laplas | e1c98a0ade9b2f076c17c90bf42bafe1814fdbce24eb85cc401a72c1e1cfa601

Analysis

max time kernel
68s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PC-Set-UP_SOFT.exe
Size

9.7MB
MD5

bf7a18436887c2ba24ae483096365f35
SHA1

01ff678f52d94a278ee5e14164eb7b9599675ed6
SHA256

e1c98a0ade9b2f076c17c90bf42bafe1814fdbce24eb85cc401a72c1e1cfa601
SHA512

d498f9bcdaf8389535f7ef16cfb73acc4d12b0f37b1afae49d5d8f731d147d19808d59fe010fe7195479987cd4a13461a5180aacc77364bff5da9e5f01dcc128
SSDEEP

196608:RljSlVLHRCRaAKd6MYhMMy6oqX4w7rDdYuXCM4+e:PGvXZdyK4ny4CM4R

Score

10^/10

laplas raccoon f49765d62e02586d0fe162b5d3a934ad clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

f49765d62e02586d0fe162b5d3a934ad

http://5.75.159.229/

http://212.113.119.153/

http://78.153.130.123/

http://212.113.119.35/

rc4.plain

Extracted

Family

laplas

http://212.113.106.172

Attributes

api_key
a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	qM6mYpRk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	PC-Set-UP_SOFT.exe

Executes dropped EXE 4 IoCs

pid	Process
4108	677yHC88.exe
3548	9mVlY7Sy.exe
1048	qM6mYpRk.exe
4244	svcservice.exe

Loads dropped DLL 3 IoCs

pid	Process
1828	PC-Set-UP_SOFT.exe
1828	PC-Set-UP_SOFT.exe
1828	PC-Set-UP_SOFT.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	qM6mYpRk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4108 set thread context of 3940	4108	677yHC88.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3596	4108	WerFault.exe	102
2476	3940	WerFault.exe	105

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	PC-Set-UP_SOFT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	PC-Set-UP_SOFT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	PC-Set-UP_SOFT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	PC-Set-UP_SOFT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	PC-Set-UP_SOFT.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1828	PC-Set-UP_SOFT.exe
1828	PC-Set-UP_SOFT.exe
1048	qM6mYpRk.exe
1048	qM6mYpRk.exe
1048	qM6mYpRk.exe
1048	qM6mYpRk.exe
4244	svcservice.exe
4244	svcservice.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 4108	1828	PC-Set-UP_SOFT.exe	102
PID 1828 wrote to memory of 4108	1828	PC-Set-UP_SOFT.exe	102
PID 1828 wrote to memory of 4108	1828	PC-Set-UP_SOFT.exe	102
PID 1828 wrote to memory of 3548	1828	PC-Set-UP_SOFT.exe	104
PID 1828 wrote to memory of 3548	1828	PC-Set-UP_SOFT.exe	104
PID 1828 wrote to memory of 3548	1828	PC-Set-UP_SOFT.exe	104
PID 4108 wrote to memory of 3940	4108	677yHC88.exe	105
PID 4108 wrote to memory of 3940	4108	677yHC88.exe	105
PID 4108 wrote to memory of 3940	4108	677yHC88.exe	105
PID 4108 wrote to memory of 3940	4108	677yHC88.exe	105
PID 4108 wrote to memory of 3940	4108	677yHC88.exe	105
PID 1828 wrote to memory of 1048	1828	PC-Set-UP_SOFT.exe	108
PID 1828 wrote to memory of 1048	1828	PC-Set-UP_SOFT.exe	108
PID 1828 wrote to memory of 1048	1828	PC-Set-UP_SOFT.exe	108
PID 1048 wrote to memory of 4244	1048	qM6mYpRk.exe	112
PID 1048 wrote to memory of 4244	1048	qM6mYpRk.exe	112
PID 1048 wrote to memory of 4244	1048	qM6mYpRk.exe	112
PID 3548 wrote to memory of 3484	3548	9mVlY7Sy.exe	113
PID 3548 wrote to memory of 3484	3548	9mVlY7Sy.exe	113
PID 3484 wrote to memory of 1704	3484	msedge.exe	114
PID 3484 wrote to memory of 1704	3484	msedge.exe	114

C:\Users\Admin\AppData\Local\Temp\PC-Set-UP_SOFT.exe
"C:\Users\Admin\AppData\Local\Temp\PC-Set-UP_SOFT.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\LocalLow\677yHC88.exe
  "C:\Users\Admin\AppData\LocalLow\677yHC88.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:3940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1032
      4⤵
      Program crash
      PID:2476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 296
    3⤵
    - Program crash
    PID:3596
- C:\Users\Admin\AppData\Roaming\9mVlY7Sy.exe
  "C:\Users\Admin\AppData\Roaming\9mVlY7Sy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/L8YQiQAR#rEAfv2UEb62wzmdkDYM4xtmsauqJqq1Sw55VCESnGCY
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb376046f8,0x7ffb37604708,0x7ffb37604718
      4⤵
      PID:1704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,7857567440658953684,11743117442025589526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      4⤵
      PID:1296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,7857567440658953684,11743117442025589526,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2476 /prefetch:8
      4⤵
      PID:5068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,7857567440658953684,11743117442025589526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
      4⤵
      PID:2508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7857567440658953684,11743117442025589526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      4⤵
      PID:3404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7857567440658953684,11743117442025589526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
      4⤵
      PID:4084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7857567440658953684,11743117442025589526,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
      4⤵
      PID:3240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7857567440658953684,11743117442025589526,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
      4⤵
      PID:384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7857567440658953684,11743117442025589526,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
      4⤵
      PID:5536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7857567440658953684,11743117442025589526,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
      4⤵
      PID:5528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7857567440658953684,11743117442025589526,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
      4⤵
      PID:5992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7857567440658953684,11743117442025589526,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
      4⤵
      PID:5984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      PID:5260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff699a55460,0x7ff699a55470,0x7ff699a55480
        5⤵
        
        PID:5432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,7857567440658953684,11743117442025589526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 /prefetch:8
      4⤵
      PID:5212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,7857567440658953684,11743117442025589526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 /prefetch:8
      4⤵
      PID:5108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/L8YQiQAR#rEAfv2UEb62wzmdkDYM4xtmsauqJqq1Sw55VCESnGCY
    3⤵
    PID:1052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,13690854271891454365,68528418705969814,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
      4⤵
      PID:3184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,13690854271891454365,68528418705969814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
      4⤵
      PID:2068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/asRkjRSD#KOFfqwwIUHDAYQF7I_jmk7VP7MHdMnC6CpfjbOvffcs
    3⤵
    PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb376046f8,0x7ffb37604708,0x7ffb37604718
      4⤵
      PID:1064
- C:\Users\Admin\AppData\Roaming\qM6mYpRk.exe
  "C:\Users\Admin\AppData\Roaming\qM6mYpRk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4244
- C:\Users\Admin\AppData\Roaming\252TFKlG.exe
  "C:\Users\Admin\AppData\Roaming\252TFKlG.exe"
  2⤵
  PID:6124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4108 -ip 4108
1⤵
PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb376046f8,0x7ffb37604708,0x7ffb37604718
  2⤵
  PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3940 -ip 3940
1⤵
PID:2768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\677yHC88.exe

Filesize
251KB

MD5
26b02242e05cbfab57cec7654da6d5bb

SHA1
fa160aedb2ceef7af75e52e9f37b6878f5c011c5

SHA256
a7822c8b395e8d171ba566691780240e3a17b58a6cb8266d676fd54a542af556

SHA512
1a0d9c32bca30eecad3a2cb4e40902172b21f360f010cce88129806d33acccd630c19c590359cac6286db7205c014aaf4ea9e16cd9ec7b659eb5d821c2cd7fa2

Download Submit
C:\Users\Admin\AppData\LocalLow\677yHC88.exe

Filesize
251KB

MD5
26b02242e05cbfab57cec7654da6d5bb

SHA1
fa160aedb2ceef7af75e52e9f37b6878f5c011c5

SHA256
a7822c8b395e8d171ba566691780240e3a17b58a6cb8266d676fd54a542af556

SHA512
1a0d9c32bca30eecad3a2cb4e40902172b21f360f010cce88129806d33acccd630c19c590359cac6286db7205c014aaf4ea9e16cd9ec7b659eb5d821c2cd7fa2

Download Submit
C:\Users\Admin\AppData\LocalLow\677yHC88.exe

Filesize
251KB

MD5
26b02242e05cbfab57cec7654da6d5bb

SHA1
fa160aedb2ceef7af75e52e9f37b6878f5c011c5

SHA256
a7822c8b395e8d171ba566691780240e3a17b58a6cb8266d676fd54a542af556

SHA512
1a0d9c32bca30eecad3a2cb4e40902172b21f360f010cce88129806d33acccd630c19c590359cac6286db7205c014aaf4ea9e16cd9ec7b659eb5d821c2cd7fa2

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
114KB

MD5
dbaa2f12fab1a5bc256d45263ab93d42

SHA1
99015a045f39d38384512d3b68b851f21c712d3d

SHA256
3bf747f381cf0f207c8493e52c189098aed6b688f5c98d0d3d1bd1c5238ddd57

SHA512
7e84481be3f9a435b139dde5dea3ffdb71acebacc1774d03db9a08f772f6c64a340b77c4eb8a9c4b3e2f80bfdfc19ca5b975dc7537925eaf38165b25eb8cda94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
66KB

MD5
3b196209d4495dadf275cb2b11f671e8

SHA1
d1f11d97c81da3692d3e8f3b8b9610608da3e1c9

SHA256
059e067f143bd5b85e1b18e771182c2ee2f5fa212406d182668a7c9f21b572c5

SHA512
0daf1970a583e3d09b9b7a9b035d8d7f0e47962152085b377ced809fec565492058e011947f842354e9428f70191bd760e745f6bcbb390f1543385d824d33dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
88KB

MD5
94676e314a869cea8b70fc6698cb2c48

SHA1
c681f9ea637011a45fa30e4750098dee378880d5

SHA256
92090a2fc2ee13f67411a5e5778e3265e7401163c87beffa8e0392ccc765a8e8

SHA512
59bbfe9127e937271e5ac8443681dd48c7bfa882bdbfe3e340ea145ee8b6852d9a612d67f51252985fb0e11b37cafb42eb3a7e33b39c3af9aecdce3c5bd98e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
49KB

MD5
6c84cfd6016a386cb871456973043421

SHA1
7322f7fcf5bb54b4e7d9ca99e41944b464270519

SHA256
7bf3529c2e416891eb94168f9d93e9edb2931187ad4fa6045a78b013461fb87a

SHA512
5f32f95557db9614f34c26c1e174e673a6874877e656ea51f0e74ec81865af7a750bd5ed71d7f177d936ff0e61861ef1b652e9a6cebd7e6dab3da33266b95817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
21KB

MD5
dfaa1e60dafae8f24a5ae5c94487d98f

SHA1
46b5ed1a8c586c5670cd44929b541a92ccf6d59c

SHA256
c4a4710f9ef91580f3001ee6547215894064d3b3505d7fa7bac0c13091695c14

SHA512
08141987c979ebc5a8a75f0897a3987ed0e54c93f851931af2168b854f6fd952f6b4ef476287758ab9aa3c512e2647c81551d37a39957da56806ffa298c572fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
178KB

MD5
bd03a2cc277bbbc338d464e679fe9942

SHA1
cbff48bce12e71565156bb331b0c9979746a5680

SHA256
983b0caf336e8542214fc17019a4fc5e0360864b92806ca14d55c1fc1c2c5a0f

SHA512
a8fbc47aca9c6875fc54983439687323d8e8db4ca8f244ed3c77ca91893a23d3cfbd62857b1e6591f2bc570c47342eed1f4a6010e349ef1ac100045ef89cbfd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
179KB

MD5
8b4f872c5de19974857328d06d3fe48f

SHA1
32092efbd7938af900e99d63cf25db246c6bff26

SHA256
30f77a5ff0bcba46d4e760b0c939a5ff112da0d3ddd13a261834134e00cc21c7

SHA512
c7b87b142cef8e1b31e5561593db2ac5eca2c578a724204464e9ede977c8107f3d6748e9b52d072aff04eef07b232b8f19286aa2267bc325c57926db1a2a3e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
96KB

MD5
64835035649f645c21e6b9429095abc0

SHA1
bf1b3e56e9c8ee50d9414603933f3a1d263178c3

SHA256
a08d865c4c2c59e79d02513b9c92b236e3dbb510c46d4bdae21335fd8a615fae

SHA512
392ff4f0e6081fb48dd2a2f23b80b23bd2cab263b231fab5e95c368c077ff3b2ed832163d63fba7242887e508131ba9db264a52f8c9996ac48e936b287b3cad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
68KB

MD5
d74c0efac1a9c59152b0325932d399f1

SHA1
a472eadb5b431a4ef40e78ed79eaed9bb8fc8135

SHA256
e8bedfbc203b2d09457d44a4ddfaadfb770d637e332f41487438fa9a7f5352f5

SHA512
8b54060e0a7fa219fb96ada3c4beae832727540d8872a231f71c2a0cddc3abaf061eb2687595be3f4fbfd996bbe0488f44e1e042b28c2aaa45d51f03d0b4e689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
29KB

MD5
c53c4b781f53b21562990926425abfd3

SHA1
fff91c4acd5d0c187ad634b79b2619dae9af58ad

SHA256
1692f9c36f3aaa9d3e251a92fd2615b55d6f8e8e0bb286fa87184ecb4e20525c

SHA512
85041e7dd1eff82db0355a471ed64114d214bbf5d9b6b54f5f741e7a83b56f38dd591c854dc16c748db806ffedf896076c8a31af7664429c373497f68323c7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
73KB

MD5
24f5698b1565383c364407eaf8a15313

SHA1
d8994b924a914da185b11463405686108092f9a0

SHA256
19493c1da8c0075e696f6552c794ae1931c09fcaa03b441c822a5aacb2d6b5d7

SHA512
71f88ee47085bcacc1452aa8358a349c807dcf90e5ae6cef008c9cdc954e8779a74d64c020b174d57c1e2bad35fe87a027568d4291367877c1bd4c03a3d8d0c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
36913db9dbbd1f234c4d0d19f677e44e

SHA1
59f509b8a9c701af3d9783783a3543f1ebc8fadd

SHA256
015d7c1b19eafbf036d4565ba11bf4641738d346bdaaf26009f5ba3233207e61

SHA512
0d041b048ba1f416b2766b6486918af9c57ee5a4de225e50f66e3fd6ea5d21a6e3abb929897c8378174db7f07808b3e4f7d47a0494648d7ea311d6e089d81f9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
b008d1e9846ae50866ccd90fe7ce63b2

SHA1
50edaf30f89e842b3afc8a4795c7f55b72769251

SHA256
704fc23929d31490d07dd2947507c3d57a10151a601d113e81b1beebf91d4bc8

SHA512
cf291783b316ccb4ffca2003c7a38a1aaa26f7db05e52cfeab060c3100e7e09c2fcb9734294e5585c3fb6e3bc73c6159fc954298fe304ecc5a9bc9197dbb83d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
54dd10ededfdce0206dfab9709cc8705

SHA1
3aba83ce1565c552ea61df0374fa99644e1d3ab1

SHA256
e95ac848be499938aac6df5822c8661e812895e037c5732ba83f6690754e029b

SHA512
712e197bd9df97603fd42f502b29eff00b0b4e93215d362cf159b1a3b0f18167daab129ef6b031b0ed652a73dd2890bb50f4a3bb57f0a5479551a4416789fcea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
19b2bdee4d3eefd3b241df8af66c1a9a

SHA1
ee3659f9c778b270f505c267a59d41f693ec6a31

SHA256
ed4ebc8916a9f1bdd61b077153f538070cd0d766b6e83498e3bafae3b4f5e413

SHA512
7f241e1b9c47120ec389b8c9935f93479885916e26153a2ebd960e1b956fe3329b2dc5c95d4ea11bb3d7aea422d1e752f5a2c44406191130617a836e24b0c7ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
912803ad80cfdeae61c30233cd21667d

SHA1
457b3fcacbe69fe8badcff384d33fceda033c152

SHA256
229fa4844da9695d798ad41ce68e8e73e523b84a0efa09801772d4adf46d2ca5

SHA512
879432285165e08a615336a8ced4daa6bef5601c8f8087dd81bc17468a72c3b4228f3e86d6b1613eb3155c0027081d7bda2c5fd0de55725c9840931b331db952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ffcdc1e093ac7a9dfd8183929e626442

SHA1
e51099b9150d866a97869e507f596cd7476e96e6

SHA256
9c1100958fcd0c5d2b724861cabf665f2e9d92be8cc88e3f54c62ecd5ea6ef48

SHA512
1b1e1b5037c33c1ce06d3eeec75b05144c0d4a703c1db67ba8039185a2ffdf4af637918e05f57d3f6626f7c6e5aa788d49aa997ad954cb563c840640661ce2ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d4f4404e0c10eac34bfa60a7ea4081b8

SHA1
cf6ac51ddb536e2a7faf42d08839df3fe9fc8152

SHA256
6c42fd4a81caab1dcc0cf3d27c873c4d32f74215ec8658c28e0ab34a283478f2

SHA512
c6cdb8ece34d10bf683b2ecc2d10bfdee5e3acc7e7009605b4244fc7d88f42b651a8af888a9b8f9651d8f5efc64257d471fbb9b2712ad83637a886f397ecafdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d4f4404e0c10eac34bfa60a7ea4081b8

SHA1
cf6ac51ddb536e2a7faf42d08839df3fe9fc8152

SHA256
6c42fd4a81caab1dcc0cf3d27c873c4d32f74215ec8658c28e0ab34a283478f2

SHA512
c6cdb8ece34d10bf683b2ecc2d10bfdee5e3acc7e7009605b4244fc7d88f42b651a8af888a9b8f9651d8f5efc64257d471fbb9b2712ad83637a886f397ecafdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bd44c1b67cbf5c2b7ac46efd6434e780

SHA1
919611823559144eb3b5feaf228d8e0cb037ac62

SHA256
42a9c773e26ebcc4acb7fa7574e96f7975f3197d870ab8a537f61c606b2884db

SHA512
c565f33e14f4a228eecff612224911e1382c38777c07cdf2232eeaa6a17e724367ce9a4f7b251c6371888b054890199097e76dfa5cb73aa48f150069695a5008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
aa89a20eded47391a0e851becb66e51e

SHA1
f2c7a4f200f073a0ce62d94f110b25d0b3d3fd18

SHA256
5fcdde89cc02b506b639557c7d3b3d50db3b6aff0170e3f69e8800c5926c85af

SHA512
13d76c036cb4bf284e1c9a21188b4c9511afa49868b65ca7c58fc218bd5f1224cac182906f892986af7ed67be35091ac76aeff0b11ba4c3d8e526f3014e5e161

Download Submit
C:\Users\Admin\AppData\Roaming\9mVlY7Sy.exe

Filesize
52KB

MD5
13e943e4a218b36c30fcc7fe865d5d93

SHA1
9fb188959cc18b754db75a50240973abe05d1635

SHA256
3fd21096eba51f31191f95a3771c54274748666f101868a5b061847f0853cdb4

SHA512
c3d646f145f7044d37fbd7eaecba508eb8d54be4741216c9d75e43f44c0370dcc67d05566e9772519f44c1c34e3bda77466e7a12ce0cd6b00e7e895ec5d6241f

Download Submit
C:\Users\Admin\AppData\Roaming\9mVlY7Sy.exe

Filesize
52KB

MD5
13e943e4a218b36c30fcc7fe865d5d93

SHA1
9fb188959cc18b754db75a50240973abe05d1635

SHA256
3fd21096eba51f31191f95a3771c54274748666f101868a5b061847f0853cdb4

SHA512
c3d646f145f7044d37fbd7eaecba508eb8d54be4741216c9d75e43f44c0370dcc67d05566e9772519f44c1c34e3bda77466e7a12ce0cd6b00e7e895ec5d6241f

Download Submit
C:\Users\Admin\AppData\Roaming\9mVlY7Sy.exe

Filesize
52KB

MD5
13e943e4a218b36c30fcc7fe865d5d93

SHA1
9fb188959cc18b754db75a50240973abe05d1635

SHA256
3fd21096eba51f31191f95a3771c54274748666f101868a5b061847f0853cdb4

SHA512
c3d646f145f7044d37fbd7eaecba508eb8d54be4741216c9d75e43f44c0370dcc67d05566e9772519f44c1c34e3bda77466e7a12ce0cd6b00e7e895ec5d6241f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
079065e9c00f10595862ef9fcc8fad7b

SHA1
e92c8c6996442a55085172724c39e4cea0cdbb4b

SHA256
f59b6eb9fe9b0788b48438eca8296ae9deac8099b7725427f72bedac44132f57

SHA512
ae48ab1b7f9ac57ca5eae8f2183a43040a09f93162321ce3eec524415194e0e03daf016a3514bfe1abb14fb7da35e009ad2794f44ee191e96f976f1816107c7a

Download Submit
C:\Users\Admin\AppData\Roaming\qM6mYpRk.exe

Filesize
5.8MB

MD5
e7a69210f26c7944b6e267d0d73af320

SHA1
cc03fe693690e4f45a7cca31782292f69e505801

SHA256
64b965beccd214a869629c202905642aec12eb0814bd773c264f845cb7a211e2

SHA512
44345416a657e5612fe6af6d6203f25e5bb501862f83c0a688b8fbab0cdd4929b309e32fa6770fe18a47bf62d91688fc761761d0f457e37bbc11abe16adace07

Download Submit
C:\Users\Admin\AppData\Roaming\qM6mYpRk.exe

Filesize
5.8MB

MD5
e7a69210f26c7944b6e267d0d73af320

SHA1
cc03fe693690e4f45a7cca31782292f69e505801

SHA256
64b965beccd214a869629c202905642aec12eb0814bd773c264f845cb7a211e2

SHA512
44345416a657e5612fe6af6d6203f25e5bb501862f83c0a688b8fbab0cdd4929b309e32fa6770fe18a47bf62d91688fc761761d0f457e37bbc11abe16adace07

Download Submit
C:\Users\Admin\AppData\Roaming\qM6mYpRk.exe

Filesize
5.8MB

MD5
e7a69210f26c7944b6e267d0d73af320

SHA1
cc03fe693690e4f45a7cca31782292f69e505801

SHA256
64b965beccd214a869629c202905642aec12eb0814bd773c264f845cb7a211e2

SHA512
44345416a657e5612fe6af6d6203f25e5bb501862f83c0a688b8fbab0cdd4929b309e32fa6770fe18a47bf62d91688fc761761d0f457e37bbc11abe16adace07

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
329.8MB

MD5
d695f51c54aaaf59f73e6dfb0f225dd8

SHA1
b7858b88a0b69c542713757788b37db120c52894

SHA256
2550c638be48f7fefc90b6bca09a1eba4fdeec19031ae8012c56435542d75c29

SHA512
82d5b8f9aeb66ca3b181fb1ce635649d84a8c9f0f3df65c71bafb4924e7ab3f06dd124cb59036597ed12a010df47d47e6af9bb7a3b327a7e515ac80a55977960

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
332.2MB

MD5
303aa132133e5df5a141f7117766ee0b

SHA1
de67570d76eb97e510ec7682cc1940185b4490b3

SHA256
8a8ce26b05a4175892cdab97e377d8dc913d43fb883a27b1985eabfa097d51f9

SHA512
afd6331db2cefdb7d71307250f897f6e58ff41dbb5e41b93c847cf011a1530992cc52f4f5b668fc267699117a11497a1fb8cb01b58f2e8d2d0a504e8a12b6471

Download Submit
memory/1048-251-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1048-252-0x0000000000400000-0x0000000000D10000-memory.dmp

Filesize
9.1MB

Download
memory/1828-134-0x0000000000400000-0x00000000014C0000-memory.dmp

Filesize
16.8MB

Download
memory/1828-180-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/1828-133-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/3548-232-0x0000000000A80000-0x0000000000A94000-memory.dmp

Filesize
80KB

Download
memory/3548-248-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/3548-258-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/3548-255-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/3548-257-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/3940-234-0x00000000076D0000-0x0000000007762000-memory.dmp

Filesize
584KB

Download
memory/3940-233-0x0000000007BE0000-0x0000000008184000-memory.dmp

Filesize
5.6MB

Download
memory/3940-227-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3940-246-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/3940-247-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/3940-249-0x0000000007770000-0x00000000077D6000-memory.dmp

Filesize
408KB

Download
memory/4244-273-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4244-274-0x0000000000400000-0x0000000000D10000-memory.dmp

Filesize
9.1MB

Download