc0826a1de3bb525607828c97c377da2098522c2218bcbcbdf2eac6f58296409100a5985770f524fe5ce53fed3f6baa119b0c0eeebe1720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000087

Filesize
32KB

MD5
f7f68d7f579941cbd66024856105a134

SHA1
bc899a2d91af9d9bcea0dd311e719ffe0567b2db

SHA256
78c402fc3e57fecbbb754297137e2f57426389f1068a564f058cf7babd14e66e

SHA512
f998ae548f29973c010172697b9f8a280a8753beaa638fee668b0234cbcb9d83d490fa4404321c2cdcba7c442581e0b656abd39359b486088ddeb4064e18a277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000088

Filesize
38KB

MD5
79caf5906324cb85f7d28bf7c75aebe0

SHA1
da198e27f423a49bb433c2d3ecbcbd19bfef0732

SHA256
ee3e2c3449d73e1e5142b7a2c48ddc6b5fd3558bae949732ab1d65dfecb96902

SHA512
987bbb02571eb86da1d9048de20c9e0de9af69f855f4f31f8dd2dbd2c2dbd3c08bc28aa93d8d9ab8f0b0d65761d7e6bde5c1b9e4ce2b763857c02adbccad6023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000089

Filesize
34KB

MD5
04833ecad3785bb9dc94bf315b3f8ad8

SHA1
acbfead54b36dcf4e64d0375312fa005637c7054

SHA256
48b723270fb4c1a5a59d7c8d3e8718dcce379f874187869e64561756ab3d7a3f

SHA512
19df8e472a43fff346ecb6c061b5c4d99be12164fbbc57106755371bb0086bd524c6257043c65e713b042ea5926359babc4e1ccc27923888baa1d662be7aeab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008a

Filesize
214KB

MD5
59cd93e78422c682829b695087aa750b

SHA1
09995899c2eefa4aef3d19383098a051a5095c9d

SHA256
52110a0e17e8ee782f45a44f1224fa6f4f2a4ad51357886d08180fa2158033b9

SHA512
c6c85107258ed8a84689dd564d441d6fa56f0d930ca082d7e48731194e20fa151bc45ad899c6d9635e568b6d9870fd3657d28003969ca9b11343d38c8713e7a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008b

Filesize
20KB

MD5
5433fe77257723b25c1b7f859d78a6f7

SHA1
58a9d0317e444db9d5060be96ed665277e0b87c1

SHA256
cf309e88060ea8eee5e621da298967bc60ea95e4e595b28301d138fb463645d7

SHA512
7acef96910a748b50177812ed46bda521da7ffa1c90a36c169a5f388ff3374688c70effc0df3f0f55c3d23e7ffd014c598edee1d6025ad0693c5dd6e35bb9b16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008c

Filesize
332KB

MD5
7ec96d238a70af04c512d663c8003468

SHA1
b1374878b112f03c0ff9fba33fe5f082e19f3edd

SHA256
355d924e484d2e10c45191f1d444a4881ce08af9538bdb51874319a923053644

SHA512
88ec658590faee82a136147e4aaf66d65185d6754cf6dd0279b5f26f9a4b3da66295b55bb8af3fff870721b55722a0dcc69693db54cda0db1ea0e15116a8afe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008d

Filesize
229KB

MD5
c6334512044b038e1299c4edd3654bb7

SHA1
490f7cd5c7fdd875227c49344de31a2ca58f9335

SHA256
3724e559397032d8851ed76802b57fe479e56925d63e5d760aff536b9249df47

SHA512
b4c9d98a802525ee82dd8a0de6f07fc77c0243f7d001aca5d54b2ec71325119be45aa4e1ef5d1d035d6237ea9dcf2c976fa170550942c50b568326157d7bfd7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
dbcb682fe0e68452061883c2781de112

SHA1
1657b2d69a5eaffe959a88845ca6b78b4b4cef1d

SHA256
22cad666897f242ddc10ef9107d9285a55a6576240859646474814ae06a3fc8c

SHA512
a65902acc15a0a67f71f1c75244b063a4f3ce93bf6acab284c9339c71bb7076df4773c9ca3751864153c855a9e0f4a7e678d80a4dcded20394a5eabdf8b03787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5853a9.TMP

Filesize
3KB

MD5
980ce3dc53c32fd10dfafa6cef7290c1

SHA1
3a1fbd500f2fc6fa8f60ef89591939eccbf34f96

SHA256
2de992b80e2dbf2c762c32c62fe9c599f0cad0703db790dd2f601bebb3055121

SHA512
372c6246ea552b2d5e41100ee5e0b633eee247dbad9e15ef9dead69202730096100ca9310abf2016f7b1a445abcc0c732f2536001f8c2ba7c828cfc3e45f7a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_1\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
95a45afc22cba9c7af8ee733056e9180

SHA1
a7fc47e407884d2b60785c1fda79f042e7e6ff78

SHA256
84ebbca7483eb1e6f22d8a08cf4b54563e42140f804a2c6cb0f752737fef1697

SHA512
5c64422e88ce02e051d9fa15e664d4b0b65a2389b2de4f5a96d258e6bcda6ef35298cf95260e982c112fd49cb86ee5292f2920a1c0f8841ed6ddaadd90448d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
4175a188458dae8720dfe117c92ea4c5

SHA1
864631e12ce19b467f3893f547a039f42909ceb3

SHA256
11da6b5586dfda7320ee2f8a2878b6bb33c6bdc3b5de22d351e3ef3d91bb98ee

SHA512
6357460d669cb9ac5febf7006208209958c24c4a2ff609d86c4206904bb78933698016e963bc39d7cbada6c15f61036418cc1f06336205c51909c451de8e667d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
1affad28fa17b265af9251c69c39cd0a

SHA1
42cf6cade7b989e417d9ebd7ebc7cfb89106428a

SHA256
1c7d8b24441c6c301b1187d5c634b8945225ef0a7dcfae4c454ee854ceef8d12

SHA512
9c553bc7b9e119a0962853807f577c15c96bfd01b951a67271bf4005963fed9e3b1128a5d6c41ce112cc09f92c64653432cb6b14b3d7e0a4fa6ec826b800faca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries~RFe57ae51.TMP

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
ee397aacd81767ec4a6076adab42dc8c

SHA1
690e0b2c8dfc8ed5bc6d97ea60d27c77dbc40fd7

SHA256
66ef4dc61ed202085d1067460280b16718add5739744876b72344935f2c89089

SHA512
1863502397a28602517f1d468a2105109fa8b248ab77d4aa018c3afa74ccb31fdf629cd9c8ee62d4133751a09f0c3ca57d3e5810760b270c15e57a5f42e49c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
72b4e359db7970f570f664b6389ca719

SHA1
774a963116d55d9b7f83fc065a60de3caa1a096c

SHA256
a563a10b12c67c1661850b0b2cc91de98104d4cd675f2e684f84dea6ecc82532

SHA512
b7e13ab100d87a8a3c197a1781647239008dfe1c383018b184e346ff651ec959ee2f88f747e2ea3edb0fde61c2702b7e960694c5775a1415cf88d4a404529d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
51019bb3fdbb5da3f38f048798bf85de

SHA1
33dbb860a218b1b8ba1ae4d324b2a7d27e0dcbbb

SHA256
24266da12ee433dad8d902ce4039f62777866e31d3851427fb03457d6ce873c5

SHA512
d904f8adb430f9d4440ef276c8b48a0fc7fe073f52e9f25b217995c6810df438dda609573ebaf3e4463950e6349ff100f4438518811b304f0f8a0d1048723d67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
a31abe3654b4529fb4951cc2b499013f

SHA1
21e5af3402f609e78fba76563049adf32726d996

SHA256
fba4645486f4ff006af66aa1e87a89a28bc99dbb979a3877f9897fd971112f19

SHA512
9e0a396fe2aefc4bc3a008b021a5c70ece77620b7a1105e8413166419bfcdb57cd855693c71789899d6d995233855001c491d08e7669d3bf562f8c627453563e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
a41fd141d9226fe6132fc2afa4a16463

SHA1
a00eca9c446e56e1fb69ab5dce6d87964f28c1d8

SHA256
fda043bce87ef28bc4e6e9dace0347f78df049f2fe0d0ac704dbbb1ba1f7e408

SHA512
e22daad6094397d3d375623e4e4597ca9883109a3027a72bdf83cc3bcb96a9a7e0b43d49c2a744678ada4eec5143f47dc5f803d6b45e57f90d7556f1b48633ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
d67e0bc823a5011c75f7e4bbbf767912

SHA1
b7de8d9f0a1a02b20f8ed7c0936bad2729af138b

SHA256
51404156d7e92fa670b4c0426f04d1392ead4db0e66f3736061a2c43176a60e6

SHA512
b990db8bf65c404179924d02a18ddb77497dbbda868ee09c0dd544d8cf05078a13f3912f29db080a2a70bf3cdef587d0247bc731dcdf772a51b0bca66ed09fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
bf85b465f2c3b17fbb7bc36565fa1dec

SHA1
853b4adcee4fb046cf70b19a3459741db6c4979d

SHA256
43ea0bb92b62c6e2b631b26f9b8945e8a03774529a03bc6a52c4c8f7179b3216

SHA512
fccc6dcd9020ff9bd34138e05dfda90848052d61c3bdcd3a484d3e752b8947537431111434acc88435adddd9c1a613fe49d0a704c7cdd45a470439b8c4340107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
6bbf575b4915cc151c161439af3ae56a

SHA1
2eb264f7edcc732da9a504cf5e01cd18150f7c80

SHA256
8c241804eedbc41624010018743ecaeff43ad2540e551cf6b9e2483f7ac7e431

SHA512
7f11bbb2e8d34d41430bea72f3a50349ebd2e376a7ce665de967e91eadcd2f89ff66a693b08504790c66be942b4567590e51e0337f50e93d8ddb8b7a893b078f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
0518731831876a242bd1667e5de361de

SHA1
5394aa998f617c100610a928bd21e25ee4b8883f

SHA256
7d11392e36ec976f8cc41d25e763861d801b7d8c6a0af132e71a2d3c1ee706e3

SHA512
6e4695ccf139ec1aab87ed83b9160b40099d4f99c15f6c08e7381dbbe94a21922a2228d3356b1a5d3076b2580880a1ee6336819d4508d359aed9c8882f0c846b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
46355dfbf96ac6f65cf367d0a6688dcc

SHA1
9eda9d01a5efe6d912e1eab2bf9da38c13a427f4

SHA256
5fb53b7209f2c1c57b50b573bcdb360d39fc8ef54a3ba6be1ad762b7fd69172a

SHA512
491b0289f429a9bf3b1e5cae8c6cd7cb28862498f2ec578cf5870b6237bd36fa934b1938e8bb5f0beb660b03de9ba28458257f9bcf554e5c43736447b2e589ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
880B

MD5
c5b4bd5ee2f62ce4637cb1b88cafd377

SHA1
10d55ac9d5faf08528cab661cf5361a897e1f224

SHA256
12ca81ae95dc2710453c5c5ee96892b6df85acc07ec59f37b02c50bcc7262df0

SHA512
801fb80dfcaea480a4c91bbc618455235c4a002d2cb87858defcc1ec8034d9d3759f30b40f852c6ee5a71da5490894cf60ae39ac5a1df855c78a1e3dda43a2e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
6c95e3e181805c38298e7dded9b866a4

SHA1
fac37aa143f270aeebe99904d86f8b9425ebc067

SHA256
7333bc38dd51ffa792460b7a4080ad605adcd5535b5212ce4dda5f7d0436c210

SHA512
79f7324fbde929d441d2a9c378b8fcd8d259dc0cefa28995308549fdf0bb302a581cb10f1c733cbcdf3eb989ba7f7c870a808f664e0034893022ac0b1d69c89f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
22KB

MD5
06592b86d8ab6309c77426804f7b590e

SHA1
d63f876ab8d1dcbd92e052769cbf13f9a983534f

SHA256
43920eeafa84fd526a2e7c9bbe5de63b5306fdc17595bbc4e8ad1370f53d225d

SHA512
f2e4e7e937cdb486fa9d524b46d3a97a02624e4f612325da590fbc46ad337e063b771c8370cd389e581f1b16450c410850bf1979a46a118ded4a491fddb56ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe58318b.TMP

Filesize
3KB

MD5
c7569efb2fa9fe93c0ea2f0896f54036

SHA1
e231c700b778b624f6065b035e5803fdd8b4db4b

SHA256
2422f055fd21adce7a027c3eaab1bbc474345a26cb1b9762b3d7572ebde67d3f

SHA512
c394da9a75cca87f6e20cb2abbc2e087d3e374b613bbc960f255ebfc8f01d4349fc8a487ec56ff8141f47566cf021dc33196e42b6295ce5399ff78e5ce4b066f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json

Filesize
3KB

MD5
94406cdd51b55c0f006cfea05745effb

SHA1
a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9

SHA256
8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e

SHA512
d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
39KB

MD5
bddf968a198b414d17b284fe054e5a3d

SHA1
b9878a1a4294f477d0b93bf99e798da72bd760c6

SHA256
d44564425720493f6c2c3ca3f0ddcbc6256ee481766f41f07801650a8609fc93

SHA512
7e18ea1a5ce520c55470d5339022951bae9f1fc22e16db38083248f2335bcc51501761995e3259170ac509c21d5916dc10c0cb63a3b582b64b0ce2b337db0a85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
2f78d1253d8673b03244bda06f08015c

SHA1
9346ae25983584171dabffefb05c056a7070c731

SHA256
6a9520280fc2b3103a4dd88e0d6a05038fc17c248d30fa27ac80d861130422b2

SHA512
1e993112573ba69c9004d05343182eea9a6d0b87c82b67952fe0ac86e2f3e3ed61d67d3f9bf34efbbc38ce0db6a5244c22af33bb4f2ba0e6375d82e19f2192bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
83ecd20ac1032e1222d9ec6c3a34c09b

SHA1
29bbd4ce6465fd20ac0c8beee1fbca4c83050aaf

SHA256
58423a2ee5baf476d83d4b0ba6790a7a9f7e33ea94e8eceed28458dd57ddf2bb

SHA512
353b41d489a606ead4c625b666014cc54f7531788fecbf7b4b44d576d7d3f67886907e857d6ab6c5a63b31941585a0e26bddc64608e04f85b69877eba4b75671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
634c7bcbcd9777227dab6a3dcfdd7608

SHA1
4cf83a27438908773f4bd3ed08a38190d29385fb

SHA256
80e472b7d5d92b526e50576d67802520d8d11a03ba24a32aab5fdfd0c2152e75

SHA512
07d1b6708b50d4c8cd4ef67a5581b07d39ab806e665765c1659a0284083bc26085b8066448ea77d7cd9f35ed8f8abebfda4d28ab4007c9f7447295faae5a052e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
b70cdafa9e5a7424079332094b25b69a

SHA1
259564a8b4dd15c2dbd36b523d1ffc805a0ea200

SHA256
056de6757f0bac1bca0eab1bd5d30844c94f599b60112b27e1913e7cc6b08c25

SHA512
e9753f7c76cfc1255f59f1e9ec629f77e6bfa65000d35758981c4b280777247cfcc5831777a7cc686530ec299558b74432e3ab9205b6fc8a9fc5d41ae73f13d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
c038662eef92a58468e546c52038882f

SHA1
10839c15b397873efed2f77da60c262ab7ce4c9f

SHA256
2f4efd5507825abadef87609093856d726259519e21d9e0eacb907219a03a389

SHA512
19d8c22ee727bba57a277f5418d04631e361b839f5600a07967ba3fac61b2c6991222296c3cf2fc532b8fa5da7a411f97b0b807ee1b0d2658a9ec14de532ae16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
8748efd20c3e6356206c4ea35c714370

SHA1
d4265f123811133d8db116d60bf6f91ac180c6f5

SHA256
3cfca8178321b77ffef80205a307043cf9e6f6d8307f07bedde448bfd96618f0

SHA512
c53f2b881f4feb0c729b992597777bcb2d86ddd1c3ef6230a817272e132b6701b1046a0ac57fa3949b7ea4b6f09b2a47db34e1f713f66f043d8b36f96e2c9feb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
39KB

MD5
9a220bb317c56fcbec9889ad0fa4458e

SHA1
d9b5da8a7b4ca261eac146a0d4818998101abdb7

SHA256
6c92ea9dccc03bf0b4ffa66c26a64faf8d76fe64f1bd9ddebb17ca82afcd4fc7

SHA512
302b1a5bc852cca116ac4b457ff22d92208f5ad8d68926c9421f7ff043d916c70ed02807a62dc583aaa53121c0f5b7b38b641dfaa50d6df6f4e80756609ca150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
e28086cce4d0026b93e3ef36a6e4e20c

SHA1
745ad52b9929d796135d489af1fb3c729306baa2

SHA256
8356623206583a8c11462061147ff95a8781cbaf041d573d3bf8efce27e7bc99

SHA512
3b51840b32ef980ee0d95ded03c332cca1f0f229fdd760b22e914a8a0b7b195e307ffc7c98be10baed935f0b394a380c93b40e1fab2eae33707299844c5e1b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
904cc498bdbc4248f33df7ae7c27f1a4

SHA1
4bdb1707e528a7ce9ac2159d669a31b4c908c914

SHA256
70ff589b6f95a0c677369b1fff23b8bf51d994110bbf16bb156698381397462e

SHA512
2aa7534b0db2644d64601198ab185023f3d91571ed751431e207ceb3c01bcd4d28d47fcc4a4abca7fbc5b6e18fbcf531ffc2a25d73a561ec6877772f62a214a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
0d49ffb2fb9134a40c43ed56fc401481

SHA1
8debbda5e062e9b932193ab7f2f239979bc01202

SHA256
7f6489ffb16ac7b21a7fa05fd573addb752ef3bfb40c87b16562386d018d9e2d

SHA512
8d714dcbf332b4c66691d3481a83590277b4e1b0fd7eb5b91f2b2d67cb492ff524bf09a33a5294079a488ab3ef6cbdaa30e763f73fdabb4b99e05c6d1fc04d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
f8be262155b74bff0acbd636587b9d92

SHA1
e49aaf106248fa361fff8ac117c3420c138bcfd1

SHA256
800366bb808d1b553cd2e529044ff4dc07be302b909a504e9d0d0ac970eefa26

SHA512
1db95c21472ef848c642aae026a30a66d5dce550b83f6e804da9385551ce0f139686414f3b9719459275cbf4cbbd55c00441d070c1f95b389cb49f6df9c11e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
aafe5832f29e524710fcfec23ae98a6a

SHA1
80589c673319195244b82c120ad72305302cb708

SHA256
19b426522c18906c8c706d1bf85cf3ad078f99466ffdb9b53c1410087e73bda6

SHA512
96515715209f23318e7ec73c40bb0ee0b47945441989159381c312edd255ec5068c5c52b70711eb6b59e4eb04264e7d0b77f28a404deb3d73108a473eb55b141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe5836ab.TMP

Filesize
392B

MD5
d9dc1f939cc98d5113245d79a9185283

SHA1
98c30f413646bbb05a1109afbd046c55cd711b5c

SHA256
81e4dba14fa5efeaff1f7dbe0cb1c5fcf4580696b8d052de2d89b4bcc5093ac6

SHA512
6301f6195c0520f5d6c8c2024471d3457d3040442d2b24dd6d7aad8e58bcf686a868810c722c86f4979ce7ecb1fd5c7346959540fd7190c4057d707c6925b317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe5afcff.TMP

Filesize
392B

MD5
8870139b06bd6e7085f41a27bc39e4dd

SHA1
044ffd0156f659eedc7c465da2bdeb6e4f145cb6

SHA256
26b0c9772e458d5ea8ecea06b3fb93a2038633bfe0252117b589100d9f73a0e7

SHA512
4962c2b60264936f00183b4884a116a15e2b4515c941e85a51b902a490befb9ed6a7bef01259d97698e4b0ad9654613bce586b90e13584ee3069797eb9d5fe56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json

Filesize
2KB

MD5
499d9e568b96e759959dc69635470211

SHA1
2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6

SHA256
98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d

SHA512
3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905

Download Submit
C:\Users\Admin\AppData\Local\Temp\58a70019-7454-4084-8b7c-11ee0056b2b9.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d8606f8-46fe-4e72-a675-49dde4bc58d1.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xt0iuuis.plc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2956_1415074038\066f3fa0-8053-47d4-a226-90b9caa69d50.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9C586C53-1A81-4F81-8290-DA7D996650D2}

Filesize
4KB

MD5
dbb8fbd133437da42b18f8fc596690cf

SHA1
35daf8062283fbc2022ed9543affe6d09c2c323f

SHA256
79836fd81e56f873f7b470e19658b6d44da5ffb2dd093cbf51defcbf630fc5a2

SHA512
706795915eabab124bc9f9d4e23da3030f39ad621b1cd417b186de7050e885535fdc2d31ed20f8d10e61832229fe797d906eda37b7feae3e0fb3841d45b8aee1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
2a10d28535d677508ad6679938fd6c95

SHA1
c848f5ecad87819bf752b6c56eb6b6d9c6cdee7d

SHA256
bd45c4c9836e786498675614681d1dfba0f1e399b44ec413b70068b8e25e3498

SHA512
0894c081b2512b06531489cbf58f9086eedc3ee50545d60e1942039d1d1a349892e7b6c1ba08fea52b56dc262a5ac42264f46a849dc097a0a12948b94dbb03eb

Download Submit
C:\Users\Admin\Downloads\3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.exe

Filesize
150KB

MD5
222eab3f409f97b1a3442411676ca689

SHA1
f10f511b30ce28a817a53228adf77a6e4dd80c8f

SHA256
3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61

SHA512
184a2f4696dceb401e9d0b6bbd2747f8dd005e708cd979f8cfffb60c49160ce7f834e29505a194f26ade68e0818683333a7d5dd7fe52f3d9d0469a429c40ed53

Download Submit
C:\Users\Admin\Downloads\3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.zip

Filesize
97KB

MD5
22e318f1c8f71a5e7ba803d9d827e975

SHA1
58904934464e07ae7eaf089359049f4bd612b76d

SHA256
17eea31219c5ee4c80022bd9edf017ba1a1ee89778bed8f8329a5406562d3fa8

SHA512
af8bb0d09dba06fa4164043d602d0c79fcb80b118892ae60f07f157bff964c8cecf728c4663494131e3f24bd091f2a2c6e3d8d859093bbab3d960ae2f724482d

Download Submit
C:\Users\Admin\Downloads\3e239b8776d380eb691c859a376977409546903eba4ecd02dba754bbf7d6db61.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
150KB

MD5
b15fbd43354ec5a3cde1fb9065c43af5

SHA1
97eb142ee5681d98ec169cd778e54261272260bd

SHA256
4109f1005cdd6fdd97e26a9889294614d31498af3aac27015a8e8aa688951bab

SHA512
c8e1999ce95461c5e2b459b2956f6d70b4a34f145ae53f4509372a526aed7de5533062f4914169b10aeb053edafbe6b6a00bed832cb35ec229d7fa93658c97e8

Download Submit
C:\Users\Admin\Downloads\ae455890e2123a9d011e47065828b0a03c08fd66570fab9d0340d2f5d5eb40c3.zip

Filesize
415KB

MD5
b7df4069eebecd7ccfc3a35e5282caf6

SHA1
2005d798504fdf8ad7b557a39685111d0a6eaf77

SHA256
46c8e083631cd5ca89825b81f554119a35a2215c4d62cca93c3638cbfdd8cc3c

SHA512
b062944038e0fbb9efd1ef9ca1c8d25fdf5c997c59ad512ee47c953fb991602d5622a59792d4fd26e18f03f36abd18af7f1f172d98d69bd3ebf5b0aacc3450b4

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_1323772978\manifest.json

Filesize
160B

MD5
c3911ceb35539db42e5654bdd60ac956

SHA1
71be0751e5fc583b119730dbceb2c723f2389f6c

SHA256
31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d

SHA512
d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_329052119\manifest.json

Filesize
160B

MD5
a24a1941bbb8d90784f5ef76712002f5

SHA1
5c2b6323c7ed8913b5d0d65a4d21062c96df24eb

SHA256
2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747

SHA512
fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_387808381\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2956_429203048\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\lH0RuaZei.README.txt

Filesize
3KB

MD5
65db5ae077a794215bbdb09d32687b14

SHA1
094996df9288f29c43602fa43a0ac33aee7b2848

SHA256
1bfdb412aa3f1073218d92b6f81a10fbd764eb96b1cce29aecc6502f19f0a646

SHA512
2a138eaea63d3b41fe6539e99edf855463ad0bec8c752aaf43fe4b176186cb2e2b2a29f0f5587761c01fc0d30cdcf1af3d4f0879fc618eb170537c130c92b8a6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2081498128-3109241912-2948996266-1000\DDDDDDDDDDD

Filesize
129B

MD5
d6d754746d4acbbb17139d257e6317cf

SHA1
f59b444b6c50a0ab1c9df3c92d7d61c781f151b4

SHA256
c21bbb6705937744b854076253f7c418d524e11482ba5b7cd6ea41bf67910f0f

SHA512
6fee7fa3cad838f74b68eb62199283f0bfca27b3c5ad540f8ebc9c3c8343fceb5dc25ebe019f9a8a0c5d3a26bffb3e47e0c8ede56a97e99bc2c1eee007efb3b2

Download Submit
F:\Restore-My-Files.txt

Filesize
6KB

MD5
6d1e6377acc50d4aace1a772134aba52

SHA1
fd94f2265a116003aba54c32205b00ff7616f93b

SHA256
ffa250dcbc39604f3095f020c3adeaf7dbd0503e5554edd5832d3d1f2bc793bf

SHA512
5556c3fad3839b28b1545dc6d29ba16296714474453765896d7ebaf7dbe49eafee5884a25f598987d8451b0febc1b60b8f704aecedc825d5d48a36accf388043

Download Submit
memory/4748-5145-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4748-5149-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4748-11414-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4748-13880-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4748-5147-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4748-16662-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4748-5148-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4748-5303-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4748-18803-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4748-7976-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4748-19309-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4748-7978-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4748-5165-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4748-5302-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/6096-4968-0x00007FFD03730000-0x00007FFD03740000-memory.dmp

Filesize
64KB

Download
memory/6096-4963-0x00007FFD03730000-0x00007FFD03740000-memory.dmp

Filesize
64KB

Download
memory/6096-4965-0x00007FFD03730000-0x00007FFD03740000-memory.dmp

Filesize
64KB

Download
memory/6096-4964-0x00007FFD03730000-0x00007FFD03740000-memory.dmp

Filesize
64KB

Download
memory/6096-4967-0x00007FFD03730000-0x00007FFD03740000-memory.dmp

Filesize
64KB

Download
memory/6096-5063-0x00007FFD03730000-0x00007FFD03740000-memory.dmp

Filesize
64KB

Download
memory/6096-5064-0x00007FFD03730000-0x00007FFD03740000-memory.dmp

Filesize
64KB

Download
memory/6096-5062-0x00007FFD03730000-0x00007FFD03740000-memory.dmp

Filesize
64KB

Download
memory/6096-5061-0x00007FFD03730000-0x00007FFD03740000-memory.dmp

Filesize
64KB

Download
memory/6096-4999-0x00007FFD00CB0000-0x00007FFD00CC0000-memory.dmp

Filesize
64KB

Download
memory/6096-4998-0x00007FFD00CB0000-0x00007FFD00CC0000-memory.dmp

Filesize
64KB

Download
memory/7788-19383-0x000001616A210000-0x000001616A232000-memory.dmp

Filesize
136KB

Download