9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
Size

1.3MB
MD5

4d528c349a52e5e6c2895232b7aa6e2d
SHA1

e948bb66219631d078d556c25442364129312044
SHA256

9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165
SHA512

e95f44f81701275b8c2a60b6980522c5ccd8d1c5f7724019f33780735cdaafae8dc6a87d5e8a03b2bbeab0b2ea7e0ba38271b07550d7162b2c0a9fe1b128e5c7
SSDEEP

24576:YUU3jIP9B0ua2tdRUV5G0329TqgszJLZ5TGpszIokcF0K+QjX:cQ0x2tdmXgqgszJLbTMqhtF0PQ

Score

8^/10

persistence vmprotect

Malware Config

Signatures

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/392-132-0x0000000000400000-0x0000000000671000-memory.dmp	vmprotect
behavioral2/memory/392-133-0x0000000000400000-0x0000000000671000-memory.dmp	vmprotect
behavioral2/memory/392-137-0x0000000000400000-0x0000000000671000-memory.dmp	vmprotect
behavioral2/memory/392-150-0x0000000000400000-0x0000000000671000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\beb782b9-db6a-48c8-bd88-cdd316bc5008.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221127235632.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe

pid	process
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	process
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe

description pid process

Token: SeDebugPrivilege 392 9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

860 msedge.exe
860 msedge.exe

description	pid	process
Token: SeDebugPrivilege	392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 392 wrote to memory of 64	392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe	msedge.exe
PID 392 wrote to memory of 64	392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe	msedge.exe
PID 64 wrote to memory of 3580	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 3580	64	msedge.exe	msedge.exe
PID 392 wrote to memory of 3620	392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe	msedge.exe
PID 392 wrote to memory of 3620	392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe	msedge.exe
PID 3620 wrote to memory of 1064	3620	msedge.exe	msedge.exe
PID 3620 wrote to memory of 1064	3620	msedge.exe	msedge.exe
PID 392 wrote to memory of 860	392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe	msedge.exe
PID 392 wrote to memory of 860	392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe	msedge.exe
PID 860 wrote to memory of 1028	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1028	860	msedge.exe	msedge.exe
PID 392 wrote to memory of 3652	392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe	msedge.exe
PID 392 wrote to memory of 3652	392	9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe	msedge.exe
PID 3652 wrote to memory of 2444	3652	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2444	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe
PID 64 wrote to memory of 1636	64	msedge.exe	msedge.exe
PID 3652 wrote to memory of 2864	3652	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe
"C:\Users\Admin\AppData\Local\Temp\9ef5d445226e34dedc82b6b0d708bfd40d1c191072f4dc1840f537d56b962165.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://зябука.рф/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe2fb546f8,0x7ffe2fb54708,0x7ffe2fb54718
    3⤵
    PID:3580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,18079757206375250143,3752447831901522122,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    3⤵
    PID:1636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,18079757206375250143,3752447831901522122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2856 /prefetch:3
    3⤵
    PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://зябука.рф/chity/klient-games/chity-na-warface/42-chit-na-warface.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe2fb546f8,0x7ffe2fb54708,0x7ffe2fb54718
    3⤵
    PID:1064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,18229327633349616640,6753587292146999180,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
    3⤵
    PID:4744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,18229327633349616640,6753587292146999180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2888 /prefetch:3
    3⤵
    PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vk.com/wocheat_wf
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe2fb546f8,0x7ffe2fb54708,0x7ffe2fb54718
    3⤵
    PID:1028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    3⤵
    PID:3092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2920 /prefetch:3
    3⤵
    PID:4460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3052 /prefetch:8
    3⤵
    PID:1292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
    3⤵
    PID:2196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
    3⤵
    PID:2532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
    3⤵
    PID:1552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
    3⤵
    PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
    3⤵
    PID:2328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5764 /prefetch:8
    3⤵
    PID:1080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
    3⤵
    PID:3820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
    3⤵
    PID:2396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
    3⤵
    PID:3380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
    3⤵
    PID:1624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6532 /prefetch:8
    3⤵
    PID:984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
    3⤵
    PID:3188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
    3⤵
    PID:444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
    3⤵
    PID:208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7736 /prefetch:1
    3⤵
    PID:2140
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,1155434898880903163,1319815889470218428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8
    3⤵
    PID:1916
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:3264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff67de05460,0x7ff67de05470,0x7ff67de05480
      4⤵
      PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://goo.gl/3Czgpg
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe2fb546f8,0x7ffe2fb54708,0x7ffe2fb54718
    3⤵
    PID:2444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16725622649208087260,6576470475444793705,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    3⤵
    PID:2864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16725622649208087260,6576470475444793705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2916 /prefetch:3
    3⤵
    PID:3632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
8212d70c86ce431d59072c64f70a8279

SHA1
b221f0de1fb741bff50d0536566f1a9602757ee1

SHA256
b43ab742a745a5293b46de337819f22995835f52e29656ff8fb2eb5a1f569229

SHA512
08925c1502691ca0eebc03dcf82ba0efba59a3c480edbe7ace5632fcd2cb4d03895bb3babd41effa627b162bd3d88d51b8daeeadd657e49d39b4ebb202281d0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
8212d70c86ce431d59072c64f70a8279

SHA1
b221f0de1fb741bff50d0536566f1a9602757ee1

SHA256
b43ab742a745a5293b46de337819f22995835f52e29656ff8fb2eb5a1f569229

SHA512
08925c1502691ca0eebc03dcf82ba0efba59a3c480edbe7ace5632fcd2cb4d03895bb3babd41effa627b162bd3d88d51b8daeeadd657e49d39b4ebb202281d0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
8212d70c86ce431d59072c64f70a8279

SHA1
b221f0de1fb741bff50d0536566f1a9602757ee1

SHA256
b43ab742a745a5293b46de337819f22995835f52e29656ff8fb2eb5a1f569229

SHA512
08925c1502691ca0eebc03dcf82ba0efba59a3c480edbe7ace5632fcd2cb4d03895bb3babd41effa627b162bd3d88d51b8daeeadd657e49d39b4ebb202281d0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
2455b80da25cc4d475bf3e5844fd093c

SHA1
d33acf0f8672856871f7a7892650b0542da6e683

SHA256
35de30524958609cfcaa013ac390db8ff1044f19347738c14d68afac8fd2d71f

SHA512
fc88431acec22dcdfa238d598a2b4719ef99964a31f7963df51dae728626eecca62b836eb02d5d0d5a5c06051a7dfdd2fe24716d67f8bad188ebe8a2eee20c1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
2455b80da25cc4d475bf3e5844fd093c

SHA1
d33acf0f8672856871f7a7892650b0542da6e683

SHA256
35de30524958609cfcaa013ac390db8ff1044f19347738c14d68afac8fd2d71f

SHA512
fc88431acec22dcdfa238d598a2b4719ef99964a31f7963df51dae728626eecca62b836eb02d5d0d5a5c06051a7dfdd2fe24716d67f8bad188ebe8a2eee20c1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
2455b80da25cc4d475bf3e5844fd093c

SHA1
d33acf0f8672856871f7a7892650b0542da6e683

SHA256
35de30524958609cfcaa013ac390db8ff1044f19347738c14d68afac8fd2d71f

SHA512
fc88431acec22dcdfa238d598a2b4719ef99964a31f7963df51dae728626eecca62b836eb02d5d0d5a5c06051a7dfdd2fe24716d67f8bad188ebe8a2eee20c1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
2455b80da25cc4d475bf3e5844fd093c

SHA1
d33acf0f8672856871f7a7892650b0542da6e683

SHA256
35de30524958609cfcaa013ac390db8ff1044f19347738c14d68afac8fd2d71f

SHA512
fc88431acec22dcdfa238d598a2b4719ef99964a31f7963df51dae728626eecca62b836eb02d5d0d5a5c06051a7dfdd2fe24716d67f8bad188ebe8a2eee20c1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
2455b80da25cc4d475bf3e5844fd093c

SHA1
d33acf0f8672856871f7a7892650b0542da6e683

SHA256
35de30524958609cfcaa013ac390db8ff1044f19347738c14d68afac8fd2d71f

SHA512
fc88431acec22dcdfa238d598a2b4719ef99964a31f7963df51dae728626eecca62b836eb02d5d0d5a5c06051a7dfdd2fe24716d67f8bad188ebe8a2eee20c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
69e0f0fee00061109ff954205e460b22

SHA1
bf500ad1f4fdeb2d4e2683ce823abe8e188a7cea

SHA256
fb06638e19afe6c755adc88b36fcacf21c599fda1830cfd760dfe5fb73b69a8a

SHA512
9d27a11da42ee21a92d3c3503a91a56d8389df0827462f023b70c98053b95712156f4397b3a1f7b4430f9bf75fe54de0a1ab89393162b272eeea8a4f4ea10c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
69e0f0fee00061109ff954205e460b22

SHA1
bf500ad1f4fdeb2d4e2683ce823abe8e188a7cea

SHA256
fb06638e19afe6c755adc88b36fcacf21c599fda1830cfd760dfe5fb73b69a8a

SHA512
9d27a11da42ee21a92d3c3503a91a56d8389df0827462f023b70c98053b95712156f4397b3a1f7b4430f9bf75fe54de0a1ab89393162b272eeea8a4f4ea10c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ac62af6a8805fa4ac8ac64fd2901538b

SHA1
8dac8ae876840498de6e85555b159ffb9596642a

SHA256
f12633f73e1310deca69a8440447ef2e5279903816e78bb20eb7120b09661b50

SHA512
e9cdbb96cec88cfbc65148e1cbb3a24b6e1cd0aa8df84f26a6f108b86d01074e50d85192f8b87029e38da50cab4cf2ce4dd192202cbc08b7de4a3887f58bf28d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ac62af6a8805fa4ac8ac64fd2901538b

SHA1
8dac8ae876840498de6e85555b159ffb9596642a

SHA256
f12633f73e1310deca69a8440447ef2e5279903816e78bb20eb7120b09661b50

SHA512
e9cdbb96cec88cfbc65148e1cbb3a24b6e1cd0aa8df84f26a6f108b86d01074e50d85192f8b87029e38da50cab4cf2ce4dd192202cbc08b7de4a3887f58bf28d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
57f5c3b9afb1377114131ff758d620a9

SHA1
e476a53880899b09e60233e48234856d8b736e67

SHA256
df6b23d377174d2a6a9e4acc7e837aba97178f80b1b8ee1eaac03540181b2132

SHA512
a7725d9c4f70e99c6440c9a536e51c5f0ff2c9d386781e71f774fc45095f0996247367f845b9bc6221a29da3f7d572ce96cf3e3e16e9694cadfd227a3d59f1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
4f85c3ed05cd8698badb53ff8cc92246

SHA1
8f1776d20385370f4a2d2fca648757ec31b2bd33

SHA256
83369aed3e81833a31d240931e08b898eaa7d01331a802b763e9c579ec386ce0

SHA512
216fe98ff17906935c5eb2784cdb179a0b3cec72dcc29e724ca4dadd05ee1809ecba3c33f09fce73b00994cf41d38b1d4b7d2c3284d13925d21e2a57f769c64e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
4f85c3ed05cd8698badb53ff8cc92246

SHA1
8f1776d20385370f4a2d2fca648757ec31b2bd33

SHA256
83369aed3e81833a31d240931e08b898eaa7d01331a802b763e9c579ec386ce0

SHA512
216fe98ff17906935c5eb2784cdb179a0b3cec72dcc29e724ca4dadd05ee1809ecba3c33f09fce73b00994cf41d38b1d4b7d2c3284d13925d21e2a57f769c64e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
4f85c3ed05cd8698badb53ff8cc92246

SHA1
8f1776d20385370f4a2d2fca648757ec31b2bd33

SHA256
83369aed3e81833a31d240931e08b898eaa7d01331a802b763e9c579ec386ce0

SHA512
216fe98ff17906935c5eb2784cdb179a0b3cec72dcc29e724ca4dadd05ee1809ecba3c33f09fce73b00994cf41d38b1d4b7d2c3284d13925d21e2a57f769c64e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638051838451439920

Filesize
4KB

MD5
24e578ce3eb7d21e67b12b3d6c0895c8

SHA1
6e6289ba3a5303902895a75655948307947b4301

SHA256
c19e5a8a714b72444339d2f3e4fe22af7ce3d7d8e405fee6f0d966870498862b

SHA512
07f2cf579f61408bc6a44761a183462f8fbaf4e0083df404cf63f9c5f5cd3c8e13f34b87afaf8748bc31c7e5010aebf4614a64f6d15abc6e64bfb611d7c950ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638051838451439920

Filesize
4KB

MD5
24e578ce3eb7d21e67b12b3d6c0895c8

SHA1
6e6289ba3a5303902895a75655948307947b4301

SHA256
c19e5a8a714b72444339d2f3e4fe22af7ce3d7d8e405fee6f0d966870498862b

SHA512
07f2cf579f61408bc6a44761a183462f8fbaf4e0083df404cf63f9c5f5cd3c8e13f34b87afaf8748bc31c7e5010aebf4614a64f6d15abc6e64bfb611d7c950ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638051838451439920

Filesize
4KB

MD5
4c8c8af1a7e4c5ca325839dcc628eb21

SHA1
ac60c6b1829fa566aca46a5bb959f1f6cac6dd7c

SHA256
6820a9e0237b036cab433953e69e03a55fc5234f95bb86cb478f57148cbd755b

SHA512
ea0ee6b9494a0cd4efba9d94fd5bdf6cfbfc3ce858beaf6b5b000284c7efb32723c198a7c0cfc10e8526452d6aa6144e6daa7c5b414b8a6d310d7fa58a37a70a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
\??\pipe\LOCAL\crashpad_3620_LEEPKRKCLUHCCMFY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3652_UUYXIKKKGAWEPOEQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_64_XEYJFFQAAICFODDL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_860_TVCNQEBLXYIIZGKI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/64-139-0x0000000000000000-mapping.dmp

Download
memory/208-236-0x0000000000000000-mapping.dmp

Download
memory/392-137-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/392-132-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/392-133-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/392-135-0x00000000050C0000-0x0000000005664000-memory.dmp

Filesize
5.6MB

Download
memory/392-150-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/392-138-0x0000000005860000-0x000000000586A000-memory.dmp

Filesize
40KB

Download
memory/392-136-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/444-234-0x0000000000000000-mapping.dmp

Download
memory/860-144-0x0000000000000000-mapping.dmp

Download
memory/984-230-0x0000000000000000-mapping.dmp

Download
memory/1028-145-0x0000000000000000-mapping.dmp

Download
memory/1064-142-0x0000000000000000-mapping.dmp

Download
memory/1080-220-0x0000000000000000-mapping.dmp

Download
memory/1292-191-0x0000000000000000-mapping.dmp

Download
memory/1552-214-0x0000000000000000-mapping.dmp

Download
memory/1624-228-0x0000000000000000-mapping.dmp

Download
memory/1636-162-0x0000000000000000-mapping.dmp

Download
memory/2140-238-0x0000000000000000-mapping.dmp

Download
memory/2196-210-0x0000000000000000-mapping.dmp

Download
memory/2328-218-0x0000000000000000-mapping.dmp

Download
memory/2396-224-0x0000000000000000-mapping.dmp

Download
memory/2444-148-0x0000000000000000-mapping.dmp

Download
memory/2532-212-0x0000000000000000-mapping.dmp

Download
memory/2864-164-0x0000000000000000-mapping.dmp

Download
memory/3036-216-0x0000000000000000-mapping.dmp

Download
memory/3092-167-0x0000000000000000-mapping.dmp

Download
memory/3188-232-0x0000000000000000-mapping.dmp

Download
memory/3264-239-0x0000000000000000-mapping.dmp

Download
memory/3380-226-0x0000000000000000-mapping.dmp

Download
memory/3544-168-0x0000000000000000-mapping.dmp

Download
memory/3548-240-0x0000000000000000-mapping.dmp

Download
memory/3580-140-0x0000000000000000-mapping.dmp

Download
memory/3620-141-0x0000000000000000-mapping.dmp

Download
memory/3632-178-0x0000000000000000-mapping.dmp

Download
memory/3652-147-0x0000000000000000-mapping.dmp

Download
memory/3820-222-0x0000000000000000-mapping.dmp

Download
memory/4460-179-0x0000000000000000-mapping.dmp

Download
memory/4480-180-0x0000000000000000-mapping.dmp

Download
memory/4744-166-0x0000000000000000-mapping.dmp

Download