hxxps://wearedevs[.]net/exploits

Analysis

max time kernel
264s
max time network
262s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://wearedevs.net/exploits

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\pcdef.exe\""	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\pcdef.exe\""	MsiExec.exe

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2796	Multiple_ROBLOX.exe
2560	rundelay.exe
1068	rundelay.exe
764	rundelay.exe
1040	rundelay.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
116	camo.githubusercontent.com
117	camo.githubusercontent.com
118	camo.githubusercontent.com
119	raw.githubusercontent.com
127	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Def Group\PC Defender\prockill32.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Def Group\PC Defender\uninstall.bat	msiexec.exe
File opened for modification	C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\uninstall.bat	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\prockill32.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe	msiexec.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e5a5aa4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF93E9C472794C3861.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a5aa9.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3B0EFF403ABA3343.TMP	msiexec.exe
File created	C:\Windows\Installer\e5a5ab7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B9E.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFEB137969D3772356.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB7BD59F2C27DA59F.TMP	msiexec.exe
File created	C:\Windows\Installer\e5a5aa4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_FC03FB89D84E75F2C05EA5.exe	msiexec.exe
File created	C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_368235FAFDAA3CD0178CB7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_368235FAFDAA3CD0178CB7.exe	msiexec.exe
File created	C:\Windows\SystemTemp\~DF69AD59C4A8A07E25.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA2E54235514176F2.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF546A4D899B387308.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF07F88846FA749829.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_FC03FB89D84E75F2C05EA5.exe	msiexec.exe
File created	C:\Windows\Installer\e5a5aa8.msi	msiexec.exe
File created	C:\Windows\Installer\e5a5aa9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A62.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a0a26a5bdad282120000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a0a26a5b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a0a26a5b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da0a26a5b000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a0a26a5b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundelay.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundelay.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundelay.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundelay.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundelay.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\delrstrui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RMWRMTZQQJDQBIPFOHJW.bat"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundelay.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundelay.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundelay.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "238"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\delrstrui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JDOJELQIIBUITZHXG.bat"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundelay.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundelay.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_PC Defender v2.zip\\"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\ProductName = "PC Defender"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\PackageCode = "793E8A3EDC915D546911442ABED08716"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Assignment = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Version = "33554432"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\SourceList\Media\1 = ";"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\ProductName = "PC Defender"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media\1 = ";"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media\1 = ";"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\PackageName = "[email protected]"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Clients = 3a0000000000	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\AdvertiseFlags = "388"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\DeploymentFlags = "3"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\ProductName = "PC Defender"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\SourceList\PackageName = "[email protected]"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\DeploymentFlags = "3"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_PC Defender v2.zip\\"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Assignment = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\InstanceType = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AdvertiseFlags = "388"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\InstanceType = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_PC Defender v2.zip\\"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\InstanceType = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\AuthorizedLUAApp = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Version = "33554432"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\ProductName = "PC Defender"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_PC Defender v2.zip\\"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\AuthorizedLUAApp = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\SourceList\Net	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Clients = 3a0000000000	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9E6DD28BF81ED654F84A0E1B229F9D5B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9E6DD28BF81ED654F84A0E1B229F9D5B\21B3A6546EF8EA14E9C5E5550F17C290	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\AuthorizedLUAApp = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\InstanceType = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\AdvertiseFlags = "388"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\PackageCode = "793E8A3EDC915D546911442ABED08716"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\SourceList\PackageName = "[email protected]"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\InstanceType = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\Language = "1033"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\Assignment = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_PC Defender v2.zip\\"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Assignment = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\Assignment = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AuthorizedLUAApp = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media\1 = ";"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AuthorizedLUAApp = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__\ProductName = "PC Defender"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\DeploymentFlags = "3"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Media	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\InstanceType = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\PackageName = "[email protected]"	reg.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Koteyka2.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PC Defender v2.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PC Defender v2 (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 935811.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Multiple_ROBLOX.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2560	msedge.exe
2560	msedge.exe
4084	msedge.exe
4084	msedge.exe
3252	msedge.exe
3252	msedge.exe
5100	identity_helper.exe
5100	identity_helper.exe
3000	msedge.exe
3000	msedge.exe
1360	msedge.exe
1360	msedge.exe
1880	msedge.exe
1880	msedge.exe
1192	msedge.exe
1192	msedge.exe
4456	msedge.exe
4456	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
1584	msiexec.exe
1584	msiexec.exe
1584	msiexec.exe
1584	msiexec.exe
1584	msiexec.exe
1584	msiexec.exe
1584	msiexec.exe
1584	msiexec.exe
1584	msiexec.exe
1584	msiexec.exe
1584	msiexec.exe
1584	msiexec.exe
1584	msiexec.exe
1584	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3504	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3504	msiexec.exe
Token: SeSecurityPrivilege	1584	msiexec.exe
Token: SeCreateTokenPrivilege	3504	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3504	msiexec.exe
Token: SeLockMemoryPrivilege	3504	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3504	msiexec.exe
Token: SeMachineAccountPrivilege	3504	msiexec.exe
Token: SeTcbPrivilege	3504	msiexec.exe
Token: SeSecurityPrivilege	3504	msiexec.exe
Token: SeTakeOwnershipPrivilege	3504	msiexec.exe
Token: SeLoadDriverPrivilege	3504	msiexec.exe
Token: SeSystemProfilePrivilege	3504	msiexec.exe
Token: SeSystemtimePrivilege	3504	msiexec.exe
Token: SeProfSingleProcessPrivilege	3504	msiexec.exe
Token: SeIncBasePriorityPrivilege	3504	msiexec.exe
Token: SeCreatePagefilePrivilege	3504	msiexec.exe
Token: SeCreatePermanentPrivilege	3504	msiexec.exe
Token: SeBackupPrivilege	3504	msiexec.exe
Token: SeRestorePrivilege	3504	msiexec.exe
Token: SeShutdownPrivilege	3504	msiexec.exe
Token: SeDebugPrivilege	3504	msiexec.exe
Token: SeAuditPrivilege	3504	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3504	msiexec.exe
Token: SeChangeNotifyPrivilege	3504	msiexec.exe
Token: SeRemoteShutdownPrivilege	3504	msiexec.exe
Token: SeUndockPrivilege	3504	msiexec.exe
Token: SeSyncAgentPrivilege	3504	msiexec.exe
Token: SeEnableDelegationPrivilege	3504	msiexec.exe
Token: SeManageVolumePrivilege	3504	msiexec.exe
Token: SeImpersonatePrivilege	3504	msiexec.exe
Token: SeCreateGlobalPrivilege	3504	msiexec.exe
Token: SeBackupPrivilege	1720	vssvc.exe
Token: SeRestorePrivilege	1720	vssvc.exe
Token: SeAuditPrivilege	1720	vssvc.exe
Token: SeBackupPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
2396	[email protected]
2396	[email protected]
2396	[email protected]
2396	[email protected]
2396	[email protected]

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1556	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 4616	4084	msedge.exe	78
PID 4084 wrote to memory of 4616	4084	msedge.exe	78
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 3708	4084	msedge.exe	79
PID 4084 wrote to memory of 2560	4084	msedge.exe	80
PID 4084 wrote to memory of 2560	4084	msedge.exe	80
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81
PID 4084 wrote to memory of 400	4084	msedge.exe	81

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://wearedevs.net/exploits
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd657e3cb8,0x7ffd657e3cc8,0x7ffd657e3cd8
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7656 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:1
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8120 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3700 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7792 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:4124
- C:\Users\Admin\Downloads\Multiple_ROBLOX.exe
  "C:\Users\Admin\Downloads\Multiple_ROBLOX.exe"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1236 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8120 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7652 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2960 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,67340995514998341,15425694066286252803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
  2⤵
  PID:2292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\Temp1_Koteyka2.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Koteyka2.zip\[email protected]"
1⤵
- Suspicious use of SendNotifyMessage
PID:2396

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:4516

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_PC Defender v2.zip\[email protected]"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3732
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D60F998EF8C2FDDFB97A9D6517132835 E Global\MSI0000
  2⤵
  - Modifies WinLogon for persistence
  - Modifies data under HKEY_USERS
  PID:4116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
    3⤵
    - Modifies registry class
    PID:5020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
    3⤵
    - Modifies registry class
    PID:1852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
    3⤵
    - Modifies registry class
    PID:4228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 /f
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /C "DEL /F /Q C:\Windows\Prefetch\pcdef*"
    3⤵
    PID:4268
- - C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
    "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:2560
  - - C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
      "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0" 1
      4⤵
      Executes dropped EXE
      PID:1068
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6F1AD3360E8111577929DFAC2FA9EC50 E Global\MSI0000
  2⤵
  - Modifies WinLogon for persistence
  - Modifies data under HKEY_USERS
  PID:4772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
    3⤵
    - Modifies registry class
    PID:2556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
    3⤵
    - Modifies registry class
    PID:2112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
    3⤵
    - Modifies registry class
    PID:4940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 /f
    3⤵
    - Modifies registry class
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__ /s /f
    3⤵
    - Modifies registry class
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__ /s /f
    3⤵
    - Modifies registry class
    PID:704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290__ /s /f
    3⤵
    - Modifies registry class
    PID:2264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /f
    3⤵
    - Modifies registry class
    PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /C "DEL /F /Q C:\Windows\Prefetch\pcdef*"
    3⤵
    PID:4896
- - C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
    "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:764
  - - C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
      "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0" 1
      4⤵
      Executes dropped EXE
      PID:1040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_PC Defender v2.zip\[email protected]"
1⤵
- Enumerates connected drives
PID:3832

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d0855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a5aa7.rbs

Filesize
14KB

MD5
8d607a1fa356f3d61a97152931d6652f

SHA1
58146a60d38bdcaec8f3498db112f63f02df01c7

SHA256
ffbfaf43ecd088e471db2401cad32558fa503927b0d389693ee4c4bcccd761b3

SHA512
f776b2b7708d498f24788274149396f19b51dc13b587f28cd5db2bfc3a2bc5c7e34fee4bc1e02af6c58e415f502c401debc752839c8a23c74623c21284737300

Download Submit
C:\Config.Msi\e5a5aac.rbs

Filesize
19KB

MD5
c3458ad4fe2ab70528b136cf7897fa54

SHA1
50c210efe0433875103fd0e8f8b7ce5d3f9c6070

SHA256
0ca0b3b9b0057a37159086ca20c8ebb62abfad030e6d1af73fee7d399b8e3add

SHA512
7826d7b9598c3bbaeeba5f5b35846210f3c31a8f746ca271212d1be61b5bf4a68317da22f75a2012c944444955fb93fec89062712b7d9d33cedcae5db7c76ee3

Download Submit
C:\Config.Msi\e5a5ab2.rbf

Filesize
21KB

MD5
b84df77564555c63c899fce0fcec7edb

SHA1
e63e7560b3c583616102cad58b06433b1a9903b0

SHA256
912ebab4ab2ea830b961df778dd854e555c89e05e25b7c02b3737429115405f9

SHA512
857717981c44a6a5fbb1bd34308e981c448746e0ea2d5bea94516fea20d0186e00a3547ad0b948c10fd9493e3ca00c0899927b0fa51c240697faacbbecca033a

Download Submit
C:\Config.Msi\e5a5ab3.rbf

Filesize
9KB

MD5
ce8ee64c66e92bbb46231b1be06aba22

SHA1
5bb368fbcf57d92d8c83a4487fdde7e713ed3a24

SHA256
d4f066db44f8ec61d8ec183091bead9578022c2385d4f7552b32f1b0c53fd26b

SHA512
aa31399cde6457dfa727f3f21074efb8f1f5b7ff5bfee6e54231082e7e8f5d4b6d4df90d70529aaff3935bb3ab86dc86ac1a0d85429d247fdcff9720f4e2c0ec

Download Submit
C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe

Filesize
1.2MB

MD5
f37c2e31bd57905b90de048c58221dd4

SHA1
95d3972a5c6cf223e70d01e11e04a798eea59f8a

SHA256
352492ae2be4b4fcfe97a76f5318abe2351d9c4d33d6438a8f2fc87ed6601a06

SHA512
8bb6548c9a8ab47e9380ef0d01fd824c84a12469b29f5874de2969359a81d122aa379973608592ccee556b6639bfe85f920346e2f2c104ba5c333c57ce091680

Download Submit
C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe

Filesize
93KB

MD5
d96a5175eecd752ca22f41bad80870c0

SHA1
00f68eee206c2a6b07dd86e1cbf008c082a8032f

SHA256
c3ab412d3ea0232bb891319fe9ac79b1ed0a61d9251a574c9502a6cef0b1f5b5

SHA512
918db6e7728d2890fbd3afd8a9f4da2636d6eabe0cbeaeacb379db9ea779d7ba6133ed4b367725487bf18c10874f5700be5d252d527116ccf879842afadbe13c

Download Submit
C:\Program Files (x86)\Def Group\PC Defender\prockill32.exe

Filesize
71KB

MD5
700b2d86d181087fb3cd4341b84dfc4a

SHA1
0ebe41d1fe0525600cba709c52ad9f863e14a6f1

SHA256
70e6b4cca1250309228a68db665e48bc8f1291e1fcf856d2d1e8f7e4b4cf74e6

SHA512
2ce7c2619a459267b0c1e09eb026fac04d907283b4417917cc12b87badfe03728c1dc97e288256134a5555fd9935f2e9729c351338d828190bde73b4c7236ea9

Download Submit
C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe

Filesize
86KB

MD5
46b816356a5e05f65bfaed216106e7a0

SHA1
e7c55d7b4d2887a93ea55e55ed45ee57f8fbe9fa

SHA256
7eb8eecdf4654171f721a58a44d19ba2a1f35d8bbdabf38bff9f1c3c31fc1d19

SHA512
54cc8b6e56bba14608c95e5c678c00ed363e7e0cff77f9799ed3654022e13c883136b6477e2aa4b753c7ef8331033369168900f61bd36b35384dc72c4e60e3be

Download Submit
C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe

Filesize
43KB

MD5
c05ccc260692e8bfb5b6ba7238dbb943

SHA1
4ad185a7acb1c4ffcb3c03daa77cc77a833ae7e6

SHA256
0d58d2b03e3f6d5f32216e74badae8ad0d7f94cc4f207d06883ba953a1594cba

SHA512
7707d1c3f9085a710527e2d1559c8268ca3a1fb70fca9f1cf391a02cd81002193c6971cefd7b00b371e14adf5ae7b83b63206b88ead13b04a20ad08c7154ac22

Download Submit
C:\Program Files (x86)\Def Group\PC Defender\uninstall.bat

Filesize
60B

MD5
cd01898e046826db2a1f1248b3d47558

SHA1
58f26f9ae8fe09c0d96bd898886b238ee94077be

SHA256
66272ab5f27b5052a7f8c344bb6d352fa3367220513c98139db7a99a52154efa

SHA512
3feb2a242d5752aa79a825a44fe77bfc79f5a56f4fb3a12e60402c9c87bc42042e515f73fb9034633d8e152ad3458a03891b6ed6d13cb6f7942d8741dd215081

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Defender\PC Defender.lnk

Filesize
2KB

MD5
1aee21d4a8277c9328216ebc5b1486bd

SHA1
edcd24318f0f216ace112ed068625d7e7b3d0330

SHA256
8ae2cd54df5ff9869f71fd1bf43a451077d1d97b1033311a6ac897faf91ec1d6

SHA512
efac88e9cc88dd20e27afd20d410fc8aade4a420f7be5f02c301a3980139ee9165a7078e41f2846e14b00780bfd50b088fbaf180c0e280910981d7f135fd92d7

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Defender\Uninstall.lnk

Filesize
2KB

MD5
c2e899733d62bb2b1158991c53ca82ce

SHA1
3041f24b9030eba48a21b0488c5805ef5dc0cef3

SHA256
aeadc3f1361051633a8a05eae87209b249c12d4db15ed57617e2a0a0c2046379

SHA512
eac1595b838e9dc26f40d02733e6e8be8517fbc35548afd86ebc67111670461a8a39dd68409a8f3e008ed49ef56051ce6e01931d5c5934c55ca4e4ebc3ae67e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b1e59e67b947d63336fe9c8a1a5cebc

SHA1
5dc7146555c05d8eb1c9680b1b5c98537dd19b91

SHA256
7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

SHA512
2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e10a8550dceecf34b33a98b85d5fa0b

SHA1
357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

SHA256
5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

SHA512
fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
50KB

MD5
69a9df00aa5af4cf5551e964fc0913e7

SHA1
ce385a903e267508c2dd14a720c492165e46c55c

SHA256
e55d80629f74ae077700054523dcab9efdd5923762ccac717a29be0893c6904e

SHA512
5e74cb8bf7a9b22449eaab822153f3cc001cc1c3db25373d88b7883079c7a091c875fe08eeea4eb93a5c49395317c94a789dec9479a07facda9bfa7b782692b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
138KB

MD5
552f49de74c701c76d30fe0d57592d4f

SHA1
6fd290520585cc5fdf1e30592ea2a348518fd186

SHA256
fbee4ab2d02d4b47a7f48339371fae5354a4974d2e14d9fd1d5cb56bf92482ca

SHA512
ab846e8d3ccbd39d99d65f8048ee5eafe16a99cdfc4e53b2f1dd37d3cc5f8e73ff2c0ed207c424f22126c259c4614bd4fb0c9e3dd9d578f24982562fe3f2b17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
96KB

MD5
7118fe2ac39875bfe950312f9e4e5df8

SHA1
e0c10326dda29e78690271cc5a8679e749002013

SHA256
7607398d2e13258edc9119815079409664328cb593d2a11efe548349d057aefe

SHA512
87f7c25b2dba38d0ddd551b742ef7ab967725e70d8f7c5315d41856382d3e5d4b0b1c8df01eafab57a81e763fa0209ae316a41796e0cd6f803afe9ca4cf6333b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
53KB

MD5
dfe7434c30b63448655962bde5ee7787

SHA1
15d777410b2d813bb9830b45213b75250357fe3b

SHA256
dbdc10161bfe84ad932f809123cb7e09d5dc571f9e19e6934cf98e259ea68aa1

SHA512
7aa6302ce414fa18bd3ed31d279d428e95deb025141c368469df05f23294c6abf47d4bf2881d675c0068109a94156dcd5efcd28018b3a52500fe776de0fff2dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
31KB

MD5
e8ed8d31648b6a7740e49bce0ed65698

SHA1
ce8550b8a0a6482a98f19990463788acf0f3c842

SHA256
822b9b1d070d7ee93cbf8c686ff25f0692c4be3d437364311dfc98e6efabf8a2

SHA512
d0a34412bfd82445a1d0b7a89d3c55989bc70a1d2ffa86e738eed7f26971a8adf1b19b0418847e317c5dbbfcc3bf84f12482eca8c531f326bda09390c4e90018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
56KB

MD5
b8f4faf32f9247ec5e5ca17bdc53f906

SHA1
f095a30ef3219f09abc7a746f22e7baf2ffc06c0

SHA256
6093d2acdc57537b3fac484dcf98dfd1cba6c2234bc7c98cb614f5ca204317f7

SHA512
e1b0064e411817ff5ec519758c0d501a321ba481168b68e336c647489a5df59d4aca37648a6bc97dec6ce7cf8a4d27a602b6e1bdfb8085fc6692ee41d516a274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
19KB

MD5
022774085962b4896bad822446d32c27

SHA1
1018c5cedb30167e52bff642d153934cfb7ec5aa

SHA256
d514e64cfcc59bef32d6a8fcb92658a94c268588ee6a87957d6030028ab7ee42

SHA512
3e296d19439de90a512642b72fb00e053f4bd6b3eba2da469bd1b4d41789664f1d5710c4f2cd4d8b9de79f03c31eeae3decdf1d066304b87df1c3b2c1d5deef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
19KB

MD5
19bc108465e0efbde12fee516586bbbe

SHA1
b9a8da0b083d325eeffc08e3c0bb82ada15359cb

SHA256
1bf3beabb0d06117b7cd17d84dd1af3d5da041d87ffe90ff1982207278344b47

SHA512
4b8d26a6f564a88a9e4dd873759ffd2414bb83e24f7da7a5a5cfb10dc25cf1a827d9aa8d02adaf8d37de47006323e7c6c03a70fbc6ad98d9fd6f0923f6ffe251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

Filesize
49KB

MD5
1538b116ac1d82b34723c14506c116da

SHA1
915f43aa05de689aa64f33b842d1b5df7c62d7bf

SHA256
05337bfc960a7786bb8af2c8a19d203c099ca83fea11c1056612ef7d37d89b3d

SHA512
afcc85d5e84e87433f21acb5c6efb7851389ca65f208a1d86914846b0a90bfc14992218fa3b77c3235021ffd6fc2f184a0b730be8c47a3336191996210179f6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
24KB

MD5
dc0ad025509c966716f971b6e0d36ee9

SHA1
64c5b5b0bc022961bcff062467df6cde579a7d5a

SHA256
ff30c58cbd4693a19a964c528b653c80ce1968b7db93a92a5ee9f3788efe4103

SHA512
3580ddfded853f05ce10d96292ae23ac2593079cb2bcedd1e5081d99e8aa54c7ec985cbbf29e5961425192a00ef639cc3969e5bc1f6450bcbbf855e3f161ea83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b

Filesize
44KB

MD5
39ceaf4aec6adbc7ec30a99e8f256ced

SHA1
65a6b5cdf7a63cf9e4da6c83dcd09c5f3bc767f4

SHA256
49f0c650e3f74c4803a2d9f390fd5ab19e082a99bfe7a64c30be767fcd9b77e9

SHA512
945b61af2ae0aee54da5db49de4f56c68436037936e7513347521ab207a94e98c9427f772d0da2cc85ed578194affec689c8f84516e6c303c334e091d46bcb72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

Filesize
22KB

MD5
3c5e701c6e24e90c51d996acad2b8581

SHA1
c5a0aecc80c3ab4894816792ea426217c1719ccf

SHA256
e7a95257d581a17eb6ea2a3576a89cc10183dbbe2810e4d0cad40d1d2164ccc5

SHA512
e7be50489b13908195d78392e18b4fad8096ccfdde1bbc4b282e0232f37406eb3fb41922827a963f86d924274e1f086133f15712a51cd23b8c5d3fc556537cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

Filesize
20KB

MD5
8b2813296f6e3577e9ac2eb518ac437e

SHA1
6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86

SHA256
befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d

SHA512
a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004e

Filesize
65KB

MD5
c45d499f302fd479afbc097ee8bac78f

SHA1
5fbf55bee1ed1bfc4a7ab88238b302414257dc7d

SHA256
f7202006a5aaf0d89a4bc1a58ae0af8861c4540b7898f2771ed3cb4094273337

SHA512
b04648c10a905f3ec6cad883f893a6c30e8c63d46562449e43a52f57b49042106ff728ed37f0388258a9750a11436be1a16dd0f3b666c3d59fc0c306c939060d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

Filesize
19KB

MD5
68628ceb90da59674fcb837277749b28

SHA1
b5564ba800acaa03dfceb0f4a23c088dc1cb508a

SHA256
077f88f8fbe31024d74e53d7e46e26f60ab6de38affbdb3152672977609ad1f9

SHA512
c12a9f70ffe39e03d99f42bac8ab857017cb50dd256fc1ec9634a899d2b33b9909a57a64be5031d1e9e3dac94ff3fa809fe9971418186f138e707765d0ecc3a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

Filesize
59KB

MD5
063fe934b18300c766e7279114db4b67

SHA1
d7e71855cf6e8d1e7fbaa763223857f50cd1d4bd

SHA256
8745914e0214bcd9d2e6a841f0679a81084ef3fc3d99125876bee26653f4253e

SHA512
9d0dfc21306b3a56c2ecdf1265392271969e3765e161e117c8765125b34793e24458217cf6514b364f351f47e65baaaf5856be0d13406a789f844d6ba8c7075f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000051

Filesize
21KB

MD5
445346eb3721644cea13192731a75e46

SHA1
9e121dd238ebff74388898d3b3698f35f77f70ae

SHA256
8ae4ebb19179543dd7f60b0818ea4f00b2c75f888e1cf3e35efeab5ce4e66490

SHA512
5ce7fb98910069539447c6f4e8fdf776770fa43f0b6fab6aea3b92876907eed0c6e2c363fe5dda16738bf9051587c87cc10180b6832d8435e0ee9e55cc657b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000052

Filesize
20KB

MD5
42c6e70ed442343d2b822cb0fe315a95

SHA1
1f384ee1523e58137d9ef4695c66ab259d0af2e2

SHA256
304a78016ae47ccd02451106836b9daca63201cb82a02157dfae99431ea8b9d7

SHA512
da1942f808f40c9cb943b5863b7d3af01c43ad4f7ad1bb1389969b1deda5116e4012d0fc6937bff8284645d33f4578a309e9899bdd80a47dca65547cde6fbefd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000053

Filesize
151KB

MD5
e0595142a80771d317d27440fd29b8e6

SHA1
db3710d0d8d60dcb64430c342c6fd921d6792fcd

SHA256
3ba245011d9a8ade367074a3774a786f50ca51d71a83956dbb0ad2647a14d7ed

SHA512
6d298295955fce4166720ee7cc42bf4562ff311b6820025a7ea710a19dd8553d8677fe194876db5e2e6440d9d21aeb603a6b3fcd73f656405428d4ec00dba288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000056

Filesize
90KB

MD5
85269e23672c13bfc7e4f9a9aec5590f

SHA1
e7dd8ee4e3f93b3da5315c705f56571272ebfa8e

SHA256
fc58ff5e46e5a37d46fd63be5eb1d4e5fa8b39c839bd53bc7b4c0d90a8fbb078

SHA512
0e10b0ec2eda679042fb8a451ab1a268ff41a1a036e55759337d998493b9b53a61da043450fcb33b27a9789648d3c04d3bd7095b4e100423d244a8371de63cbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
a546ab464204298deb117eed418e0914

SHA1
59cfb0b8b938f7237a504cca4103c2d236e4a588

SHA256
febfc2a5003d38eee69d814bb7e45a031a5d0e8f9f5ff7c543246299d1944c8e

SHA512
ff1fd3016ae118c86719aaa570556c247f48a17fc387d205c145fd9a478c4971b64a377e7198d3b46fb35a0ae2ae789162adc4f8718670d1b6a14849b7ddd304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
fcc3b535848ebd48d2062e548d715449

SHA1
14584be81acf4805dead1243a9b2eded64f37b67

SHA256
46037a1671cae8af1fda997046fbf4e94261e31a6ca2da0986a24b47728ae9e8

SHA512
9a4c2643f15ac8af8e8f036023dbc74dded898300aeff0929ba1fb980e1a062eaba03744cd4dc53d17400eda84885fe1d4feee2fd648ddb3b9f6cc55ef78221c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
bdeda2c526c4e50fc4a190f7477e1e48

SHA1
325def05d8eeb0374b3b966e14074fb149d46f02

SHA256
e47515e41d0f2fef4b410af7af1e0271af971b9b793184bab5e28152f173188e

SHA512
2f69d7984fb70c3e35e70341735af23fbaf594107f343a606b8cc18eda8ef23e087eab9378bfe1895bb4e1552e2fdf0531d1fbaeaa86de9fd98c11c246d4a0f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
4cc7f2c28dde12a8da8f481874937ad1

SHA1
acc468ead27e4d8e2d542b36cfc612ebfdd53f3c

SHA256
ac208796564c9df5a8b977934f23e02ff24277654d7895f1fcaf8ae60ac0ddc5

SHA512
520d04fc20a699ae5ea80d055460a94d9a5d5477ea763fb2dbee7502556b5dc587532bc78cb33cc7f4c1da4702870339b802909dcf2c4ef4d9be56fddeac7e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6955f110fe6b21d92fc750f0972d722e

SHA1
e81e109adeb4e8a4c02fb3394452f797ae4a2efc

SHA256
f5c7a3b0c548562a6bddc804171b9419d9bc04bacbd04ca5e8ac50d0099183a6

SHA512
6f772640d2c2306d25d3e5460f85e67ff7037cd0483ba53a9d61ea1cbe4665f5af2958b1ab97ddb877e71d78b1e09e560a1ca550a285c10f1551ea35d698cd08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
335bfb9c4ffce72a2d3e5a7386acc2eb

SHA1
1053473513b50ce7ca7f84dd77433106db13a6ec

SHA256
3428ce86f7a14ceb8f5201974530d648f1c1c6b8f6c86d0832d1e10fcfe37cca

SHA512
17d7b0652bc003696a7229a43c7c5b7109382226f9b2f602ae33b1383bc0238de6f5a9caf83493f1a3d9a215dff8136dc9b5713a91358a9cbeb1e163814c2910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3c4d0390c514a6dc646b525af96e5b3c

SHA1
243390b51b10137040408bb720f4e08404c3e250

SHA256
bd977b6a266a41f5a3e0add7380443c6c6f694927e86964bcf9ad6b242d690c0

SHA512
6bbbaf670f210430e7cec7842212cd51ddf00ea709df9ef2984cf3736d3e23e07aa9387971bfba0a86aebb082b877081457656c658e51e9598de0354943def5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
36f6e454add6f91db065e33a1e6154fb

SHA1
a9247de95e3bb9dd347150fad85c5de475edadad

SHA256
9f03422d4704e37afbdc282660bd19f225f30d8498657be6af404d283d0e703f

SHA512
094f7e82dcb4173d9ed62bb8608f3ad05a5759f7ad200f1819913ca89dd0925f39547398f94c15ad9533cf21b51a3dbb917f4e41ffa7a745313cfe3b7c2d9cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
79dac89545817bccc03c23d231795e4c

SHA1
6d710e3a133a92bde59db0206f26461cf6739312

SHA256
e590eab8b72a1eb5b8181d6b3141482e910f560c60d2ff597cea055de39bb715

SHA512
8d5b8b6631ddef35aceb058c21bfd8756c14a4a8eef1cc80012cf1fe43cc8d44b2ba9c576137a9ee9ccb058a9cfd9caf4481be9164d796675b593500faf0a323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
17423cd0ea487001c77a5ce5f707c2ac

SHA1
371ecafaab697c9cdb940732f39bb9672634636c

SHA256
e5a9b85aa52fb7b4865fa27a8d0866e122318fbd23aa7d817c3f953d5218f6d8

SHA512
61079e487087a4cffda4ef7954ed16b5daac2c279b509dff7787d3c3c6683db4d2c6b9162babb3f40e63b50f2f79fa37853ec11f63b0b31e9156ab2deddda9fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
3b7e6c1768d0c481faa06e6b8e9389b4

SHA1
a71e8a8ab9d206e1856f92da8a6156a5973b727f

SHA256
a7ae5466f058e85aa34821cb59257fe3cf6ee6b39e28cae8fd3caefc90868855

SHA512
e78417af76ed14a157320297a88b3fd583ab68040919a6a4fa745b030bab5e62c4744a7276c2cd0634bebf220e545c8584cac31cd524df2a28ad89ae08cd71c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
ae66926384b0eb26fbd685c5dda0f4c7

SHA1
3a3ad3e1548b985955533d109664512d56d38ed3

SHA256
1cb0a5c23bf597eb9cbd81dd70de2dc3e053dec28ef69a76465a0df2b1f7e9f0

SHA512
1e1d28031347f8499180a948886da291faf2cb7272d8c9d8a662963b5211a8643ec46d6eb3d908b12b29c85c9c286a7b39caf78a2a24533240ea3d4440d06493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5e2a5871c44cc4bfa52bfc23949544c7

SHA1
10370b3842999356cef347b53db6fec66adb970f

SHA256
fca6285090e1916d21c8830f5e5e5e82933e6498d2358b1db1fdb864cdbbb669

SHA512
690541d78b43aebaaafba81b2436aa27fe45cc3df65e39cf6ff2ad674bce216311cd96015bc6473c889cbd8de4f8831804bd4b7e848b150b2da86fe59745bd3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c7f3.TMP

Filesize
48B

MD5
2e6fdf653720ffa02aa772618fb2b664

SHA1
e96137d63d879b012c9d55d1668c3ef3bde2e424

SHA256
132d7c3270f434f6bfcf858ac832d36679799e7e1d57d459dd4e48a6a2373daa

SHA512
f7f3c303c7e0fde38e686334a686130a797d130d8ebf039ac4db41467583b8fa5a639e9654591a3e192d02ab231628c1cec61659544482b1b37991e8bb44f4ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
271d99a5036aa6c49ffca9afde4e588f

SHA1
608e19f0b50284f0ffd367adbed6ea8236a1d8a1

SHA256
087d4704f577eb62c1fb44762b96c78b568cf28d9451f48bc47ab6ac6755d29f

SHA512
09d75942ca89c3f3e8e5bbf7559534eb80e0d09b13450b4bcb7fe56d919a4ba3bccb51e6bb424bf04f3dd112f0740785ba79468b0445fe89471aafed0046be24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
24bfdba20daa69be77a2cb71a0274d07

SHA1
8a16f88db00d23351e744e804260f85bf6ddd885

SHA256
43729bcd94fe928b46db8241cd7c37fb7dd0e775a9c74a25c8fa6fa2defde5b2

SHA512
a222ca72219f8873173b19a483ccae3a5a5bd1763ddad5d0b16b9cf1f8cd3ff8204ffca2a148645426ba4c6d6f11c9d5efdb7c25df47d13a01c15f7463ff8fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
2f744811e64a79b27ccb9e9dcce7d5dd

SHA1
c45285ccc80aa3171ba0ac1720676e8cd8666909

SHA256
185813daaf454026e48f9c6b9cf8465cf2613dac05e7d269e5cf9b254427ce11

SHA512
623b391bd8e12da1a99d49c8b38ac67411deda08476fee4504f559475e4dfe4ba82ca09d599f7ddfc585daa8cdad0aba00005e3e78ee9fd824018aafc83a6297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9bd874fecf7fda31d3dba511f571cd71

SHA1
1f07aa9962ff2f52d0429af7ef47147579e9f927

SHA256
cd3b617aaf365656f346b4895d2cc2b5ec36ec82722da96e287cfe282e10d25d

SHA512
1740ccc4efc32c9b7d13021141da83e480552ef3a61daa79fd900bcd4e91f7619cd36a923430bcdffa6b734d5291638c87b0c96cfe932bbc1b62ceacfee58bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
eae28bd6f0dc431710baf973c3080895

SHA1
d9b33d69520c343006069864da7d5c70fe00d295

SHA256
7471add052483c19bae653aa4bc7931641ff3ea47c48055f177729a67e351545

SHA512
30608ecf8ea4cc076845c60873c9b483bc435ae6380c8e84c0e0f005139fa112a43f015b761678276413f329d0153331057a032c379895c22cd6753d6edeec41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e53ae05582a26a75688173026958cee8

SHA1
8e077c6f75bacca90ea659c39b81de8742ceeb76

SHA256
e653c34be3fe0fa516496869985352b54520d3579dd1c6fbd89e86ffaaa9c38b

SHA512
04f4b0e48c89b16af6d5cdcbc55d2f2a6d0e54558900a8e07db2653cca02a8afbc12206bd24236b90824815a8a69047d228a3d94450c208d100b087a1b4e4609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
24094652ba5d15f291eddc2693247091

SHA1
7079a9a4118fa8fec3c3334abf61dd7360cd1280

SHA256
5e20b2fbfc24c818cdfddcc77504f56f8cd87669bf5637e6f68dac7443664804

SHA512
c59a0516e7d4c79d9155ccc9c1803d9eccdbea42b1468b1d5900d41ae050bd2ffb4299cc2633a7bb03a6e170c803bf6dfc3f7911e7a4652b50cb8684930ed3c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
834996c4a8bdc2ebf270608d41674452

SHA1
fed52baccc6abe930b8d5eea78387e63205d2469

SHA256
3b244d3d3a5796aadb1d9be26b3dc6262f31f541e96342402f8c97b8ad51c4cf

SHA512
8addcb02224e743413db0b78a697b026af4d58bc828d57a5c6be0ee1a395b716a376a7ec985167be34b2291a460275c56c4aaaa030baed6385e211ab45222771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dc08.TMP

Filesize
1KB

MD5
6b02234cae85781fd5c982f7d7651099

SHA1
0ba753519d7e935b530315a3beb70a9a8c27f230

SHA256
1c6d740dd9e798b93fed33f84dadf7dc7bb60809fc153e68e3d5f5dcc819b30a

SHA512
c12abad5994c501aedf662ddc6603492aa650b4b8d35a5ac9462230ca1b28900afc3f5cfdf43cb6d70d856392fff92aae01beda3f52d4e944a640e97a07ecb58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
34d9ce815ba9b29a068854449643fcb9

SHA1
73fbda518860c3388df6f0796e7a178b90500518

SHA256
08e698a17577cc8ebec4ed08f138631d76ca9c118cf2626f714a51eba2a6a9c1

SHA512
5f93bce4dec53c8393d8dea71469692b3f43de95c71cc89243b317b7225a7dd36540ec18399847d13d2817e68abb07340bce24c9476db98dfeed46a6924bcd56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2b9ce18fb766e7afb26ed125bc16a7ca

SHA1
73194555252cc00cd692545657e6d51abb859f83

SHA256
75e57903d853d7159166a6e6790d7e44d40a45d861f4ecc86219111823da1c57

SHA512
a36f95a10e0920fe0dfe0eeb1ff6a7e43549e582eec80142e02fe9f54f797240001a2fbec7b13563627b70c2361b8b69effa8e85bb85726a8faca56840d3cf6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
fdcbf347d82a5a71454162f57bd33a58

SHA1
222122e89ee74cf7bfd08e4ee32b77c7d170679a

SHA256
212899cc2f19f111d615d04e7ab2ea13f41b92e3df6aa242d9d41024d15f11bb

SHA512
593b296ca0d32207c4fdd8500beb54739a93405730c3b574adff05001791e0c539cfee5fca57a00f3c6f82c17d49f191a4fb696ef14856295f4331ec47240ed3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
74222ee6d73f9fcf717772be118a75db

SHA1
4c92ad81be3bd5532f84be94c2f868a803135ae5

SHA256
fde90c29722322f955899f17806f0d9fc298b5033938e7e2a3b08d14896c82ff

SHA512
4717c43d37a98a97c148ea22135ddce4e004d7e067aca6637e9c4541f1db26a0761ad5e2b32c8fdd7f0a25c6a17d2f72f88e0152411116324b3f8d68d2c92c2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
5c8e59dc7c4780ea9144fb87e83f9176

SHA1
a686507225cf257f7aa515691c5e31ecd53d5c56

SHA256
216c61e3b607e8c84f33a34897c106b25a6083219f05bd5348bc03e7d3bb32a8

SHA512
a4ed49dcfee128dd965f6f1ed6aaafcfce56ca8be62961ba63924680937b5a9f0e59d5e518b2045070f2c9fed2fae55c569925ff4a7762ffcdff30d2b2f591d7

Download Submit
C:\Users\Admin\Downloads\Koteyka2.zip

Filesize
721KB

MD5
0b6957df7b5112415195636db7c6b69f

SHA1
1d539b1533b5e5f56723a1e3f256325f095e3ab3

SHA256
b5d89cd72f3ded5ee31a61775738c3881eb8984f37a265056055755847817785

SHA512
aa6378c8a76df76a8a0bfa90fc5bc7b3d00762af720f85016119b11cca9882c4c9e7eb2e9af2210fc8129c18e16b34ba65b8e0718b17d928dbcbec698ad6434e

Download Submit
C:\Users\Admin\Downloads\Koteyka2.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Multiple_ROBLOX.exe:Zone.Identifier

Filesize
129B

MD5
57b9407d73b18eb811cf062c708c8724

SHA1
01d65c79ad3c8bcdb570c7a0f446c1ec2680474e

SHA256
8ff5a6e338a43af5025c205156244c36de34f2e60ab8d7d9c85d9d8d2b790e9c

SHA512
b950471ab43fe00f28f1050a737407f15772959960ead18ab50550bbd2ce4cd40028053b6a6952ac850bf000a398d4ad78966889a65561e967372154523e78b2

Download Submit
C:\Users\Admin\Downloads\PC Defender v2.zip

Filesize
789KB

MD5
cad618323b07c0f4f6273ae08df1779e

SHA1
e67715f81f83ce7cda32f12a116cc950b6fd0dac

SHA256
854113f2737ee276ba34fac399e8a615e4de4c712dd7a761ab0e198fa09d87fc

SHA512
efd9403706accfe996b5df58300b5e0a0b461727bdf7c5492e9914369fef09ae06cdc2d00d30ac6d494fc68dadcf423d800741f7c22d5c1d565ef3fc675c4565

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 935811.crdownload

Filesize
764KB

MD5
aed655395747a6602479f6032d3c099f

SHA1
5fcbd5735ed0e4a013667652f4c1382abb45203a

SHA256
3d6123dc6ffbd1a11d73229988203052809bd17617b24a034c1122c8f4983db4

SHA512
1a3db9e195e9e504a0a6c24557f1e141f90a73a89a853b8ad3ab2248d8e3fd97ba1ae78b93ad33005590ef0a44c5237e608b66a9c9fffde39e4730c226d91637

Download Submit
C:\Windows\Installer\e5a5aa4.msi

Filesize
860KB

MD5
b3dce5c3f95a18fd076fad0f73bb9e39

SHA1
e80cc285a77302ee221f47e4e94823d4b2eba368

SHA256
df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff

SHA512
c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
24dbadefe7571d0bc31483547b21ea56

SHA1
b832606d1b21ed41738adc109ad2f4093103f1e3

SHA256
669d506ed2857482c458f5e06d7b9a40e80ff0e4097a166fd8d472af818521ed

SHA512
ebf87407ff620030b845460cc3f609ccccbcc7ee55b0f0602eca0f2fdb61ef7f265285fe26b0b94dc3e149b0e73b54706957b919b3e610c8572c4451ff1077c9

Download Submit
\??\Volume{5b6aa2a0-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2d2d9d9e-b52c-4d00-8348-53f1caa076cc}_OnDiskSnapshotProp

Filesize
6KB

MD5
1e4ac9183f47eeda0b10d5e624bbb491

SHA1
30512238656baf40e1ea0a1f84d63cb343c881ef

SHA256
e2161aaa1fbee1ac40217c98c2f7d3c63ca1c630faf522c7f0f239cf2df22df9

SHA512
f790f2d72fa5803d07df365fbac750260012c7f985aed39bed3366640b7dc3ccf67e4d210d69657c2c02d6b7519a928db0e3c985f8bea0bae244ce577a0afbf3

Download Submit
memory/1068-1842-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download
memory/2396-1616-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2396-1618-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1645-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1617-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1615-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1614-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1613-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1612-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1660-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1661-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1662-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1663-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1667-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1668-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1611-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2396-1610-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1609-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2396-1843-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2796-804-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/2796-800-0x00000000009D0000-0x0000000000A94000-memory.dmp

Filesize
784KB

Download
memory/2796-801-0x0000000074820000-0x0000000074FD1000-memory.dmp

Filesize
7.7MB

Download
memory/2796-802-0x0000000005A10000-0x0000000005FB6000-memory.dmp

Filesize
5.6MB

Download
memory/2796-803-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/2796-805-0x00000000056E0000-0x00000000056EA000-memory.dmp

Filesize
40KB

Download
memory/2796-1844-0x0000000074820000-0x0000000074FD1000-memory.dmp

Filesize
7.7MB

Download
memory/2796-1271-0x0000000074820000-0x0000000074FD1000-memory.dmp

Filesize
7.7MB

Download
memory/2796-1277-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads