xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
2099s
max time network
2102s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm discovery execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Extracted

Family

xworm

Version

5.0

amount-acceptance.gl.at.ply.gg:7420

Mutex

k2N8rf6LqCqdtF6c

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource yara_rule

behavioral2/memory/1292-192-0x000000001BE10000-0x000000001BE1E000-memory.dmp disable_win_def

resource	yara_rule
behavioral2/memory/1292-192-0x000000001BE10000-0x000000001BE1E000-memory.dmp	disable_win_def

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1292-1-0x00000000006D0000-0x00000000006E6000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\wuoptw.exe	family_xworm
behavioral2/memory/4148-478-0x0000000000580000-0x0000000000590000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4760 powershell.exe
1120 powershell.exe
3144 powershell.exe
3020 powershell.exe
1428 powershell.exe
1596 powershell.exe
4800 powershell.exe
3840 powershell.exe
Downloads MZ/PE file

pid	process
4760	powershell.exe
1120	powershell.exe
3144	powershell.exe
3020	powershell.exe
1428	powershell.exe
1596	powershell.exe
4800	powershell.exe
3840	powershell.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sv.exemsedgewebview2.exemsedgewebview2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	sv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe

Drops startup file 3 IoCs

Processes:

sv.exewuoptw.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	wuoptw.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 60 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exewuoptw.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exesvhost.exeMicrosoftEdge_X64_126.0.2592.81.exesetup.exesetup.exeMicrosoftEdgeUpdate.exesvhost.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exesvhost.exesvhost.exesvhost.exeMicrosoftEdgeUpdate.exesvhost.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exesvhost.exe

pid	process
4428	svhost.exe
5100	svhost.exe
1092	svhost.exe
4748	svhost.exe
4148	wuoptw.exe
3048	svhost.exe
2912	svhost.exe
4716	svhost.exe
5632	svhost.exe
436	svhost.exe
5476	svhost.exe
5240	svhost.exe
4984	svhost.exe
5892	svhost.exe
5180	svhost.exe
2528	svhost.exe
1536	svhost.exe
6040	svhost.exe
3664	svhost.exe
5616	svhost.exe
1480	svhost.exe
5580	svhost.exe
5136	svhost.exe
2432	svhost.exe
5476	svhost.exe
5928	svhost.exe
1016	svhost.exe
5176	svhost.exe
5892	svhost.exe
5328	MicrosoftEdgeWebview2Setup.exe
5544	MicrosoftEdgeUpdate.exe
5944	MicrosoftEdgeUpdate.exe
5256	MicrosoftEdgeUpdate.exe
4896	MicrosoftEdgeUpdateComRegisterShell64.exe
2624	MicrosoftEdgeUpdateComRegisterShell64.exe
3032	MicrosoftEdgeUpdateComRegisterShell64.exe
5268	MicrosoftEdgeUpdate.exe
2704	MicrosoftEdgeUpdate.exe
5240	MicrosoftEdgeUpdate.exe
1680	MicrosoftEdgeUpdate.exe
5612	svhost.exe
2404	MicrosoftEdge_X64_126.0.2592.81.exe
1864	setup.exe
4012	setup.exe
5160	MicrosoftEdgeUpdate.exe
4896	svhost.exe
4024	msedgewebview2.exe
5468	msedgewebview2.exe
5216	msedgewebview2.exe
5488	msedgewebview2.exe
5932	msedgewebview2.exe
5440	msedgewebview2.exe
2704	svhost.exe
1260	svhost.exe
4128	svhost.exe
420	MicrosoftEdgeUpdate.exe
5932	svhost.exe
5152	MicrosoftEdgeUpdate.exe
5460	MicrosoftEdgeUpdate.exe
780	svhost.exe

Loads dropped DLL 30 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeTelegram.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

pid	process
5544	MicrosoftEdgeUpdate.exe
4896	MicrosoftEdgeUpdateComRegisterShell64.exe
5256	MicrosoftEdgeUpdate.exe
2624	MicrosoftEdgeUpdateComRegisterShell64.exe
5256	MicrosoftEdgeUpdate.exe
3032	MicrosoftEdgeUpdateComRegisterShell64.exe
5256	MicrosoftEdgeUpdate.exe
5240	MicrosoftEdgeUpdate.exe
2704	MicrosoftEdgeUpdate.exe
5368	Telegram.exe
4024	msedgewebview2.exe
5468	msedgewebview2.exe
4024	msedgewebview2.exe
4024	msedgewebview2.exe
5216	msedgewebview2.exe
5488	msedgewebview2.exe
5216	msedgewebview2.exe
5932	msedgewebview2.exe
5932	msedgewebview2.exe
5488	msedgewebview2.exe
5440	msedgewebview2.exe
5440	msedgewebview2.exe
5440	msedgewebview2.exe
5216	msedgewebview2.exe
5216	msedgewebview2.exe
5216	msedgewebview2.exe
5216	msedgewebview2.exe
4024	msedgewebview2.exe
5152	MicrosoftEdgeUpdate.exe
420	MicrosoftEdgeUpdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sv.exewuoptw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	wuoptw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

Processes:

Telegram.exeTelegram.exeTelegram.exeTelegram.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Telegram.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Telegram.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Telegram.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Telegram.exe

Checks system information in the registry 2 TTPs 14 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 14 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

MicrosoftEdgeWebview2Setup.exesetup.exesetup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Temp\EU88D.tmp\msedgeupdateres_pl.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\ja.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\da.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\gu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\tt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\vccorlib140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\ga.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU88D.tmp\msedgeupdateres_ar.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU88D.tmp\msedgeupdateres_uk.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU88D.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\fa.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\msedge_pwa_launcher.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\hr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Trust Protection Lists\Sigma\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\copilot_provider_msix\package_metadata	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU88D.tmp\msedgeupdateres_ja.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU88D.tmp\msedgeupdateres_ne.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\hu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\Sigma\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\VisualElements\SmallLogoCanary.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\sl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\elevation_service.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU88D.tmp\msedgeupdateres_sr-Cyrl-BA.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\msvcp140_codecvt_ids.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\telclient.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\bs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\copilot_provider_msix\copilot_provider_neutral.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\cookie_exporter.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\hi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\identity_proxy\stable.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\lb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\nn.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\msedge_200_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\ar.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\identity_proxy\beta.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\VisualElements\Logo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\Mu\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\cs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\pa.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\onnxruntime.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\VisualElements\Logo.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\en-US.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\mk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\msedge_elf.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\VisualElements\LogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Trust Protection Lists\Mu\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\fi.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\pt-BR.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\msedge_elf.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\ffmpeg.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\identity_proxy\win11\identity_helper.Sparse.Dev.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\az.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\th.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\he.pak	setup.exe

Drops file in Windows directory 10 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 33 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Telegram.exeTelegram.exeTelegram.exeTelegram.exeTelegram.exemsedgewebview2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exesvchost.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exebrowser_broker.exeTelegram.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher.1.0\ = "Microsoft Edge Update Process Launcher Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "837"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "78367"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82CCB536-D2EE-4F19-9067-40531F08D1D4}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService\CurVer\ = "MicrosoftEdgeUpdate.Update3COMClassService.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods\ = "27"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CurVer	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ = "IProcessLauncher"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService.1.0\ = "Update3COMClass"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods\ = "24"	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "189"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PivotIndex	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods\ = "27"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = b0d667eb64cbda01	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{2DF293A6-9F12-462A-BC3C-BAB5D1BE3AC	browser_broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\Desktop\\Telegram\\Telegram.exe,1\""	Telegram.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods\ = "5"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16"	MicrosoftEdgeUpdateComRegisterShell64.exe

NTFS ADS 3 IoCs

Processes:

browser_broker.exeMicrosoftEdgeWebview2Setup.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\tportable-x64.5.2.0.zip.73stscn.partial:Zone.Identifier	browser_broker.exe
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\MicrosoftEdgeWebview2Setup.exe.pcbbojs.partial:Zone.Identifier	browser_broker.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU88D.tmp\MicrosoftEdgeUpdateSetup.exe\:Zone.Identifier:$DATA	MicrosoftEdgeWebview2Setup.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

4856 schtasks.exe
672 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 8 IoCs

Processes:

Telegram.exeTelegram.exeTelegram.exeTelegram.exeTelegram.exeTelegram.exeTelegram.exeTelegram.exe

pid process

5816 Telegram.exe
5632 Telegram.exe
4216 Telegram.exe
5896 Telegram.exe
6060 Telegram.exe
5368 Telegram.exe
1776 Telegram.exe
5580 Telegram.exe

pid	process
4856	schtasks.exe
672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesv.exepowershell.exepowershell.exepowershell.exepowershell.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

pid	process
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1596	powershell.exe
1596	powershell.exe
1596	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
3840	powershell.exe
3840	powershell.exe
3840	powershell.exe
1292	sv.exe
1292	sv.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe
3144	powershell.exe
3144	powershell.exe
3144	powershell.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
5544	MicrosoftEdgeUpdate.exe
5544	MicrosoftEdgeUpdate.exe
5544	MicrosoftEdgeUpdate.exe
5544	MicrosoftEdgeUpdate.exe
5544	MicrosoftEdgeUpdate.exe
5544	MicrosoftEdgeUpdate.exe
420	MicrosoftEdgeUpdate.exe
420	MicrosoftEdgeUpdate.exe
420	MicrosoftEdgeUpdate.exe
420	MicrosoftEdgeUpdate.exe
5152	MicrosoftEdgeUpdate.exe
5152	MicrosoftEdgeUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

MicrosoftEdgeCP.exeTelegram.exeTelegram.exesv.exewuoptw.exe

pid process

4792 MicrosoftEdgeCP.exe
4216 Telegram.exe
5368 Telegram.exe
1292 sv.exe
4148 wuoptw.exe

pid	process
4792	MicrosoftEdgeCP.exe
4216	Telegram.exe
5368	Telegram.exe
1292	sv.exe
4148	wuoptw.exe

Suspicious behavior: MapViewOfSection 18 IoCs

Processes:

MicrosoftEdgeCP.exe

pid	process
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

msedgewebview2.exe

pid process

4024 msedgewebview2.exe

pid	process
4024	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1292	sv.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeIncreaseQuotaPrivilege	1428	powershell.exe
Token: SeSecurityPrivilege	1428	powershell.exe
Token: SeTakeOwnershipPrivilege	1428	powershell.exe
Token: SeLoadDriverPrivilege	1428	powershell.exe
Token: SeSystemProfilePrivilege	1428	powershell.exe
Token: SeSystemtimePrivilege	1428	powershell.exe
Token: SeProfSingleProcessPrivilege	1428	powershell.exe
Token: SeIncBasePriorityPrivilege	1428	powershell.exe
Token: SeCreatePagefilePrivilege	1428	powershell.exe
Token: SeBackupPrivilege	1428	powershell.exe
Token: SeRestorePrivilege	1428	powershell.exe
Token: SeShutdownPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeSystemEnvironmentPrivilege	1428	powershell.exe
Token: SeRemoteShutdownPrivilege	1428	powershell.exe
Token: SeUndockPrivilege	1428	powershell.exe
Token: SeManageVolumePrivilege	1428	powershell.exe
Token: 33	1428	powershell.exe
Token: 34	1428	powershell.exe
Token: 35	1428	powershell.exe
Token: 36	1428	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeIncreaseQuotaPrivilege	1596	powershell.exe
Token: SeSecurityPrivilege	1596	powershell.exe
Token: SeTakeOwnershipPrivilege	1596	powershell.exe
Token: SeLoadDriverPrivilege	1596	powershell.exe
Token: SeSystemProfilePrivilege	1596	powershell.exe
Token: SeSystemtimePrivilege	1596	powershell.exe
Token: SeProfSingleProcessPrivilege	1596	powershell.exe
Token: SeIncBasePriorityPrivilege	1596	powershell.exe
Token: SeCreatePagefilePrivilege	1596	powershell.exe
Token: SeBackupPrivilege	1596	powershell.exe
Token: SeRestorePrivilege	1596	powershell.exe
Token: SeShutdownPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeSystemEnvironmentPrivilege	1596	powershell.exe
Token: SeRemoteShutdownPrivilege	1596	powershell.exe
Token: SeUndockPrivilege	1596	powershell.exe
Token: SeManageVolumePrivilege	1596	powershell.exe
Token: 33	1596	powershell.exe
Token: 34	1596	powershell.exe
Token: 35	1596	powershell.exe
Token: 36	1596	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeIncreaseQuotaPrivilege	4800	powershell.exe
Token: SeSecurityPrivilege	4800	powershell.exe
Token: SeTakeOwnershipPrivilege	4800	powershell.exe
Token: SeLoadDriverPrivilege	4800	powershell.exe
Token: SeSystemProfilePrivilege	4800	powershell.exe
Token: SeSystemtimePrivilege	4800	powershell.exe
Token: SeProfSingleProcessPrivilege	4800	powershell.exe
Token: SeIncBasePriorityPrivilege	4800	powershell.exe
Token: SeCreatePagefilePrivilege	4800	powershell.exe
Token: SeBackupPrivilege	4800	powershell.exe
Token: SeRestorePrivilege	4800	powershell.exe
Token: SeShutdownPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeSystemEnvironmentPrivilege	4800	powershell.exe
Token: SeRemoteShutdownPrivilege	4800	powershell.exe
Token: SeUndockPrivilege	4800	powershell.exe
Token: SeManageVolumePrivilege	4800	powershell.exe
Token: 33	4800	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Telegram.exeTelegram.exeTelegram.exeTelegram.exeTelegram.exe

pid	process
5816	Telegram.exe
5816	Telegram.exe
5816	Telegram.exe
5816	Telegram.exe
5816	Telegram.exe
5632	Telegram.exe
5632	Telegram.exe
5632	Telegram.exe
5632	Telegram.exe
5632	Telegram.exe
5896	Telegram.exe
5896	Telegram.exe
5896	Telegram.exe
5896	Telegram.exe
5896	Telegram.exe
6060	Telegram.exe
6060	Telegram.exe
6060	Telegram.exe
6060	Telegram.exe
6060	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Telegram.exeTelegram.exeTelegram.exeTelegram.exeTelegram.exe

pid	process
5816	Telegram.exe
5816	Telegram.exe
5816	Telegram.exe
5816	Telegram.exe
5816	Telegram.exe
5632	Telegram.exe
5632	Telegram.exe
5632	Telegram.exe
5632	Telegram.exe
5632	Telegram.exe
5896	Telegram.exe
5896	Telegram.exe
5896	Telegram.exe
5896	Telegram.exe
5896	Telegram.exe
6060	Telegram.exe
6060	Telegram.exe
6060	Telegram.exe
6060	Telegram.exe
6060	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeTelegram.exeTelegram.exeTelegram.exeTelegram.exeTelegram.exe

pid	process
3136	MicrosoftEdge.exe
4316	MicrosoftEdgeCP.exe
1820	MicrosoftEdgeCP.exe
4316	MicrosoftEdgeCP.exe
4792	MicrosoftEdgeCP.exe
4792	MicrosoftEdgeCP.exe
5816	Telegram.exe
5816	Telegram.exe
5632	Telegram.exe
5632	Telegram.exe
5896	Telegram.exe
5896	Telegram.exe
6060	Telegram.exe
6060	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe
5368	Telegram.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sv.exeMicrosoftEdgeCP.exewuoptw.exe

description	pid	process	target process
PID 1292 wrote to memory of 1428	1292	sv.exe	powershell.exe
PID 1292 wrote to memory of 1428	1292	sv.exe	powershell.exe
PID 1292 wrote to memory of 1596	1292	sv.exe	powershell.exe
PID 1292 wrote to memory of 1596	1292	sv.exe	powershell.exe
PID 1292 wrote to memory of 4800	1292	sv.exe	powershell.exe
PID 1292 wrote to memory of 4800	1292	sv.exe	powershell.exe
PID 1292 wrote to memory of 3840	1292	sv.exe	powershell.exe
PID 1292 wrote to memory of 3840	1292	sv.exe	powershell.exe
PID 1292 wrote to memory of 4856	1292	sv.exe	schtasks.exe
PID 1292 wrote to memory of 4856	1292	sv.exe	schtasks.exe
PID 4316 wrote to memory of 2052	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 2052	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 2052	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 2052	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 2052	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 2052	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1292 wrote to memory of 4148	1292	sv.exe	wuoptw.exe
PID 1292 wrote to memory of 4148	1292	sv.exe	wuoptw.exe
PID 4148 wrote to memory of 4760	4148	wuoptw.exe	powershell.exe
PID 4148 wrote to memory of 4760	4148	wuoptw.exe	powershell.exe
PID 4148 wrote to memory of 1120	4148	wuoptw.exe	powershell.exe
PID 4148 wrote to memory of 1120	4148	wuoptw.exe	powershell.exe
PID 4148 wrote to memory of 3144	4148	wuoptw.exe	powershell.exe
PID 4148 wrote to memory of 3144	4148	wuoptw.exe	powershell.exe
PID 4148 wrote to memory of 3020	4148	wuoptw.exe	powershell.exe
PID 4148 wrote to memory of 3020	4148	wuoptw.exe	powershell.exe
PID 4148 wrote to memory of 672	4148	wuoptw.exe	schtasks.exe
PID 4148 wrote to memory of 672	4148	wuoptw.exe	schtasks.exe
PID 4316 wrote to memory of 2052	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 1448	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4520	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4832	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4832	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4316 wrote to memory of 4832	4316	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

msedgewebview2.exe

description ioc process

Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection msedgewebview2.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3840

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Users\Admin\AppData\Local\Temp\wuoptw.exe
"C:\Users\Admin\AppData\Local\Temp\wuoptw.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wuoptw.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wuoptw.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:672

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3136

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
PID:3380

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\MicrosoftEdgeWebview2Setup.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\MicrosoftEdgeWebview2Setup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- NTFS ADS
PID:5328

C:\Program Files (x86)\Microsoft\Temp\EU88D.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EU88D.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
3⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
PID:5544

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
4⤵
- Executes dropped EXE
- Modifies registry class
PID:5944

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5256

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4896

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2624

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3032

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Mjg2NEQwN0YtNDI3RC00MTM3LThBRjktMUZBNkI4NDg3RUJEfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0UwODgzNjFGLUE1QTMtNEVCNC1CRUUzLTIwNzc0RUUwMDI2RH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTUwNjMuMCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJRRU1VIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy4xODcuNDEiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjIxNDUxMTk4NTc1IiBpbnN0YWxsX3RpbWVfbXM9IjUxNSIvPjwvYXBwPjwvcmVxdWVzdD4
4⤵
- Executes dropped EXE
- Checks system information in the registry
PID:5268

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource taggedmi /sessionid "{2864D07F-427D-4137-8AF9-1FA6B8487EBD}"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8
1⤵
PID:4348

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1416

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1092

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4748

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3048

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2912

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4792

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:1448

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4520

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:4832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5432

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5632

C:\Users\Admin\Desktop\Telegram\Telegram.exe
"C:\Users\Admin\Desktop\Telegram\Telegram.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5816

C:\Users\Admin\Downloads\Telegram\Telegram.exe
"C:\Users\Admin\Downloads\Telegram\Telegram.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5632

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:436

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5476

C:\Users\Admin\Desktop\Telegram\Telegram.exe
"C:\Users\Admin\Desktop\Telegram\Telegram.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4216

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5240

C:\Users\Admin\Desktop\Telegram\Telegram.exe
"C:\Users\Admin\Desktop\Telegram\Telegram.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5896

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4984

C:\Users\Admin\Desktop\Telegram\Telegram.exe
"C:\Users\Admin\Desktop\Telegram\Telegram.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6060

C:\Users\Admin\Desktop\Telegram\Telegram.exe
"C:\Users\Admin\Desktop\Telegram\Telegram.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5368

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Telegram.exe --webview-exe-version=5.2.0.0 --user-data-dir="C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=ElasticOverscroll --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=5368.1036.5970124514331379230
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- System policy modification
PID:4024

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.127 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=126.0.2592.81 --initial-client-data=0x11c,0x120,0x124,0x108,0x12c,0x7ffaddf20148,0x7ffaddf20154,0x7ffaddf20160
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5468

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView" --webview-exe-name=Telegram.exe --webview-exe-version=5.2.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1708,i,4394327504985164265,13728441425035426374,262144 --enable-features=MojoIpcz --disable-features=ElasticOverscroll --variations-seed-version --mojo-platform-channel-handle=1704 /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5216

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView" --webview-exe-name=Telegram.exe --webview-exe-version=5.2.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=1628,i,4394327504985164265,13728441425035426374,262144 --enable-features=MojoIpcz --disable-features=ElasticOverscroll --variations-seed-version --mojo-platform-channel-handle=1760 /prefetch:3
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5488

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView" --webview-exe-name=Telegram.exe --webview-exe-version=5.2.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=1980,i,4394327504985164265,13728441425035426374,262144 --enable-features=MojoIpcz --disable-features=ElasticOverscroll --variations-seed-version --mojo-platform-channel-handle=1976 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5932

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView" --webview-exe-name=Telegram.exe --webview-exe-version=5.2.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3224,i,4394327504985164265,13728441425035426374,262144 --enable-features=MojoIpcz --disable-features=ElasticOverscroll --variations-seed-version --mojo-platform-channel-handle=3240 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5440

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5892

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5180

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2528

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1536

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:6040

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3664

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5616

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1480

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5580

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5136

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2432

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5476

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5928

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1016

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5176

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:5444

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1328

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:5240

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Mjg2NEQwN0YtNDI3RC00MTM3LThBRjktMUZBNkI4NDg3RUJEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MDkwMkNFM0EtMzg2NC00NzA5LUI4MkMtQTM5NzQ0MUIxNzkxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IlFFTVUiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9Ijg3IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MTIyMzM3MDgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM1NjcwNjU4NDY3NzMyNDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTE0MzI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIyMTQ1NDIyMzc1NSIvPjwvYXBwPjwvcmVxdWVzdD4
2⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1680

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{45D4DC58-C6A2-4D36-AA2F-0C099A2DEDE4}\MicrosoftEdge_X64_126.0.2592.81.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{45D4DC58-C6A2-4D36-AA2F-0C099A2DEDE4}\MicrosoftEdge_X64_126.0.2592.81.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
2⤵
- Executes dropped EXE
PID:2404

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{45D4DC58-C6A2-4D36-AA2F-0C099A2DEDE4}\EDGEMITMP_F55CE.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{45D4DC58-C6A2-4D36-AA2F-0C099A2DEDE4}\EDGEMITMP_F55CE.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{45D4DC58-C6A2-4D36-AA2F-0C099A2DEDE4}\MicrosoftEdge_X64_126.0.2592.81.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1864

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{45D4DC58-C6A2-4D36-AA2F-0C099A2DEDE4}\EDGEMITMP_F55CE.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{45D4DC58-C6A2-4D36-AA2F-0C099A2DEDE4}\EDGEMITMP_F55CE.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.127 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{45D4DC58-C6A2-4D36-AA2F-0C099A2DEDE4}\EDGEMITMP_F55CE.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=126.0.2592.81 --initial-client-data=0x210,0x214,0x218,0x1ec,0x21c,0x7ff7aa67aa40,0x7ff7aa67aa4c,0x7ff7aa67aa58
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4012

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Mjg2NEQwN0YtNDI3RC00MTM3LThBRjktMUZBNkI4NDg3RUJEfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezRCRjY3RDhCLUQyNUMtNDJGNy1CRTFFLTUyNzY1QkFCMTMyN30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTUwNjMuMCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJRRU1VIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTI2LjAuMjU5Mi44MSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMjE0OTEyMDM0NzEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIyMTQ5MTIzODQxNyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjIxNjkzMjUzNjQ4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8xMTEwYmY2My1jNmNlLTQ3MTQtOTY5Yi1iMzAyOGI0NDFjNDc_UDE9MTcyMDM4ODUxNCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1td1dGOFk2bjZGYmJ6SXBYTklVbHFualRzYVpucEJlQlRrMFZCT3ZQU2hBNTNLTnhkWW81VG9mbGlIUCUyYkpBMmJTMXRDbnYwem5wdmpURHhPbGZkSGVBJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTczMDgyMTY4IiB0b3RhbD0iMTczMDgyMTY4IiBkb3dubG9hZF90aW1lX21zPSIxNjAzMiIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjIxNjkzMzU5MTQ2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMjE3MDkzMDg2NDciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjIyMTMwMjg0MTcwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iNjU1IiBkb3dubG9hZF90aW1lX21zPSIyMDIxMCIgZG93bmxvYWRlZD0iMTczMDgyMTY4IiB0b3RhbD0iMTczMDgyMTY4IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI0MjA5NSIvPjwvYXBwPjwvcmVxdWVzdD4
2⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5160

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5612

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4896

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:3324

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:32

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:2096

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Users\Admin\Desktop\Telegram\Telegram.exe
"C:\Users\Admin\Desktop\Telegram\Telegram.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:1776

C:\Users\Admin\Desktop\Telegram\Telegram.exe
"C:\Users\Admin\Desktop\Telegram\Telegram.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:5580

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1260

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4128

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:420

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5932

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5152

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjU4MUNDQUEtN0ZBMS00RTU0LThEQUItRjk5RTBGRTMwMTA2fSIgdXNlcmlkPSJ7Q0YwQkMyOTYtMzlFMC00NjU2LUI5N0MtREEwRTY5MTMyNDBEfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntDQTM0OEYxQi1FMEM0LTRCMkMtODM1Ri0yMzNBRDM4Nzk4QjZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iUUVNVSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3R4Z1VCSG9vNkFRU0EvZnlFNDhzeUVYcXgySisvcXNxbEdXeGk0dWZIWWs9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xODcuNDEiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC44NSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSItMSIgcmQ9Ii0xIi8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEyNi4wLjI1OTIuODEiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZT0iNjM4NCIgY29ob3J0PSJycmZAMC43OCIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzY0MjU3Mzg1NjM5NTM4MCI-PHVwZGF0ZWNoZWNrLz48cGluZyBhY3RpdmU9IjEiIGE9Ii0xIiByPSItMSIgYWQ9Ii0xIiByZD0iLTEiIHBpbmdfZnJlc2huZXNzPSJ7NjUzRDFGQTEtOUEyRS00QTZFLTg3NEQtNTFDRUQyQzE2ODkwfSIvPjwvYXBwPjwvcmVxdWVzdD4
2⤵
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:5460

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Component Object Model Hijacking

T1546.015

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Component Object Model Hijacking

T1546.015

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Installer\setup.exe
Filesize
6.5MB

MD5
7c44a5cba89f38d967b1f4e11225da0f

SHA1
44837f2ff9b3ebc7c371ee5f9e0cd5dcaad508dd

SHA256
a10c3e0b2ec1286bfe6b3fe9005a9132fad01be9afc4bdd5adb29f174b8fb706

SHA512
25b4cae7fc6d200dab70e94461b7f2e7899813975cab498fb367a32aa2e187fb7b1330545b60f6340d53fe5e04a1ecfb5d6b8bf004ac26ecaa7a8f6e387dfe99

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Filesize
201KB

MD5
e3f7c1c2e2013558284331586ba2bbb2

SHA1
6ebf0601e1c667f8d0b681b0321a73e8f4e91fa3

SHA256
d19616ac12d3d536c8fbf034513a4977c88ef2d1676d358a2358fa051c8a42ba

SHA512
7d4fd7ad06b05d79211144cbaa0047bdb4910212565b79f292a6bea652735dacf69435b24c73bc679cbdad4207f6352726eb297a1e7af4f7eef14dbc8a2ca42d

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat
Filesize
280B

MD5
60807d24ad93925ee41961ff23111f6e

SHA1
18220036994ed7a53013ea108b0a621d36a0ed55

SHA256
81cb5cc3163750fad8c1f90e5ebadd69481d2817fd90475682ef18ae739085cc

SHA512
5b02a35fc3545716a7613f3308d32e841ddf25e1aec7f09af286861b1341d3f351d1b9b17aa48a49f6f3b4b4036a7fb0bc4e690f05342275d6103649253954fe

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
Filesize
14KB

MD5
7953ec044cd8fccedc1c95cb96a903a0

SHA1
6965a923b4be5f689db8fcc676057af92dd95778

SHA256
da79f031598aaeffc94efdbf33f19a14495d8656e8b3e162a9e4775b30dbefba

SHA512
b74aae32ec79954a271739289908345e25059679cde377d8ed7d324dc9fa964409f7206814bbeb8e7159704a251a171d7f7895376403f310e6c07864db96050d

Download Submit
C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XCFODRP5\edgecompatviewlist[1].xml
Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
797be8cac3e870345482b95e9bed87a9

SHA1
94765c5f9f839ddcf4f28c1e2e8f1e35b9141c2e

SHA256
073cf61f2e6ee74d9ad3e1d6b90e96fd0e225dbd83c32106beecaf23722ad79d

SHA512
c5d7c386644162be0b2561f2a268e524a1eeda5a480414c3d51c633ea688877df484ca2dde1acacb90189f3466b58a7bad68220e12124fd141cdd85964a5b820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5640a1e8fa97730fa1e5bbb9643906b1

SHA1
dec2b2264e20b8887ff6c4a217533d57b0f34e0e

SHA256
f6ea78f4ec45fb86b8dc0f361b875d67d0abd7c1af8674ee52842f19313a08b2

SHA512
1857ec87317319f7791571854b7309481b7102fee7fbeb70b3e17214a1229f8fa8a428d6c4954225ba1ea80c8c83a7b37e9bfbef8909022182913c108d78b310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dab9aa33ee8e880bbb64639cb153bc04

SHA1
8c242c4c8e1897a1cb7ab83202cbd2cbb7f7afac

SHA256
f67f13ed5e72ba44f07a7a1e7b6468177493a83947565e2428a8219283d0a438

SHA512
e3bf559f0b3a9dad4b9c18fb022e4c9f1d8eb6fa83e74466e81c94a679373cf3fa0234d1efb3d132acb7e5b9198b77d0eb66fb471874d219f8c9ba38aebcbe84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
feadd7227952ba0cecccd1e83d465ce4

SHA1
99d72b8aa9a0f5ab642355b8858d8b24e856ac76

SHA256
02d3432c0915c855529e5990f924191447abbe0710c2acdeb5fbef3dd5c34908

SHA512
b6061744b3b8616352264528bd07e2a5506a8d5ee925f423fb80b163b0279ff95be99d1626d85dcf5e69277a58a6ad5a53a4d654a612a546fba50171ddcfb060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
74b61329be8aabcf4dccdac5e30acbbf

SHA1
2769241647206d34aac675b607e71fd83fbbc531

SHA256
6c8b5fbdec5228c5beca5dbaacc725d95b80e887331f93c88fc1299e743a1fe4

SHA512
c79615f75787978c5c6c5d6d358ae74b3f5d385d63cf6f7c0fe3cac12ba183e73996fb296e40de4513de2bb3a191f392848bbfa5e819f48ee8bccf2eaa7296cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
da68189d0b04881e0e6a3231724e2284

SHA1
a102d2d7bd11e224337d01d8becb5c02a02bce13

SHA256
704f424da042147f75d23f91feeb8cc860d199013d4e88692b22d96fec94a2df

SHA512
591a241c475e22583ba8149668ab4eb92df361d9385c47846a13356a56e45ab14d793738f5bd934bd8305ff1d19a12bbc14970db0497d962b4e4e8a40e042bda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b3bba3d94860be0b747ac8968f4f7e65

SHA1
cd10dd3baeb8043d927ba91cf67d23c7357274b0

SHA256
33c75bf448740cac0d9aaecc33d93416c0cc23b00d37ad29175f084c7f76c6f1

SHA512
7a22d290a6177bb56eebb453cb3439b39fc3b116d468c8b803c334f25786a20260ced9e9d25f0d1bbe7311e5ba994fc0bd7ffb91f37fe6f995d7de4fef2cbe18

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2WUTKSDI\8CgcSSLayxEVUBf0swP_bQGMId8.br[1].js
Filesize
226B

MD5
a5363c37b617d36dfd6d25bfb89ca56b

SHA1
31682afce628850b8cb31faa8e9c4c5ec9ebb957

SHA256
8b4d85985e62c264c03c88b31e68dbabdcc9bd42f40032a43800902261ff373f

SHA512
e70f996b09e9fa94ba32f83b7aa348dc3a912146f21f9f7a7b5deea0f68cf81723ab4fedf1ba12b46aa4591758339f752a4eba11539beb16e0e34ad7ec946763

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2WUTKSDI\8Hi2PfQw5eooQrwqITfZZ5pyvNo.br[1].js
Filesize
7KB

MD5
e51b7eb6cb390c2123c4fb6beff38fe0

SHA1
e30f700b250bb6c43c07ff2a654b7c5a464c6d5c

SHA256
3350bf7fb98eecb656369997de56fb9f8a8c97c28780cae0e64b70e5e7575604

SHA512
c03f314a5d882bd94843bf9f651bb6d9150f6580a78ab14d470ae7c2be54c9ab3e68196d889b27ec590ff87ab0151cae7655d80e1efdb1c4a43d9d2afaeef3ec

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2WUTKSDI\9xGNA8UskvA9WHF58zbLOHZ5HvI.br[1].js
Filesize
511B

MD5
d6741608ba48e400a406aca7f3464765

SHA1
8961ca85ad82bb701436ffc64642833cfbaff303

SHA256
b1db1d8c0e5316d2c8a14e778b7220ac75adae5333a6d58ba7fd07f4e6eaa83c

SHA512
e85360dbbb0881792b86dcaf56789434152ed69e00a99202b880f19d551b8c78eeff38a5836024f5d61dbc36818a39a921957f13fbf592baafd06acb1aed244b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2WUTKSDI\Gyuq2bqitqDJM0BeAkbKXGlQXNw.br[1].js
Filesize
1KB

MD5
a969230a51dba5ab5adf5877bcc28cfa

SHA1
7c4cdc6b86ca3b8a51ba585594ea1ab7b78b8265

SHA256
8e572950cbda0558f7b9563ce4f5017e06bc9c262cf487e33927a948f8d78f7f

SHA512
f45b08818a54c5fd54712c28eb2ac3417eea971c653049108e8809d078f6dd0560c873ceb09c8816ecd08112a007c13d850e2791f62c01d68518b3c3d0accceb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2WUTKSDI\V_fBQ_iVmAgE_Ta_T-6BNXc0ZY4.br[1].js
Filesize
576B

MD5
f5712e664873fde8ee9044f693cd2db7

SHA1
2a30817f3b99e3be735f4f85bb66dd5edf6a89f4

SHA256
1562669ad323019cda49a6cf3bddece1672282e7275f9d963031b30ea845ffb2

SHA512
ca0eb961e52d37caa75f0f22012c045876a8b1a69db583fe3232ea6a7787a85beabc282f104c9fd236da9a500ba15fdf7bd83c1639bfd73ef8eb6a910b75290d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2WUTKSDI\XJ8OmILbNhm0zU9tdkuGYeXVPRQ.br[1].js
Filesize
391B

MD5
55ec2297c0cf262c5fa9332f97c1b77a

SHA1
92640e3d0a7cbe5d47bc8f0f7cc9362e82489d23

SHA256
342c3dd52a8a456f53093671d8d91f7af5b3299d72d60edb28e4f506368c6467

SHA512
d070b9c415298a0f25234d1d7eafb8bae0d709590d3c806fceaec6631fda37dffca40f785c86c4655aa075522e804b79a7843c647f1e98d97cce599336dd9d59

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2WUTKSDI\lLk8XmbdNzzlnPRzVzDhaF9yjqw.br[1].js
Filesize
824B

MD5
3ff8eecb7a6996c1056bbe9d4dde50b4

SHA1
fdc4d52301d187042d0a2f136ceef2c005dcbb8b

SHA256
01b479f35b53d8078baca650bdd8b926638d8daaa6eb4a9059e232dbd984f163

SHA512
49e68aa570729cc96ed0fd2f5f406d84869772df67958272625cba9d521ca508955567e12573d7c73d7e7727260d746b535c2ce6a3ace4952edf8fd85f3db0dd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2WUTKSDI\n21aGRCN5EKHB3qObygw029dyNU.br[1].js
Filesize
1KB

MD5
cb027ba6eb6dd3f033c02183b9423995

SHA1
368e7121931587d29d988e1b8cb0fda785e5d18b

SHA256
04a007926a68bb33e36202eb27f53882af7fd009c1ec3ad7177fba380a5fb96f

SHA512
6a575205c83b1fc3bfac164828fbdb3a25ead355a6071b7d443c0f8ab5796fe2601c48946c2e4c9915e08ad14106b4a01d2fcd534d50ea51c4bc88879d8bec8d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RC7GQ9VP\9MqrCXB0EVjVIRzDOArDGhu3yeM.br[1].js
Filesize
1KB

MD5
56afa9b2c4ead188d1dd95650816419b

SHA1
c1e4d984c4f85b9c7fb60b66b039c541bf3d94f6

SHA256
e830aeb6bc4602a3d61e678b1c22a8c5e01b9fb9a66406051d56493cc3087b4b

SHA512
d97432e68afdaa2cfaeff497c2ff70208bd328713f169380d5afb5d5eecd29e183a79bec99664dbee13fd19fe21ebae7396315ac77a196bfb0ab855507f3dacf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RC7GQ9VP\Pjj829CwRyC-8v2EBV3taqJnwMs.gz[1].js
Filesize
9KB

MD5
6007173991015e6a78bd464cd93c8efd

SHA1
d1fcf14a3504db6dc5371de506b83eeb33e840e6

SHA256
62064f220d628c1d64c67d806b85885dafc7c5679c835b216c9d87bfd58c63b6

SHA512
8fdfc9bcbd9eec82cd51786722e3af9e0634fa50a44db9a5d32c98aaa78609ab704a57971aab13ce7a98edf79aa3c70a95e69c2daab357cae42646a8bb9376f7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RC7GQ9VP\TqttMd6kp4Oq5sq-Kbq-BwvW9vA.br[1].js
Filesize
183KB

MD5
50fda36301043d83145590caaf7875ed

SHA1
86490d4b5fc988b2c935f40086065bd57a64a02c

SHA256
63a3870f8cab97b88c27883a066fed1bf8c18badd588713dec855f6b864255e6

SHA512
988863885c3997098849ae3203a3bff08fcd3460c61946826cf16b670a575717cf50a41115646ee0ac938e4661be30af9309552b31ae2541f3e346f3ada36554

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RC7GQ9VP\nt6a1ZR520utsLoZmSYgwxdOPgI[1].js
Filesize
606B

MD5
0c2672dc05a52fbfb8e3bc70271619c2

SHA1
9ede9ad59479db4badb0ba19992620c3174e3e02

SHA256
54722cf65ab74a85441a039480691610df079e6dd3316c452667efe4a94ffd39

SHA512
dd2b3e4438a9deaa6b306cbc0a50a035d9fe19c6180bc49d2a9d8cdbb2e25d9c6c8c5265c640ac362dc353169727f8c26503e11a8a061a2517a303f61d0ccd3c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RC7GQ9VP\tlifxqsNyCzxIJnRwtQKuZToQQw[1].js
Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U67OMNFA\1rUTIFRcUHTZUBaDs_0q8KvUlR0.br[1].js
Filesize
8KB

MD5
c63e610f6bfb2687ee044cee7d3e16c7

SHA1
b78022432ac754cc41335341a8e07f2676bad789

SHA256
c150d5e192ece8d69ba8029d87ecbc66674013b8418264cc86f0abcb0da0a38b

SHA512
11029009d8d0885d16a4b546816cc0f22f51ffd035fdd87d58eaf432017947460a1a78a543c0eb3875af49342a240ea606aced23654bc190ba6a4b7101e13a3a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U67OMNFA\3US3nNU_RgsSNFm9Bzw6xgeuOHk.br[1].js
Filesize
1KB

MD5
d42baf2a964c88aaa1bb892e1b26d09c

SHA1
8ac849ca0c84500a824fcfd688b6f965b8accc4c

SHA256
e3a15dab8cc5adbd2cfa1a162bf06583da6fb7be3831323d819cd881bfb0672c

SHA512
634bb1c984c9d74876051937240295a5ed5dc6404379decafbc4df074aefda5246ec33be84d2b21e0099c7bdd406e9cae6ebdf0ff01ddec3806b89dc50810c12

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U67OMNFA\5L3iD467J3iJWEPwIjxlK0MMDpY.br[1].js
Filesize
1KB

MD5
2ef3074238b080b648e9a10429d67405

SHA1
15d57873ff98195c57e34fc778accc41c21172e7

SHA256
e90558eb19208ad73f0de1cd9839d0317594bf23da0514f51272bf27183f01da

SHA512
c1d7074a0ebf5968b468f98fc4c0c7829999e402dd91c617e679eeb46c873dc04096cbf9277e115fc42c97516a6c11a9f16afa571e00f0d826beb463e2d1f7b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U67OMNFA\9cuwOQ_qE7qTGKohzrf_gIjTlPI.br[1].js
Filesize
3KB

MD5
fabb77c7ae3fd2271f5909155fb490e5

SHA1
cde0b1304b558b6de7503d559c92014644736f88

SHA256
e482bf4baaa167335f326b9b4f4b83e806cc21fb428b988a4932c806d918771c

SHA512
cabb38f7961ab11449a6e895657d39c947d422f0b3e1da976494c53203e0e91adfc514b6100e632939c4335c119165d2330512caa7d836a6c863087775edaa9f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U67OMNFA\Gw7eETSwe7GHmKwW1lRqGPQJXRo.br[1].js
Filesize
2KB

MD5
17cdab99027114dbcbd9d573c5b7a8a9

SHA1
42d65caae34eba7a051342b24972665e61fa6ae2

SHA256
5ff6b0f0620aa14559d5d869dbeb96febc4014051fa7d5df20223b10b35312de

SHA512
1fe83b7ec455840a8ddb4eedbbcd017f4b6183772a9643d40117a96d5fff70e8083e424d64deba209e0ef2e54368acd58e16e47a6810d6595e1d89d90bca149a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U67OMNFA\IPjqENt_x1c56fZCsFxov2V2J84.br[1].js
Filesize
226B

MD5
9a4dafa34f902b78a300ccc2ab2aebf2

SHA1
5ed0d7565b595330bae9463ab5b9e2cdbfdb03c4

SHA256
ba98a6ebc3a03098ca54973213e26f0bf9d1e7e335cdfc262346fb491c3cad69

SHA512
1a8b4fce1c0e585bfcf8f11e0192fb04a80dbde7035a9c8fc426cd6383d6902bd77222331372ea33aa50d92b7cc7965656b11f480085af70267b3fd8355ebfd4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U67OMNFA\K3hC1_cQXGFr6cxRJVWYpzZJaAM.br[1].js
Filesize
891B

MD5
02b0b245d09dc56bbe4f1a9f1425ac35

SHA1
868259c7dc5175a9cc1e2ec835f3d9b4bd3f5673

SHA256
62991181637343332d7b105a605ab69d70d1256092355cfc4359bee7bdbfb9c6

SHA512
cbb43000a142807ff1bb3bfac715cef1240233117c728f357c824ce65b06be493df2306c7b03598817f09b02e9e36ec52314f88467679c5bef3ee1504a10c7e6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U67OMNFA\K_V1CARn2Q2lTs5njJKUvUkHyi4.br[1].js
Filesize
242B

MD5
6c2c6db3832d53062d303cdff5e2bd30

SHA1
b7a064a64ceae5c9009ef7d6d8f63b90d3933c9d

SHA256
06b77ee16a2cd34acd210b4f2b6e423762ea8874bb26ae5a37db9dd01a00ff70

SHA512
bc2d115b53035b700d727af9d7efaf32dd2a39a2344f3f5fa1a82586be849ec7803e8320661e66ab7dd2a17e64b7897e95bbd84502b91997fa46eba4e67e8c7d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U67OMNFA\anLBCCbtVUfEVXi8CHBSo5E22oY.br[1].js
Filesize
19KB

MD5
5463a4fcc6967dbb06c1c51e3e1d80db

SHA1
a47dc8a729719b7f88521ea56fb38d6f71be21cf

SHA256
9c4df84d46da7cc013cf9fb07433c6bc40d75f00121993ad51036fcdcdd145bb

SHA512
3b18dacb21624e993e8946fa69d9482a05f8f188ea313b06eb6707210e5f15c5be7d1b0f571ba20b2d56686806ad4fff870ea6fcf84e851586c518f62cf29302

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U67OMNFA\g2mFaePdYzQOubI8JEItbebrED8.gz[1].css
Filesize
824B

MD5
6d94f94bfb17721a8da8b53731eb0601

SHA1
ae540db8d146e17cfc3d09d46b31bd16b3308a6d

SHA256
21829c74fce2c9bbbb3099a7a487de71465ed712410c32bc6c69884db07a90dd

SHA512
bf33fb4858b56f888108bcd5c2691613b68715e260e59c1e37a050a709be04a8e0eaf5509667183a0d51f1201e58c02df4f744a0772242ee5b61595c44c072e7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U67OMNFA\gKwIRAF4fg7noG1zyeUz8x3Jdhc.br[1].js
Filesize
924B

MD5
47442e8d5838baaa640a856f98e40dc6

SHA1
54c60cad77926723975b92d09fe79d7beff58d99

SHA256
15ed1579bccf1571a7d8b888226e9fe455aca5628684419d1a18f7cda68af89e

SHA512
87c849283248baf779faab7bde1077a39274da88bea3a6f8e1513cb8dcd24a8c465bf431aee9d655b4e4802e62564d020f0bb1271fb331074d2ec62fc8d08f63

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U67OMNFA\psgXZvzYJMEW2ydikIk493Va1d4.br[1].js
Filesize
1KB

MD5
f4da106e481b3e221792289864c2d02a

SHA1
d8ba5c1615a4a8ed8ee93c5c8e2ea0fb490a0994

SHA256
47cb84d180c1d6ba7578c379bdc396102043b31233544e25a5a6f738bb425ac9

SHA512
66518ee1b6c0df613074e500a393e973844529ca81437c4bafe6bf111cba4d697af4fe36b8d1b2aa9b25f3eb93cd76df63abfc3269ac7e9f87c5f28a3764008e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U67OMNFA\zXHaGKCOTtmQ_Ueik3R6GTcUz-8.br[1].js
Filesize
33KB

MD5
fe1f9add646fe3c4eb695f76b6eccdfc

SHA1
caf4f7fd1142398e9a9386bce595afb66fd41c77

SHA256
2d790381800ec6ddb18f82658ff2515866a1e3e470b926d46dd8b46ffffa7403

SHA512
1f621757daa2864d4d258c6a69a60490df224ef5dd86a230f8d410e50ac1423a9e0dcb44225c17be2dd14826c54e545626b991cc7741055ba96d1d95d638a24f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\2IeqNnpxuobNf8w1fP2Oy2HEFfk.gz[1].js
Filesize
358B

MD5
22bbef96386de58676450eea893229ba

SHA1
dd79dcd726dc1f674bfdd6cca1774b41894ee834

SHA256
a27ce87030a23782d13d27cb296137bb2c79cdfee2fd225778da7362865eb214

SHA512
587d5b5e46b235cdcdf41e1f9258c1733baee40b8a22a18602a5c88cba1a14edf1f6596c0ab3c09f09b58f40709ac8cf7e1bb33b57293aa88eaf62d0ab13fbf4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\43BJuM7qM_8Wd1WfIZM2_oK9zrw.gz[1].js
Filesize
371B

MD5
b743465bb18a1be636f4cbbbbd2c8080

SHA1
7327bb36105925bd51b62f0297afd0f579a0203d

SHA256
fee47f1645bc40fbc0f98e05e8a53c4211f8081629ffda2f785107c1f3f05235

SHA512
5592def225e34995f2f4e781f02cc2b489c66a7698d2feff9ac9a71f09e5284b6bbdb065e1df9c06adfb1f467d5627fbd06e647abf4e6ab70cf34501232126ad

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\910ptS3pcIDQ7a5acMaHuQliuN0.br[1].js
Filesize
1KB

MD5
8898a2f705976d9be01f35a493f9a98f

SHA1
bc69bec33a98575d55fefae8883c8bb636061007

SHA256
5f30270aa2dc8a094d790e1e4a62b17c7d76a20b449d9b69af797a55fada9108

SHA512
c8575df93fbd1f65a285d484257adfe12733e47a6524a18d5910d33562eefd1d9da7197d16c7a3cad3bc5ad89546ff0fefe90e5c96e7850ecec9708c90334349

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\CcMXS8Oo0OUnUE0LzYK9AFJ6la8.br[1].js
Filesize
1KB

MD5
0c0ad3fd8c0f48386b239455d60f772e

SHA1
f76ec2cf6388dd2f61adb5dab8301f20451846fa

SHA256
db6dde4aef63304df67b89f427019d29632345d8b3b5fe1b55980f5d78d6e1e7

SHA512
e45a51ef2f0021f168a70ac49bdcc7f4fb7b91ff0ddd931f8ecbd70f6494c56285b2d9bc1170804801ce178244ccf361745b677b04c388b608d1471e0695ebeb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\ID-70CBAEOXh6Nwxga-CxgpUq4k.br[1].js
Filesize
883B

MD5
fd88c51edb7fcfe4f8d0aa2763cebe4a

SHA1
18891af14c4c483baa6cb35c985c6debab2d9c8a

SHA256
51f58a23f7723b6cbd51b994cb784fbc2a4ab58442adaeda6c778f648073b699

SHA512
ffe417fa00113273fe7ac1b1bd83c98a3a9dc12d41c77b60c52cc5ffd461d9ca2020c2444ac43771d737c70c58eca40786a5c5762b60f30da523f709684510df

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\MicrosoftEdgeWebview2Setup[1].exe
Filesize
1.6MB

MD5
db7fb67fcec9f1c442de25f3ad59f50c

SHA1
b600aa26d1cded59760304c6d77f4ff75722eabd

SHA256
c227208854734bbd38c9f74f39034111733da5c7ce71515b1610aedd79417f9f

SHA512
c14ec7d252a6f201dfea476d302fbc5140713cb4ea7bc8d4e610bfd806b3fa3c141153e2e9b8cb36255fba1fab4d4400ed83f5f5c1228d77d77bace41d5de7fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\NfTD8Ovh04Y_Ni14YxqYB8R_2_Q.br[1].js
Filesize
888B

MD5
f1cf1909716ce3da53172898bb780024

SHA1
d8d34904e511b1c9aae1565ba10ccd045c940333

SHA256
9abac0cbfa6f89106b66cd4f698ead5ccbf615ecf8cd7e9e88567a7c33cfec01

SHA512
8b641e93405565b4a57c051edefc8e02d6c929ddd4c52f9bfbd19c57896aa40426bf5ed6760dbd479719561c4f0a25bfc4102f0f49d3d308035c9ca90b1d0fce

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\VbSztIaSY8XAi9dm3h6m51N3zH8.gz[1].css
Filesize
610B

MD5
f8a63d56887d438392803b9f90b4c119

SHA1
993bd8b5eb0db6170ea2b61b39f89fad9bfeb5b5

SHA256
ef156b16fdcf73f670e7d402d4e7980f6558609a39195729f7a144f2d7329bf3

SHA512
26770bb2ac11b8b0aef15a4027af60a9c337fe2c69d79fddaa41acfd13cac70096509b43dc733324932246c93475a701fd76a16675c8645e0ec91bd38d81c69d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\_ykiGO1K5rjAQeICdJheT3jfLeY.gz[1].css
Filesize
589B

MD5
7a903a859615d137e561051c006435c2

SHA1
7c2cbeb8b0e83e80954b14360b4c6e425550bc54

SHA256
281d6234fd292800c2a5dbd14e524c9cee0d4438188b0b7d873abf41515a7666

SHA512
aa47efab7ec689b838d1e5adfe26e035e8b93f2b806f1954214447cb2065fa5906f81a70b4c656b3ce1490d8ac2009c7e7b0f96491d6d4559c41fb25d08fe35c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\eKvcHdnNwo1WcxoSioV4ztnfZk8.br[1].js
Filesize
2KB

MD5
fb797698ef041dd693aee90fb9c13c7e

SHA1
394194f8dd058927314d41e065961b476084f724

SHA256
795e9290718eb62a1fb00646dc738f6a6b715b1171dd54a3d2defa013a74f3da

SHA512
e03c4ab727567be95b349b971e29cffb3890cfb1a1ddf997b34b9d69154294a00a5112f4ffca4df4e26bbf96afa75e5943e965edc8f8e21035ed2ef30b7688d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\fRSNKQanUHk53F1a1Bi8UA71Qt4.br[1].js
Filesize
289B

MD5
9085e17b6172d9fc7b7373762c3d6e74

SHA1
dab3ca26ec7a8426f034113afa2123edfaa32a76

SHA256
586d8f94486a8116af00c80a255cba96c5d994c5864e47deac5a7f1ae1e24b0d

SHA512
b27b776cb4947eef6d9e2a33b46e87796a6d4c427f4759c08cf5aa0ee410a5f12e89ca6ab9cddd86c8471037e3c505f43c8b7fc6d8417f97f9fe3c5c47216bc4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\tPLNa5UcMaQEzzg0acZfPM45N6I.gz[1].css
Filesize
2KB

MD5
9baa6773c6549250a3393e62c56eb395

SHA1
5bb4eead8609cd30b9b96b23ec4fd0082ae64c1d

SHA256
dadf403df8cfe888e59e6a051aee3783a2bf0bcc60dc1d09a7797daaee726ca2

SHA512
cf12319cf07897864828d9c950df4a98a0628d828a7fee75f1235fc5d3a57c90a40b5ded2743af2e62b1d13d3f6be0d302ada054e7c0d7164b8ba12054909b8d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\uiannz55FdT0j3p9jGwegfI5aIY.br[1].js
Filesize
1KB

MD5
45345f7e8380393ca0c539ae4cfe32bd

SHA1
292d5f4b184b3ff7178489c01249f37f5ca395a7

SHA256
3a40a1ff034448d68d92a75ababa09ba5f2b71d130f5f6bdf160dcf8851529a9

SHA512
2bfd00bf303ad5a1e8413b5ee6a162167605511fefb8df61a8f40f80382f5520df690a53b1058365f1d81562b2668376886d0f829517a642fcd87412801fe987

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\V4L0NGN9\ydDuUFvQrnTEDpvE14Ya7abrPGk.br[1].js
Filesize
1KB

MD5
d807dbbb6ee3a78027dc7075e0b593ff

SHA1
27109cd41f6b1f2084c81b5d375ea811e51ac567

SHA256
0acdce370092c141b0c6617ed6e2163f04bb9b93d3213b62c2bc7a46fe0243c7

SHA512
e037dfc31d595b459660fe7d938eedb4f43d208d247174ee8d6fd0d125f211142cd73497e4601893cecb6f565b7e2e7815ce416d72bb95504d3f277e4e806d11

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\User\Default\DOMStore\GNPPIGBZ\www.bing[1].xml
Filesize
97B

MD5
e589bdc823cc3c5835ccf692831af5ba

SHA1
46dceadd03c8e49ed114b8fa3f415227112f94e8

SHA256
dd755eda96df633aba8b9b6ad5f8b3ae8ac202f8fcbd3dff7fa891c66e0884bb

SHA512
e8333eb60207019b6ffe7f3cf6931f4694f78c5de3e7e04a710945c123c9bfccfdf942d480ddf2071ecf5004757e82259ac33746b5eb68f4c1cb1643eef86613

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\User\Default\DOMStore\GNPPIGBZ\www.bing[1].xml
Filesize
1KB

MD5
68169ac7488c347d92d6e4c433580cd5

SHA1
ac9ca4bd7f71fa8ad6e49f5218c786067e118901

SHA256
d85b4255c7f77f3467b67a82ff67093a195f6c616caf851f56886f8356e6c492

SHA512
be0b058f9ae2bd5c71aa72de1a0df3aa38af036b0a1b4bd92effed1db16ba6ec32b140b20dc6aac13f989e79d6c0c703033ef656ab7dcaa1061e5b005eae1c01

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\560TDRZE\favicon[1].ico
Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\8C5EMANJ\favicon-trans-bg-blue-mg[1].ico
Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\8C5EMANJ\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\GORTRGFT\favicon[1].htm
Filesize
1KB

MD5
e0dc97debdfae982ba9dabbecfac652a

SHA1
f5dc07e878fb3b4ca3ed0a12e2b6bfd0736a04e4

SHA256
93c9b4deedd8116f7e455d5d87ac74c50cadfde9e198af6607f4ad2250cd3ee2

SHA512
2c792cb18141e0129290ee82e81956398c405b575ca6d8b4d00253435e13351faf79f0dbf4237d3eeb9dba5e9d477f07d1528c479a16d73a48a46539287bbd61

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\GORTRGFT\website_icon[1].svg
Filesize
1KB

MD5
02f7553e1ac3129cd1c4d0442b5a0f81

SHA1
0dd8634450681fe1a2d0c1e5b02d6d0954e2772d

SHA256
0019255c610cb0843c524d7995905fa5201651fcc393846bee8414f0610097f5

SHA512
ac141a5648a3a22ceb295de8ecc6823f53d2a453316cd591dde888715344a60694316e1b85a5ceec72af62e34cc3d01768b020e5dfd5e0cb9916ec975ba4318e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\NESDWFQW\favicon-32x32[1].png
Filesize
1KB

MD5
16a75c7824b5223b8e22864354e9e33f

SHA1
2c35e76ebe2d8002369d582b32bd70374552c574

SHA256
7f3e38478d53875c1f35d67fc035067274bacf9df8285889ad04fb143dfdddd8

SHA512
bd09744894646081e02b9e730c68c82354e3907c419578bdcb45d52c99d909d78ee084c8948b99d14ac6c8dfb343c9eb9197af039c5ac99d356440efd10a4ee8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\NESDWFQW\favicon[1].ico
Filesize
758B

MD5
84cc977d0eb148166481b01d8418e375

SHA1
00e2461bcd67d7ba511db230415000aefbd30d2d

SHA256
bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c

SHA512
f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2WUTKSDI\tportable-x64.5.2.0[1].zip
Filesize
40KB

MD5
97cd19e0c218e4db7229079d8212299f

SHA1
4da94e1809f19c905b92891faa3e21ffebb5cdad

SHA256
842d177decdd7b2e80d7ef77faf30afdeb2c7d574d35d6717e64aef6806a6103

SHA512
10929f363f3729b3209a53d6a8546f006c82d1546fa9cc78ab57adbf88f3d92f7dd52a6faa5bfefbeed63f8fcae9026b2e00a8b96cd257bf384c3ca79428b2b8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
Filesize
313B

MD5
0b2c1e8c919c1cac0bdf16d172c6313d

SHA1
fd4c45f31ded540442f3ad049f79068e31df990b

SHA256
6dbba86eb14c8458ad7f7ee2879dc3a9cf0e223590041d81c05c847ff8197f3a

SHA512
a84e477c049a0a38893b62a6703f7704b8ea470024d2ff4f2267295616bee29ff8307c7cd2795b670081b0b8b78bf706fa7965aa39fe184ad7fbe450efdacf40

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
Filesize
400B

MD5
03decad10ca1a4092e05cbe3602bdcd3

SHA1
9e6e4da98d2e5949dced055ab9dbc4782ebe9c40

SHA256
a1763fdd808ca5eb90842b99c53fdc5a571e6691a8f5c88a9faad08c17fc292f

SHA512
fa57d43416bd360edeab13d5111a5b41fa18a5c6f682e9d5690001171db538df83c570067d6e4a95ef24ecf69bfa1dce8f94de01abfbb8891f130969f3b3b8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5nfm5enh.jag.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrlwdu.html
Filesize
2.3MB

MD5
c82b72def4f77d30ce92dcc76a933165

SHA1
aa4f5a1a3819f9962f5f886135fc777c7007a343

SHA256
e5060ca95740fe722582e8f719d1bb559dcb169b8d71b45b8353134b0c85cb4c

SHA512
fc087a0297b0983a2145fa581702f3fae9326f93ed59eaaa6136cbdd71583f5f6f93ec4e416929f21ee48a8d402c07c33035d412fe36ab8bcf8718e72985a4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuoptw.exe
Filesize
40KB

MD5
a2abffd7525046355e99e8673c3701fe

SHA1
6e1aaff66b5aac7a1c3df969b36da6141a95a4f9

SHA256
ac457a57600ba7fd011d94e6574b935a9589dd60b63d6ee6b5db67342ce5710e

SHA512
96b3b3750d9abaa627780eccb74dd870bb84ad1fb928233844054b2d24306f6f937f0762619d0b0209a8744aabbe278c773539fb8791987606427d8bfa767d22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\940ad788ca8ecd2.customDestinations-ms
Filesize
1KB

MD5
d6ae948c1d0ec31075d88c5f7608f1ab

SHA1
026bc2abb93168237aaf22cf6936c9c498dc0b18

SHA256
cf2e2f4a7a86fa5871594f79bb19acc869d0b59f4e2f09a269c5d2f93423f853

SHA512
d6e391235ff275377d8f769e290e5f1c26a8cc805d84e5d6c222c5f8e44fad414807cc0ab649ea9ee277b1a1188b38156b6ecadce6c785f845f3c8fa634ec6d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\940ad788ca8ecd2.customDestinations-ms
Filesize
1KB

MD5
392cb3ad8e09b20ac1f4bee687f3bbb1

SHA1
f3019bb043d4e6afbb3ec25e20b8ef2a4662a8cb

SHA256
08d4650f372c3abf7de0e52ad05d41e814daf02c19aa4e64072dd03d51d98ad6

SHA512
8c219cf35ea58f6e788170538a55eeabf6a96a8f7fc8fbe5c3464ac84d286ddc55677158083cf705e4409318090610699df68bfc33b282c886c809b2ccdc7d79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\940ad788ca8ecd2.customDestinations-ms
Filesize
1KB

MD5
df265a4333d0a5dfbaa3eec250b15c6b

SHA1
df089abee8806be508a6f7f01d6536f29ab4f773

SHA256
446d38184d7667caa59f1cea070e1947b84441b44f8d0fb2a2ef96c12268e127

SHA512
571b2feb71dbb0e44be34a41870bb97565f6c272e89db84cd8158916d799ed0d5b01e9c22649b20cb1b79f29bb21d20e00572139058ff1e49e4bbc8e4099eba9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk
Filesize
665B

MD5
7340f57d01dcc3a51be8568bfd83c2f3

SHA1
947674ca1b03e4e139ae7e6f59ca4fed7335f124

SHA256
43f9e383766cd4651aaa63989b7a04ef391b6d020a8a169646b610a433136346

SHA512
a1345753dbd4644156c2f2277c8df2e0d2415d8bed05bd7baf048430797d643c8ddaffd11f19d14dc11313e721072682f0512329c0aa841e641ec2e056efac4b

Download Submit
C:\Users\Admin\Desktop\Telegram\Telegram_tdata_05-28-2024 22;30;01;101.zip
Filesize
4.4MB

MD5
38f689186c6993d773b32907f984734c

SHA1
2884f1feabe326cfaf0c26d1e944b72c9b4d0e7e

SHA256
3fb0f093d37226cdbb9f1dd4898a1d6a4e83e9a2ca99dd96508f0ba1c2f580a2

SHA512
be9a922ed2104df626404bbaaee123f76cd690f94584c4a5da8cecb3cd502ae80f533d805fa4fa9c86f46420966514719c0aef7bbc7151dffe071f101631ba2c

Download Submit
C:\Users\Admin\Desktop\Telegram\log.txt
Filesize
8KB

MD5
0c6bd2677d9007b7e091422af1faafb8

SHA1
58714bf3027b569c6c4e577484ac29e481c64a53

SHA256
9f20c06ec47abfd7bf10a13acc1c523f0977b82f85ea4fa62aea37b919553944

SHA512
c05eb6138bf70e346c180d0bf97297196e800e01505f2624e8a8d20ed6edbefc21ea6925df23105c947b65a94eeec01fd57b8a3d67fb7b26ab82d8ed8fc6cb0c

Download Submit
C:\Users\Admin\Desktop\Telegram\log_start0.txt
Filesize
991B

MD5
76aa84484ceb33b0b203c86fdc9d78fb

SHA1
bb4bcba3774f7eb8347b25c76a0975483473b03a

SHA256
e6f63666031710ae66fe1afaf1f5c8b2b23dd183b016e8a7149f66459d3d1310

SHA512
5a1c61ba9573ae364ac9860a6d4f2c767a37b488b20c97528942e3c4d242bd0c5a60232e2b1dca1eb43dec98950514f9fc2b9e26e812cbaf94669832e8043a5e

Download Submit
C:\Users\Admin\Desktop\Telegram\log_start0.txt
Filesize
1KB

MD5
cc0f0d6bec54fca34f8eb32e12d890dc

SHA1
dc2c5ede70ffa0ea32fd0ff53d95473d0ef17de1

SHA256
3341e0e3c74e7e26b224c8a97ee09a7a1553edffec371d9eca10fe0ea3845844

SHA512
6ced9cbb0a9f1694b47ac8210aecc7cd4f01a74ac866abd29a17f9fd1c391352fc7de4241123f6250e463346fc64caaadced0dc37eccad9c0b6f1194b91bf4b0

Download Submit
C:\Users\Admin\Desktop\Telegram\modules
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\9B5DBFFF87CAF3A8s
Filesize
140B

MD5
350ea072cfedce6d25db84e53720fd83

SHA1
6d0978b4d42d8ec5b8afe43559185934f6b43741

SHA256
e6c833995e51afbecaa17cca86aff75b01634537fc442cc3816bd9f5a73d120a

SHA512
61ecc651d9ec666be9dfd5b3a85ef89382cb8f7c2316d9b666da251b23c851a4e684e178184c69fc2f0b6b2428acd67a7863f498c004507e3ca6b35f7a1f3c2f

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\D877F783D5D3EF8Cs
Filesize
348B

MD5
47a2c143775d067982fabe21bb113eda

SHA1
e1dc04642462e423094f5fa696be75a30500ad29

SHA256
f02c15aa181ce6bfadb914c9ba6d8cebdf88e61d27b4c91098f2b9f9e8c09c9f

SHA512
89496a08026de3ddd5cbc0b1fdd645693d928490af570b56c44f711be00fde934894088a6709b068fea7903538f1d57a7808b744890d69f349b2f37e547c945a

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_18_0
Filesize
648KB

MD5
52fabb97c5b590433621941497a5ff90

SHA1
82148e256017d231de8de399c6ff99fca288c340

SHA256
da05fe8f69700a3c9f60669d81126aa8612877339eb32c31e2ced1361dab5c06

SHA512
fc96b60b9dfa4455033377123d1cdee9fdc4a71c67da347a03672684e5ccce3e486bfb54c32c63de5e9047c4015296bf960d624ad11df670496e43f8aeb37fbf

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_18_1
Filesize
648KB

MD5
cc3e1de71fc3e46f0774c3f8f8ea9b1b

SHA1
70ffcb8672d696fc2bb83f2e6e112597fc8b5176

SHA256
930fe88d51a087136652557a8d61fb90e69be49b66d106c1454bf2b5250eddc9

SHA512
5d424cca4674eb52f76b64d85528ce6e1473d641ed715e8fdd03718cca8496a7b04fe35626cd9aaaac85bf1f19acedb325df4edd244ea19ef550fff0135f3b8a

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_18_2
Filesize
648KB

MD5
3c09f59fabc14d9bf2c04214f37551d4

SHA1
7c6ab40bd202c57a48fb6f9c6083539ae51cc477

SHA256
cff511baeb67be6ddd3295f6a2509ccb65a1d26c720ddc9927fa1285ec4d91eb

SHA512
aa3eaa31bc152571fd1668fc20ad6cf3d4969346ad282ae46db8f1590cef6cc84ef6109a1627292fec7f5899a1cb9792f71121bc4bac3a6f297b211f9c6c904b

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_18_3
Filesize
648KB

MD5
ab32d1ee5424e7b8fb5577c12d12479b

SHA1
28729ec84c94abe81ff767620ece694ef351baab

SHA256
2c4ddb2f126e0a472dc368fe4d3f6e47fa3a3b242e72541a301493a91ba85e8c

SHA512
ca57a2febefc3a36bf94b6f443b3e472aa1b61e74fc9ab14b2f10dceaa793d0cace2687a3d5defe0f95adf13e39ad63fde4397a794a5668126ed036409452284

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_18_4
Filesize
648KB

MD5
d4a65f12b0ce2f747db593571ce91e73

SHA1
5b826ce617aa5434e22038a42462d56872402f6d

SHA256
e51cf3e32d1a1dd81f0414e9890253b616c4537b1f5162a27b7d1cb5148448f8

SHA512
e8406ccafaff921731c4e5a2dc7202fd5e0e5e2b4b2429c21580cd908d9c580b8dde38c7792815b51e574a735fb391c4087f023abd902544ef1d36b4ed2b036c

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_18_5
Filesize
648KB

MD5
8d437ba5a78cdefdd592325a7ebddbf2

SHA1
db6dcf56d02e0dc2844fad6ee69d7a7c3cff8f07

SHA256
9f370c237818ff47d3cc2abe95ebd9767e44cc6f8cef4911974922a1ccc296ee

SHA512
6d681d43d240852a3e531e9d32a4a64c696fcf1b251c97e82a93715905973d86c463bdae4a6f1459822ed2a8494fb3044aa9c7ac0e99f0598e05b733e09c3797

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_18_6
Filesize
648KB

MD5
cc3d620ffc5ccbc0a9530cab6e3c63bf

SHA1
0af5da0ad140259782909fb7214ab44069692e32

SHA256
c4f906e0a9773c1c335b1446e18ca21e70b1d2521255859220f278505a8004a0

SHA512
ce2fc120e9ba408a715a4aa11ad841f44f7ab27d149972b9d3763bcf0af4dc7255b09d689d90a1b9bb3b45727828fce64d01af5e2e2a2938f9da81d3458f6d74

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_18_7
Filesize
40KB

MD5
ae6bb3c78d8e63aa871d861e7a857d36

SHA1
9c3d8c3066cc131069c40ea12ccd94dbc2673d2d

SHA256
0d41acee89eca44ba3b1d566fe8cde6e76e17552216f6df15502d84485d8728f

SHA512
09d12a920446050695f92de7a870e546d8f88b435e1790a9faa64a876fde2b544131e1a7242475497306fca0cc60c25806a065a5f73863546a8067294a92fe8a

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_24_0
Filesize
1.1MB

MD5
12c4ba6a0de449f15e431a08106e9cac

SHA1
e652220fa60a6b661b3ecce477c5496dc497942c

SHA256
6c25a4f25c152cf981427c584fa367259afc5ca43e178e2b504575c9c98765c3

SHA512
dc6941776c82e529186791b991faea486a25d09711cebe4bb411e8a4d697c4d6f19c2fbefdb18696b8cfc2e0aaa7efc14211cbdf14911e42259ad8030eb5ca70

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_24_1
Filesize
1.1MB

MD5
38e5a642ca28eab4c6bddeb2908190b8

SHA1
840b5d2650224b1d02ce6b0cf57b76cebbf52015

SHA256
664fa25af0aaf12f4d670854310da7b0f90aa8f014612c2a83a7e709fb1493f6

SHA512
3ccb86a3b8b8ffc6b3310d1f731d6dc6b2fa77025496959bd263de075f8f7972cc04232212043761099aec9f0ef19a6ed3bdab1aa19ad7131628bed10a02c683

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_24_2
Filesize
1.1MB

MD5
1155913391a91542fb8883b76cfefd33

SHA1
095640ba8b772ffd5c28bf7ef67dc9f54b450b73

SHA256
4bbdfe290b7f6b33a32b761937a865ddfecb06524da1f0374eb464cb7641e21b

SHA512
7bc73dbb9910112e6012a521e49f9c679d1ff23049c7a32312eb6c8d270583ed9a7734640836f204cde46654571388fad1824569e266975889d019da072c60e4

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_24_3
Filesize
1.1MB

MD5
93d8c2620c847c9c0326650a3404b6da

SHA1
767f0443ff10e1461fc36196dbcb0f3bbc93f4ce

SHA256
a0367df00c87309dfa33a51c13b4c4fb2121e5f525825ef974f1b933b9d7c83c

SHA512
c6420515bae4be6421b35f71f39ceb0cc464b9a6d4229b2417a9b33fc1ddaeb412672969ee8280abbffea3fb7bb943e2258be594030cdeaa4c34f0a52d0c883f

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_24_4
Filesize
1.1MB

MD5
3b6c60db60eb2334bfc9d4e48456116d

SHA1
6daa92bc661da4c59f9f71bdf5b432b2e9ed3628

SHA256
3b7bc00e250fdb865fc934673390f7fb66077db5aebc8c77ad355169202bf13f

SHA512
52afaba93c073f8822f771f2d9c60fb558065ed243eaa3c9f457ee02f418594315a5f615d0d105ebc0ac4bf963241c17afb03c6fc48afdd714c8944801984065

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_24_5
Filesize
1.1MB

MD5
45e31f07888434ebfd4862fe9207ed86

SHA1
eadd93371ba7da9550a45614bd3781cce6cfd851

SHA256
05c4e13a74b4aede2f4694d3075dffb93178ed2626b79b5f38fdd0b20eb5ff53

SHA512
afae6d9ccd2881e62a5a0f0eeb10f09e2f2c2b838b42aec92b86682efa4bc97f8c241f968ba96458d5af80f32ffcbc240d268217cf27ddc63a9f01aca58c693c

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_24_6
Filesize
1.1MB

MD5
faada9dab52a803fc7b5857ea77a2843

SHA1
96c56d6d513fb7614a8eab8db092f98fa25f6401

SHA256
6351870bd0c643061e0f2d649eb72b53854dd5f71795ed4d91054570ac2d82b9

SHA512
15eba553c2983cf8bb565caef39c57203897618af5b244b4abd5fe30c039866583de96836c2a6d450119cbdb8280179ba10dd7bd545a8eb197507818a8f1672e

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\cache_24_7
Filesize
72KB

MD5
f8d794e2441b8f07420e6241c89c2387

SHA1
13c697f98f98c06d9164f763f53a585d9280c46b

SHA256
994ea1ab8a7550bd21598910bf4f7bfc65c5ce261429cc9a177a0d7f2a0385fb

SHA512
d51692aebcc3237f618d365593efd326bd876ab9b0c3ac07b691b29e5669caa1af7b3bf97e32e26e4b1689cc9c67b2b2547ff12016b53d7008929e1fd8d82d5c

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\emoji\spoiler\text
Filesize
548KB

MD5
20ff0edaa1a8492e025ccdbec28a8754

SHA1
06570e048efa15e30c759dc71fefcb1233166738

SHA256
0a9f0839159b36defb94823ba9b0c263c73c941318bf1a9d8e9bdc8c80fb3780

SHA512
2dcb40ab6c2c8560af84249bb9883c3292ef7f36418eba536b70244131bbca98c3632ed6900e8f09bb98bc8b599116f0cc14012fa33620766ff36c9a70bfe5aa

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\key_datas
Filesize
388B

MD5
7770e6de4dd07ff4118ded66ea81bc87

SHA1
381bdeefac9839c419b4aebaf20f2ed756f28851

SHA256
7f13a23f06472186eb82c5469b8818200d059a8150f41b0f5fa833111ef23fc8

SHA512
c2a51ab597bef640fd4e3eee09a01c25c6e5bc1bdb76db492ec940eb326e2c830a51c94d53c9707275933224d32eb156f482715de01e5eaf1fc3d0ddcd65218a

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\settingss
Filesize
1KB

MD5
4042c9081983b61d9ac3211527d8bd66

SHA1
75f597bad5417046c66fba6e68632d1e68d10e72

SHA256
5b051ac4c26578d21641f5910cd5d9783672b6301cd1ce9baf3581f02cc576ff

SHA512
99c17cfc6096b36fdad0b3832c05febf474b4f803b0ddbba5ea2b334f6de911db7f9f49a27daaf1ed34e1adf665849ba3f0b66abe853d7572c4049a3fd2daf33

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\shortcuts-custom.json
Filesize
404B

MD5
874b930b4c2fddc8043f59113c044a14

SHA1
75b14a96fe1194f27913a096e484283b172b1749

SHA256
f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8

SHA512
f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\shortcuts-default.json
Filesize
3KB

MD5
748cf4066be09fce7cc0deef21fda22f

SHA1
a2e4dc764e1df3a103f513e6dcba111d140f39c1

SHA256
f9a8f9e002d9070276744fd996603934e0c03e419a5e537d0e8c4c391410b2eb

SHA512
5e3ba925593bfc2fb29b717ff2a1a6d78b8cf588521b53a6e816ad7382d164e59ecd8d97e61a372f28b68acd10a2af109b3d1cc91afd7f0d537d1679929e4386

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\temp\quit_0.ico
Filesize
2KB

MD5
b9c4f98892971b41032a08e530d62878

SHA1
9f5eb322560fed8481b39368f069f9a854431c78

SHA256
27d07a026276b27f4508b575a30e0d80dca9c0046594b7f2d395baddefe2c727

SHA512
1b34c04165306385da717a901b839060069cdcb3f03407137f02a6dcb04a10eb31a7f616929064f497e6cccaa69f076946436e65d5512d307d3cc8224948df6a

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\03\65E127D6D1E9
Filesize
12KB

MD5
82aa9b42ff38ea572fb775bf215709c8

SHA1
f9ac9776d8ac19c1ec6012457d9d4a89c6a29831

SHA256
629cad7e01bb80847d93307c2336f49190d64c9de7a920f6a5b2c0f1c3834c9f

SHA512
a893da3b423948b4aec1f1cfd91a48fa5ae9e8df38a900f056a484fe115bab77035ff31c6a31c92cb3ff3201375342b1e5c22e29861cd8c5b70ecca017e5ee1a

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\06\FA6479080718
Filesize
11KB

MD5
115e0601282900e8cb0c1e6b85df6876

SHA1
24168e6de610b6afebd651e884826ac3d1e6187f

SHA256
528b257e61739084fe25ddca61dd079231e32e37a0139e2ad19d848c2496092f

SHA512
a71a575710c262ff7ca06f0c8f979d6ad49f5b0c485c17da48172d2a0eb34c344bbb5511dbac415e3e8f702a6dfeda0fe03acaf6d6f9dc1bb2a9ded00a2baf8a

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\0A\73C12EDCAD74
Filesize
8KB

MD5
4d07c5a292295d3f2ab37d31ff511166

SHA1
b85334d01f53ec4064eb0eb807bc8fd8d72e3974

SHA256
81a6c9714d77e6073a9d8984f1490faa6a56910a55168a902f65e72e2c739431

SHA512
da5f40c79631cf21edcffbe363794e0585d0d93ee9170742dafcd51bcf5abb111cd71b6020c2537d876db4ce66d9deadeffee4c54f543a754ac8118930c00579

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\0E\B00500B0FB34
Filesize
12KB

MD5
c2cc573b00bad9a30d4092e20fcf906e

SHA1
ddbfe0c1b8d4c7036a8511b8eadde4a67859d95b

SHA256
096898c42f81859bb840c54562b2d47ee0bb4adb5e16f49d6ad99a401e260844

SHA512
421c746e1104753670c74250ac7d20cb7b2d5121839fac4bcb505e7eee81a981f8c70bcfdc9e44768538edcd6ce250ae65c6156d1f5f9ed9e8cf725f33cbff5d

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\1F\691A831DA105
Filesize
2KB

MD5
76c136a2167ba40f545020e9ef45373b

SHA1
9cd3446353b181cea5ea17e529b428ecbada4960

SHA256
4b36953c76e162d37c1a9fe44ad70b3dfea6b2e7b0c9a7db0edae2733fcc3b9b

SHA512
20b1b90b5f784d59b6a6c0bbe5fdd393b6fa392deaac8308795b13a45708e7759a1ac55a8fff174d3d25e991be009ca8f67f476d73229f6cb69bed270a9e1571

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\1F\9B9C2DC86CA6
Filesize
6KB

MD5
32db1ad1644b4dbe57f6cee8434fc75f

SHA1
cb56de467dd65c18aec60230e00e4f1d8c9c49bc

SHA256
7441635cf79c7f889a0271eb3c114e0f76796c8138fe20335b5a3c264757e1f6

SHA512
c294cffc5cc5e7915bd429e118c368250afb5e137bde704c2a7b2c302750a71f769eaf35527b34f090c48b59af8329c32ccfa02bcc459a70b4f472b2fe9cfb45

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\47\971D2BCB7580
Filesize
8KB

MD5
e65eb526c83036e17c13a2c59f6afaf2

SHA1
36743bafcd77ea6c56115ce2713045f130aedc34

SHA256
0ef99ee39e8c4f95bc5380ffc34880ef3e411b9114f2ae833ca84617c5a2cdd5

SHA512
636fecaa4660074d5663f8cb9431859be58d6e3cd6d9264025b70ff7ed06e44724d9f227f4a2ea8a8bee2e9564f3f23b701dcc7dfcf6db6ddce2b6b4071ee7c1

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\50\94D8778E93F7
Filesize
177KB

MD5
b731ec7b7a7a4c29ea33f4695bde21a7

SHA1
1b8b14d0b803fd7138b5aa799b8e10919a13a8b1

SHA256
dbc4147da81fe581612fc3a970b4ac81e2eeda4c6635fd5e0c0bd9cba5cd8c45

SHA512
8fc4abb8157be49968f4e91e9384fe81c842815fe77ae8c53f86d294850c1b87345de0d18b79ea887993a150d79c73bfce65be5138749e83e5afbe9568b579e1

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\53\9DAB61766ABE
Filesize
13KB

MD5
de292c2d449c2f28d51f84a5a4cd2fad

SHA1
16e1548880ebb0e911d1158a28d99dc2e0808630

SHA256
5a7055e26cfa1ecbfde3f1429ab2aae363d00db00fdea4f109140aef2df54568

SHA512
925c63a84db151e672685c8d9a0cd25afa21b6d23731b83aed73a38d3bfba2628df5fd3c32aa22e438f8416e5588cf306a3704dfb4f6f23d0974698a80f27078

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\56\4CD75183D215
Filesize
13KB

MD5
ccb15d9ff3ec2ece0a2251d940964f69

SHA1
65b550f505bef1aebfa74a123e3da3ae263dea73

SHA256
1bd78ff9f5202d941f10892eb99900934dfdf5ab23384ce816fefbd2b2c6cdf9

SHA512
6316716caeda90bbd05e7a410b140dc86b52f3a4bc0004aa65f0438c72d99a6ee060d9c5181b35f507e0e0fe232f9ebfd1a8f4a317ed720b250860ec110f0246

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\57\6C0F7DF761D4
Filesize
13KB

MD5
d3863b3f95650aef90451c036c74a056

SHA1
02fe02a6ed24714c8d61a4ecfb0ac05b7112b179

SHA256
c0e99efe8f8916a2742bec96f53bc15a9e5da8c7c9cb4bf75ba286f139de8b90

SHA512
e0ee5bfa91a0b09963fd636565012af3292e087ad80b437cc3ddad0f69fb7f414903c69caad520675e81242649bf890c66b788477e2e7f73ec39b1e8ba45fd47

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\64\6E606B26F44F
Filesize
169KB

MD5
3fe32c477ae34de713e922d5689f2b39

SHA1
e3ad847efc8f0ec84f6626100992e90a80913591

SHA256
0077d998554f6d4f688829584459bbfa0a7842b2cadbcd014c7286e29b62997d

SHA512
62205ba304e2aaf3665d43ca14e3515de89aa24f8ab51a47879671fa3eccc22413d8ef4e1d6bf689449be72255a1d2f55c9786d70699f95cc1d8a05fa1fb6626

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\69\69329772814F
Filesize
8KB

MD5
074690c5ba5f847474a09dce2d2f6cb0

SHA1
8ead4accd116785e520b9251b6a7347228b46137

SHA256
1b64db4748e69d5a84804bc9961dbd1defa4248e0ce637ba03c82b1e7d8b6480

SHA512
429facaf43748410eb5de3cc754c0a59cbae4a01ff92f18ad464aa23aeb3e945c4e29f0f4c0f98aa62f8e9cf45e82365aa5ab9f4f7a400b52276b5b4ece6f4d8

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\96\C76BA4613F6E
Filesize
12KB

MD5
7d325f21394da372ff1fec133933a8e9

SHA1
580bfef643c311a997a831521bcde422547c2f53

SHA256
16fcc6d479ce499446e55dd2be744646461950793a3edc83501f50b76b016bd5

SHA512
6a4949175c41d487faab3c0246bfa2f3df72b26ed40fae610ec693b70a0f360ea872bf1dd096332fe55d242f734426e8cac3dbe80c3ae234fdf11106d3e38de4

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\9A\17938757413C
Filesize
16KB

MD5
e54b0adc3aaca0ae836d6f224bd52b75

SHA1
f27af441d2db77659e454aaccc46c3c9594dc316

SHA256
edcb4b1ae13686265c09c648f383d41c2541dddc6a9d49acf3754d454e86b3b4

SHA512
36286131c9a38c6af8432d32a6572fb54f27eed5be5bd5b15f5ba034b230050c9a540535b41b2d854d53feca2fb3120c75451267d2c6e49d2396239e8e76beeb

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\AB\486D8805EBEA
Filesize
4KB

MD5
7219523453e3ab7754385302ae970551

SHA1
6604526ddfdb69ae35b0b6882d249cd467b3bcb5

SHA256
fbb063acfe8c195fcbf61225d3107c3d28d58fbe220aa0d45ffe56c72aaeb450

SHA512
ccb9b8d76f7dad3cfacecb971b23b8679c91fc0e2fee70c71b47f1eabedc6cd49945e4fe803b4325c657713242c4d4046272dac9d6656dea4ab285df7d489a03

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\B2\1B5DDB32334D
Filesize
8KB

MD5
21f5d2907c107a23a28de5d861e40670

SHA1
338ec8f3bac9b46c3fe233551eca837a33ff3ce6

SHA256
a9a5f13525bbcaa5e9d19959a786dc96962afe859753301ed96fcd0c63bce1a7

SHA512
faa57612327fc1c617874c93410e1da942939b84f893ddc549558566985c9a8408f8f1d822f5a6445321862ab696f02b2c6df5d34ac1561072f7ae86ccc55259

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\BC\57BF13535BF7
Filesize
9KB

MD5
1d5b5f4724aa7c8656698ce23e373952

SHA1
aa2fc896a20700e7638e993d7943b09c09445392

SHA256
ace1a3b3d3cd4858acfea62450e73c62aec185ee47a870d542e5224babcc1a23

SHA512
ce12aa7f5a6b5871bc0a3a2c3712f42640a1617c85c5b710f73fb357a5e2527691e25a9d0f97cfce1b88312c5b62557cc691bc09dae93c7907824fea38bc8902

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\BD\F472EA64066D
Filesize
166KB

MD5
da8084c6bc17cd757e44689ff8705904

SHA1
c38ee214c5a8df73152b28ed3ab749e7594604db

SHA256
7cbe9ba8cae7e08c59e9e8dcf18c628fd5aa0a18fd3710cb0328d428c1ec69dc

SHA512
5a9089116673f72b1ff5f69becfb5d69667535cd2a39483bde344b3455daaff2ef02357c4a206bf6142905864769edfa0298538e58a2aba71b9f2add730f7cf2

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\BF\8A434BA9FCB5
Filesize
12KB

MD5
0484325ecb2fa67e5e6826c5fea18782

SHA1
df5bbb1cc5f9621da421943cb48e687227311abf

SHA256
f5499653f78db92145c7ef120f67a58c968b6d7717ff917fe4a2a9c632872d43

SHA512
51fecef2bea8335ebe3bd4ebe3d69badd5e5ae2c074b5bac463fcde5082713e3bb4494206eb5296f3593043334b7accc061c9228119e3359b0a973b02fc9947d

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\C5\EFF801087421
Filesize
12KB

MD5
04b571a43addc418e83f68065ab408da

SHA1
a88f026a613db50b86f215fbf2aa1543ed94b138

SHA256
f0f643eb7baf86a856089952ddc67297a84479f9585d84017f23a84fcb1a61dc

SHA512
b987aaadbb29e79c20829babf1a8bc83a91b09b6442b196d722d9d66196533268021f4103196f45a48d101f2be64df9105b105043ab9d92075cd9386f35cc1dd

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\CD\C1B2F19FADC5
Filesize
10KB

MD5
85f4de7ae0b880571c598d71cca1fbd6

SHA1
92ff00f30746745f2568e447dc9a4d6204726973

SHA256
6722146b69c0f40435cdb92e0b377a1311fac7acea36a1d5ed01226ea0a1b921

SHA512
4f93174d5ece37a491ab177e4d2c5dffaa165beac47c909bdf7d62c6074006d8cf44f143e9469b3dc7594a72a3e4e6a0afdb83f4d4e76ef638ebbd1c9aa953c7

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\D2\E3813D90AEF5
Filesize
8KB

MD5
04cba9d179d6f34bf4a8ead79a077a01

SHA1
b3bd20ae72cdc75bd43d5c76feac669c39e70013

SHA256
c44ed478fecd2075a6d6adea64fae48431c32e46954903f68ea5a5694ff3e05f

SHA512
73c4022e2ab7f6487149e7d789339c29d2ac235ac1ef4c5a552af316d7760117ef6813b07d6975a85fec0c3e3ee9070d7ef03e7d8249477997f423564ea6c50f

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\D8\3E9D66F02FDB
Filesize
11KB

MD5
a751fc25081908a5fed51320ed6775ee

SHA1
41062dc26d5e1dc3bb7dea0dc9c719b279dddc16

SHA256
66be48f264a6cc9026007c7f1cc552aabd82298dc4bc7cd6ff5d08fda4877697

SHA512
56ef9d18373143edaa3577ca00c4ba8712827a4900a59f7f3a0f532cad5e5a05192d0252b3a31eaf76182199699f8b5192cebff9de94c1e3e5830bc57b8dd4fd

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\user_data\cache\0\DD\B3B63B8A4EA9
Filesize
11KB

MD5
ff8addfadd5526e1b27ff3f21960d18b

SHA1
a4b94125082ba3ac8125dc012307e5a4e6ed6de7

SHA256
efd2d2e86c01ef0442a24bbabd145a2d4d85fcb722c35ed21c3c93a0b55647b8

SHA512
fc9703166114a3644d7130601ebbed940b9831fa5e66e95e7ae67ce8e7de210d8164ce96b91e70881520593c270e67d610f52aa792f97c5c78e5898af1bbcf92

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\usertag
Filesize
8B

MD5
37cea44b793696deb19aa6b412edd940

SHA1
25e82aa425367e1cc5fdaadf75cca48178205b46

SHA256
ce4b41f21e581e8932afcc580d23a572cadae04eb91b8ab5a8e06ddc0a3ead3e

SHA512
72ee2a0627833a0c317bb2b1bfe1e49489ab5488d5b67afc4e134b25335c2b4f8901b1aa02b5aa92457da6a0bd02be81f19a8688363213a2870b0c2f05d21ccf

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\2094bd10-fab0-4ec3-b43c-960c59c57f77.tmp
Filesize
3KB

MD5
9c4f899f2d66953bf0c0abd7f8e604c6

SHA1
34b17e08acc26df3d6e141a06fb4e51c3a948595

SHA256
69909befb7017194b2fdcc3318735e9cf6b9c49221712ca6e97c4909196197d4

SHA512
8ed9cf203447653c8b6414f8c118aa93cb5998ba337a17eb44e267013f7945c41dde3108f14e46493b436eb1285526ef6b866a23b40c99a8c645401c88a9c549

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\Crashpad\settings.dat
Filesize
280B

MD5
e0b8126cece612122e5c6d0bb5d7743a

SHA1
61b431efe7835367c398109756e7ce6baaa18365

SHA256
462be95e3cd0a75b7f9430792dc61c6da8f5fc8019a0904de0c29016420456b2

SHA512
51a53dc4fb6d14d8ece20a338e6fe456c5155d445f12ceeb2ee77bd7d424df871b88f691a1e183b1c390d3f38190e16094f550f40451d5cb38deb17e05db4bf8

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize
240B

MD5
97926ee0b4cd79372817af92eaafbc7d

SHA1
64e244f359f5b6cdd970a4c2b08f04391a3d9c28

SHA256
24121ee219bb15c7ff75731fba2a3bef87f51b223efa8c4519d38de837354f54

SHA512
34702aff2f85aa6b482d612f1ddbc426a83731e9b4de9c8faf108a8001a049d04a8ff10498909ce1986831ef3f387bbb8457e0fdcf6cde69812e444e35fa0776

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RFe724f74.TMP
Filesize
48B

MD5
5dfbc7974c670cc28484d09b4bf176e2

SHA1
e501622f14eaac21fef6098115d07af77be5a401

SHA256
b2b09785f4547a638f3a54d8feb2f6682905a9e5e60d3bb636cc8ac55fd48a16

SHA512
c6dda82da02cdad527aef966d0e6a58d373ca222c0f910f22a1cf6f49223249d79c217095f534084d0a261d8eb3cedad03b0d9d674410ac63cf8becd3db9de6d

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\Default\Extension Rules\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\Default\Extension Rules\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\GrShaderCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\GrShaderCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\GrShaderCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\GraphiteDawnCache\data_1
Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\Local State
Filesize
1KB

MD5
c57e60a79dde8f03df2e4b6628f2aaa9

SHA1
6a42bfe87982944ff9eb0c82e7f4c12465890bd3

SHA256
efac6c6e0afbb3dc750b0ee50cd8955b07b96e718ddfdb4161180a86297e3f87

SHA512
7c2ee77ec55dd2c0615a3aebc6e194b6bdd57f05eb2daa82b83ee28dd14b38613bcdce1209b8aca1ef54fcef4e378c665f699bbda5e23355071dcd404f85065a

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\Local State
Filesize
4KB

MD5
d0dcb982c2349e4c9f7db333502aca21

SHA1
3a3bfc62cbbd0f8b9f6888cfdab90891e3a9200f

SHA256
7d8d0d7e6a80eddda83394a029dbaa6e73ec3fa00cf722a2aaa80d861a07f71d

SHA512
3b52d548835a9d7e2c68d5aafdb5beed2570d52f0b2b3d33a879bd0d436971e13e9077f57636311ce55bdb392c5accca9b135fac97cdde9286539f6b1d95d94b

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\Local State
Filesize
5KB

MD5
42f353a594d2a6aa17b2bd3d79f1bf3f

SHA1
c33324d0f72d385404050f7d8394d55b1856e4d2

SHA256
edc1a6b8da3c883f39affc9748943ec4ae36a8bdbfc4ca9de34cb1b7b36c6a72

SHA512
2f524ba6488206085944be3342618982f02ac80c505ab92f318d4e9f736cc2c18a9885ff3b9ee4fe48ed33f89ed5e24c8103335153bd282cf5b2d91df32c7a76

Download Submit
C:\Users\Admin\Desktop\Telegram\tdata\webview\EBWebView\Local State~RFe723dc1.TMP
Filesize
1KB

MD5
7c135f2635c6959e0cee680f7b15ea2c

SHA1
59c0b30e4c9d4ea2a19846fdaed3c00e6f903292

SHA256
9bfc8d5a87023d93a803a88f990c22b0c205e8a436599b48e78badfb9956106c

SHA512
5309a1a8fcdcfa32eb62cd9ca76e4694d5cb78ab4da188dda0a99eba00d72f6b3aaa460039c83df9382454e3df50d1eec0f435adcc7df72cf23672ed3e4c1fed

Download Submit
memory/1292-1-0x00000000006D0000-0x00000000006E6000-memory.dmp

Filesize
88KB

Download
memory/1292-192-0x000000001BE10000-0x000000001BE1E000-memory.dmp

Filesize
56KB

Download
memory/1292-191-0x00007FFAEF893000-0x00007FFAEF894000-memory.dmp

Filesize
4KB

Download
memory/1292-187-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

Filesize
9.9MB

Download
memory/1292-0-0x00007FFAEF893000-0x00007FFAEF894000-memory.dmp

Filesize
4KB

Download
memory/1292-201-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

Filesize
9.9MB

Download
memory/1428-9-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

Filesize
9.9MB

Download
memory/1428-11-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

Filesize
9.9MB

Download
memory/1428-52-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

Filesize
9.9MB

Download
memory/1428-28-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

Filesize
9.9MB

Download
memory/1428-51-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

Filesize
9.9MB

Download
memory/1428-6-0x00000235D8FE0000-0x00000235D9002000-memory.dmp

Filesize
136KB

Download
memory/1428-24-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

Filesize
9.9MB

Download
memory/1428-10-0x00000235F1760000-0x00000235F17D6000-memory.dmp

Filesize
472KB

Download
memory/1820-254-0x000002A710200000-0x000002A710300000-memory.dmp

Filesize
1024KB

Download
memory/2052-324-0x000001F7414C0000-0x000001F7414C2000-memory.dmp

Filesize
8KB

Download
memory/2052-260-0x000001F740000000-0x000001F740100000-memory.dmp

Filesize
1024KB

Download
memory/2052-257-0x000001F72FF00000-0x000001F730000000-memory.dmp

Filesize
1024KB

Download
memory/2052-269-0x000001F7403C0000-0x000001F7404C0000-memory.dmp

Filesize
1024KB

Download
memory/2052-268-0x000001F740000000-0x000001F740100000-memory.dmp

Filesize
1024KB

Download
memory/2052-407-0x000001F72EC30000-0x000001F72EC32000-memory.dmp

Filesize
8KB

Download
memory/2052-288-0x000001F7429F0000-0x000001F742A10000-memory.dmp

Filesize
128KB

Download
memory/2052-326-0x000001F741D40000-0x000001F741D42000-memory.dmp

Filesize
8KB

Download
memory/2052-342-0x000001F742FB0000-0x000001F742FD0000-memory.dmp

Filesize
128KB

Download
memory/2052-328-0x000001F742990000-0x000001F742992000-memory.dmp

Filesize
8KB

Download
memory/2052-330-0x000001F742BF0000-0x000001F742BF2000-memory.dmp

Filesize
8KB

Download
memory/2052-332-0x000001F7430B0000-0x000001F7430B2000-memory.dmp

Filesize
8KB

Download
memory/3136-432-0x0000020761960000-0x00000207623AC000-memory.dmp

Filesize
10.3MB

Download
memory/3136-400-0x0000020761960000-0x00000207623AC000-memory.dmp

Filesize
10.3MB

Download
memory/3136-206-0x000002075C620000-0x000002075C630000-memory.dmp

Filesize
64KB

Download
memory/3136-241-0x000002075B7E0000-0x000002075B7E2000-memory.dmp

Filesize
8KB

Download
memory/3136-222-0x000002075C720000-0x000002075C730000-memory.dmp

Filesize
64KB

Download
memory/4148-2416-0x000000001C640000-0x000000001CB66000-memory.dmp

Filesize
5.1MB

Download
memory/4148-2415-0x0000000000B30000-0x0000000000BE0000-memory.dmp

Filesize
704KB

Download
memory/4148-478-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download