hxxps://drive[.]google[.]com/uc?export=download&id=1hAlWcWkWBZaxy4pRJxAO8ygp5uzoKH1F

Analysis

max time kernel
329s
max time network
330s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?export=download&id=1hAlWcWkWBZaxy4pRJxAO8ygp5uzoKH1F

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4168	##3848.exe
1988	##3848.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4544-1610-0x0000000013140000-0x00000000146DE000-memory.dmp	upx
behavioral1/memory/4544-1611-0x0000000013140000-0x00000000146DE000-memory.dmp	upx
behavioral1/memory/4544-1613-0x0000000013140000-0x00000000146DE000-memory.dmp	upx
behavioral1/memory/4544-1612-0x0000000013140000-0x00000000146DE000-memory.dmp	upx
behavioral1/memory/4544-1614-0x0000000013140000-0x00000000146DE000-memory.dmp	upx
behavioral1/memory/6016-1621-0x0000000013140000-0x00000000146DE000-memory.dmp	upx
behavioral1/memory/6016-1622-0x0000000013140000-0x00000000146DE000-memory.dmp	upx
behavioral1/memory/4544-1626-0x0000000013140000-0x00000000146DE000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	drive.google.com
13	drive.google.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3564	msedge.exe
3564	msedge.exe
3892	msedge.exe
3892	msedge.exe
1396	identity_helper.exe
1396	identity_helper.exe
4880	msedge.exe
4880	msedge.exe
5492	msedge.exe
5492	msedge.exe
4932	msedge.exe
4932	msedge.exe
5156	msedge.exe
5156	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
5184	msedge.exe
5184	msedge.exe
5652	msedge.exe
5652	msedge.exe
4396	msedge.exe
4396	msedge.exe
3312	msedge.exe
3312	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5564	OpenWith.exe
3312	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs

pid	Process
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5564	OpenWith.exe
5772	AcroRd32.exe
5772	AcroRd32.exe
5772	AcroRd32.exe
5772	AcroRd32.exe
5156	msedge.exe
5184	msedge.exe
4396	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 4472	3892	msedge.exe	89
PID 3892 wrote to memory of 4472	3892	msedge.exe	89
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3884	3892	msedge.exe	90
PID 3892 wrote to memory of 3564	3892	msedge.exe	91
PID 3892 wrote to memory of 3564	3892	msedge.exe	91
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92
PID 3892 wrote to memory of 3920	3892	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?export=download&id=1hAlWcWkWBZaxy4pRJxAO8ygp5uzoKH1F
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd10f946f8,0x7ffd10f94708,0x7ffd10f94718
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:592
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1788 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7448 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8248 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8396 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8532 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8580 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8836 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8544 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8856 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8548 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9104 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8560 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9184 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9128 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2100,9558003634923914965,6164890809626619829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9092 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5564
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\VISUALIZAR-DOCUMNT-DIGIT.7z"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5772
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:1368
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=459004AC9082A32FD1FB9ABDC3F942F7 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2388
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4DBF7319C8DA3E58791D7D4FDAF732A5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4DBF7319C8DA3E58791D7D4FDAF732A5 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2656
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BCD0A3213DA44101EE7C5ED5D8667D00 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4212
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=545076137A0A4F001F1A8B40AD375D17 --mojo-platform-channel-handle=2164 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4312
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5E0D00F0B0C4BB93C567A8492E9D6A77 --mojo-platform-channel-handle=2424 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1316

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1088

C:\Users\Admin\Documents\##3848.exe
"C:\Users\Admin\Documents\##3848.exe"
1⤵
- Executes dropped EXE
PID:4168
- C:\windows\SysWOW64\grpconv.exe
  C:\windows\syswow64\grpconv.exe
  2⤵
  PID:4544

C:\Users\Admin\Documents\##3848.exe
"C:\Users\Admin\Documents\##3848.exe"
1⤵
- Executes dropped EXE
PID:1988
- C:\windows\SysWOW64\grpconv.exe
  C:\windows\syswow64\grpconv.exe
  2⤵
  PID:6016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d94406b964753cc5222ab1343f54bb1

SHA1
a5e7de0781fa1fabb3cd89564f2e5693cb4dee16

SHA256
fd9923a217cd8d2c44a63dbfe52ec262e7c80b1f1e50c6e0f21f8379c90e7762

SHA512
1ad2c144e7bbd809f400f8782586d3768fc82bcef39db986f766897c344efec77ab2c0b6d9c5ee2019ef5cf9ad0c46bdd25392cbc9dbf9ea80e800577f0fc598

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
49dde89f025a1cce8848473379f7c28f

SHA1
b405956b33146b2890530e818b6aa74bba3afb88

SHA256
d6d125ba686b825bb22ab967a346051780cab1f55fc68a2f3efdf3fb5598f96b

SHA512
53050344674d8886db66e25f42d97bf46b26229972631f857286c2a303897cda58d85ee8ca768bbfb1fc07e52567315ea85d57e39b5b382916700ec389946506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9c83f35a-965d-4057-9867-75b7a9672d0b.tmp

Filesize
24KB

MD5
7c43199d1e5acf5a31e1cbef990fbc47

SHA1
df7bd524b9b3175325c0aff3469ea7f2211d3061

SHA256
52a6fd2a2fff53c738c77a6385e7e1677f8990781699f78c63d5a4b0fe566d22

SHA512
aae886642b40ffb0676534fd85abe43ab588526b8e952b12a1bcafc73cb05103c76aee4fa32cc18c74af6c59aa1dc84bcda09ebccb7d11adc79fee3bfc93e2d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
69KB

MD5
aac57f6f587f163486628b8860aa3637

SHA1
b1b51e14672caae2361f0e2c54b72d1107cfce54

SHA256
0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486

SHA512
0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
36KB

MD5
373cd53c408180c939165335e627fdb1

SHA1
0e0978e79b93bc3df23d73c042f6b5f8c20ecdc6

SHA256
c884b19162a6f5a0cd8fff61c5ba35729a2bec074dee7f1b514f60a5abd77909

SHA512
906c2ab56861ab8a0fac560c3b508f69275eeacf294bc4afcc20c40fe1a0e8cbc16c7535b17ded0f3f8bbe4a336f2899139411708103a2f6c0d8bfe1be4d2a0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1.1MB

MD5
798e76073abe579251a34ee1dacf9b3e

SHA1
7e9294eec6545c8e1bbdb7849a73820cdca2fbd2

SHA256
8657f6d3867c20699a230df7939c02ca5fe065db2efcfecf5d8d864ca4873666

SHA512
cf5d69395e47fd4da4de0019a77162736c38f88ef0dd803d114388fbfb139a66083f51bbedd8ab205ab5d41f8464a685f4e0f6b5d3a13f7b91cbb211de14c7fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

Filesize
65KB

MD5
d37a0b50e8cbbc3de35d3d1e9e1185cf

SHA1
c898ddfa3f2c551980ab4bef4a463c3fd11021b3

SHA256
deb12434ba06baf14aed67ee8aa28f48ae856f3792797eeeab1ee218754caf04

SHA512
d52983a3cd1343454bb9bfecdcdb76791a93b15fe83a46a62ca668041fff818f94815b6c596c2794972e11df3f4139a86e480578cd5e332bf9325e6e5e1572ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00008e

Filesize
198KB

MD5
319e0c36436ee0bf24476acbcc83565c

SHA1
fb2658d5791fe5b37424119557ab8cee30acdc54

SHA256
f6562ea52e056b979d6f52932ae57b7afb04486b10b0ebde22c5b51f502c69d1

SHA512
ad902b9a010cf99bdedba405cad0387890a9ff90a9c91f6a3220cdceec1b08ecb97a326aef01b28d8d0aacb5f2a16f02f673e196bdb69fc68b3f636139059902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\eb2769af8df72451_0

Filesize
33KB

MD5
999a29fbb662f20d5ef95a6156f4ceeb

SHA1
6365a40dca177394b4bdc3f9c8e898d1f216f153

SHA256
97dc0861e61a8d7e6df613968211e55b27a5a661120ff1d8712594dd33a4042f

SHA512
da068f2721d9653835488e600d550f95bada5026fca91877b6c6dde6b283781b69ce392f21655f4336627a9d7ca06409a7c761d53733d8c300722e2a36d9b057

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
2be09632e0fefa44dee2614026b4de15

SHA1
c8c25eba6fb836b58b7b4600c0f40ec636ef749c

SHA256
13f45100bc05e2da30580feda692e61f11f504a1c757f765715e19f6e4d67454

SHA512
298e9c0de12c6b0d89b3661640f1aafc5896e8e7fdc0805a250647fcac0e3e8c9bdd89fcbfcbcfd6e51c597ede97da664c1f878e67f5a485c8b41ff75e30a9a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
75132e8f0f2b0956a6d929ba28a69c6c

SHA1
6086f68d31c94a2b176a14e685ce98667678e506

SHA256
356db9435c3e2383ae36046a22f5402064de74c7acc5c23462b24ffd4ff61d71

SHA512
4939d9d8473fb0cb69bbef4d85e57b375688dea4bd7c130020459f76efa883bcfe44b3590dd9271bebc17501b2c983cd8a472d6a71d1f88c1f67c4076b50019b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
c8cb898f7e550d45d8f2beef0228566f

SHA1
0a9d927069d6bbb765ebd53a33bf85b3079a9fca

SHA256
7f6769ae20885bbc310da4fe1d015ed529e6376d30eb9b3f4b5b8ba7a4c6d537

SHA512
c313e44564cb917fda33d7d1402df62203046b9abeb871a9ad3a53bd783d7e2cec8ec2b5d8f6fa29186febd993397a4cc83503d0c4f713083f2b2cb0d0c22d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b3bb8e94868338310b3de66aeaa5fd59

SHA1
cfe1d3fbe090a0b95dfa177cc7436699cf943101

SHA256
56b989d71b4b7681df7e77ac02c50ef6b53be2ee1bb2488869234e8cbfa2c31b

SHA512
53d4ce1ae7443f0c311586956ff6dbe65814b31567ff53d7150009dc1b8baf7a81d56135c0c5ffbe05a4c278f282931ab962ca2765e79546471ed9a6e43f41c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
c37a30d61c8a638c5bb4f46174e7985d

SHA1
9af63cdf34751c92eb65fe0aadbbe05bac6fad93

SHA256
274cc321fd2d71a4403c8353eb464b65c209d930fd0db26fb879c42b403aca8e

SHA512
f28b768b9f77de227bae9fd7d46cb5b66b21463521967b9d2993ab4aa7a42496393377ed110ee546951d9716255e8f95759ed53a478911bb338aa4842d61dd91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
6c0d90a4159276c25a0084b46b2e7d8b

SHA1
60aa41cacdf4e7f30350790270d7579b784b958a

SHA256
36205a75ae5dd8558600757c81935ce42ce813d9ee5a69b06282487b135e77a7

SHA512
b90b59ab78b2d0a9387c5fee0bf71b75f2d385fc9e2b066c5194f586fc7962646ccb56f58b3755d35865757d3cbe389a60294b34b0b2d5bb3b50665a6857320c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_sync.a-mo.net_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.ezyzip.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
a55b722da43d59ee4fb4b52292c1ee05

SHA1
018662474483d4307988fded7afd9eff752df95b

SHA256
e8ca0b9ccb2a9f5bc37396e708afff05e2f3923e35de7b2f382d405171abafb1

SHA512
adde22f3a6fd3dd99048b34f5d2f04d08f22f3e3bfcbed2052142fce7cead031ee78f2e18ae3d199a4eb29977b182a12b36c3936d81e6b5225e951359da5252f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
af0cd6ec73a9ceeeae626b517ec4bed4

SHA1
2347ed0a4e8d3172be93ff41159ed4ae5d15ba5d

SHA256
ec3353bc6ab7e916cb9cf34f07db2973269e80a768d38bdf25425695cb6b8c5e

SHA512
01059e9b19afcca88838b2a9f6aa2355bb07992b498ccd1bab8bfe374dc98242f96f69cd7026044d112849afed37980bb783fb7f2cf0c7bb27fea35ee0f4cb62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
14KB

MD5
228acfb2bd3745bd171a2770fb2e3c53

SHA1
259f3f4aa114ef376c51012bfb90bfc520a7177e

SHA256
8e1345d7410958f4bb2fc1c56902cb7b497037857b398d71cea1dd6e5a82ff10

SHA512
7e8ff5b308d889f6653ec16cc8723415c214d1c8c742c4627c27a46caa9b6de6c954d306edb962b6f229cb77ccf689b82be06df021b57601f7448984e57b361c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
667B

MD5
1d1dc8a5beab93616789c75fd217bd2d

SHA1
85ad6231ae094c050d65e50885549d76443c26f5

SHA256
06b7aac483b4c5950f55a2e7b748a4dc112e5cc90fed2e0c6154167c22f5e394

SHA512
34407cf4ee0191bceb6917041c08a54541fd581f52fa081ec818967b2d7ebc2d827209a811e9d5210699d8fbba97117089cb8c2311acc4f709add1bd92050dd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
408b08e84f799f3281ce958ffe7f5143

SHA1
c47a16b6ab044c7c51315555910f8bc42f4c2a08

SHA256
bedd624b5985c2442b13cb67565e8c7d8e6961a877505ec7573893b9e718dbb5

SHA512
a103a217a9aadfb657c5a4a41e34533f8d7bbeeb04911ad1790dd5b0b4324b555aaeb10a26f9e6b742d7ee0d03339b4e5849ebab578bced08b9fa03c4d541485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e6918c426884eb62ed1bb0a75b9a6f5

SHA1
f59412b6750741d7c2c08ed4fc1531c2c1581625

SHA256
07e53e32e3ba8a1554e18a1bab0b77af385853b2da708af5f14804216777dcb0

SHA512
de989f52a8ee59e6f4e12749ad2d3033013210bb0f84e4cea52d56d908bb25ef60e440b329874c3e2e2670cd08bc98e1c307864cd6e7469542c25336ca58f6c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4a842ef93c2dca30a44f2507e542e868

SHA1
7192b07bd911360b6ce356c4d2c77ee7b93fe6bf

SHA256
45b5a47a033bb3d56ae2a16a4085f9addfc195862931e34ac02e6f8382adb8a2

SHA512
bed9bd36ec9d09e44324fcc18a11a4d3133530ed48fdfcfb1c65a611dece835e033689bc5f110680ac34384a549d9c564a7cd02486b96c7b39bd5c03244135ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
12471c0a296d8ce8108a0d319ac09347

SHA1
e5cf776c736384d52fa0b40f9a64e9a1c9474016

SHA256
ee6ba4f3f32a605423eb77a44c93a662903c1aeb2f83e13fe0317df2573981f2

SHA512
fcea434a90e23863a819317572c78bda67cfa74b7edb815cca97f5d2d7ecddf9ab04715295cb2fbc0b85d83f962bd36a85eb3078b952159ab7756b0ae1f3baad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
f9d100a696c18b0390308effc87ee840

SHA1
0dffb7676763460c1f1536d5610afff4246e739f

SHA256
cd70a179c54a66a05a164850f90e1cc5ef6addafff071c0ceffd1fe94b101f23

SHA512
dfe62febfc2db802f21860a43f68fb6d4f74dd894cc8ab87ac35858353ba33479f6c41543d75ff4a394c34ed286234f309932de1a72b42dee84e0a1b988ac5ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
7ccb8355aceb546a10f98c72a2fee862

SHA1
7325821cf74767aabdcf0d36976c626259235d43

SHA256
94fe581ccb241c4dfff79b4b4ebb9fc49f8c35360361f474d8339785c9d1c57e

SHA512
ad51392c1ed754e344a455a208f550353f52935fa9c3a03271af9a02df7cbaf43a6e4cb830d99fd3075dec12d5d941c4c09b9caf837be640a64035c546b5da4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
b0681a8589e39088dd940ae6a66e2593

SHA1
915fa6d0d57574b32ad08a8ab225338e5051ac2e

SHA256
dbc81f189af770c7ce8482f23afb3378cbe867c53bc77eca3a5e722495589dcd

SHA512
3467c718def0e75c66abe88032195cda0a639cedbc08a76f5651a4c0fae4197a4d45f43cc5b592554844c72c94bd5f80b29bad587ba63144aa774e3f338a4d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ce132e35c2db06af1a541d0ba6c837d2

SHA1
58cf4841e0ef96c3f9271a5321500737a67bac1f

SHA256
c5551164890c44b62ba76ca71eb7e4dc21addb8d68dee1845b873f0c01adfb41

SHA512
cfb6471f81ad15ce59ca33cf31eed51b488cfa4409fd49889f3e6031fdd4653ad9a9cd68cd528ff17be3638534de392d1ef6b36cb48ba18ad87f3b893f6bece5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3ccf5c38bce868f5bcba6cbd09013734

SHA1
f209fe99a83d87666b47ed92484237d89b2d518a

SHA256
4297ca2a5e242e31162980e076a27f22323cb9a432a93956992db90bdc02464c

SHA512
f15f1d4e64c11a5e42d55fd600e4a5b8ac5c86e0a39b93aa07a459989497db6ba20c66afd97cb5c638f9f89473fdfde61b15d67ea9c0d705c3dd512958e8f2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11d5339f5e75b5de7baa3691c8791f16

SHA1
945def6d03de05efb490642447b33cfe6e2449e3

SHA256
37df415be70ee93f79789e56d4f147f1b7e87f57b65e3e9425e42300b72ffa5e

SHA512
64c296fff223a8394210990710499a6bfa46d8f633a4f833cb6aff5ad0018a67edd6ac7e17b47549ebd9e6767f9d560cdd1c963c15c9a39261c9e28769b4d286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
45cd7f635fba4ee61666cc25985c736b

SHA1
f63f66d6ae269c2d542ab439004cd213f588d820

SHA256
9aeb22609f37589f6c6d213de0184ffaf23878e0d759dee4d6cf050eb2810d32

SHA512
e836a5ff69e47594502f09ea888c952263e3318677089c57b46cff61d48198397d44714d47591fb6af202d1d3036640e3f0f658ca2fdeb848d6fa85c4515f95b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5bc30e.TMP

Filesize
48B

MD5
25b2eba52a84ac8afe6cab2aaeaae5c1

SHA1
916f80fd8e2848f78a42b02dca5d20f625c2121e

SHA256
dd52ce663791f69f90734d1477586c3e586bc4979db089ba7338f95ae657feab

SHA512
6c10411487a03b4d94d48a7ac43cd43686eff8c57d91e85bc8dd966ab4361b82426938943008a7bba56d1b9eed28d31d92abcc1961992539bfbc62ff82027ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
9304785e18031a1a37e030bc727559fd

SHA1
cfbed78f6be513397bc225f195beec39fad1df23

SHA256
8eb19e3faf573e86a0f775e2ee8da5bf00169c137a1d7c8c0815df2932cea4e2

SHA512
f8077ec78f43c53f99256154845180112866f8ec2ae79931a871021681b16ca57254251267c7a6e1c4bb38ef9d7b680dc35b00a7577e80cc5ada0e35bf1f7888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
206dc4353cff16d3089878673b54c606

SHA1
8f577e166b607016d30e75e73c781e45870f0c5a

SHA256
c69696705bf33a1ecffab7087b5e7c86ff98fab113be6bca078b4a3d0f9829c5

SHA512
c98fce4a0cec5acc62768bce62ae62e3e72613730625e036a44572fef23652da761f651ea9d5fc11e0def227b903c6b93e566b122cebd8dbd92605fdfded22b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
a6a088e0bd6bbd6c72260e5d77ebe07d

SHA1
8519359e4bcc9fcdfb4c2a6821c1d68f66f78ede

SHA256
eca721279f20ba42cb25253fb0dd0b73ed082b82a5c2f2dbd2746b46c85062c7

SHA512
535e87719aad4bcfba2c61b44055db2ae2fe5c9e51a6d83bb675b736b4e5fcf5129e292154f70df8e08c0db5a7c3983adf999a8458d171747cfb44d62c7ed1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
2c4680e56ddf6481a49dd723a170481e

SHA1
ab97e798114e6e3d600dc2a0c6e60f02db147960

SHA256
a3f947b15c1126ae82bff0f63252481660601ad79c58d587b199cc37e30a6fd6

SHA512
ac76cf32889e4619cf8eb494d44141b0d90b065c4adec9826c476c4a9de7a809e797652e8e2f049f036b981740768dbbcdd6f0022d2ef61b3a724f4ea42726e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d4457c0aa205f3ad9aed1ea111d6c9e8

SHA1
e36e94db4668baa92619ceca91ba43e06eb75c17

SHA256
160c9d9a63d31abf1cfa1e3793025fe4c459b0b08c046139f0fdca464e700c82

SHA512
2cafb7be25948899ba15da7a191a6f543d0101de423514a03d85a3655295526f1f5e33bf22538374c9e48f6c8415b2e2c95027c413a47fb14d9ae4c11e2df84e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
893a994f9aefbd23524eac6545c1d210

SHA1
ea4a1bb436ad174e0f753ce99b5560eacbfe3243

SHA256
97ca4e89bc75ffdac23d2119520939a967c6b4ef80dea8508486f9c41740f071

SHA512
36b370bfbdcf8ba2b8fce78cec587e432bbe5a692fe08343d9e615bcf26e94233b618604dc05dfe9af2e9ef5380b8393de231165dfa41c06ab6f2744acc84601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
e696e0caec6d6d925de200f6b8d88d73

SHA1
a3d4f8bcf19ef3fb7412e00a734fd16029fd438f

SHA256
c8a514cc721cb69c849ddb4d179105f0a73acf7c3c16ada42e12bd79bb8a7547

SHA512
50c920dbf44ea181ed6dbd32e92c9b1f352c9a72ae33226a4392a2c3dc709cc31d386a870afa42e3ad740d2890acfd6a0392b9fe46b532eecac08b359fcb560a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
7a862df0f5e81e9d6b5dea6ba9b7e67f

SHA1
4576af6d1132fcf1547fae37d40fdc641602a593

SHA256
0e436ab0347b7fd4b94a32690325ef8ca96f8245c95a769c04a7580d2298b439

SHA512
549f6bd4b21e701e4a18ba5e1b3d2fa8e62277773a0a457f3d01b291f8c200126118eb306b23d35c9576ed71adbd5e5c083a6e7553bab8ec5ddfcf40c6506cd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
a857d263397381810b6f76ea2955e43e

SHA1
98e6ec3cef8488c535810dff87507cb7fa046ded

SHA256
24ab59b430824ce27fe1af146c1027706585cc007a328192fcea9be523213d77

SHA512
a36517af09a29351c6f30dec6fa2a9bbdc5763a2e1fd0bd41f9d4296d2513a6e78f40e4a663be94618b187597c036898ca194fe2854672246b988dfe139e3e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
f1c0734c5644193cf05d0ae881481598

SHA1
de75d05312c439b66e1c76b4581f62afbd49a4d9

SHA256
4eababec5c98a5ba99c23bce3774f195c1d0a0e106e478700d74866c9b8de293

SHA512
8952ed4fefa5fa8fbc617310453d1679f0d1e359cbc59ca1cc67094ee9b5c7b85aa2639be6d03bd20e07996089ec93a1436d4877d03cb7131a255be7c18fd5cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
b8f359f639d9bd931abe72e447174b3b

SHA1
fb3578063720eb39dc3334d1184f4a641bd28050

SHA256
01b49a93398c2b72794a8a11acd44050f70a4b07b9484ed81f1d1a595c7d23b9

SHA512
d6828ae6428cadb6e05655158dda68ac5530ad8c1e996e9e5d76c584db4e78a9047c1aa87f4e26760d20a2725b0d48fccb9140c416731ec32125dd172b44b4e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
9c3f76d11c926d0d62c132d21fc2b226

SHA1
802078e87f63c4ae4913b107ffa0406fe0a4e816

SHA256
469e1d8f39acaf929943a624c4e1fab6930f48ad270931482710de173186f1a2

SHA512
a61ddc6062cf4e5242e43bc104c180ccf279358bce8b8e11324ca7ce12ea66ceb11552350e1614e7da08bb4e3725f85844d84bcdbe9e3db9b6a61d61d69df7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
7aba3264b636bee345b04678002b7c4c

SHA1
24132d70b843eb465e5c4a59c7ccfb0ca1cc9684

SHA256
69b46cca3d6a2d7e49e6a423b6756caaeae609eedffafb7b56c6dec87214d3e7

SHA512
177cf13b3fc6e4088a859cca4d9bf145c28fdcd8195ff401e8ab20d3c5d07fbd6d10ddbe4d754f3143c59ce225eeceec9aa102f2bf482accbc7dd76d5b916067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582352.TMP

Filesize
204B

MD5
219401dcba599c05af356549a3607c37

SHA1
0c0515025061a4cb9045f5740569b552d1938fda

SHA256
4cedfc55e66691538db0bbf858f5f2c1fa3ee857be7b3fc8e5f58b4d8adbf687

SHA512
6603fba21a1be2465d6ab8c6b803c9a222e6eb507020b5d9d462da5014fdebfc60b581d90b3c60878d782e50c4e9cad7303a217ff1b26b723af7743954afabf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1db8de44e4cdfc809b0c76eb29a87a57

SHA1
9a0ca092303f42aa7fd0bc4f261aa3d9ba23c4ec

SHA256
8fbebf87f51ffaa6e5ba52471935a09e285d4c5564a7a8d7c23b4b10febfc5bc

SHA512
1b78858f12b9a1f826f3967d113dd6a2500804bb639138da22aabc8b6163b89503480179a40197c3d5e5c0a9e409b644b4aa4e593b6fdad42f3130158c0e423c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bac25f175259f903acdaaabc6db2021a

SHA1
fb320359da3c8e08b115df9c8886642fee367438

SHA256
70f06473c59503b95bcaa97bca2345fbcfabb236f748dc804e49aa1789b92b2f

SHA512
2f875cbdbd7c7e103163ea1aae451ac73c978013f05dddcf17ec3760f9a8b67e0184818f3924ca2ce8102923760aff1e20b0fee2dacc801ef5786c2e9346f16b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f5656ebb7e3c67c2e92f3dac8ea97469

SHA1
6ab755ff9cddb9725d2e2b08c28e6483bd884e1e

SHA256
425f62bfc5e5a57078c689dcc9c4a4c32ee34da2b3e810b2d17472f7b931aa40

SHA512
f7ce965f573cc9cc84426ded5c3be3c79d3861da9b3e5ab9636bccb77b901389af4a10fcbd38ada8499ec93d71d3bebd8b05f482a301013e402fb6ff2a9d45d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ea0fb5e561d72a3f9cd7216ee082c3ea

SHA1
0f89156dfc0ad072eac22a77fab20d44abbf8050

SHA256
3abbe236c74d089c121d80edcf6dad00372d8b6ff3382bb00766725831eedac4

SHA512
b1ad09d4ee0ea390dbd16bba62f5cd1edda519c7bfa2d0f40727d3e0fc9bd69f2fc56607f83a3eeffd231cb2de6849e1d2e69b4c1a45d8d8c7b4be750f29d074

Download Submit
C:\Users\Admin\Documents\##3848.exe

Filesize
17.8MB

MD5
636cf3b7d4cc040172027f5610348e9e

SHA1
4ec9f4fbe2e2dbeb23a8900fb2fd9c0be332a947

SHA256
56e316e055692d8e709163c973cbb1e64181ecbbd234dd8900fc6e663e0dbc53

SHA512
d10b47a95d934b1253dafeb691c711dbd74ceae007437d29d5481f82e4f294c72b9a2b992c4717f4f2c76e372788234f1dfdadf1a7118f78b1411c47b03a6efc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 166213.crdownload

Filesize
13.4MB

MD5
576a69127a38614a5fc3ee60e74246b6

SHA1
ab9d374a3d846a08078cfe308bb9b62fd664d222

SHA256
293fccd9102a0085ec096b1ea046d4860a6afd4b4abc398f8efc387b1dbc628b

SHA512
216b268f162f70d84487dab55850bac4753e799bdfe9de20e2aa62285a5d03ec8196be5fd3ca194bb95a0f787d791248b468457479730dd7722b6c5b795bdf13

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 324122.crdownload

Filesize
119KB

MD5
fa08427db79d36520aecda0325b5ad9b

SHA1
98fa5be4fa35ce80d0f4730fc523c656ef73248d

SHA256
b8a9e3c46ae734069021dad1f16b537bcd51319dbcf9b28b8ca2d86999a73e33

SHA512
7c75327c402b6ee9c45ba954f38c26dff45891a001d6b753d1d6151a6deab31f8602dc311a0943220bb436c62db98494caf9ebdfe2d134cb0eb5981eb769a723

Download Submit
memory/1988-1598-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/1988-1208-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/1988-1331-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/1988-1609-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/1988-1101-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/1988-1470-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/1988-1112-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/1988-1168-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/1988-1491-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/1988-1616-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/1988-1623-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/4168-1221-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/4168-1615-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/4168-1586-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/4168-1588-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/4168-1080-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/4168-1138-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/4168-1599-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/4168-1099-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/4168-1187-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/4168-1437-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/4168-1137-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/4168-1167-0x0000000000400000-0x00000000015DE000-memory.dmp

Filesize
17.9MB

Download
memory/4544-1610-0x0000000013140000-0x00000000146DE000-memory.dmp

Filesize
21.6MB

Download
memory/4544-1614-0x0000000013140000-0x00000000146DE000-memory.dmp

Filesize
21.6MB

Download
memory/4544-1612-0x0000000013140000-0x00000000146DE000-memory.dmp

Filesize
21.6MB

Download
memory/4544-1613-0x0000000013140000-0x00000000146DE000-memory.dmp

Filesize
21.6MB

Download
memory/4544-1611-0x0000000013140000-0x00000000146DE000-memory.dmp

Filesize
21.6MB

Download
memory/4544-1626-0x0000000013140000-0x00000000146DE000-memory.dmp

Filesize
21.6MB

Download
memory/6016-1621-0x0000000013140000-0x00000000146DE000-memory.dmp

Filesize
21.6MB

Download
memory/6016-1622-0x0000000013140000-0x00000000146DE000-memory.dmp

Filesize
21.6MB

Download