xenorat | hxxps://www[.]youtube[.]com/redirect?event=comments&redir_token=QUFFLUhqa0lEYncyOVhWS2IwMlc0NTZBTXFOT3JQV2d6QXxBQ3Jtc0trY2xVUHplN1J1bGR6MGhxRjF2YkZLNTBpVm9ienB0R3BpbDk0ekhGSWFnUHBrNi12ZWtyc3Qyc1NwUEZBTDNuMGhEUVdxM01qZjVyeEk4X2pDc1g3d1JjOXZDc2hTN0JqMGV2REIzUVRlZXZpeG5QSQ&q=https%3A%2F%2Fmega[.]nz%2Ffile%2FLoQQyJpZ%23M6Ru-TDqtJHNTbBrX29Z4GLdHxWcPGlEQcDv0vLbhVM

Analysis

max time kernel
373s
max time network
368s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqa0lEYncyOVhWS2IwMlc0NTZBTXFOT3JQV2d6QXxBQ3Jtc0trY2xVUHplN1J1bGR6MGhxRjF2YkZLNTBpVm9ienB0R3BpbDk0ekhGSWFnUHBrNi12ZWtyc3Qyc1NwUEZBTDNuMGhEUVdxM01qZjVyeEk4X2pDc1g3d1JjOXZDc2hTN0JqMGV2REIzUVRlZXZpeG5QSQ&q=https%3A%2F%2Fmega.nz%2Ffile%2FLoQQyJpZ%23M6Ru-TDqtJHNTbBrX29Z4GLdHxWcPGlEQcDv0vLbhVM

Score

10^/10

xenorat defense_evasion discovery execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xenorat

quite-cam.gl.at.ply.gg

Mutex

MSNetServiceMutex

Attributes

delay
5000
install_path
nothingset
port
16226
startup_name
nothingset

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1868-1131-0x0000000000670000-0x0000000000682000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5208	powershell.exe
5032	powershell.exe
2816	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
5004	nitrogen.exe
2552	nitrogen.exe
1868	Windows Dependencies.exe

Loads dropped DLL 17 IoCs

pid	Process
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe
2552	nitrogen.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5916	icacls.exe
5656	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateService = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Dependencies\\Windows Dependencies.exe"	nitrogen.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
234	raw.githubusercontent.com
235	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
228	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4652	cmd.exe
6060	cmd.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_1683266080\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_678682026\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_678682026\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_678682026\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_1683266080\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_794278535\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_299143456\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_2114334641\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_2114334641\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_2031918045\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_2031918045\office_endpoints_list.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_678682026\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_794278535\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_299143456\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_2114334641\nav_config.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_1683266080\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_299143456\protocols.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_2031918045\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_1683266080\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_678682026\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_2031918045\smart_switch_list.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3800_1683266080\LICENSE	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000500000001b35e-1023.dat	pyinstaller

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Dependencies.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2752	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880581255856459"	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-869607583-2483572573-2297019986-1000\{7C632588-6BBE-4D7B-B326-492A7BB63341}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-869607583-2483572573-2297019986-1000\{78533D40-D595-415E-9024-E387DD66A9BA}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-869607583-2483572573-2297019986-1000\{99CB2361-F560-433E-AECE-8CA546811E04}	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4228	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5208	powershell.exe
5208	powershell.exe
5208	powershell.exe
5032	powershell.exe
5032	powershell.exe
5032	powershell.exe
2816	powershell.exe
2816	powershell.exe
2816	powershell.exe
3800	msedge.exe
3800	msedge.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
1420	msedge.exe
1420	msedge.exe
4264	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4228	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1204	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1204	AUDIODG.EXE
Token: SeRestorePrivilege	4044	7zG.exe
Token: 35	4044	7zG.exe
Token: SeSecurityPrivilege	4044	7zG.exe
Token: SeSecurityPrivilege	4044	7zG.exe
Token: SeIncreaseQuotaPrivilege	4852	WMIC.exe
Token: SeSecurityPrivilege	4852	WMIC.exe
Token: SeTakeOwnershipPrivilege	4852	WMIC.exe
Token: SeLoadDriverPrivilege	4852	WMIC.exe
Token: SeSystemProfilePrivilege	4852	WMIC.exe
Token: SeSystemtimePrivilege	4852	WMIC.exe
Token: SeProfSingleProcessPrivilege	4852	WMIC.exe
Token: SeIncBasePriorityPrivilege	4852	WMIC.exe
Token: SeCreatePagefilePrivilege	4852	WMIC.exe
Token: SeBackupPrivilege	4852	WMIC.exe
Token: SeRestorePrivilege	4852	WMIC.exe
Token: SeShutdownPrivilege	4852	WMIC.exe
Token: SeDebugPrivilege	4852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4852	WMIC.exe
Token: SeRemoteShutdownPrivilege	4852	WMIC.exe
Token: SeUndockPrivilege	4852	WMIC.exe
Token: SeManageVolumePrivilege	4852	WMIC.exe
Token: 33	4852	WMIC.exe
Token: 34	4852	WMIC.exe
Token: 35	4852	WMIC.exe
Token: 36	4852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4852	WMIC.exe
Token: SeSecurityPrivilege	4852	WMIC.exe
Token: SeTakeOwnershipPrivilege	4852	WMIC.exe
Token: SeLoadDriverPrivilege	4852	WMIC.exe
Token: SeSystemProfilePrivilege	4852	WMIC.exe
Token: SeSystemtimePrivilege	4852	WMIC.exe
Token: SeProfSingleProcessPrivilege	4852	WMIC.exe
Token: SeIncBasePriorityPrivilege	4852	WMIC.exe
Token: SeCreatePagefilePrivilege	4852	WMIC.exe
Token: SeBackupPrivilege	4852	WMIC.exe
Token: SeRestorePrivilege	4852	WMIC.exe
Token: SeShutdownPrivilege	4852	WMIC.exe
Token: SeDebugPrivilege	4852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4852	WMIC.exe
Token: SeRemoteShutdownPrivilege	4852	WMIC.exe
Token: SeUndockPrivilege	4852	WMIC.exe
Token: SeManageVolumePrivilege	4852	WMIC.exe
Token: 33	4852	WMIC.exe
Token: 34	4852	WMIC.exe
Token: 35	4852	WMIC.exe
Token: 36	4852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2752	WMIC.exe
Token: SeSecurityPrivilege	2752	WMIC.exe
Token: SeTakeOwnershipPrivilege	2752	WMIC.exe
Token: SeLoadDriverPrivilege	2752	WMIC.exe
Token: SeSystemProfilePrivilege	2752	WMIC.exe
Token: SeSystemtimePrivilege	2752	WMIC.exe
Token: SeProfSingleProcessPrivilege	2752	WMIC.exe
Token: SeIncBasePriorityPrivilege	2752	WMIC.exe
Token: SeCreatePagefilePrivilege	2752	WMIC.exe
Token: SeBackupPrivilege	2752	WMIC.exe
Token: SeRestorePrivilege	2752	WMIC.exe
Token: SeShutdownPrivilege	2752	WMIC.exe
Token: SeDebugPrivilege	2752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2752	WMIC.exe
Token: SeRemoteShutdownPrivilege	2752	WMIC.exe
Token: SeUndockPrivilege	2752	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
4228	vlc.exe
4228	vlc.exe
4228	vlc.exe
4228	vlc.exe
4228	vlc.exe
4228	vlc.exe
4228	vlc.exe
4228	vlc.exe
2824	msedge.exe
4044	7zG.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
4228	vlc.exe
4228	vlc.exe
4228	vlc.exe
4228	vlc.exe
4228	vlc.exe
4228	vlc.exe
4228	vlc.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe
4264	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4756	SystemSettingsAdminFlows.exe
860	OpenWith.exe
860	OpenWith.exe
860	OpenWith.exe
860	OpenWith.exe
860	OpenWith.exe
4228	vlc.exe
5004	nitrogen.exe
2552	nitrogen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 4316	2824	msedge.exe	86
PID 2824 wrote to memory of 4316	2824	msedge.exe	86
PID 2824 wrote to memory of 4500	2824	msedge.exe	87
PID 2824 wrote to memory of 4500	2824	msedge.exe	87
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 892	2824	msedge.exe	88
PID 2824 wrote to memory of 2376	2824	msedge.exe	89
PID 2824 wrote to memory of 2376	2824	msedge.exe	89
PID 2824 wrote to memory of 2376	2824	msedge.exe	89
PID 2824 wrote to memory of 2376	2824	msedge.exe	89
PID 2824 wrote to memory of 2376	2824	msedge.exe	89
PID 2824 wrote to memory of 2376	2824	msedge.exe	89
PID 2824 wrote to memory of 2376	2824	msedge.exe	89
PID 2824 wrote to memory of 2376	2824	msedge.exe	89
PID 2824 wrote to memory of 2376	2824	msedge.exe	89

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4880	attrib.exe
4668	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqa0lEYncyOVhWS2IwMlc0NTZBTXFOT3JQV2d6QXxBQ3Jtc0trY2xVUHplN1J1bGR6MGhxRjF2YkZLNTBpVm9ienB0R3BpbDk0ekhGSWFnUHBrNi12ZWtyc3Qyc1NwUEZBTDNuMGhEUVdxM01qZjVyeEk4X2pDc1g3d1JjOXZDc2hTN0JqMGV2REIzUVRlZXZpeG5QSQ&q=https%3A%2F%2Fmega.nz%2Ffile%2FLoQQyJpZ%23M6Ru-TDqtJHNTbBrX29Z4GLdHxWcPGlEQcDv0vLbhVM
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x258,0x7ffd2043f208,0x7ffd2043f214,0x7ffd2043f220
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1776,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=2732 /prefetch:3
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2616,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=2608 /prefetch:2
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2256,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3500,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3504,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4192,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4268,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:2
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5164,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3680,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2032,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5108,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6080,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6260,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6400,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3560,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6524,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6484,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6472,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=6800 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3520,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7048,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6328,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=6312 /prefetch:8
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=3616,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4416,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4408,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:8
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4376,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5376,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7100,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=7104 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6988,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=6940,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5064,i,1991829170064360793,9406285550334908372,262144 --variations-seed-version --mojo-platform-channel-handle=7116 /prefetch:8
  2⤵
  PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault7d9b2b03h46abh447bh8670hac343a3479e5
1⤵
PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault7d9b2b03h46abh447bh8670hac343a3479e5 --edge-skip-compat-layer-relaunch
  2⤵
  PID:1924

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" CamSystemGlobalSwitch 344 262 90 31 webcam
1⤵
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x3e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:860
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\nitrogen.rar"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1724

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap11643:78:7zEvent14685
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4044

C:\Users\Admin\Downloads\nitrogen.exe
"C:\Users\Admin\Downloads\nitrogen.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5004
- C:\Users\Admin\Downloads\nitrogen.exe
  "C:\Users\Admin\Downloads\nitrogen.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic cpu get caption"
    3⤵
    PID:2016
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3244
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Dependencies' -ExclusionProcess 'Windows Dependencies.exe'""
    3⤵
    PID:1644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Dependencies' -ExclusionProcess 'Windows Dependencies.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe' -ExclusionProcess 'Windows Dependencies.exe'""
    3⤵
    PID:4864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe' -ExclusionProcess 'Windows Dependencies.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe""
    3⤵
    PID:3568
  - - C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe
      "C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe' -ExclusionProcess 'Windows Dependencies.exe'""
    3⤵
    PID:3032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe' -ExclusionProcess 'Windows Dependencies.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Windows Dependencies"
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:4652
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Roaming\Windows Dependencies"
      4⤵
      Views/modifies file attributes
      PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe"
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:6060
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe"
      4⤵
      Views/modifies file attributes
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Users\Admin\AppData\Roaming\Windows Dependencies" /deny Admin:F"
    3⤵
    PID:5832
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Users\Admin\AppData\Roaming\Windows Dependencies" /deny Admin:F
      4⤵
      Modifies file permissions
      PID:5916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe" /deny Admin:F"
    3⤵
    PID:5580
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe" /deny Admin:F
      4⤵
      Modifies file permissions
      PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe
1⤵
PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\a5520cf74cedd2462ce392906afc\2010_x64.log.html
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2f4,0x7ffd2043f208,0x7ffd2043f214,0x7ffd2043f220
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1920,i,715361067883569078,15403812785327185107,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,715361067883569078,15403812785327185107,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2576,i,715361067883569078,15403812785327185107,262144 --variations-seed-version --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3436,i,715361067883569078,15403812785327185107,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3452,i,715361067883569078,15403812785327185107,262144 --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4868,i,715361067883569078,15403812785327185107,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4880,i,715361067883569078,15403812785327185107,262144 --variations-seed-version --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5464,i,715361067883569078,15403812785327185107,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5580,i,715361067883569078,15403812785327185107,262144 --variations-seed-version --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5580,i,715361067883569078,15403812785327185107,262144 --variations-seed-version --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=6016,i,715361067883569078,15403812785327185107,262144 --variations-seed-version --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=6152,i,715361067883569078,15403812785327185107,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x294,0x7ffd2043f208,0x7ffd2043f214,0x7ffd2043f220
    3⤵
    PID:5948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1848,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    PID:5648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2140,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2532,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=2540 /prefetch:8
    3⤵
    PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4380,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
    3⤵
    PID:3876
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4380,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
    3⤵
    PID:2916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4484,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
    3⤵
    PID:3972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4612,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=4436 /prefetch:8
    3⤵
    PID:5140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4588,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=1972 /prefetch:8
    3⤵
    PID:4436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4564,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=4496 /prefetch:8
    3⤵
    PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3476,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=4936 /prefetch:8
    3⤵
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4948,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=4644 /prefetch:8
    3⤵
    PID:500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3468,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=4932 /prefetch:8
    3⤵
    PID:1696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=760,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=4476 /prefetch:8
    3⤵
    PID:4384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4716,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4424,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=4756 /prefetch:8
    3⤵
    PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3744,i,10664579818194493249,17512842944215647100,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
    3⤵
    PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2648

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping3800_1683266080\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3800_2031918045\manifest.json

Filesize
160B

MD5
a24a1941bbb8d90784f5ef76712002f5

SHA1
5c2b6323c7ed8913b5d0d65a4d21062c96df24eb

SHA256
2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747

SHA512
fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3800_299143456\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3800_678682026\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3800_678682026\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3800_794278535\manifest.fingerprint

Filesize
66B

MD5
3fb5233616491df0ec229ba9f42efdb8

SHA1
18a8116e2df9805accd7901d2321c3fa92da1af4

SHA256
946f3a9e019b0d80f5671de782f295132341f663f74aebad7628f22e528d6d52

SHA512
e9b17ac626bf6508db9a686825411e90d316a0f1dacbf63dbec5baaaf6b96af4dbc9a7332975b6d5c16c43757d79fddca6b888ea97bc07a8dffb1b3a06366b4d

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3800_794278535\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
17a01db02ef16b0a2b4329d826843bf6

SHA1
c9551c02ca70e3a31df4c97753fdbd2bf5abd87f

SHA256
9891b66df70fd81b3820a93fca429df18833cf52a63302d20e8445edd060d7c6

SHA512
705d7b5cd8b60278592afaabba37ada857a45e7fb50fc3ec9f1123a5355ac14ee0e44c507a8ffba9314abbcb136ce7c304c2665c9d3fba9e00f5163f8ddcdc65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
77d0224aca8b132986a3349a86d709f9

SHA1
7a12124e92e366c0cde04bb4ae0b38562c85b12a

SHA256
19e5e0a96908b6e6d9f95d20a544b43f228764cffcf730bf8e429ffe39c793cf

SHA512
a0892177560e51b076810057ddbe791879b04c80f772f345bc9ea7ef6dffd4444d62210f3d7a79b248c2862e5cf7ac73abbd11b992f36348cf954aaf6ccdab41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4facd0ff10154cde70c99baa7df81001

SHA1
65267ea75bcb63edd2905e288d7b96b543708205

SHA256
a13534df0cd0a79a3a1b91085a6d575b47d5a9aad7fc6d712fd2616c0e95a23b

SHA512
ad8d2b965851c0ddc23e92ae151b3b0b2bcda850c446f4278bdb0754d6b42ead8fc034b394749578a27b33ad7e4ab0633f974dfd4773fbe4d93ae477f00b73f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
049e5a246ed025dee243db0ba8e2984c

SHA1
15ec2d2b28dcfc17c1cfb5d0c13482d0706f942d

SHA256
33071ca42c472861a2fabd0f82f8b03ef0daaa6796b24b83f3df02587e4c3d12

SHA512
bc5f6fa6a8cae20ab40eae4552650d75f38ebb158c95288a79d9f332623bb507946513c39d19c00a5aee323df01f0f1a51c54594ef1c293289baf45f4ae2145b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
ecc7b8ac4194023c7465038c410f8ce0

SHA1
682c7ba813b284d6103aa30e1267d7a6f1d27925

SHA256
7297ec941dfb26c41143cfd9189404df8716eb18b64187454a85e6728dbea145

SHA512
6c3140024f56ddebc4acebdd12fc3513ebf6942748698c97bc9ea4693799b186fbedca88db1753f5bc7b4e1a7f6f7169fb81c94e8179f68e6addd24839866537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\27f346cb-11dd-405b-a0f0-96d4d379ec79.tmp

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ca176d3911b3824874f3dbb07ab8f44f

SHA1
daf0297438661d6c9fb6672154e88f319c0e0c71

SHA256
99f06b6d6b3c2716736a69f3b39cab512ffae31ef6abe17bcb69b58c14383b01

SHA512
7378eb117249ef3aeec6507f82440f13282ca04340679764d1a98903d96e596353f1496f631b6ccd9f83975b566704c7ed5280009a695162c0cd5691b504ebae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5800e5.TMP

Filesize
3KB

MD5
b44c73fc8b07514ec2fa3e5427303e0b

SHA1
c636f91e7b6e428a88afc4e75081e55b2d95b523

SHA256
dafc07c4d2a02b7017cc072a554cc5058531c0811cfe0d7b3817ce46baa2764a

SHA512
12ef0d793f376d9bd1ff29f6d47602144305fb025281d1f8ac9ae3006a987b7db8fb50f43c22e7f1e6083dfb6ecb331dc17fcd8832acf1553f1684f552009d8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
fe8b613cb6f0d553eed8f7c58080e3c4

SHA1
4abe8a579b682247423a55e338d905adfd0035fb

SHA256
2f7a289c089967aa74394584c4df9400525ad6ba3cdecb9f7871622abdeab4ea

SHA512
1c6a3230de3661694b347b9c1bde25d3ff584a241802b7918fcb48777f7903a2a571deff0ad37a3f607b701ef62c053db3c52628fae25c02065b057d1dbc224b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\98305a23-58cd-43c9-afca-a79bdee31c1d.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\2b461762-f4f4-4195-8513-7785dfb78f31.tmp

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ef59ba160492bab4b62ab2a707346bda

SHA1
24a312bb0f5d7810f415bca33f4a46a573967bd5

SHA256
d45943dd7f078ae5f7dbd8fda0fb34c0e278aff1042759bdd0a4f260e6b7c5c7

SHA512
9c3e6eee6b146511dfb94823ed745ed72bfdd9eb77b861962827906b36dc36790fe5a3705daccd000542edffe3e2db5240c4ef3b8dfcc6b4cacecd789b0fd4bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9f004a42b50df746dbe6086b91a46482

SHA1
9867cdc0f074f94f0967248474071cb08836ad70

SHA256
00236149ed19f35838e08bd2973876c52ff5e43735405ffdd02e3897c2a7cb92

SHA512
084ae7645178a2abb4758cbe6f13c08568ce35a3b91af0bb11ca7e23f8b975648b12f0364d45672a5a113e4f919d77c66cdb7109a5631876801ccad0dab2927b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d8df1657bb059f583c88962e1decc750

SHA1
1e6b7fe1bf684e9bc54d453190c1b86d651535c1

SHA256
2b18116ad1f910d35f5b9e459c5ce27383aad2711dae8950ab4a01ed11311476

SHA512
ff4b8f94a800a1157353a56bc8e949d4cbbe5cb10389ced3e8ce2908118ed4b13396958290f6d027a61f3e8f34a9a657c08e45efac8a8d53b376a5975344fc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
864140e755dff67ee843a9dab2ec893a

SHA1
7273f8a173c04c13b1cc500858aa92a5d326b867

SHA256
022d3ea271086246f5d19d702242863a1b04e7771902a5c3fb6bda9132302b47

SHA512
1835a808b634df55744fae82e278084301b53ac36d031a255298227b6e82459fc4928af0ab89f2c9d4dac00fb56dff699ee0d99c1b89b268cea13a67db63f962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
16923e6b5199c496f4f353ddeae7e67c

SHA1
950bfb94904c542e690e8756db95e55e62beaa3e

SHA256
ce92b225227c2a2a85cdd9468fa3f759f81ffbdd3d0b3f5fd048cd4a15cceda3

SHA512
a66982236ccf4da9675759a2c88a891452899d23294d2dbe8cdabab5736f19de84a69fdc0ac421ba171f7d03e1198fa8c978963f840f75493f42a496eba38e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
72ccf28995b22e3262a8e5f252bfa460

SHA1
1ef453dd033982150be712d6199ccb20649ac17e

SHA256
06ea7b9ba8b9c429b6b000efef20e2ecd11a8dbf2421c10d033ffc39ea5d75cc

SHA512
f34fba73ded233d1d53a26cfb277d5a088366665a0c3bda73e9dfe6926ca3174cd6ca311ed2885e8e68a578ba35e9bc80c810fc9e8779f77e1f7f77ddbd69561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
29d89b1d5874095b2f939dd3ca24ddf7

SHA1
e5d024818b49131838b1b526863b3b39161c610a

SHA256
4d82b21428eebc4902604ccaf64fa36da91ee9124ad899df51b19e06f5248cfa

SHA512
47ab47d8e2eb7107d6250f16238cddcebe951f1267f93f762789717ece4d02aecc8bda8a721e5ec26f3b23702aa75f1312c6ffc9df00bf96989069bbbdcb2bb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
fb8ef7abbca0656a8b1f47eeec1a8dea

SHA1
2589a91171f50e91bba8134ed95eb73f2b5ebf76

SHA256
d49008bbe089334c90191f19348a564745de85f6d5b25d02164ccb891d05ce9d

SHA512
49fb9d5eb53ad3f8bf6631d5a9f36f586eaaafd9386f08fa0280b5e1d6f9bd5c92b7ed49a6879ed2c606d62800f5b2b1612385f8a509cba0ecb0b7e81ca73cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
32KB

MD5
c380a0941cc2a6f5acb05f4b52277d5e

SHA1
6f05c494c9084c9afa91eaf8590989058685e9a7

SHA256
8fd00f29b97542eb5f03859719130c18f2ba8e5d343b590e3f9549307d3a8f17

SHA512
d889f091e3cfb21a00086c0c9b46692477fb0f20abdf69607325a668508293795679901bd5d12429e6f7c85137ca6d3f72fea1a108c05cdaa25028df64039111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1594f65cd646928590561018a786d847

SHA1
18a98e8fdfdbaff6519f1daf739429ac1539749e

SHA256
fb9b910558e3dfdfea19902cd68320643d189606f916b15ea49e808c75cd5a5c

SHA512
603c776b8bb1d2a0d81589c9319b70f4d4de0b5b9c857b719ee27399fab6d4828022dcfb138b31a56f043728ae0ff30eeba2ed1b9ba3c13075580c69d427751d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ed9c.TMP

Filesize
48B

MD5
f92385ded3596cd58fab201f72ab6fd9

SHA1
656f8b8cf6336fe6cd082ad553a9c98369cf8492

SHA256
c424086d35066b745c10266843d4b850e1e87ef0909653aa97bb135bd2c64941

SHA512
2b69ed7bfabb5f22bdc28768e182e4848f3ded6c08fd86fce203ff2bbeebabb8a76ad45cf459f534135d0a7dd83d9c4ce24e226981e485d16641220f455325f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
806fe51cd8d95a09965509113604140d

SHA1
30ae86855bcd9b6d625df4a8de4f0163900bd84a

SHA256
c994071fc92e9d71d9062ec31d7b9c053238dc4f3dbc30b33f00f9520d2c1444

SHA512
d9b74374845907d676cdbfeecd0a6d2d5c2b4d33cdb171ee6dff8f7a2f652740e6c9ac1ab9a766b375eb9ced84d6ef6ac388999dd5cc62895ad7666f6720c34b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
22395e8ac76d9b737199e576ff6bb791

SHA1
395511903f0fab951a3f79a630b95d5dbfdd836c

SHA256
5ad9aeec4c41b11b39a56ee1c6bd9f86945d94696d5dcf8edc36f0bc753753aa

SHA512
dff9e0dbde5cd8ad5d9a98b4c811f67c850ea1f8e966aac522229a669bd2ff9083df59f1e1f9b33cb3d2dffb01a670f74223c1b8e6c67735147d2a9ef29258ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
864B

MD5
c916932cf34d5c7dfb9344d4fcf1666d

SHA1
b425c79860a059013017a0fd80dcbf353ba39976

SHA256
9ff5837164b34ee54bc09c58d16102aa216fe9d7c8158bf6d235c9f09cf366ce

SHA512
75e5a3c9199abbb131733e0986c8f9e84605d74c6d12a0ec1285398c6e9a37e851a6d84d682765d34936c9c819d3d82bd363a12b1c9215e3b400a55ea25b7333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
458B

MD5
6cf051ce701765cdeb758c44e17a301d

SHA1
85007d6a3547f69160128907075d89922d09363a

SHA256
6b75f25a48f62688b8fc11980ff92d517de80cb7ed32889a5c5ba0571014af5c

SHA512
806312b59e03c5f9a44756fe034890cc66b51c72f6d943207c714fd8337e9de51836f0aa4e25f0e3a5b1773e411133cd579556dc8f55c08e554d8a1321d990a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe586d9a.TMP

Filesize
461B

MD5
7116d6f1ec8f58397860addae46069e4

SHA1
114bf832a9f4314a294949022233d0a66f63fc47

SHA256
1432fa00e26ce0333b297d235ebbee39c3142a000d1844415bdec7ccb7753a3a

SHA512
84cac8a25c1650429114ce7cdea554e3af3ff85a4377ae211e55464445198c5242ccab23aa895dc60e3ac09b68ba3088088499646b89ca8a58f3ca5097d2a81e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
22KB

MD5
650e9334c4c2b1df2a30de8b71135993

SHA1
0559643b218c43fcce2183a814ac12385b9a80b7

SHA256
a072d79625d42e80c5e634610800f68f8413b2560bef8f2716d3d63cd5841de0

SHA512
47be63d7fe283458928e15ba43df9c18a908dd84be5ebb379db9434004ccceca8aa589f506fbecbe16b1f6840f3d45ca54fc78f087dc32f9b5feea8508ecbdba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe586f9d.TMP

Filesize
3KB

MD5
b9c044ce29da6592b5b866f40fa25c4a

SHA1
5e5276f5de07e1523e335a6b785dfa100d0de1cc

SHA256
516dc087651177f039d3430333d5ccea795d72ceb3f10d98a9c9fd488fcdfbe8

SHA512
2ab192b731d51d9d0fc99efb9697d97c7826211216780c79af87377b7b259e92a92bd7d1ec2fabbb08c9197c6cf786992356d48c436ef5731d8ab8d47c093927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json

Filesize
3KB

MD5
94406cdd51b55c0f006cfea05745effb

SHA1
a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9

SHA256
8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e

SHA512
d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
46KB

MD5
ef32d21a34e6955b7a8f734ad8264412

SHA1
39db82c8e0d7184d341bbe128beeeb57969aa8ea

SHA256
0158d6e87e736990c36449b800ea29f25669a111478d75369c4e8278544d629a

SHA512
c3d5073799054696e9849903deb67d562884055bba43ce8477e6f381ecbd014ba27bf832013712383da1dc2d8f8a640ef55867749fa14913ce8566fe5053f9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
fd61999502004789920b134dbb3da045

SHA1
4c95467ae24c9007bf6359928b668092b4c6a0c1

SHA256
7f741489db3bb328e7bcab7301e23b78c308199f99f19537059f2015b3e9d094

SHA512
a2bb9f74a588ec69221fe492bb5c297de933bf032d05c3f5ca8a647d89bfd929f25cac3a4c1fae105f6dd3ae45651fcc31793bc954efe5e71511c81fb40f39ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
ca1865eb7c59e6a3e300185dad475781

SHA1
1ec866c8a065ab6fa666e2a778d0433c0717d74e

SHA256
26baf8edd13dbcc154213bdec78e7da66676445b49e433c6e52b14338ae1f9dc

SHA512
bc9c32d8701ef5be90547286152c5c67e258008ebd5f76f3fbaf6214f49dea6c9bd72dd9f5a3726ba418a7d6e664e64d41e86cb18e970c35d3ccc1a4e7d5672a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
005ecfccc69355efff9b20429c9567fe

SHA1
1ca615f7f74a0f8e609f19e3ef60aa7bf0f9a6c6

SHA256
af257b7b785641797a615314f4f6d61a6ae6e111a3d25ff2a5e9fceb20c9458d

SHA512
d3d9a73237eb2a92c86d233842f026c8e4deb6ef8b4f396596819e808d638e82683469215b9e2cb75bf92e8226f165a0d76521e4c0ff1e586d90bb55f876341e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
43KB

MD5
377787c6e39a794517298ec6c038fea6

SHA1
2d9bfd17b49420a8111e5851e474b3333885695c

SHA256
446416be79338dad02a6c0b85a5038949ca955cf1d3045331832e588658e65d2

SHA512
2caa08339af2feff6f75224332cd27444d9b5fab11add03c892c0258d5e34cdf17e0124378e87631555850580646230342d8bac717922428eeb2598b2ee6709e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
45KB

MD5
9918091d051c5c2b658aa011d2a50cef

SHA1
d9efc575b6199c19f3c882f771003a194f11a85d

SHA256
3e10a8ce3c3d5bd71766764a267cbced8472d3b49de5d99da4543285ee4a5c44

SHA512
56c6c924d424388602036826e2bf11dc06eb5562bfb0264019af894f56cc0291ecd00a5b3bd5e81cd41faf64967da50b18829017f9139a548d3dd4c71c293364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
7887aa932d5e76990da7996fdc427fd3

SHA1
78c17c529deb5a00a5a648c98701e4fd923241cb

SHA256
53022ad551af2742b9f50a505a75f1fcb127baa98d665d9baa7d1109e2d2ada7

SHA512
62066f94a62e0139a4ee34e6c6f1c03118ea9ed82fa285e134f9a2fa8f985a89c3c7cc287ab3366cca7322f8c36c567fa0212a4957c95fccd4c7d90fb4f06927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e45df399-5cbb-43c0-8a2f-089f3ef5b653.tmp

Filesize
34KB

MD5
535cafc6636fdd38ce7766fbd7b04a4f

SHA1
9daae6fb4ae3133c50b5f7ce6f49980df914bbde

SHA256
51bb0c3284ab88cca29f682b19c72e120ea217364deb8b466396018552dedb8d

SHA512
e32dce6285d31bfa6c761901e7a16c3d5902ecb8368ca204a3dd41f1978ac64a76146918cfe03a74a6af399f8e3b2b91c3b34633f200330a7ae73dc385202eee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
0c613179c48a7a8cea621591cee576ca

SHA1
c7c8c26274508035dea97f479d4c3e70a7ea473b

SHA256
aede79b8dc7068aa7446783b06b146770b14d6f8f7e5866da36771d4df10bd91

SHA512
e371a232c0ed088bdb1d235a2e59a3bd14f03fa120e102ec6bc5826b5461bb921f346d6beddd61fcc5a01e5951bce783f3bcc61770406b5ad93ac1bd2abaaac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d0d65fd-8377-4b1f-88d3-3d3fb36323b0.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_asyncio.pyd

Filesize
62KB

MD5
2859c39887921dad2ff41feda44fe174

SHA1
fae62faf96223ce7a3e6f7389a9b14b890c24789

SHA256
aebc378db08617ea81a0a3a3bc044bcc7e6303e314630392dd51bab12f879bd9

SHA512
790be0c95c81eb6d410e53fe8018e2ca5efd1838dc60539ebb011911c36c8478333ee95989cfd1ddaf4f892b537ae8305eb4cd893906930deae59c8965cf2fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_bz2.pyd

Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_ctypes.pyd

Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_decimal.pyd

Filesize
245KB

MD5
d47e6acf09ead5774d5b471ab3ab96ff

SHA1
64ce9b5d5f07395935df95d4a0f06760319224a2

SHA256
d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

SHA512
52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_hashlib.pyd

Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_lzma.pyd

Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_multiprocessing.pyd

Filesize
32KB

MD5
1386dbc6dcc5e0be6fef05722ae572ec

SHA1
470f2715fafd5cafa79e8f3b0a5434a6da78a1ba

SHA256
0ae3bf383ff998886f97576c55d6bf0a076c24395cf6fcd2265316e9a6e8c007

SHA512
ca6e5c33273f460c951cb8ec1d74ce61c0025e2ead6d517c18a6b0365341a0fd334e8976006cd62b72eb5620ccc42cfdd5196e8b10691b8f19f69f851a440293

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_overlapped.pyd

Filesize
48KB

MD5
01ad7ca8bc27f92355fd2895fc474157

SHA1
15948cd5a601907ff773d0b48e493adf0d38a1a6

SHA256
a083e83f609ed7a2fc18a95d44d8f91c9dc74842f33e19e91988e84db94c3b5b

SHA512
8fe6ac8430f8dde45c74f45575365753042642dc9fa9defbcf25ae1832baf6abb1ea1ad6d087e4ece5d0590e36cee1beea99845aef6182c1eec4bafdf9557604

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_queue.pyd

Filesize
30KB

MD5
ff8300999335c939fcce94f2e7f039c0

SHA1
4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a

SHA256
2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78

SHA512
f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_ssl.pyd

Filesize
155KB

MD5
069bccc9f31f57616e88c92650589bdd

SHA1
050fc5ccd92af4fbb3047be40202d062f9958e57

SHA256
cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32

SHA512
0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\base_library.zip

Filesize
1.4MB

MD5
fa9a6d56ad0bc6e80f0b2e0b72c1e67b

SHA1
dc5f1e742394b6b4c2638187dbd50571b995b57c

SHA256
5c582bf7c05302569f9fe788b229c43133e64c0a9e9ff90359676805be645a49

SHA512
89c566c2d15d3a2c9d307b8b9a61747dfc1d76a3d43a68ecd78832e1c0e77ece26b48188193d88d5fe1e6fa6f79bc02e08aa5d1a1caaf8e82df48eccd684be3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\libffi-8.dll

Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\libssl-1_1.dll

Filesize
686KB

MD5
8769adafca3a6fc6ef26f01fd31afa84

SHA1
38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

SHA256
2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

SHA512
fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\pyexpat.pyd

Filesize
193KB

MD5
1c0a578249b658f5dcd4b539eea9a329

SHA1
efe6fa11a09dedac8964735f87877ba477bec341

SHA256
d97f3e27130c267e7d3287d1b159f65559e84ead9090d02a01b4c7dc663cd509

SHA512
7b21dcd7b64eeba13ba8a618960190d1a272fa4805dedcf8f9e1168aebfe890b0ced991435ecbd353467a046fc0e8307f9a9be1021742d7d93aa124c52cc49e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\unicodedata.pyd

Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ynnufh2.2wn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2d438d7-8911-45d4-975b-e8fcd4cd0f8f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\c217b698-374f-4062-87ae-1bb910608309.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\Downloads\nitrogen.exe

Filesize
8.3MB

MD5
6cc6edeaa035b7a44e779a7d954a1a10

SHA1
c2417396c5e821fc3ba2189b9964fdcbe5e5e705

SHA256
fcdd01f6d2acbe73024b80ca7a206d8003a7059ab8cf5c74aabf73139dafb621

SHA512
5867bc4569f1afe5cf88e670cab3d06298531ff8c357d9941ae12f7b2272cf5be34f58ef47bb4926d76a8e68fd806a8056fb59f353bb6db97b4c373b2bcc8d8b

Download Submit
C:\Users\Admin\Downloads\nitrogen.rar

Filesize
8.0MB

MD5
db499cb5c108a3329f10bf82365a9852

SHA1
d75ead959224fe33b2cf5373acd44c62573b2765

SHA256
47d0da40aef454e79def303c63906e26d109e8afcf882734b2247b5c712451d5

SHA512
f64396554ea33c30aae0c47fa09677f69fc97c1ec9ef41f3a6f5eea6c306072b31c185344c10932aac15a1370342c286f1d20e1aa8ef8b63f4c1ea25df91efe8

Download Submit
memory/1868-1131-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/4228-959-0x00007FFD1A0B0000-0x00007FFD1A2BB000-memory.dmp

Filesize
2.0MB

Download
memory/4228-955-0x00007FFD1CE60000-0x00007FFD1CE77000-memory.dmp

Filesize
92KB

Download
memory/4228-960-0x00007FFD15760000-0x00007FFD16810000-memory.dmp

Filesize
16.7MB

Download
memory/4228-962-0x00007FFD1CE80000-0x00007FFD1CEA1000-memory.dmp

Filesize
132KB

Download
memory/4228-963-0x00007FFD1BA20000-0x00007FFD1BA38000-memory.dmp

Filesize
96KB

Download
memory/4228-964-0x00007FFD1BA00000-0x00007FFD1BA11000-memory.dmp

Filesize
68KB

Download
memory/4228-965-0x00007FFD1B260000-0x00007FFD1B271000-memory.dmp

Filesize
68KB

Download
memory/4228-966-0x00007FFD1AAD0000-0x00007FFD1AAE1000-memory.dmp

Filesize
68KB

Download
memory/4228-956-0x00007FFD1C860000-0x00007FFD1C871000-memory.dmp

Filesize
68KB

Download
memory/4228-961-0x00007FFD1AAF0000-0x00007FFD1AB31000-memory.dmp

Filesize
260KB

Download
memory/4228-957-0x00007FFD2B230000-0x00007FFD2B24D000-memory.dmp

Filesize
116KB

Download
memory/4228-958-0x00007FFD1CEB0000-0x00007FFD1CEC1000-memory.dmp

Filesize
68KB

Download
memory/4228-953-0x00007FFD1DC30000-0x00007FFD1DC47000-memory.dmp

Filesize
92KB

Download
memory/4228-949-0x00007FF61C150000-0x00007FF61C248000-memory.dmp

Filesize
992KB

Download
memory/4228-950-0x00007FFD1D2B0000-0x00007FFD1D2E4000-memory.dmp

Filesize
208KB

Download
memory/4228-954-0x00007FFD1D4E0000-0x00007FFD1D4F1000-memory.dmp

Filesize
68KB

Download
memory/4228-951-0x00007FFD1AC30000-0x00007FFD1AEE6000-memory.dmp

Filesize
2.7MB

Download
memory/4228-952-0x00007FFD1E010000-0x00007FFD1E028000-memory.dmp

Filesize
96KB

Download
memory/5208-1097-0x000002A17D7C0000-0x000002A17D7E2000-memory.dmp

Filesize
136KB

Download