darkcomet | hxxps://files[.]catbox[.]moe/u6ag3a[.]rar

Analysis

max time kernel
630s
max time network
632s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://files.catbox.moe/u6ag3a.rar

Score

10^/10

darkcomet nanocore guest16 defense_evasion discovery keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

jvjv2044duck33.duckdns.org:1604

Mutex

DC_MUTEX-XRPJ1DD

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
pTznB8ghEqA5
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	JVJJVJJ.EXE

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Disables Task Manager via registry modification
defense_evasion

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4416	attrib.exe
1396	attrib.exe

Executes dropped EXE 64 IoCs

pid	Process
3276	Free robux.exe
2984	JVJJVJJ.EXE
5496	POO.EXE
1412	msdcsc.exe
3364	msdcsc.exe
4736	msdcsc.exe
5360	msdcsc.exe
2412	msdcsc.exe
5740	msdcsc.exe
2604	msdcsc.exe
4456	msdcsc.exe
1316	msdcsc.exe
2336	msdcsc.exe
3224	msdcsc.exe
4916	msdcsc.exe
4664	msdcsc.exe
5768	msdcsc.exe
5116	msdcsc.exe
440	msdcsc.exe
2028	msdcsc.exe
6136	msdcsc.exe
5888	msdcsc.exe
5492	msdcsc.exe
5888	msdcsc.exe
2940	msdcsc.exe
496	msdcsc.exe
4416	ButterflyOnDesktop.exe
5940	msdcsc.exe
2260	msdcsc.exe
1064	msdcsc.exe
820	msdcsc.exe
2524	msdcsc.exe
4824	msdcsc.exe
5280	msdcsc.exe
4776	msdcsc.exe
2376	msdcsc.exe
1708	msdcsc.exe
4604	msdcsc.exe
2844	msdcsc.exe
4736	msdcsc.exe
3932	msdcsc.exe
4824	msdcsc.exe
1672	msdcsc.exe
3080	msdcsc.exe
4452	msdcsc.exe
6028	msdcsc.exe
5964	msdcsc.exe
3416	msdcsc.exe
4640	msdcsc.exe
4452	msdcsc.exe
3048	msdcsc.exe
5752	msdcsc.exe
2304	msdcsc.exe
3352	msdcsc.exe
2184	msdcsc.exe
2032	msdcsc.exe
5028	msdcsc.exe
4284	msdcsc.exe
2568	msdcsc.exe
2896	msdcsc.exe
4900	msdcsc.exe
1596	msdcsc.exe
2844	msdcsc.exe
3472	msdcsc.exe

Loads dropped DLL 1 IoCs

pid	Process
5996	msedge.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop = "C:\\Users\\Admin\\AppData\\Roaming\\ButterflyOnDesktop.exe"	ButterflyOnDesktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	JVJJVJJ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "Dead Fish-GDIOnly.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe"	POO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "[email protected]"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	POO.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msdcsc.exe
File opened (read-only)	\??\G:	msdcsc.exe
File opened (read-only)	\??\I:	msdcsc.exe
File opened (read-only)	\??\X:	msdcsc.exe
File opened (read-only)	\??\Q:	msdcsc.exe
File opened (read-only)	\??\J:	msdcsc.exe
File opened (read-only)	\??\K:	msdcsc.exe
File opened (read-only)	\??\L:	msdcsc.exe
File opened (read-only)	\??\N:	msdcsc.exe
File opened (read-only)	\??\O:	msdcsc.exe
File opened (read-only)	\??\S:	msdcsc.exe
File opened (read-only)	\??\T:	msdcsc.exe
File opened (read-only)	\??\M:	msdcsc.exe
File opened (read-only)	\??\P:	msdcsc.exe
File opened (read-only)	\??\U:	msdcsc.exe
File opened (read-only)	\??\V:	msdcsc.exe
File opened (read-only)	\??\W:	msdcsc.exe
File opened (read-only)	\??\Z:	msdcsc.exe
File opened (read-only)	\??\A:	msdcsc.exe
File opened (read-only)	\??\B:	msdcsc.exe
File opened (read-only)	\??\H:	msdcsc.exe
File opened (read-only)	\??\R:	msdcsc.exe
File opened (read-only)	\??\Y:	msdcsc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x003000000002ae07-1809.dat	upx
behavioral1/memory/2984-1815-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3364-1827-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4736-1828-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5360-1829-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2412-1830-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5740-1831-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2984-1833-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-1834-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-1838-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2604-1840-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4456-1841-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1316-1882-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-1881-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1316-1884-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2336-1928-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-1927-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2336-1929-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3224-1930-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4916-1942-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-1978-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4664-1980-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5768-1992-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-1991-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5768-1994-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5116-2014-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-2013-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5116-2016-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-2029-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/440-2031-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2028-2032-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/6136-2064-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/6136-2066-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-2096-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5888-2097-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-2395-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5492-2397-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-2625-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5888-2627-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-2637-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2940-2638-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2940-2639-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/496-2644-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-2643-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/496-2646-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-2673-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5940-2675-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-2692-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2260-2694-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-2701-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1064-2702-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1064-2703-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/820-2706-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/820-2709-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2524-2990-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-2989-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2524-2992-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-3007-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4824-3009-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1412-3029-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5280-3031-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4776-3034-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2376-3036-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1708-3067-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TCP Subsystem\tcpss.exe	POO.EXE
File opened for modification	C:\Program Files (x86)\TCP Subsystem\tcpss.exe	POO.EXE

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-shared-components\fi\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\vendor.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-ec\pl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-notification-shared\fi\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\wallet\wallet-checkout-eligible-sites-pre-stable.json	msedge.exe
File created	C:\Windows\rescache\_merged\425634766\1745448155.pri	LogonUI.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\hyph-it.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\bnpl_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-mobile-hub\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\wallet-webui-792.b1180305c186d50631a2.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_142885172\deny_etld1_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_137568678\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\hyph-cu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\hyph-el.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\hyph-ml.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-hub\cs\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-hub\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-mobile-hub\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-notification\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-tokenized-card\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\wallet.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_717289677\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1980678810\Part-ES	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-hub\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-mobile-hub\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\Notification\notification.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\wallet-webui-560.da6c8914bf5007e1044c.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-notification-shared\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\hyph-hr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\hyph-hu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\hyph-ru.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\edge_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\Tokenized-Card\tokenized-card.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\wallet_checkout_autofill_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-notification-shared\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_443335705\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\hyph-as.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-notification-shared\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\hyph-en-us.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1980678810\Filtering Rules-AA	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1541825136\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-ec\fi\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-notification\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-notification-shared\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\Notification\notification_fast.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1541825136\edge_confirmation_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-ec\hu\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-hub\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-hub\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-notification\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-shared-components\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-tokenized-card\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\Mini-Wallet\miniwallet.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_667328062\Microsoft.CognitiveServices.Speech.core.dll	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-ec\da\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-hub\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-shared-components\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\Wallet-Checkout\app-setup.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1254059393\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-ec\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-hub\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-hub\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-shared-components\da\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\hyph-mn-cyrl.hyb	msedge.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Free robux.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Free robux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JVJJVJJ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POO.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133892005854614169"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "87"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JVJJVJJ.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2211465213-323295031-1970282057-1000\{D5D34471-93AE-440E-90EC-B4C1B1AB67B1}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\u6ag3a.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\u6ag3a (1).rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Free robux.exe:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
5212	WINWORD.EXE
5212	WINWORD.EXE
3172	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5996	msedge.exe
5996	msedge.exe
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE
5496	POO.EXE

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
5544	msedge.exe
5496	POO.EXE
1412	msdcsc.exe
3172	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2984	JVJJVJJ.EXE
Token: SeSecurityPrivilege	2984	JVJJVJJ.EXE
Token: SeTakeOwnershipPrivilege	2984	JVJJVJJ.EXE
Token: SeLoadDriverPrivilege	2984	JVJJVJJ.EXE
Token: SeSystemProfilePrivilege	2984	JVJJVJJ.EXE
Token: SeSystemtimePrivilege	2984	JVJJVJJ.EXE
Token: SeProfSingleProcessPrivilege	2984	JVJJVJJ.EXE
Token: SeIncBasePriorityPrivilege	2984	JVJJVJJ.EXE
Token: SeCreatePagefilePrivilege	2984	JVJJVJJ.EXE
Token: SeBackupPrivilege	2984	JVJJVJJ.EXE
Token: SeRestorePrivilege	2984	JVJJVJJ.EXE
Token: SeShutdownPrivilege	2984	JVJJVJJ.EXE
Token: SeDebugPrivilege	2984	JVJJVJJ.EXE
Token: SeSystemEnvironmentPrivilege	2984	JVJJVJJ.EXE
Token: SeChangeNotifyPrivilege	2984	JVJJVJJ.EXE
Token: SeRemoteShutdownPrivilege	2984	JVJJVJJ.EXE
Token: SeUndockPrivilege	2984	JVJJVJJ.EXE
Token: SeManageVolumePrivilege	2984	JVJJVJJ.EXE
Token: SeImpersonatePrivilege	2984	JVJJVJJ.EXE
Token: SeCreateGlobalPrivilege	2984	JVJJVJJ.EXE
Token: 33	2984	JVJJVJJ.EXE
Token: 34	2984	JVJJVJJ.EXE
Token: 35	2984	JVJJVJJ.EXE
Token: 36	2984	JVJJVJJ.EXE
Token: SeIncreaseQuotaPrivilege	1412	msdcsc.exe
Token: SeSecurityPrivilege	1412	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1412	msdcsc.exe
Token: SeLoadDriverPrivilege	1412	msdcsc.exe
Token: SeSystemProfilePrivilege	1412	msdcsc.exe
Token: SeSystemtimePrivilege	1412	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1412	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1412	msdcsc.exe
Token: SeCreatePagefilePrivilege	1412	msdcsc.exe
Token: SeBackupPrivilege	1412	msdcsc.exe
Token: SeRestorePrivilege	1412	msdcsc.exe
Token: SeShutdownPrivilege	1412	msdcsc.exe
Token: SeDebugPrivilege	1412	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1412	msdcsc.exe
Token: SeChangeNotifyPrivilege	1412	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1412	msdcsc.exe
Token: SeUndockPrivilege	1412	msdcsc.exe
Token: SeManageVolumePrivilege	1412	msdcsc.exe
Token: SeImpersonatePrivilege	1412	msdcsc.exe
Token: SeCreateGlobalPrivilege	1412	msdcsc.exe
Token: 33	1412	msdcsc.exe
Token: 34	1412	msdcsc.exe
Token: 35	1412	msdcsc.exe
Token: 36	1412	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	3364	msdcsc.exe
Token: SeSecurityPrivilege	3364	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3364	msdcsc.exe
Token: SeLoadDriverPrivilege	3364	msdcsc.exe
Token: SeSystemProfilePrivilege	3364	msdcsc.exe
Token: SeSystemtimePrivilege	3364	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3364	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3364	msdcsc.exe
Token: SeCreatePagefilePrivilege	3364	msdcsc.exe
Token: SeBackupPrivilege	3364	msdcsc.exe
Token: SeRestorePrivilege	3364	msdcsc.exe
Token: SeShutdownPrivilege	3364	msdcsc.exe
Token: SeDebugPrivilege	3364	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3364	msdcsc.exe
Token: SeChangeNotifyPrivilege	3364	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3364	msdcsc.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
4416	ButterflyOnDesktop.exe
3172	vlc.exe
3172	vlc.exe
3172	vlc.exe
3172	vlc.exe
3172	vlc.exe
3172	vlc.exe
3172	vlc.exe
3172	vlc.exe
3172	vlc.exe
1412	msdcsc.exe
1412	msdcsc.exe
1412	msdcsc.exe
1412	msdcsc.exe
1412	msdcsc.exe
1412	msdcsc.exe
4416	ButterflyOnDesktop.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
4416	ButterflyOnDesktop.exe
3172	vlc.exe
3172	vlc.exe
3172	vlc.exe
3172	vlc.exe
3172	vlc.exe
3172	vlc.exe
3172	vlc.exe
3172	vlc.exe
4416	ButterflyOnDesktop.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2128	msedge.exe
5544	msedge.exe
1412	msdcsc.exe
5212	WINWORD.EXE
5212	WINWORD.EXE
5212	WINWORD.EXE
5212	WINWORD.EXE
5212	WINWORD.EXE
5212	WINWORD.EXE
5212	WINWORD.EXE
5212	WINWORD.EXE
5212	WINWORD.EXE
5212	WINWORD.EXE
5212	WINWORD.EXE
5212	WINWORD.EXE
5212	WINWORD.EXE
3172	vlc.exe
4464	MiniSearchHost.exe
2428	LogonUI.exe
2428	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5632 wrote to memory of 1180	5632	msedge.exe	82
PID 5632 wrote to memory of 1180	5632	msedge.exe	82
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 5076	5632	msedge.exe	84
PID 5632 wrote to memory of 5076	5632	msedge.exe	84
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 4996	5632	msedge.exe	83
PID 5632 wrote to memory of 3388	5632	msedge.exe	86
PID 5632 wrote to memory of 3388	5632	msedge.exe	86
PID 5632 wrote to memory of 3388	5632	msedge.exe	86
PID 5632 wrote to memory of 3388	5632	msedge.exe	86
PID 5632 wrote to memory of 3388	5632	msedge.exe	86
PID 5632 wrote to memory of 3388	5632	msedge.exe	86
PID 5632 wrote to memory of 3388	5632	msedge.exe	86
PID 5632 wrote to memory of 3388	5632	msedge.exe	86
PID 5632 wrote to memory of 3388	5632	msedge.exe	86

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4416	attrib.exe
1396	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://files.catbox.moe/u6ag3a.rar
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x310,0x7ff8f19cf208,0x7ff8f19cf214,0x7ff8f19cf220
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2296,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1876,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:11
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2144,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=3000 /prefetch:13
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3396,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3416,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4856,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=4928 /prefetch:14
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4884,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=4952 /prefetch:14
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5508,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:14
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5528,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5796,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=5840 /prefetch:14
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5504,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:14
  2⤵
  - NTFS ADS
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5900,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=6408 /prefetch:14
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5900,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=6408 /prefetch:14
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6468,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:14
  2⤵
  PID:5820
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1128
    3⤵
    PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=3592,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6736,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:14
  2⤵
  - NTFS ADS
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6416,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3388,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=6588 /prefetch:14
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=7276,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=7416 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=7352,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=7368 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7260,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=7332 /prefetch:14
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7228,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=7400 /prefetch:14
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7324,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=7472 /prefetch:14
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=7356,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=7400 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=7448,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=7540 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=5276,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=5288,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=5836,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=7180,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=7544 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=3856,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=7696 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=3904,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=7212 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7828,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=7740 /prefetch:14
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=8012,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=8028 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7660,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=7632 /prefetch:14
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=7864,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8164,i,17901337079205943713,14594468795113358258,262144 --variations-seed-version --mojo-platform-channel-handle=8196 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2b8,0x7ff8f19cf208,0x7ff8f19cf214,0x7ff8f19cf220
    3⤵
    PID:5720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1840,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:11
    3⤵
    PID:1584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2200,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:2
    3⤵
    PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2480,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=2696 /prefetch:13
    3⤵
    PID:1356
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4304,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:14
    3⤵
    PID:784
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4304,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:14
    3⤵
    PID:1828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4416,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:14
    3⤵
    PID:2128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4716,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=4744 /prefetch:14
    3⤵
    PID:1056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4724,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:14
    3⤵
    PID:5288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4732,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:14
    3⤵
    PID:540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5092,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=4788 /prefetch:14
    3⤵
    PID:5232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4984,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=4828 /prefetch:14
    3⤵
    PID:4736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=756,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=4740 /prefetch:14
    3⤵
    PID:4164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5096,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=4964 /prefetch:10
    3⤵
    PID:2356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5104,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:14
    3⤵
    PID:1184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4044,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:14
    3⤵
    PID:2828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5180,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=5192 /prefetch:14
    3⤵
    PID:2616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5340,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=5360 /prefetch:14
    3⤵
    PID:2440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5208,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:14
    3⤵
    PID:4984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4048,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:14
    3⤵
    PID:1184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4008,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=5644 /prefetch:14
    3⤵
    PID:6000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5600,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=5020 /prefetch:14
    3⤵
    PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5068,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:14
    3⤵
    PID:2144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5624,i,9417368179017973211,8745949532728189130,262144 --variations-seed-version --mojo-platform-channel-handle=2668 /prefetch:14
    3⤵
    PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1860

C:\Users\Admin\Downloads\Free robux.exe
"C:\Users\Admin\Downloads\Free robux.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3276
- C:\Users\Admin\AppData\Local\Temp\JVJJVJJ.EXE
  "C:\Users\Admin\AppData\Local\Temp\JVJJVJJ.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JVJJVJJ.EXE" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1516
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\JVJJVJJ.EXE" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    PID:4996
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1396
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4736
- C:\Users\Admin\AppData\Local\Temp\POO.EXE
  "C:\Users\Admin\AppData\Local\Temp\POO.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5496
- - C:\Windows\SysWOW64\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5984
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5772
- - C:\Windows\SysWOW64\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:3824
- - C:\Users\Admin\AppData\Roaming\ButterflyOnDesktop.exe
    "C:\Users\Admin\AppData\Roaming\ButterflyOnDesktop.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4416
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\yt1s.com - ling gang guli guli guli (1).wav"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2028
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\TCP Subsystem\tcpss.exe
1⤵
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4748
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1144
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5528
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3552
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5516
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:6072
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4388
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4632
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1160
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4916

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4456
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3976
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1036
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2240
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4804
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4204
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:6136

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3464
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:8
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5864
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5096
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2968
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3364
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:708
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5384
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5780
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1064
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:908
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4824

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x000000000000047C 0x0000000000000480
1⤵
PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:540
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2436
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:6120
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5148
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1200
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4412
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4152
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1720
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3012
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2060
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5892
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5380
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3624
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3024
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2348
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5704
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2376
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5380
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1092
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4472
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1048
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2800
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:792
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2128
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5596
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:6136
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5368
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5892
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1704
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2296
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2304
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4448
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2096
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3320
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5236
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3932
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3012
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2996
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Dead Fish-GDIOnly.exe
1⤵
PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Dead Fish-GDIOnly.exe
1⤵
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c [email protected]
1⤵
PID:3900

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c [email protected]
1⤵
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c [email protected]
1⤵
PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c [email protected]
1⤵
PID:1824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa392c055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ButterflyOnDesktop.exe
1⤵
PID:764

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
6e90b2d9bc6998c22d128a8db9178c32

SHA1
f15a142244892d78a9c710287a27233a1dfbfd39

SHA256
61f6821ff5bbc6c8c3d9e5c8e2d361ad9909e6a6c7627f4b8673c9788133c862

SHA512
51b4c4f3d467989e1757ed4a53874ff847808ef512f9c877fcecc087763e97aad08ad5b311e0427a0ba6b75105e7ff957a976fd75c4f6583ba6108af106f5bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
fa5bc1297e8d76bd37a0a63bbbd70ed2

SHA1
5a2fe5a9d826e1b3d308e82101ddfb5e5d719abf

SHA256
fd6457360464b8c99b4cde26e09a25b1c27adc9b87063734da4206dad7007d22

SHA512
847db0ccfee4266a84e9ea35294350465f04768a81bf2ca9fd641291440d2d7c6e5e0daba9a36988aee0d5b5c931f789899be52b8fb6aa85f07418797859d3f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0

Filesize
80KB

MD5
9a28486c6cb840757f62793389121a5c

SHA1
c9840fac66f3bcf16885bf36a7f7bc962ca96459

SHA256
d9aed0bb0662996538d6624e4183e4554a642bbdedfd82d5fc96e654c65478f8

SHA512
8271dfa1afa9276c8ae9cfdead6253aff28cf88cffa865e0a35eb175c3d14ac1f974dbf38ebd1638dbd0c9d1f4b7caa80c61a1eab4a9f945d3448dc920991eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1

Filesize
520KB

MD5
bb4075dd3712b07ae8828c8eda0431ba

SHA1
fe3268079e4c926b9e65485cd96fe498d7d62482

SHA256
b8aafb6d8a4d2ce8d2a45571cc2715698cf8dc798a1bbb73418f101dd7db7454

SHA512
8615bb3e9ff0e23992f3f8c1d15ea5c59bfecd1ba7661b480267181cf806534df7e8c659cfe38a92be5dd9209a2adb2124b43a3b617af6c55db7506fb28b1a45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_2

Filesize
2.0MB

MD5
a27f13b765bd89c6f93e8e9226c1d002

SHA1
08c35021fcdd100a32c15e14f531296d5ab10646

SHA256
3dc564d6e6b39164809c14e00138bfcae3f969cecd73bde38679e393777e373c

SHA512
f6d0baa0b886c10b572d26186cf60da35eece9483268415722bdc58d22c0b6fe290b28a45e7c2d642aa94508e8e87e291397cc7c4b62f5d9a080e4ed0014f218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3

Filesize
12.0MB

MD5
cb54e3479f5aeba2dc9a0ae7657d320c

SHA1
64b0fdf2bb8bcd764d6323b55f1cc5c2302fb22a

SHA256
091ea970b8f0c5a2a877123c4ed824e26f47fabd3dda61a0d91ec10ad6ed4565

SHA512
def72886c910997b3c4dc3322fbbba8e3980859bab4f27e1d349103566cab408a44fa6a200be37fd0e2f289485d046b7a4f31362824d311549ea812933750d25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008f

Filesize
429KB

MD5
7d81f275c455cf2984bb7d1b650e2ab7

SHA1
ed5bb2d485dd20dd0ab0c8ab05478da572ba76c9

SHA256
6c7c6bda83c19aa99a3774d1c377ad3cca27f05efa478f044f1657ece8cde209

SHA512
dd4bdaad6d3d2f0563a9b64434a6aaac6dcf067762d2ea8a256d7c9b6e913b139c1cc044b2a64d8265232350f6c38ad81e0d1625ede383e36ef3094921cbbbd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000090

Filesize
102KB

MD5
6a2298e92f4163f3ae75a1f2a2373bdd

SHA1
3fea68ab27bfc355df8ac421c060e57240c3a32a

SHA256
b3ee43775d0371a665bda8ab4a43206bef23c6ab588fae0b11c6b51815643538

SHA512
2ee61fd022c2041e66beae1b5ae0f8455a0f733eb85475b20c0478a886e8d27af1186ce6e43e1b4dda6fceeb09422af581afdc98c1878942bc4f9cb7cfefaa63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000091

Filesize
356KB

MD5
24ecd5653808dbbc55e567a0c3ff4893

SHA1
f9036db4977662ce1c2fd46c87d2db9be0e4f5c0

SHA256
a0c0a0945234095af0711cd1b0ce0d78e0aa36a170713ccb3403a3eb764c1d1c

SHA512
be69ee074040eb973597e92bfbf6583f8b7564e385b9bc3e2f3006877cd01a3f1432715790a130a2a4f4ac5b442affb91fc81d743eab6cb3d9cb939f31882652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000092

Filesize
58KB

MD5
823b990ecdac4a26fcf2643cf19e7c09

SHA1
89582a8b35ae08545f37d5b69b57422cefeab710

SHA256
29f39dd96b437f5230da354f5a0e5861d3016ce9b685216b4556660434800c1b

SHA512
f06aaaa909e8596148186427e587496504d5407cfe40b8f70d80ae9722114b3269124f16d018c578bffe5f455e560b7eb3c04eaa7522518995b8894f003a3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000093

Filesize
19KB

MD5
5e6b051c31199c6614bed20c947bc54d

SHA1
21c5847d89fe9abf79366f242d7369eef1675485

SHA256
597b0f330bc6b91a1a4f02de5b88c45f94d632b4abf32ec981fbaf27e3fe8fc6

SHA512
7d128c4254b2395a1123ae6d5fa2b8546036aaddd3ad8c8ba60fb7292496ebb8eddf22041be0b4919bee845575ecfcbd9d874610ffb4693f9d2c19a088b11dc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000094

Filesize
65KB

MD5
d25109c9249b77c7cf2a90dcd2e88db2

SHA1
e12430ee61c1698aff70939b795e96a2ab1a51be

SHA256
7d041b993ab544156abba66cd25edf215aa063fa84d5742d5dafa781f92e762d

SHA512
7b0c7dafa6b1add8befc416474414681fbf077844d227dc3e4862fc04723a030749113114f0780401ab383ae595b3f7c11d8283dd5a7df6d9e6b68f0c72d0bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000095

Filesize
164KB

MD5
14a88c44e570a82faa491bc0ec944440

SHA1
4f48902defa935ae07799829c15f1112e7c80605

SHA256
11784bc87272b8c72aa8828c285f9dddba1faabad64f2b7a6e21474a20b57c81

SHA512
5a10b923a948404439f55684085066124d8a2934302dfe91814a298f8518b331bc3ab3ca321753e6131b898584bf8b444c894cd31b061f0f36ac34dd216f5794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000d6

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000d7

Filesize
70KB

MD5
638b28824ff7d2a8b5eca31267ffaf3d

SHA1
51c91fb5de5248d6dbbe194565231c4bbbc197fb

SHA256
a2477313b8f9735a83fff20ff6624d26a13c893601a3cf6148bc997022913011

SHA512
0eb506d4d9f7bf3aef60dc2d69135a1eb6c9748eca15f721cf5310a7bfe131e21c3504dd75ad986ddfcde907cedd8522caa64845de1794000c2fe7a477189af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000d8

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000d9

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00010d

Filesize
67KB

MD5
94a1f80f3781cd036d7962848b38584c

SHA1
79f7943854bba5c954830622298cd41b15896911

SHA256
d7a435160d8ee837ec4cbd8cf6268526b7fc8ca64ea90d528e0c4e6d31fb1030

SHA512
3d27c4830d35b759f68295a00858d8f09bf3f2f47cb9816b7cda9387713d5cdd7ea52dfa8ad7b18388f0098a81985b71abf6387318112efa98824110b720d760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
bd30675a2b72b5789debfad224d40dc9

SHA1
853aafd8732ce00a1cad32d10053dd7ad6752aa5

SHA256
627d4d39df741d791436222f532cf7b0704d46bf9a78dfa8a3da396c9cb71819

SHA512
df5ae81d7961c160a483d3689b104a7d43713ec44e2fdba13c4e1f613e5966141517d14130e7dcb2417c19fc7f619a438589fdc4a0262e3ffe6712893639a8d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe583e3d.TMP

Filesize
4KB

MD5
36d5392947455f6d5d9d9d855e2befbc

SHA1
f413f856e29625242c5e2e74e5c02d1839ff0c9b

SHA256
09eaaa82316f456cc20c5c006df00763d710b1f373dcb80c53227b301a9d765d

SHA512
b925c8f1c14bf1ab046da6f2e4843fa2aedb2d15d50bd6fa1a3dd4f021531b243dd49e1597e71c40656637a8d64d362f82e5b6149739aa4a8e013adb17cfca94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
0eb752402730a71fe57837385986cab3

SHA1
468711642b29d49bff0f97aecf9c9c21c0c9135f

SHA256
d6b130d9716cd71a4895883315316e373c0b8be78296a87d681647030eb07c81

SHA512
7375c58e0cc86ddf3822aef74e6634a7cd4aba9beca91b35973fef3b2f45a0c64d35ae463e8540fb92661f6b6dafe78bd1298a8ae7a7a31ad755266fb1dab8e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
85c6a00b48bdc076e7ffd2b1cd9df4d6

SHA1
4a08cefb23e57baeca441f887d0c2d1e360cec91

SHA256
1d615fc39010c3eb352eacb42951da9b0dd756e245f14e75dab4d66a731098c1

SHA512
251d708d4e87be397f1fc92ded63d4301a6636148c721c943c2c2152729204060cebb746e2c767d8d12826736ec25a4dc571f2dac714bddc01a4d27658f6cab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
192KB

MD5
8dc8403f4063aa4134b9fdbc1e4a6352

SHA1
a15b7ff1316d970caf62dee31944c5e4efd1f0d8

SHA256
2b148f88c86bfebd1b44ce1749ee7afaf433d38b81ac06ef7ac92ab967bf8efc

SHA512
e8cdaa1d8832911e73fba93abb3f237d3ab6904d50d1e4f8caee60d31ac8c969abecea777a1821e2a4d4961701401035e6b3258079b3cf3b597b8634ad9ea462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\5a124b2a-d144-4a56-8b22-10430cee8377.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
19KB

MD5
7fb41d73f827ab63636caa8248d84fff

SHA1
6830de8453e0c64c336982741d38f28cb0f540ac

SHA256
32714e7b0460873e0f1f588ca8f4380b0a0e430809c9e73313bc74db5d427b9d

SHA512
2823dcf7dee64fece893a649ed044d527bebfb550f56423fbe907956ffce336cbd1512e8ffc3aa3f9ec66d4ee3788e278abc2a5febb2385c7d5bf70aa5eb92ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
19KB

MD5
98c861c6883d60b42435f17401d312fe

SHA1
a5c223294165f524e453709a5225c98bc1effa39

SHA256
a622a456e2fe62f39af019d3b15d12575f36eb76a2665b65749bb7dec8606017

SHA512
94b24b689e872f0e7af52f9686f04fe8c5b64d23554f08db8077a94c59f59e58e7a0bc38ea268457961676e54c5b47616f932b1a2ddfebf1ee8810cc5a18c566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
bf1a0e9724b9f2daba3e7f28871443ca

SHA1
e8f379985654c2a0a19f85c1cc50da880f7e0957

SHA256
c2f155ad897d666f154f08a09166b0a282d3908a06c3080115c353bee64f9521

SHA512
9eafef80b9000ef3cecade051a30a0aed777291553283ac1aedebf098bcc4d33189c2e209d09c84a30413a61d4e926164aafee4d52b769c5f6997fa5d3a5f31c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
29afca492d62908e510663ef179a552d

SHA1
7569400abc7cdd28776ca830190616a0695a1379

SHA256
59f7bf3cf82ea281c3bf38fb60decc101de4c2bc521800ce511887e745b01cda

SHA512
78c10afc84cdb48826d51d51382f8746701d3e1d523dfb1636f664a3a4099a4fdfb3f66dbdd792886a6ec987a5dd4c6e91a5abb0dab15173f497c0cabb1e0faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
1652a893725673712c3e4dcc1a1d363a

SHA1
c42e259ee2782eb39bd2199b9df40dcd7ba92221

SHA256
0a55c26ab7bd89ceb8d18218981678bde3d92bb9158e72f0ce13ff88134ab898

SHA512
7665cdbdd6b655e851ceed85326f802544eebaa84093e0ad608c6c42ee2ca1fdb205ebb82e97d31f63043f78ff59a31f28db2a5a251194034eb4dcbd68cee7be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
6d0d9863ff4dc36b18538dc622cdf926

SHA1
ef5f05f7cf6f4b68bb15d7c024bc3e8a45849e5f

SHA256
3acb70c27af63fddf5732384be6df2834694d5a4b1ea2971f222f2567063c08d

SHA512
411df05446d43ba9745b9e6461ae573e23d8666b8ed912e26a57868e94762daf8a356e2216489f83b776eb6a709fc48120548601ff2f5b938dd77b025f3537d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
385e00c5c7958b2255d034750c8e1b5f

SHA1
932794e5e1fc0e12570117acb223f3fe80e3d96b

SHA256
8c434dd8843be3b90fef48bedafd865c6529a8b6adcaad6c8e0478091934dc0d

SHA512
140e41d19916cb8a6dd785be580c67fe5e6225c033a64f93658c4812cb18da21f7c769ced53395fd3d1a8ff5677e0e84241a9410ea2fff0dce93534dabb681e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
acbf59302d72f688964f17303a9aa1ec

SHA1
bcadd96267231137757f06a40b00113c3e206817

SHA256
9c42b133a2c2cd4819856c758c510c1f2fa00bf21aeaccce256f1e1db1542fb3

SHA512
4f8c949b3f17a1ae8aebbecec754d0d3d345a6e044133fa5b27c4d7946c69d33a9c74b9bc636a71fa59c318cdc3e144fabdfd8044270e105e254e4cf938821ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
c7a872bf7688e2cf0257ad9d96f8aea5

SHA1
88412eb3ff1508c232756216774a0e2792a2c768

SHA256
9c5f9648173233fc5f6568e6d8bbf4ecb6e9b4f8e0cb5e53baa49fde0fd43b6a

SHA512
1b737a71f08dcc63535f56a774576824c5c42f6d9250209199eba4ecfd86abdf87f8b2d4671c6b55747e97a8bcc643345e217a2a2a96e8b28d5be16ab8cf9dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
1eb04302e2ab0270e62cdd746f1ce3c5

SHA1
b9cda1edd61c74d9b070d12e906a12a3275a17fe

SHA256
6cb5361cdb5693434898394bf860e746768aa9999c8921c94c8f5a1cff603039

SHA512
443fb5ca1f6735a4d60f12da6fd610adbeae6fea3d980db3f217dc68a17860e48a0ea1dc6c850bc59e06fb9626f7059a473c42f6e049fbc5c68f8e273f222df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\3f0c425e-7f41-45c6-9020-bf2f638d7c26\index-dir\the-real-index

Filesize
72B

MD5
68784a69dc0129f3a14061d3ec484719

SHA1
ae97382d6ee1b6ed3eb3a84681788f136b7ba288

SHA256
62c948ca7d650eaed28c28ab1f5aee0c1ad6d7b1e283719e406516d681c50a81

SHA512
896a956c793d49516925c04d4bdea51c97a2841ccd48688e3093020ecd8f35be28dbf16ace3ec0e7c7a49e135b025cdaa7d3a5c18900a9fc00f06d94a75e9e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\3f0c425e-7f41-45c6-9020-bf2f638d7c26\index-dir\the-real-index

Filesize
72B

MD5
f8e10d7e352cc71c1b33a87ea036e11b

SHA1
6ab91e37cf4d3a04ae88074c66e46e22ab2d1424

SHA256
0c6393cb12bc9a746a62224e00f6f7230fae53dba8007fe2679e872ec261e280

SHA512
a9ae6e11aa4e7e2f2323933e232629c964ffb81f479283363bde44f89a7386d7069d7cdb5c5d8c12a133ce2969f3975329e84ca3ca7a60d36a11662fbc310179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\a1055725-fae1-48c8-bdd9-38e1b5bb4dd9\index-dir\the-real-index

Filesize
2KB

MD5
b97cb9750a1adf6a6b7ea1448663c5d7

SHA1
7a891ab84fd47072471cd733ee77e53337a51cef

SHA256
c97338d8b18de7e87f6bb0100ce696112fa7b64cfbbe2822d79096900e5a4229

SHA512
d6d95807fb0af7e411bc21dfa20405ab4f3e0c1e248c8e8a473bc29b285b23a0744891cd52a2de1ec4b0b006c083204a88b12ba03e123b52449bef8fbc34f417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\a1055725-fae1-48c8-bdd9-38e1b5bb4dd9\index-dir\the-real-index

Filesize
2KB

MD5
128fec144f2c5dd04f3147a4cf601597

SHA1
63e200b9a027a75d3db025b267493d747ffd2b5c

SHA256
bbea8879a14d3291ce99113fc97a6054cdf02fdf62126f43ac69fce3ca07a533

SHA512
a946a79a6a4772c9cce1e0f24685839bed1e95b890d580fffef24f9f31daa813283a28c2d4a171c6c4b81019d6b3187a30d3d18339cd77c421c89f270f15d960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\a1055725-fae1-48c8-bdd9-38e1b5bb4dd9\index-dir\the-real-index~RFe57a037.TMP

Filesize
2KB

MD5
52f55bc5fb58c1e3b74f730f09ab4fe2

SHA1
a7af0cfcfa86139e07cc977a421a0ad33999b944

SHA256
266a9229d6273e31e07c8d8e5316fa0d8634de49764092c165ba69c0abe3795b

SHA512
11017bcefd4e1d7bb549fdab6402ed4511ff7e4963e781def5a2ae75d796857e201936ae2492d0fc74cbe72c79a2334978c35b8e50b969ae44c52e70cc53d653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
e2b64da93799adf51301241197e61799

SHA1
71b7a26776efc7cbb59845ac2da9bf8fef048cc5

SHA256
3feb0762abf7717f277e52662bb0a8d42ba874acaa927e48cc57a013b52755cc

SHA512
1fa29c2f4fd87f307466cadafd5ca2d42caf77002d48386047fd8ec8d7f22ce9e56bee4ebf97fc06598cfbe7bcbeceb645779db5bfe9cfcb8d942532d2ef7d18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000003.log

Filesize
3KB

MD5
be541395ff8ba38cd5e8c00621fb16df

SHA1
c199c659e7999d9410be1137f9bbdf0e1e771dfc

SHA256
96b2769bf29c5f7e804bf1bf620a3525833d7dd513bb359a63d8fbf0188c7dff

SHA512
cbf86f9aa77991157c5d655d1da0ec402ce740008778cff0f529f03839d8782050c123335e7d3206cb8b3c95e76b6e94067932286060c1440e947cd22b9baf04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

Filesize
338B

MD5
57a6233e26f997f03377d0da1617b99c

SHA1
41e6c88907d848850307a712adf0177c88bc8f4a

SHA256
db9e30c4a513c4a56fadeb221d5f8cc7517c01a14b7d1c3a8629f9de5332f833

SHA512
e28175ce9ae6717603da1c6bb0c0717b04a1054d2415e28172a4d8053e4d69a5cf5535311d9fcb03f356ef3723ca9dffa66458ce0c787af74eadce525b8c2124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
250901241d6c5765895b66329dc04f79

SHA1
250b35b31d154ec598f12eae5b1655484883b7da

SHA256
8be9e748163ec3349791a9a08cc79ec752d78305edadd5a5146d41d12335b092

SHA512
53ad37cc6367a6c9b5c871d49041fa914dd3b77349488dac023e7840eec846055b024a94460c2f38033161f00cf0c67eacf5e6e601ccaeb3805a3c6ffd516b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f462.TMP

Filesize
48B

MD5
733cdabe5ebf0b1e6ec455f9bd45e0ed

SHA1
95526194dbece8e78ff2f7892c90a712b8b0f559

SHA256
c03de000ccd87c321645fb2db428b743d7595cf6b4c96a4345556486306c0170

SHA512
0bbe24b899c02d3c5bf8834c1573cefd35b8014ced5c573e74142c05fcceb629cf3e208f3352337cf677eae841a1fda4b4b46b19275e6d9da146fbda51d0f2e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
256B

MD5
a4dcf121c09ad5b4619e4db69f0cd6e5

SHA1
453460e04be71a8b130970bcfba95100a5e5ed11

SHA256
9c255cf09b48fcfb35305e0c49116ed6948ced6bdbbb64e943cdaef3e8a1f660

SHA512
37222968e17efa3ca2620993604671da6a712a573a036b5c37f255e9bebb933188a37b9111afd2c9d804b5977e8819176c2e5bd91a1fcf8679c240950b8c9e6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
e25b57d55b7ca12e62a0f12ea2c2d26d

SHA1
ddda1c3e534df7896a58fe154194727ccc44db13

SHA256
c48a187eb477d3981e5a466a12ba0046739dddea78e20a3fa369c92b6153fd1f

SHA512
3f2ffcbf66d3bf8d35a0bd72c47a04fd4c1336d7860d3e1be9508b19b608acd580cf90e295c4c1bade5fcb4ad7b718d3bc13ec7d3740a838cd200b4f1400f5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
40d67578436d51b9318b96c962442302

SHA1
1517952f7d2a48a501f4e11057a87b4457c7727f

SHA256
009de0fbfa1942df3512bf87e86b86bfe69eef5ca3c38b5da3a26e5daa914d63

SHA512
539a99b76c229191e9e55d12b3f00a016bf3d81e6ac482d6861487c46bfa111e9ac0de7df4f7e9b84b5ada5a2d4a90c1748b425cde6197aab56d4cbdbbb73848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
3827e23d9380341d7091296150996120

SHA1
2fc0125eb7e882ac08277e644ce02feeeb92456f

SHA256
88c45406cd19916bd0b60a4ee86f7f13b4247e566ac665071798190360833ccb

SHA512
cc15a8f989eb75a4f6ddc3cdde4ce63cfd0b042d69eecfe82fc1946118d07f67505e8fd847395985c0f113901b65958f918b5b1eb5d949a3ab7b0ee6afed12b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
04541658d551dc6f58716ffc41f181a0

SHA1
064585096736782110027af2a5207de8a373b51a

SHA256
95a04d890214ede41ae8a3f917e1a699f5b476cdbd4d620f177d1b088f5bef4d

SHA512
7447f927d4335ba13d7f1602146df436483e4ed5b989097056b90a7d38b2e61eb0a8c658b6a8eef000aa4be1bf358209d22070fba2a594b1a3a5a242350cad20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
c2ceb28f1d38dc3f495c3d924de5574d

SHA1
ab138d888caced2dd36bf4bbec8f364a605c7d23

SHA256
c0f4f96d6f3649d14aada67f45cc4c76234189c282de7e7a7a2b3340f23e664e

SHA512
618c1c8b67b5df4c2935ae9cbfb2650b01c2db5b168b59c2e6a2b139dd7defd15bccf1db7d7a2ca03b1d6480591542a9b46b1c380628d30e6e24f94796485aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe57ee67.TMP

Filesize
140B

MD5
0484bf6752d9ddb6182d31866ddeb3e4

SHA1
d910c258f6a8345aaf9c261b440d041789812168

SHA256
192f888647b8c2107977934ff8ea91952e2dca59134509b281bf270bc12fba7b

SHA512
7c013964980acfb4dd8dd8294e1bf0f63385cf2a0bb983b1d3cd73ece7dff188eb66ac9b0d02292dce27d6b5ab1593aa9c6204b4ec5853d890a3eed02ed90ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\2\IndexedDB\indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
3f3e12670676d53cd2e8f99f027b6f80

SHA1
9335dccbd44b8858d3fa0f87f9627a6a43944d1f

SHA256
9463e89a1f4dab834749b6a6826b00bfad9da3118474c1121114f8eeec44671c

SHA512
ebdef16dcfc5a6071184a752a938c82b92615e8ec2ab50f580fa8bb05746515319a9fd0d7f54f65db7dafbdd460b7e61ac419bc44144c8696a4a7cf21da6df62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
e224273e59d74358c16aae3e2fb5591e

SHA1
555f30bc8a8df750ccbbf62c043687ef233d6491

SHA256
de902496247ca4c20b2f0a98f94c221a48586b1b988b82bc3ee77a7856d39c19

SHA512
a35246134aad406bb8de0739bb2a4ad66ce7cf1def5bd7a8a189bea85aa231c514898b99e75c859ec9c82de81b43a39e907993dbddcf8be880e77c987e42fb82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
20KB

MD5
544f775bcbed85d2a3009eedf03e5f5a

SHA1
e6e666a371f9bdf220de64ecdd86a7fabbbf7eb8

SHA256
55af3ce26c7be7d4f4ee66cd996d5215b256227dfa9bf9b67455df0d0d3522b5

SHA512
8035f165d17553fd2b139ab8e6d1fd44732c33d38487238faa3db6c761338f624a94d586559c445adb911121fad4f4179d1dd955e66a6aae73627e2ecbab7c67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
22KB

MD5
3f8927c365639daa9b2c270898e3cf9d

SHA1
c8da31c97c56671c910d28010f754319f1d90fa6

SHA256
fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

SHA512
d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.1.38.0\edge_checkout_page_validator.js

Filesize
1.1MB

MD5
7e5fa4ed6aa17f661f32f60b1528b8cb

SHA1
fb8fde8a15183eabc587e9e141499564c36e73bc

SHA256
5699c475bac8a24c856db71228628d0cfe1a6ba6b1c6be6a14e73d6aa835cd28

SHA512
18968db3a1cd8704ec7e9e619dd025c457085e81c27ffd3ab4af707a2daf8e870790175d93a0e6992181187a62bfa19b818c262bb0a1514ac15b3598a7e91551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18347.18346.65\json\wallet\wallet-checkout-eligible-sites.json

Filesize
23KB

MD5
16d41ebc643fd34addf3704a3be1acdd

SHA1
b7fadc8afa56fbf4026b8c176112632c63be58a0

SHA256
b962497993e2cd24039474bc84be430f8f6e6ab0f52010e90351dc3ff259336c

SHA512
8d58aa30613a2376ccc729278d166a9b3ec87eca95544b9dec1ee9300e7dd987326ea42d05dca3f1cc08186685f2fdaf53c24fd2b756c1ed9f2b46436689dc74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18347.18346.65\json\wallet\wallet-notification-config.json

Filesize
804B

MD5
4cdefd9eb040c2755db20aa8ea5ee8f7

SHA1
f649fcd1c12c26fb90906c4c2ec0a9127af275f4

SHA256
bb26ce6fe9416918e9f92fcc4a6fe8a641eceea54985356637991cf6d768f9fd

SHA512
7e23b91eab88c472eec664f7254c5513fc5de78e2e0151b0bcc86c3cd0bf2cb5d8bb0345d27afdd9f8fcb10be96feaa753f09e301fa92b8d76f4300600577209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18347.18346.65\json\wallet\wallet-stable.json

Filesize
81KB

MD5
05f65948a88bd669597fc3b4e225ecae

SHA1
5397b14065e49ff908c66c51fc09f53fff7caed7

SHA256
0e329e63d8457bef61d0986a521f81d747a09dadf3b1136f2011942ba14d9fc0

SHA512
ed7b767a741d18c0dd35e0311db752120e0f090d39ef976d541cbc5ae78fa32655cb3f9c27cddef6ca8091ca8bf31513254a748bc8b95353897f6198a667cf58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18347.18346.65\json\wallet\wallet-tokenization-config.json

Filesize
34KB

MD5
ae3bd0f89f8a8cdeb1ea6eea1636cbdd

SHA1
1801bc211e260ba8f8099727ea820ecf636c684a

SHA256
0088d5ebd8360ad66bd7bcc80b9754939775d4118cb7605fc1f514c707f0e20d

SHA512
69aff97091813d9d400bb332426c36e6b133a4b571b521e8fb6ad1a2b8124a3c5da8f3a9c52b8840152cf7adbd2ac653102aa2210632aa64b129cf7704d5b4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
13B

MD5
3e45022839c8def44fd96e24f29a9f4b

SHA1
c798352b5a0860f8edfd5c1589cf6e5842c5c226

SHA256
01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

SHA512
2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
6e922dde33a568a6d0900d6bae600426

SHA1
193e739823affcd3064f887ca7b8c5b1b3c0638d

SHA256
ef9712b0f353896194772ad37fa40f53402673589592c192db4ffa2c0883be73

SHA512
16930fc89d4828de56dd8ea08c559582934c2817e49ac6a1873b0668048b41c035384774474b0b31907a4517f1beb9c1d142e4f71361b68f840418306cb1bbcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
4ab4548ab17aa8e9b32426d4d0a9a1d4

SHA1
7e8f81adc5f793b730ee3b7becaf143ef4c42fb4

SHA256
e80bda4ab5343ceefc36c474bba90671de68398a4f06387f8f1cec1b02619f85

SHA512
d2ace9c794448af3236c430c31b03db4feaf80db3f744362f141947c393de65b5b9bfb646409076fe73e41a98826872c71c0b61092a71e01578f0bcb58da5241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
9ea07574c8fc3e971719198a6b0d2af8

SHA1
12057805d37ce84610ec999a9a913ca6233a4966

SHA256
e4d8fcc5227bf5c406c469711a9afbbb6cd3939c8a36d178ba1bfb843ef135e4

SHA512
f3174f00166f63cfc51e6abf269ab590bee0398a00a592a32fb0d1cc1a07fc8a30d72e525445f9ea93eefd49df5745b71f9122ea1982ab60bd3ad4beb5c9bb77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
57KB

MD5
0efa58f59be4920f27abfbaeeef5d725

SHA1
b35fd0bf258cdfb857b95cce7e4954c84d9d8ccc

SHA256
c172d670ce6adab49d80f12eb7031477fb74abcbe32472b5ffd4b460219b221d

SHA512
6a1e7f6648236b0216c6a192800b0d4ee73315fc0fb1dd32a421c75ed0860413bc5fcec632bbd1baf3851eed92c4832b58c5221e1e1dce2da97ba29124d6ad08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
1192782435c387c1261895bf5697ef54

SHA1
22035b0d9bec1b771c5d2f10bf342540dd8939dd

SHA256
f157e76eb6911c0ac793c03441ca006942e941735be913f9ad0f3833f926d4bb

SHA512
e76004b828be3c55283a4b660682528d5eedc617ba69d8804a261810b57d0b2ed218288e7d4dfc112d6307350959435d311b15c5cce28d8e45afbe1f301dadb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
57KB

MD5
3047d56fbf0c63491e298f7d27e23edb

SHA1
f7136b17cbe4ff0421ec2d7a7d3d09cd10226741

SHA256
3683d742aaa385af16b9364989694d0364636b3e81eea9e57d0f7255896f0898

SHA512
1dc4166b7fe4120afc69b66425f651f3da8478cb6d757a5597efef9d513c8a5627420d596c6bdaaf6562df8e333914759219777a43a92b9425f20e7c499a4505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
f57e79cc771c3bc7b9254e9c2a233d82

SHA1
21a6ee9992269ef278d4425b7b15742596511213

SHA256
1627930686e9aacc16bc005580a69a3b26b8811a8ece748a56b0a42618e2a415

SHA512
5547c75b0aeda53085e05b483bafa08969afa0ca4211826c1af71e6a763dfae52baf56e364cc540bb3190279d1118a510fb206fd8f19d80aa9f84793a3cd98d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
c5c4b8dea90c47655656d5b017c3a9ac

SHA1
995bbd4b92a0f8700c7452d1eb53739423ddcfee

SHA256
079e666ec17252e4d20606ce9bd15cad9d379e614a07bc0d1e6bd62e0786a7c9

SHA512
0e6992c26cc074d54c0d16720826231be119e32734075989fa043c79777973b111d5e66043152cf3018d9fb981a5db1936ebf621849d4a7ace9328be7cbc5085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\crs.pb

Filesize
289KB

MD5
2b59269e7efdd95ba14eeb780dfb98c2

SHA1
b3f84cbc37a79eeecb8f1f39b615577d78600096

SHA256
ff2ced650772249abb57f6f19c5d0322d6df22c85c7cf2be193b6134e1b95172

SHA512
e4b454db2248021e0d198805ea54f1c0cfd84b9716a9348b1d0e0acb7c6fb5dd0839e532a5eb6d4410ab759d6688dd6cce8375ad55a150d738d280993142e9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\ct_config.pb

Filesize
8KB

MD5
811b65320a82ebd6686fabf4bb1cb81a

SHA1
c660d448114043babec5d1c9c2584df6fab7f69b

SHA256
52687dd0c06f86a2298a4442ab8afa9b608271ec01a67217d7b58dab7e507bdf

SHA512
33350cce447508269b7714d9e551560553e020d6acf37a6a6021dc497d4008ce9e532dd615ad68872d75da22ac2039ef0b4fa70c23ec4b58043c468d5d75fd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\kp_pinslist.pb

Filesize
11KB

MD5
0779206f78d8b0d540445a10cb51670c

SHA1
67f0f916be73bf5cffd3f4c4aa8d122c7d73ad54

SHA256
bf0945921058b9e67db61e6a559531af2f9b78d5fbedb0b411384225bdd366ec

SHA512
4140b2debe9c0b04e1e59be1387dca0e8e2f3cbc1f67830cbc723864acc2276cde9529295dcb4138fa0e2e116416658753fe46901dfa572bdfe6c7fb67bd8478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
b3f5ccf686eeb31cada4bfa89aa826bd

SHA1
48ee00939ab6bc9ae7ead752396bd4dd0c41f238

SHA256
22220f4daf2205da1355852f635527fd3b13ae2a183c8f7703e2b3229af3304d

SHA512
e15a5a0bdb368e4c3c6ec3824d645e1ea5ae0019f5c8b042a19c2980876c81b27b0d3f063e30eebae41f7494fcef611648ace907a7762ae132837ee1e11c9e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe57f31a.TMP

Filesize
392B

MD5
2127af43a192bdfc9fa3409a982d5d2f

SHA1
2e9767b4e975ded0d8ae7b4432ebd21367e9b74d

SHA256
857515fa5ab979aba09005852344a04c760afb4d4429c030c89cf67f82d4d1a2

SHA512
11c6f39f33a62974f3f5b8b8dab9aa3969266e4af6680575da28a552267841c76750604f6dbb0ab2d218bb1275c2e0b15cd078999b3d1a8a41b4c0bef658cc9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Filesize
264KB

MD5
43e14abfd0e1a39e33f4119be5707bc6

SHA1
cc819d5cd0e71b96481deb167024646f439bf9de

SHA256
0642cbdeec3ad4f2cd3c9ce583af917e208f9af147a7d7bc787c8f1c5ce1e48a

SHA512
ee7ddfe5761d36e310fb56f52308c862ec365e84117b403b51fe7f0db5abbbfb546eefe510d084ad43c288f1b91a69843f3eb0866d37ee41eb63bf67e24f5cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.76\Filtering Rules

Filesize
1.8MB

MD5
d7c9c6d2e1d9ae242d68a8316f41198c

SHA1
8d2ddccc88a10468e5bffad1bd377be82d053357

SHA256
f215127185b2ee6b01e12b6ca75d3e5c4e454598dd4aed36124ae13d59afd547

SHA512
7fd14824e9200dd99e1fd2cee402656dc0cfc3d0a60058c5eb05c68e9e65b7f0b47e550fb4d6c2b59eba204dbf3ef9e69dc9723b43a9b3ccd5412d6b77715fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.76\LICENSE

Filesize
24KB

MD5
aad9405766b20014ab3beb08b99536de

SHA1
486a379bdfeecdc99ed3f4617f35ae65babe9d47

SHA256
ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d

SHA512
bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.4.15.1\typosquatting_list.pb

Filesize
623KB

MD5
8f3d7269c9b667dcc8ccbe6ecc1e2b20

SHA1
b5f295eda0e21035335f246e0956c8f19a664154

SHA256
7e4eb19d32348c88a4aac0aa4e724d17364ead8c8089d0bb7bbf59dbf73a5b2a

SHA512
b998a887ea846f5f735e03c60a67e0dbc60b1d4a6c15594c72483fb2a245dbffc28223f4524a35fe045c9a657f1af3b8046ed6e581298bf3a27732261a0f02c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.2.0.0\well_known_domains.dll

Filesize
572KB

MD5
f5f5b37fd514776f455864502c852773

SHA1
8d5ed434173fd77feb33cb6cb0fad5e2388d97c6

SHA256
2778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e

SHA512
b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\8ed259e5-a967-4812-87c9-f64189b20ae6.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
453e3ea7521ead89d70c3404c7cb8fbc

SHA1
7110e8073b8567cda2867e9a23bd43e462f67259

SHA256
b3ee1510dcde79224b640d8ce25120f22369dd46a7841c05442caf229ea64dba

SHA512
913c74280497fc09cc9e18ba1d81f53a389e758758cf4941e33dfec7b7a552a15e541c01b874201dd5c7ca08a31d5563261ceca9de90c4bb9b6f02883fc2f1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVJJVJJ.EXE

Filesize
251KB

MD5
c6939f4e6f7ea4280f591583ec90b425

SHA1
d23083c30ef03e470e091c8f1ae739f469248596

SHA256
a398b2dd83613dad2a49e8d08977b1d2b3add11e6dd3918361ffa4c9cbd1efe7

SHA512
5cfb1e76734762c0cb28a39aa892eb70bbde1f3ac6b5ad9912ca89d3b668509c33c148a26f1efece7e091db5be1612ef4d5298ed3a857c40913ef2b93f203688

Download Submit
C:\Users\Admin\AppData\Local\Temp\POO.EXE

Filesize
209KB

MD5
de3b8a6c241312a01b9c74c75c299e47

SHA1
4343822b84710f242d0dbea5a67a84c1e0ec7230

SHA256
bbbeee9055df0710ea85498b4fc3ee368816e5814e1db9249e3c8ef414577a91

SHA512
df18031db348f8861b8e1a6f91bf270d7d8ae499e9753f3d919893475123791d099eae0d1e4b915c7103908781ab9849198ada2312cfcae33c0d1288ee03c991

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDAA73.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\A0C2AEE0-27B4-4936-83D3-41B66A8A5172\settings.bin

Filesize
40B

MD5
ae0f5e6ce7122af264ec533c6b15a27b

SHA1
1265a495c42eed76cc043d50c60c23297e76cce1

SHA256
73b0b92179c61c26589b47e9732ce418b07edee3860ee5a2a5fb06f3b8aa9b26

SHA512
dd44c2d24d4e3a0f0b988ad3d04683b5cb128298043134649bbe33b2512ce0c9b1a8e7d893b9f66fbbcdd901e2b0646c4533fb6c0c8c4afcb95a0efb95d446f8

Download Submit
C:\Users\Admin\AppData\Roaming\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
222B

MD5
d6e22536ab81b183e9900b34a1573469

SHA1
ed9aea044eef73458cf55033bccd38df3932ba38

SHA256
b75d835c6edb2c219fee160610b835b3770f3a8ee584c3bb53cf93f1134986a0

SHA512
f9ec1b6eaf56213407b63e71217cf9801353e9501eca58c336bba17191d01b46835169e932cfd730aa9ab2de9529b62aa9ec6b81a29d8c7df59f8b10d8d6f057

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
9fe79de6da89f5715b7c81daf8ca4f27

SHA1
5b972daff22526b1ac3a709de8fa889c684ba5ff

SHA256
3c5fde85a29c8aa8846c14ccf3c2b04fb423b5ff4cf45c7cdedb7e5fa83095e4

SHA512
01e81fb9156a26c020c6031b0b6d3d1b5275cdf30006e4c07e090478332dd73d8ab98817fe7896d9146d7c50c75a9b59f5a8912535e58428e36a1e027e5fd084

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\AutoRecovery save of UndoDismount.asd

Filesize
27KB

MD5
05cbfa17e88acb9a7161e3e8533814a1

SHA1
297a2620da8b4592fb777d2919c5320bd0645be2

SHA256
f2faac489af683b48fae37cf71524e19bedc37e9bbae5a567111a00d271c6b25

SHA512
f1fd1818da6745707640f6366e82a76367293433227c9cb77f1666127c166f6ce1891f07b9dcbdd5ed98a50fbb9c6e5f82d9407deec09e9f49ceeaa592226db1

Download Submit
C:\Users\Admin\AppData\Roaming\yt1s.com - ling gang guli guli guli (1).wav

Filesize
2.8MB

MD5
d0b3f22f329ac2b9188c861197d4e4e0

SHA1
e2f0177be7977c6d9a0846f8817c10309b6aca57

SHA256
e7589b238783b6e794589ea3642e862c2ea802ecf894e38e4a10aa834925d4f2

SHA512
bef50cff89f6108b23747b73bfcd7331a6c6802d43064c053ba09066ed3eef9667d00f554055a5dcdd7937fedcc4f0f24e7f3a2ff6c9f819ef6baca3f9dd0868

Download Submit
C:\Users\Admin\Downloads\u6ag3a (1).rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\u6ag3a.rar:Zone.Identifier

Filesize
71B

MD5
b4bb26e4680567593105981351b374d2

SHA1
fe866bcb57b7c3b2df10360caef58022a41da7a3

SHA256
f46bad67f1154a3a1f7ec9c9dd5651fd71c36357d55dea29dd4049bab1408d31

SHA512
9248f6a7ecdd143ed97406a677ad9c0102f87d3f5fdede017d187781be2436f98ad22c63b409fe5a8a09d8da7ef900d6fdbc2ed4d01ef78a7b2c0f3cfcb294cb

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1254059393\manifest.json

Filesize
1003B

MD5
578c9dbc62724b9d481ec9484a347b37

SHA1
a6f5a3884fd37b7f04f93147f9498c11ed5c2c2d

SHA256
005a2386e5da2e6a5975f1180fe9b325da57c61c0b4f1b853b8bcf66ec98f0a0

SHA512
2060eb35fb0015926915f603c8e1742b448a21c5a794f9ec2bebd04e170184c60a31cee0682f4fd48b65cff6ade70befd77ba0446cc42d6fe1de68d93b8ea640

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\Notification\notification_fast.bundle.js.LICENSE.txt

Filesize
551B

MD5
7bf61e84e614585030a26b0b148f4d79

SHA1
c4ffbc5c6aa599e578d3f5524a59a99228eea400

SHA256
38ed54eb53300fdb6e997c39c9fc83a224a1fd9fa06a0b6d200aa12ea278c179

SHA512
ca5f2d3a4f200371927c265b9fb91b8bcd0fbad711559f796f77b695b9038638f763a040024ed185e67be3a7b58fab22a6f8114e73fdbd1cccdda6ef94ff88f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt

Filesize
1KB

MD5
8595bdd96ab7d24cc60eb749ce1b8b82

SHA1
3b612cc3d05e372c5ac91124f3756bbf099b378d

SHA256
363f376ab7893c808866a830fafbcd96ae6be93ec7a85fabf52246273cf56831

SHA512
555c0c384b6fcfc2311b47c0b07f8e34243de528cf1891e74546b6f4cda338d75c2e2392827372dc39e668ed4c2fd1a02112d8136d2364f9cab9ee4fa1bd87f5

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\json\i18n-tokenized-card\fr-CA\strings.json

Filesize
2KB

MD5
cd247582beb274ca64f720aa588ffbc0

SHA1
4aaeef0905e67b490d4a9508ed5d4a406263ed9c

SHA256
c67b555372582b07df86a6ce3329a854e349ba9525d7be0672517bab0ac14db5

SHA512
bf8fa4bd7c84038fae9eddb483ae4a31d847d5d47b408b3ea84d46d564f15dfc2bae6256eac4a852dd1c4ad8e58bc542e3df30396be05f30ed07e489ebe52895

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1352872712\manifest.json

Filesize
122B

MD5
0d77c27baa669b0714c49b73e68447ea

SHA1
65103c9707e083c5503ad9979560ba1bb7634ae4

SHA256
c853d6a286d9d31a382c6d3fb109d5336d275651950f22b8243289eb6125b516

SHA512
1f011c405ec558229a1f5e2923b38b7054144c66d4c69d658c9c2c371f6cc365317485c274cafcab80bcb88f989b0be4c43c763933de3f86362a79ec1e962ff3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_137568678\manifest.json

Filesize
141B

MD5
811f0436837c701dc1cea3d6292b3922

SHA1
4e51a3e9f5cbf8c9c96985dabe8ffc2de28dae87

SHA256
dbfb38a16e33a39c35ac50bd81782e4608be14954f1df69ac8272c0b9ce87a5d

SHA512
21e7bf2f8333b2900bcbcb871ede14684073249597d105095dc7d3f101e7ccc326068732f11d4a167365f245a3f2205793f520c7666d7f948e70919b40b43d35

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_142885172\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1541825136\manifest.json

Filesize
145B

MD5
6d9ce9f996b9f9fe10bf9546dd82f952

SHA1
0bcf62c147fab9f8eeaf575902c2b6e77053b88d

SHA256
c94951578b17215081e5ca755033993f5d50fc812b8d5e8cd4bf6a6c68b36a55

SHA512
ae6ba65587b6b8b087c57a2f0fcbb529764891eb9e4d3b419194501020256872878af14484a1909cf2293a3fa80c0e74db13dbb3a6b5289c62df3f69a4c7e3b3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1980678810\manifest.json

Filesize
116B

MD5
d20acf8558cf23f01769cf4aa61237e0

SHA1
c4b21384309b0ff177d9cd3aa4198ab327eb2993

SHA256
3493b321a7fc5e183ed6f223ae55ce962541717d0b332d16bdc7cbcadf7e6f78

SHA512
73d082cbd71f6d0f06c7afc1bf63ee41c9a8e501df3e56f21a551b2d369a0afc8306894c8e0a38d0324e2ac403ec506ac1ecd8e9b61a9cb27134a229ccb13725

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_1982064983\manifest.json

Filesize
118B

MD5
c54fe40731b48d54a8bf4a75c9bbd00b

SHA1
c0a51f93ab33f434c5deff9afe002500928b3cf5

SHA256
bc698bc55ab41dbead04a286706669fced31a351957cb51ae8a21c482b752909

SHA512
372171276869335a8a4dc5de8ca85e6b9cd8294b1c25eba423799fdd9478e98adf11dd9283b2c7718e968ec7d48df383b1d65c3ece1418fc3f3cf9dc271e803f

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_373236498\manifest.json

Filesize
82B

MD5
2617c38bed67a4190fc499142b6f2867

SHA1
a37f0251cd6be0a6983d9a04193b773f86d31da1

SHA256
d571ef33b0e707571f10bb37b99a607d6f43afe33f53d15b4395b16ef3fda665

SHA512
b08053050692765f172142bad7afbcd038235275c923f3cd089d556251482b1081e53c4ad7367a1fb11ca927f2ad183dc63d31ccfbf85b0160cf76a31343a6d0

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_443335705\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_443335705\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_667328062\manifest.json

Filesize
76B

MD5
ba25fcf816a017558d3434583e9746b8

SHA1
be05c87f7adf6b21273a4e94b3592618b6a4a624

SHA256
0d664bc422a696452111b9a48e7da9043c03786c8d5401282cff9d77bcc34b11

SHA512
3763bd77675221e323faa5502023dc677c08911a673db038e4108a2d4d71b1a6c0727a65128898bb5dfab275e399f4b7ed19ca2194a8a286e8f9171b3536546f

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5996_717289677\manifest.json

Filesize
102B

MD5
a64e2a4236e705215a3fd5cb2697a71f

SHA1
1c73e6aad8f44ade36df31a23eaaf8cd0cae826d

SHA256
014e9fc1219beefc428ec749633125c9bff7febc3be73a14a8f18a6691cd2846

SHA512
75b30c0c8cef490aaf923afbdb5385d4770de82e698f71f8f126a6af5ef16f3a90d0c27687f405274177b1a5250436efddd228a6d2949651f43bd926e8a1cc99

Download Submit
memory/440-2031-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/496-2646-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/496-2644-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/820-2706-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/820-2709-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1064-2702-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1064-2703-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1316-1884-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1316-1882-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-2096-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-2643-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-1881-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-3029-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-2395-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-1978-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-1834-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-1991-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-1838-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-2625-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-2701-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-2637-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-3007-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-2989-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-2013-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-4790-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-1927-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-2692-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-2029-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1412-2673-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1592-4709-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1596-4681-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1672-3222-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1708-3067-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1860-4727-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1860-4729-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2028-2032-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2032-4606-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2032-4608-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2184-4592-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2184-4594-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2260-2694-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2304-3551-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2304-3549-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2336-1928-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2336-1929-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2352-4723-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2376-3036-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2412-1830-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2524-2992-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2524-2990-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-4623-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2568-4626-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2604-1840-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2844-3071-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2844-4687-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2896-4664-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2940-2638-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2940-2639-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2984-1833-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2984-1815-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3048-3522-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3080-3252-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3224-1930-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3352-3556-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3352-3612-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3364-1827-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3416-3377-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3416-3379-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3472-4693-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3472-4691-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3584-4697-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3584-4699-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3932-3180-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4164-4711-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4284-4618-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4416-2988-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2994-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4416-3010-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2679-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2704-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2698-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4452-3520-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4452-3254-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4456-1841-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4456-4707-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4604-3069-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4640-3477-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4640-3475-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4664-1980-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4736-1828-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4736-3073-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4776-3034-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4824-3009-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4824-3182-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4900-4666-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4916-1942-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5028-4612-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5028-4614-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5116-2014-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5116-2016-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5212-2068-0x00007FF8C1190000-0x00007FF8C11A0000-memory.dmp

Filesize
64KB

Download
memory/5212-2072-0x00007FF8BE8D0000-0x00007FF8BE8E0000-memory.dmp

Filesize
64KB

Download
memory/5212-2071-0x00007FF8C1190000-0x00007FF8C11A0000-memory.dmp

Filesize
64KB

Download
memory/5212-2070-0x00007FF8C1190000-0x00007FF8C11A0000-memory.dmp

Filesize
64KB

Download
memory/5212-2073-0x00007FF8BE8D0000-0x00007FF8BE8E0000-memory.dmp

Filesize
64KB

Download
memory/5212-2069-0x00007FF8C1190000-0x00007FF8C11A0000-memory.dmp

Filesize
64KB

Download
memory/5212-2067-0x00007FF8C1190000-0x00007FF8C11A0000-memory.dmp

Filesize
64KB

Download
memory/5280-3031-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5356-4717-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5360-1829-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5492-2397-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5740-1831-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5752-3541-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5768-1994-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5768-1992-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5888-2627-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5888-2097-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5940-2675-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5964-3294-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6028-3292-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6136-2064-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6136-2066-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download