darkgate | hxxps://monitor[.]clickcease[.]com[//]tracker/tracker?id=fe2024jBOEFIqErNt79&adpos=&nw=a&url=[//]otiunmonisky2m[.]com/?utm_content=rtBkoWoLSE&session_id=fxAQqVnPIX2BzHVbcAo2&id=BZnZ9&filter=jUKHCOeAdd-bmIDF&lang=ru&locale=CN

Analysis

max time kernel
468s
max time network
448s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://monitor.clickcease.com//tracker/tracker?id=fe2024jBOEFIqErNt79&adpos=&nw=a&url=//otiunmonisky2m.com/?utm_content=rtBkoWoLSE&session_id=fxAQqVnPIX2BzHVbcAo2&id=BZnZ9&filter=jUKHCOeAdd-bmIDF&lang=ru&locale=CN

Score

10^/10

darkgate stealer

Malware Config

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 13 IoCs

resource	yara_rule
behavioral1/memory/620-750-0x0000000006360000-0x00000000066BB000-memory.dmp	family_darkgate_v6
behavioral1/memory/620-751-0x0000000006360000-0x00000000066BB000-memory.dmp	family_darkgate_v6
behavioral1/memory/8-787-0x0000000005BC0000-0x0000000005F1B000-memory.dmp	family_darkgate_v6
behavioral1/memory/8-789-0x0000000005BC0000-0x0000000005F1B000-memory.dmp	family_darkgate_v6
behavioral1/memory/3744-816-0x00000000054A0000-0x00000000057FB000-memory.dmp	family_darkgate_v6
behavioral1/memory/3744-818-0x00000000054A0000-0x00000000057FB000-memory.dmp	family_darkgate_v6
behavioral1/memory/2860-836-0x00000000048E0000-0x00000000058B0000-memory.dmp	family_darkgate_v6
behavioral1/memory/2860-837-0x0000000005DD0000-0x000000000612B000-memory.dmp	family_darkgate_v6
behavioral1/memory/2860-838-0x0000000005DD0000-0x000000000612B000-memory.dmp	family_darkgate_v6
behavioral1/memory/1212-857-0x0000000005770000-0x0000000005ACB000-memory.dmp	family_darkgate_v6
behavioral1/memory/1212-858-0x0000000005770000-0x0000000005ACB000-memory.dmp	family_darkgate_v6
behavioral1/memory/864-877-0x0000000005B90000-0x0000000005EEB000-memory.dmp	family_darkgate_v6
behavioral1/memory/864-878-0x0000000005B90000-0x0000000005EEB000-memory.dmp	family_darkgate_v6

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	reader_update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	reader_update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	reader_update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	reader_update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	reader_update.exe

Executes dropped EXE 11 IoCs

pid	Process
620	Autoit3.exe
3060	reader_update.exe
8	Autoit3.exe
320	reader_update.exe
3744	Autoit3.exe
3200	reader_update.exe
2860	Autoit3.exe
2064	reader_update.exe
1212	Autoit3.exe
3520	reader_update.exe
864	Autoit3.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000000731-764.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1748	msedge.exe
1748	msedge.exe
2732	msedge.exe
2732	msedge.exe
4544	identity_helper.exe
4544	identity_helper.exe
2276	msedge.exe
2276	msedge.exe
4988	sdiagnhost.exe
4988	sdiagnhost.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
4884	msedge.exe
4884	msedge.exe
5088	msedge.exe
5088	msedge.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	3436	7zG.exe
Token: 35	3436	7zG.exe
Token: SeSecurityPrivilege	3436	7zG.exe
Token: SeSecurityPrivilege	3436	7zG.exe
Token: SeDebugPrivilege	4988	sdiagnhost.exe
Token: SeRestorePrivilege	2916	7zG.exe
Token: 35	2916	7zG.exe
Token: SeSecurityPrivilege	2916	7zG.exe
Token: SeSecurityPrivilege	2916	7zG.exe
Token: SeDebugPrivilege	3156	taskmgr.exe
Token: SeSystemProfilePrivilege	3156	taskmgr.exe
Token: SeCreateGlobalPrivilege	3156	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
3436	7zG.exe
2228	msdt.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2916	7zG.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe
3156	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 4944	2732	msedge.exe	85
PID 2732 wrote to memory of 4944	2732	msedge.exe	85
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 2356	2732	msedge.exe	86
PID 2732 wrote to memory of 1748	2732	msedge.exe	88
PID 2732 wrote to memory of 1748	2732	msedge.exe	88
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87
PID 2732 wrote to memory of 1580	2732	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://monitor.clickcease.com//tracker/tracker?id=fe2024jBOEFIqErNt79&adpos=&nw=a&url=//otiunmonisky2m.com/?utm_content=rtBkoWoLSE&session_id=fxAQqVnPIX2BzHVbcAo2&id=BZnZ9&filter=jUKHCOeAdd-bmIDF&lang=ru&locale=CN
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c6c046f8,0x7ff8c6c04708,0x7ff8c6c04718
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2732 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2480 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,8110047253806016930,10527821061775745969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3268

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap3470:132:7zEvent28653
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3436

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\Admin\AppData\Local\Temp\NDFCDAB.tmp
1⤵
PID:2060
- C:\Windows\system32\msdt.exe
  -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFCDAB.tmp" -ep "NetworkDiagnosticsSharing"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2228

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:4452

C:\Users\Admin\AppData\Local\Temp\Temp1_reader_update (1).zip\reader_update.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_reader_update (1).zip\reader_update.exe"
1⤵
PID:4244
- C:\test\Autoit3.exe
  "C:\test\Autoit3.exe" C:\test\script.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:620

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap134:96:7zEvent5915
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2916

C:\Users\Admin\Downloads\reader_update.exe
"C:\Users\Admin\Downloads\reader_update.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3060
- C:\test\Autoit3.exe
  "C:\test\Autoit3.exe" C:\test\script.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:8

C:\Users\Admin\Downloads\reader_update.exe
"C:\Users\Admin\Downloads\reader_update.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:320
- C:\test\Autoit3.exe
  "C:\test\Autoit3.exe" C:\test\script.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:3744

C:\Users\Admin\Downloads\reader_update.exe
"C:\Users\Admin\Downloads\reader_update.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3200
- C:\test\Autoit3.exe
  "C:\test\Autoit3.exe" C:\test\script.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:2860

C:\Users\Admin\Downloads\reader_update.exe
"C:\Users\Admin\Downloads\reader_update.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2064
- C:\test\Autoit3.exe
  "C:\test\Autoit3.exe" C:\test\script.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:1212

C:\Users\Admin\Downloads\reader_update.exe
"C:\Users\Admin\Downloads\reader_update.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3520
- C:\test\Autoit3.exe
  "C:\test\Autoit3.exe" C:\test\script.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:864

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bfkdhcf\abkfgge

Filesize
1KB

MD5
98d64d3974ee5da0d6df5f70d977bc19

SHA1
332c92257f01fc2aac3a87cc74efe84dd4ef0e27

SHA256
ce255f7268d0bfb8415ea941bf83b1e855d5004baea8fe6ec363f0f5586fc3dc

SHA512
2b983ebedd5e8a744082fc99b6e39d4fb2e3385ee2e44f894cfab0042d3268763606b2371b483b8c5d6b5a5afd0346f365e3ba45529fec715c5389573e3aa91f

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024021516.000\NetworkDiagnostics.debugreport.xml

Filesize
68KB

MD5
1218bfc48d005ac930e56f7de11a55c4

SHA1
289c48fc3af111789ba8038502e0f3264bd75bd4

SHA256
af2c53ef9229621bd7a99b4c79263429619f4b2d81c94d46129e462e23ed0459

SHA512
bfc496d4c71d2ff97c16337a14ffa90b51507192c9d3750e06658185a37b6b114d31f4ec248a5a9281186614805e2b892c6c13d8e813cb3c2d7f76fd0390aab7

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024021516.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
274B

MD5
715901033e21166afec36784c2f85b00

SHA1
861b760a8a70ed4d359372415970ab178db4d268

SHA256
d3eec44429ef0e50fd412df58d51e5c1c8be5a63f296f6f7f4cfcfb521fff6ef

SHA512
12e972bf645fde7fe43c5c5afe577d039a0bde6b93a51f95544f2500a502115a09bd01445f0de5a38b2cb86d621aa910a3830a5334ef685f4533b448eeb814d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
344B

MD5
aad0f722dad26c8ee9a511703229ed95

SHA1
88e7090b3ec99cfeb084d8cef9bb928de26443df

SHA256
b419d9fa978694e505a60edca6090f158f67b5898a1d96ae9e125a1e9885d08c

SHA512
9bfa4574c9580ddd393f13a4d860c94e6d19d3ed957076c4e43c223931e9f37482dae090b95b6c0145a9cc3541fd135f70ddcb88cc560cba83adb2244ab8da77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b05992b69363f2ec5cc423b491f19af8

SHA1
4292b24832837020adac58a133c0c0ea8b733c7b

SHA256
c03d385dadae5d269a7d242c3cdee1dc2640a4860274af2fa9ccff47e5541f0e

SHA512
05bafa785cb459a4dc60d948f76951745e25d8b6fa3d66392bef9406b9d7bc5224e79605b67a469a687ed7d54a94fd1880e8371b1b50c085dc2c7782e727fe1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0700e2c7a7aeb195332c2a01e8742107

SHA1
b15884811792e3b52a4acaaa500851a923ed44da

SHA256
fbe346824d6825a339edafa350138f35a1ad0d56ae9c3574b8aa0a8fa5d2c78e

SHA512
a1170e119875dd49151b39f996cf907143ebf01963615995ead5d3d4c1a6c099890105cd48c14be77e0580723727b52042a4aefffbcdf9a55a62191dbeb1defe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aa790a786c5a456f61ae873cd429c9c6

SHA1
b2c3b0fdb3d0e4287ed0327f0a6e735d96ba1f0c

SHA256
e4e0349aeffb5e2cc41776bd6d36174c5f08c50a69ee7fb0f7c5177793f2458c

SHA512
87a4b77aa9b1d0cbafcd8f614156d71d5f8c4aea4bfb54089488f0d893cd63a6ae2c7b87c8616085f78c22aee8dc522cc87bb7a2d8a75596c9604e830338daf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ea793bc58b8c896067aba55751413234

SHA1
88101815756d55634688d4e789c615d075bef740

SHA256
b788d9d70370660a3da529c159208138d848a86a346485030dc5a2c1d50fba68

SHA512
94cba986abd0add66eafd96bff63c565d0fd7c3ed5ef80cc114a8cb82ffdc4b4b72d25e5054b4ace976a14d1a392ec19f2ad06d4c25ca208060df4e175d9291a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8f4cdd74e897d7ab4b8214cba26f248e

SHA1
1745c6ae96fac83a647856ea3dea21cc7095eed2

SHA256
1e73d9b22775a5a2209d1214acbee0dccdc07bc926e3d8ed2faac06f1266e64a

SHA512
ed87715c7b93f25300e7a34b997703dbdb7df2e565b39f44a7aea865dc2d483477c2bc1718a18b63efbd65cf1e346f3a17b2458c93c2316d06ad5fd4f6f44de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ffd69447153535a63008f0b38cbca6a0

SHA1
7d31048b2b29fd7963904beb655f36ad5251a323

SHA256
4f14c29d6898566f793c13e7804a1f65ab34a46a4e8085c9c78fded7b3bd9311

SHA512
f85c3cc1056f9b3e3fb1c3bc075727dea95e7a0f67a351999e6ed760044871d938a8152ef6eb8df4c14a437f3834712033bf95b539013db810581f6e44ca05bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
20aa28b78bab23e2de04983ba637dbd7

SHA1
fafe74b2523b2ee86ac57673840c3595e7e7dc5d

SHA256
66c0daba85baaa9b65133a0f0436baaebb2d6274eaaf515171fb3d24cdda805e

SHA512
0a2f6daabf8a05c5c079ac610daf2712988952e69f7e386744df63eaac13f6aec4a73dc9aaadc9a7d2f428d99de6360db6900ed34c92e6d457acee0c85617c1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bfce0f1ca0ee1d2db941babb08837b60

SHA1
fedfde0f926d8cda47842041e3c3095bd395f115

SHA256
aad0f820e1b4ef9727fcb58bccd8edad5b4e56a27aaf313ba9651fb9c9808526

SHA512
b812ed72b976da11553ecaf81052079c89ca8b1e860b18c748e56e4b29017ff9e260a10a76bbda3ca6a7a3fed75f78f745d6ee6bb52a5c27c9e4c3b21a572791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
202732acf98721a8edb3486c33b5d12b

SHA1
4ad46cff3b18cf8b0d1790b5b566724e398a9aef

SHA256
63413b94499a706014dc53beb2f2cb5868f3efc60860d4ffb14d1a1d9c3ec4ab

SHA512
81f6d4308f0ceecff7b0f06d4f4124c5d7e00d98011480c57174c931d2b309e0df8fd76e7e2cab64dabcb36e7343775991d8796997040d1f118a1536561fe86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3d256174110f6c79341757ea88b09703

SHA1
657712deb161538062fa508fb0f0c567e9d58a59

SHA256
0cfc3c85c5b690407e076b9f4f8e07038324310e961f4ce4e00fa5c6c8b884e0

SHA512
6ecec6c17d9d469490fa441c500754485487bc9b2bc0b3a9e59c020616cc5c7856416c1ffceca87bb0e4b7f96415d1c506affbe80f359e121aa4b3bbab2ef35a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ddf3148d8c6bf74d5cb0967ad764ccc7

SHA1
4cd8390726c8cdd3f438b1a2bf8ebf4fcc61e8ff

SHA256
6e752402c1756cea0859b07cfea6dc543052695e01c92b11eb0da203715687e2

SHA512
a28ab6fca20f282ebbb8e06c49ae2c894525ff21c45913d80dbc79fdafdbc0711c1ed1c6207e8d4d55675e2f823b4a9991553ca28f08d1e0b909bcbb0e0af5fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d629adaf22f38a8fa984ee97f97a4a78

SHA1
d83b78d627c00214cf75a1f4b62447edd9b6c5cd

SHA256
2132ead0035237ed33273f49c1a1291c2c70783dd57bf71afec99b318d20b8d3

SHA512
2a40de1e7dcacf8449b2471eb84b47e2041b2ff8cd1cea217bb2b5eb435c6c4cdbda5209cd574280334520bdabe754ee5c0e20181ebbbe61664ffd57f79db35c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
880d4ded718d2b56fc882e8d7a5b009c

SHA1
f7ab96e7fa66ed1bbea3c6e1ccb1fbaf468e37d7

SHA256
3a557c058b67761cba3a5ac875e23c9f922b6e4aa8431bdb19f921bbbdbe4e43

SHA512
6f661707df824f6b8d41d07c158f21486980b7e354acd0a85192ed59f04cca9b86d1900b5990ab612f7dcd76b0e13b003b28c2334e4c3f825548a70565d975b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c957937dc4a3dd8459041404a5725017

SHA1
e6c9cfb6f678235f6370c71cd0be27b7a8d212c9

SHA256
be6ffac2b3463af433d39e3090292877308f0e55b5e87011d45d3f17af308299

SHA512
b7f9ccdedc242d0abf55edc95e3d5a0b9e4911b76d6bda1f61cfd8a30d07087f1a75aff70570a11f57a93b15470c4bd07503a946ea52f0f4de7caf54508f7570

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tsvb1y10.2qc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\dHAEbDF

Filesize
32B

MD5
0b1337ecb123fe1e28884e3156589f83

SHA1
76abeb220aefed8a7a91b96215b957a066e1b7ef

SHA256
42e848ec1747db18aeb404aeb3964bbba859884d16daaf28c04fbda2e35fc6df

SHA512
bda39921b73363f51bdb742b052a7a4b1d6049a6e56761e216d08e3c0b2ede41839c2d8f04453e07a5293248fa163360575628e63a9faa2a2af0a089486fa1d7

Download Submit
C:\Users\Admin\Downloads\cases_2024-02-15_00-46-26-576001_18.cab

Filesize
299B

MD5
6a7b1aed7b8aa84879010d75d6d43f0f

SHA1
04910db33ee97ec00100d9e7e9f9f5124077dd53

SHA256
513bbfeb12480b60313f1475632ebb66626854cd94f09f43366839cc8bb502c2

SHA512
9412a415d7293e2bf300225545b1ef72718213ea0072b779191ea06f5757de570ebbd94ca1a7a7d63f801621421bed53e8dcfc7ed4c4d36f6614610cfafd6162

Download Submit
C:\Users\Admin\Downloads\reader_update.exe

Filesize
1023KB

MD5
a74ae422391a22b5469135ae7f0cbf7d

SHA1
c475b69e647c55c94e4cb654af3e3248280fb5af

SHA256
2f13c4d57fe43929fbf507699fc6701459b0a118616776995d437787ba558042

SHA512
496ed98f57818fe6240d8ead975ff6e31857a6df92b3dbbf6b8d091eceb32e7a0a71c42d70d0fd75f3f102eb3a36145d9a7d54060a9ec79c37432d62c5afac22

Download Submit
C:\Users\Admin\Downloads\reader_update.zip

Filesize
496KB

MD5
0bb063d129162e8c93830fdbcf2ba416

SHA1
b94061877b45dda085ef56c03b09c210a6b78a20

SHA256
34141756b9cc1ed73041cea7f5b96ba54098ac91aa11a74ada2a4dcfdf05f574

SHA512
fa31c12a344406a683cd9bb943351eba344ea8c9bdfd38e498ede07809b8d43f73a5cf317fcaefad5beb5f96f76b6be14dc666c071f271025b16ede5a15d05d4

Download Submit
C:\Windows\TEMP\SDIAG_22822394-bed3-4046-9018-fe13fcb633c7\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_22822394-bed3-4046-9018-fe13fcb633c7\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_22822394-bed3-4046-9018-fe13fcb633c7\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_22822394-bed3-4046-9018-fe13fcb633c7\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_22822394-bed3-4046-9018-fe13fcb633c7\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_22822394-bed3-4046-9018-fe13fcb633c7\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
C:\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\test\Autoit3.exe

Filesize
439KB

MD5
293f197cf49a2875b86e9fb9f4fc6acf

SHA1
31e5199cb91a9f574ad69fd1baac272ac9ad21d9

SHA256
7668b3dcdbfcaee3d3171b3b05050f9056941c28627b9fe039c6bc74de83d923

SHA512
f61b8c6ddcc985f3ca01585b2caa1b924b401f7107ec13dcb99a0e7356f040ee719d0ee51410bb1a0bb238b1acb932941c37a1335eabd610bffa1418688acb10

Download Submit
C:\test\script.a3x

Filesize
473KB

MD5
30a57489d8db61af2b43b3a5e796234d

SHA1
31bda33394b533f33147b374c9108d8762876590

SHA256
b21aca04205df1d33b2218cd986621abbca52070f2f21ed1bc24294f8ab09f31

SHA512
647dbb85c863808aa88ec5c7f15a4fc0ec16f9cfe7fb923778efd1365bda1e0d9a37d9f9950d7eac6a31717da3bf38dbdf41adda68485fe3074d76a2d389b17a

Download Submit
C:\test\test.txt

Filesize
76B

MD5
570fb19bda07644952532d2bee7593d7

SHA1
c434be58213f885cbeaef00d47877490e8ef4c9a

SHA256
7b7228217776234e8c03c7b48cfa51f4284553151158b6bfbacbe3d9f348f25a

SHA512
abd1230cd3c000cd8a4f5100883b46b467c10993cb94fd2ad868b2bd6bdcef8fef7bc3021d38d4f042e9ad8ddfbf6f92d9779325006be936c0992186bc546e66

Download Submit
memory/8-789-0x0000000005BC0000-0x0000000005F1B000-memory.dmp

Filesize
3.4MB

Download
memory/8-787-0x0000000005BC0000-0x0000000005F1B000-memory.dmp

Filesize
3.4MB

Download
memory/8-786-0x00000000046D0000-0x00000000056A0000-memory.dmp

Filesize
15.8MB

Download
memory/620-749-0x0000000004E60000-0x0000000005E30000-memory.dmp

Filesize
15.8MB

Download
memory/620-750-0x0000000006360000-0x00000000066BB000-memory.dmp

Filesize
3.4MB

Download
memory/620-751-0x0000000006360000-0x00000000066BB000-memory.dmp

Filesize
3.4MB

Download
memory/864-876-0x0000000004690000-0x0000000005660000-memory.dmp

Filesize
15.8MB

Download
memory/864-878-0x0000000005B90000-0x0000000005EEB000-memory.dmp

Filesize
3.4MB

Download
memory/864-877-0x0000000005B90000-0x0000000005EEB000-memory.dmp

Filesize
3.4MB

Download
memory/1212-858-0x0000000005770000-0x0000000005ACB000-memory.dmp

Filesize
3.4MB

Download
memory/1212-857-0x0000000005770000-0x0000000005ACB000-memory.dmp

Filesize
3.4MB

Download
memory/1212-856-0x0000000004280000-0x0000000005250000-memory.dmp

Filesize
15.8MB

Download
memory/2860-836-0x00000000048E0000-0x00000000058B0000-memory.dmp

Filesize
15.8MB

Download
memory/2860-837-0x0000000005DD0000-0x000000000612B000-memory.dmp

Filesize
3.4MB

Download
memory/2860-838-0x0000000005DD0000-0x000000000612B000-memory.dmp

Filesize
3.4MB

Download
memory/3156-881-0x000001C37B7E0000-0x000001C37B7E1000-memory.dmp

Filesize
4KB

Download
memory/3156-887-0x000001C37B7E0000-0x000001C37B7E1000-memory.dmp

Filesize
4KB

Download
memory/3156-891-0x000001C37B7E0000-0x000001C37B7E1000-memory.dmp

Filesize
4KB

Download
memory/3156-889-0x000001C37B7E0000-0x000001C37B7E1000-memory.dmp

Filesize
4KB

Download
memory/3156-890-0x000001C37B7E0000-0x000001C37B7E1000-memory.dmp

Filesize
4KB

Download
memory/3156-888-0x000001C37B7E0000-0x000001C37B7E1000-memory.dmp

Filesize
4KB

Download
memory/3156-886-0x000001C37B7E0000-0x000001C37B7E1000-memory.dmp

Filesize
4KB

Download
memory/3156-885-0x000001C37B7E0000-0x000001C37B7E1000-memory.dmp

Filesize
4KB

Download
memory/3156-880-0x000001C37B7E0000-0x000001C37B7E1000-memory.dmp

Filesize
4KB

Download
memory/3156-879-0x000001C37B7E0000-0x000001C37B7E1000-memory.dmp

Filesize
4KB

Download
memory/3744-816-0x00000000054A0000-0x00000000057FB000-memory.dmp

Filesize
3.4MB

Download
memory/3744-815-0x0000000003FA0000-0x0000000004F70000-memory.dmp

Filesize
15.8MB

Download
memory/3744-818-0x00000000054A0000-0x00000000057FB000-memory.dmp

Filesize
3.4MB

Download
memory/4988-533-0x00007FF8B2CD0000-0x00007FF8B3791000-memory.dmp

Filesize
10.8MB

Download
memory/4988-534-0x000001CE6F0D0000-0x000001CE6F0E0000-memory.dmp

Filesize
64KB

Download
memory/4988-535-0x000001CE56A70000-0x000001CE56A92000-memory.dmp

Filesize
136KB

Download
memory/4988-540-0x000001CE6F0D0000-0x000001CE6F0E0000-memory.dmp

Filesize
64KB

Download
memory/4988-541-0x00007FF8B2CD0000-0x00007FF8B3791000-memory.dmp

Filesize
10.8MB

Download
memory/4988-600-0x00007FF8B2CD0000-0x00007FF8B3791000-memory.dmp

Filesize
10.8MB

Download
memory/4988-544-0x000001CE6F0D0000-0x000001CE6F0E0000-memory.dmp

Filesize
64KB

Download
memory/4988-545-0x000001CE6F0D0000-0x000001CE6F0E0000-memory.dmp

Filesize
64KB

Download