hxxps://github[.]com/enginestein/Virus-Collection

Analysis

max time kernel
206s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
5188	GoldenEye.exe
6128	GoldenEye.exe
2620	RdpSa.exe
5204	GoldenEye.exe
4788	GoldenEye.exe
4196	GoldenEye.exe
4252	GoldenEye.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
76	raw.githubusercontent.com
77	raw.githubusercontent.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 493496.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{62d03cd7-adf5-407d-8837-39324fe02f4c}\RdpSa.exe\:SmartScreen:$DATA	GoldenEye.exe
File created	C:\Users\Admin\AppData\Roaming\{c5a71f8b-6248-4a50-8a9a-b3e6e23dd463}\icsunattend.exe\:SmartScreen:$DATA	GoldenEye.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1156	msedge.exe
1156	msedge.exe
5044	msedge.exe
5044	msedge.exe
1628	identity_helper.exe
1628	identity_helper.exe
1676	msedge.exe
1676	msedge.exe
4488	msedge.exe
4488	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5144	msedge.exe
5144	msedge.exe
3652	msedge.exe
3652	msedge.exe
2964	msedge.exe
2964	msedge.exe
5196	msedge.exe
5196	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3900	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1008	OpenWith.exe
3252	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
3900	OpenWith.exe
880	AcroRd32.exe
880	AcroRd32.exe
880	AcroRd32.exe
880	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 3132	5044	msedge.exe	85
PID 5044 wrote to memory of 3132	5044	msedge.exe	85
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1504	5044	msedge.exe	86
PID 5044 wrote to memory of 1156	5044	msedge.exe	87
PID 5044 wrote to memory of 1156	5044	msedge.exe	87
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88
PID 5044 wrote to memory of 2264	5044	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/enginestein/Virus-Collection
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9aa2a46f8,0x7ff9aa2a4708,0x7ff9aa2a4718
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1944 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5248 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,17599534899144314928,3683566824583995359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5196
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:5188
- - C:\Users\Admin\AppData\Roaming\{62d03cd7-adf5-407d-8837-39324fe02f4c}\RdpSa.exe
    "C:\Users\Admin\AppData\Roaming\{62d03cd7-adf5-407d-8837-39324fe02f4c}\RdpSa.exe"
    3⤵
    - Executes dropped EXE
    PID:2620
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:6128
- - C:\Users\Admin\AppData\Roaming\{c5a71f8b-6248-4a50-8a9a-b3e6e23dd463}\icsunattend.exe
    "C:\Users\Admin\AppData\Roaming\{c5a71f8b-6248-4a50-8a9a-b3e6e23dd463}\icsunattend.exe"
    3⤵
    PID:2120
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  PID:5204
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  PID:3564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3900
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\1e0b984832b2282e86d923947c0a9244.7z"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:880
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:2740
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F552F5358E0606552EECF0A20B078E76 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1880
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3DE888B6E7FBC31EE182DD02E23B4BB5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3DE888B6E7FBC31EE182DD02E23B4BB5 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:5208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
20KB

MD5
0f3de113dc536643a187f641efae47f4

SHA1
729e48891d13fb7581697f5fee8175f60519615e

SHA256
9bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8

SHA512
8332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
277KB

MD5
57b74cedb501ecda4ffa647d051ed167

SHA1
f04fd9bfb224664060245934305bec4ce2d26ce7

SHA256
c3ae24dd6b0e570611ea13b4f24e3b50ce0c6906c9ce3ba72105e4c91a660b1c

SHA512
eaaea014ca91d459a89a6f1544617f3cf3801521187fe757b08144125fe02ecd880e03726b28e32139bb752dbd52ec4133f707bb8c84e8a9ad26da54353a4d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0f9845247346fcd64502607cfdd3d7e4

SHA1
0e5c4c465759d2b34b3335bede05e2d1f36bbc8e

SHA256
7980b275baadb46ab8891fac8a2c341220435616c5ba1f0bb87f75152a9ec77b

SHA512
e862bba1f961718b7a94ca87218fb6ebe610dcf12a0c21421200d4933fe8ea3e8df39f0734c1c779a508ed0fa2831714575b2b96a96ca589a345b6cdf85e88bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ac3910719467aa5bbd2c46394adbdfe6

SHA1
fb274cc1f9c76376b49e59b68156a68950f32b07

SHA256
352bf740eddd0f6a56f3132051e218a3813512ed35d9d392e3d14acf2207abe7

SHA512
51d7565115c7e1d642e900b80df5a24b814413e050b6ee7271eed86627d6c0a5f89b824db1059a178ec5a7b7e4d4d178aba00aba9707a6d5a91f78c76579503d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
be85a012866f82533b134a3e7c03581c

SHA1
8f361377763dc0f643a3c2746149ca5850c5d8c0

SHA256
7c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0

SHA512
38aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
70ebe529198d6a720dc3497f1a8f889b

SHA1
d2d5a1dafeaa47a514acaf080cba1fcac80c1cc1

SHA256
7eb7d239b423771a5f46e0f4a5d1a357c161546533da6aa827c0ce0fde6a9477

SHA512
72ad8db3af62248e55e1b69c46954e75805ef636ffe52eb6ca733518d91a78bba28d8d56bd374a04357464fee3164cfa1eca6d96981240adf6436b5c78284fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47df023a9f1882ec936527736095c8d1

SHA1
4cdccf525da2d5c5961d66914594a723a8bcd401

SHA256
42a3ae96f6fb3b257c2e40eb0000828213803392ce6c4344fbe038d210bd2664

SHA512
44c15a553575a6876ae4973df625381a2fccf4b9065305a9dbdd6b68b174302018ec212c6138b799cc36595312d6df9d68f221ee7959ff32fcbb51df377c7860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a84e6d2168149258f42f8ea8018807bd

SHA1
ac537fbc0c77ac70c0c849052aa32f6f0886a209

SHA256
f215f553c905b1184bb5e9f29795a27235f1b47bd0b836fb1929f815a726fb6a

SHA512
5d20c2e9553b85358b593d7503bdaaed7aef9522d3187e73f59544d3e95bd316f9041f1a2faee5f56fe9266fe7a49bec3ea5e8477f7a6e201531c2353e88ba24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82dc17025600a25432fb4ee0f3bd473d

SHA1
fe565d5bf26e4238dd3cd5ebdf29ecf5b8facd95

SHA256
444e4dbc2e8d2004d395009f442be56712d06d777ba10691718491cedca8ce09

SHA512
e7a34570931fc8d305f132f897dc6929076494060475388bf71a3ac0d577d5a3a24048716c88ed776f61a2e1d7e43f7cc818e949ff8a8656ad2fd9ccbec5d692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eecc96ed8cdc344bb15a8053345555c6

SHA1
3564c17cd42069cee70d2b54009c390e978fe17e

SHA256
b4c57351b28c6359ee69c64d13e59a293dc06999881680a8df526d1fc9c13a28

SHA512
28c8ad3dfdbe6747cfbfa0e79079803472102febb937e658abc00456c57ee31ccfed9e52d006596c5a8b1e4e6e7b097bb97449ed361638d31a46224b95c2151a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7a90049f52975f3e578c5c6ca271c8a3

SHA1
ae612d19adfa951daeaac51f9d2af548c72dfefd

SHA256
9f9ca5b5f3a7f7335a8bb5a8a4aeac9e0e94ae2f9fdd1f598b1be58f02e3052f

SHA512
d917c80d42e65161971e4cf056ecc1ed2442e20a4cb2d9694fc508f9bebacb4e5b0850eb1f587609023b94ae46348c3f3c5ed255b9fb0533e1ff68d93742560b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
8969d96182bc6781f5190d858ec71eef

SHA1
c82be91ff15345f0b0ef131f6b429bf340bbb210

SHA256
45cd7e9d5bbaf5ca01a097cfc867ba82f89aad7f604416ca4985486bd84dd1f9

SHA512
571faffe5d8cf272967e8e83b33736ef4380f94fcd14d6139471b46ac6e5597a5a9cf863394ecdb371a29e0f46ce404d80eff76d8e34261e02d1222522c3cd2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
69cbd4b93cd3105c77bb9c155f2940a0

SHA1
5e4f5c3bc36e1f8c933cd6bc654e63f11beb4455

SHA256
99c3a10a47b242ab383f2ca01c66c2c0155c97f59ff8b85ddf3be75cc45240fc

SHA512
acef9649e4ca8ab4c4a7d67f8ac3c62316d17004bae3c2d8becacfb05fa6b943d162e49f2d9e9458a4bde37d5a2672e566b60f960aa44e75eb85ae2dfb5dde98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
82dfa3fc903aaebae91e6b45a189c5df

SHA1
55a94dfe77c511c23ab9bece436288308a5a14ea

SHA256
012850cfe4045ffb3060b4e0ab3619db352bc2689629f4252aa494485853d825

SHA512
03b6a2d4c8266d6c3aea11866791a795e648da682cb57f29432f6a57d17bfe0a929c893960cac853cfacd0c0fa11e6948c47fec4a0a346302fdb5ffcf4f10df2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b63ec9317bc7fac090bf768cca9facaf

SHA1
ee0e0bd8ee863a09cb1b334301384af9b65a3cbc

SHA256
b501ef436356ad444bd5d1695cd3612fc37790f98b2606398a2027404ffc90d1

SHA512
59273b14516faf0e22edda696e17d4f91533806f4e16f9dd5c36aad0f52ce0785c664301dd8b8914b97b8728e8e9c825a714fc34dfee4856d994f1e5ee5d38ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
668b8b93630f4d3787f9f25fd3d7cc8d

SHA1
9817294470b206bc25f8be2cacc295a727967b1c

SHA256
b770bd9d472d1421e479bf4b59b2d88f53f7b0dff398ea244731e1df425bbf40

SHA512
d29543aa3c86ed0c2cbb81e1cd6a1cde7f431e2a1f308fed91c31aa95f42b027d62c81991b8c21cc041d11d7654805e88c3764dbee87e9f80311a25002c2dfb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
774722f01e59deb1e2f83835931f8148

SHA1
eb70b94f5f9dc8ec300ffc881ff4e8a405dde621

SHA256
b21e105c7cfbf56fd44c94a4f1db99c5b94d098991f19a261f08463df2cc8909

SHA512
c32e73dc9e35d542f4badbc0bee9e2247b48568e7b125f3b56331e41588814b3c93ff0657bb1093e6585a5c83b5595bcf36748326adccd87c1793c9764b41f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
42df9d08be11f4961621a3fcfa372ac6

SHA1
f144340bbf3993834ad9ed06777315ae1431b716

SHA256
cb1bbfabcca5bdafea9e6e9eb712313a5313869bed73900afca6911f77ac5225

SHA512
a00171fc646b070f4073377295d3b267b4bb7080b71f969b6c6a325aedb27c1026919747a0f4d2845500e3d302906556132cc081ac4a9f48a5a0bd59e2a630b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
584e8e26789354d1ac9be4a130e6b7bd

SHA1
54a4405e886239eac277ef8be6265d24f3d21e40

SHA256
31e814f6453c3461b063724fe988349010e16dea6d0071626dc78b6d85541312

SHA512
c36525423b722d07abe41c63f1a597e80c51dba9da3bd8196b8cd6d96eb4b45c49db6993163e2d8125847553ad4471c1dd9a26af076018505ee63cab0e6d5f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
897b49900aec113e57376b0488d86c1e

SHA1
8909b31af26826ec46aea7cd143aa4513dd48819

SHA256
a1c581b98eca8ce06dbab918a038fef3677dc53d4129ce2f7331bb1941549016

SHA512
d783e7c5738a38fbb15bfd64abf53fdaa3b38c0815c968180b5d92b721edfedfd6a67c5a5039c7b504eb36465a62f0bab86618e98849018b238d4a678e875cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5797bc.TMP

Filesize
874B

MD5
2d2c86e9bcd41e385960640a9c2178b0

SHA1
2458a7ea9066dfe3332be9866345f6ae21694310

SHA256
764ea6c98b583f3ee2f88f52c3cef3ec0bca12f8658df7361ec00c8d579b26a9

SHA512
0f47ea7526ade8d63e553d92d0790ebaadbb7aea553f445fd699c9410e5bfe46aea64dc547077f0dbc8dcde681ca325746f002ddaa37f3886b5e3693231eab5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
10af320fafa6d2126bc4cb0d5648741f

SHA1
e70712acdf982c78d172e6ede3c41466b68288c2

SHA256
252db0b992bc38106ae56e6913812d83a83eabf689cef72cc966282400b1e379

SHA512
698fc78848e19d2734f333c798922bdab8a1aa216fa92f7c2292e7f46e5ea67ab36eba34ff460638856471a724960b8fad35bf19e296ce7513b4db85ad3a8e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6b3229ea08f5a3a9f9d6b780c72d9095

SHA1
b0c150823aad764e3cc205d4356b486f2db418b6

SHA256
a12894a488eae642c09c9a92d2d57ff2383d37ccc350efe41d758c3f025867a5

SHA512
54bbe052c178b869d52b9af49b17e733b62e6571bed39aea68674e06bc8ca2dc60906790158902ef375f0af1ab4d4edd625dac28a7ca483753caa994dddc1426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
12d453d3d69fe608a55d40176bcd906f

SHA1
ea9f0923e40d4e65bcf697c807ec5ef17fb6cabf

SHA256
ddf62db204232ebefa296fc054db619bc6ef726dce1a89f8a71926c60eed8e1d

SHA512
aa23c50a520c21adc988f50dbcd12dc3c8f458428131c7e8ed645209be03d5c2af450294d73b92ee169bad758d90c9eb73f7a4b1c73b614da4f2a1b43107b9fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c68d8e1ec5226f830f7937e2f616a282

SHA1
6af5462147cd0f11efbb639e97e62ba990a2aa82

SHA256
6a6c85d4dab52728a5be2f39dcee171dd40a51c140872524e268be59adb4ddcd

SHA512
b96c29f7492bc06a0a45a87b01b1a5106da2a74bdd1190f66ccfe9b502e73d7ffa9394cb18899ea6d34b02239dd5e1f66943d02453cfe252b0f5bf2f71836eec

Download Submit
C:\Users\Admin\Downloads\1e0b984832b2282e86d923947c0a9244.7z

Filesize
266B

MD5
9822cefaadf17ce741397c1e08c86222

SHA1
f1755116560770a31da7e50d2412326bc8d1b36b

SHA256
03affd363484292a255883b16f267aa8f734f644cd81ba4aa85c4a89d2788a86

SHA512
103d0ecfb045913af505b7d656cc62c2c0c15562699a767ec9c46fc9da7e38b55ac8be2d2c7b268e72eb693a4f6d178139b9e1a7d764ce757c0d8e4637e93bc8

Download Submit
C:\Users\Admin\Downloads\697158bcade7373ccc9e52ea1171d780988fc845d2b696898654e18954578920.zip

Filesize
3.0MB

MD5
40879d7587eed9df399dc5ec0e18d305

SHA1
e8660a88bc70457259b13c2198bd7b0f88827cd6

SHA256
d30cd1e5c765f6cb2ddfc16c8f1611ef575ef6b8fd7030930bca9433f8edbe25

SHA512
4eaccb3edadc0685c2e845a199e34cfb18cbf17054b5fb4276ef0a1c4a5e46cd397ae8fddd57f5cc9a39c4ba3625a3216f7d44cf090a12949460b5bf3675635b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 493496.crdownload

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\Downloads\satan.zip

Filesize
143KB

MD5
d309e1391579364a758c67fafb3b6e8a

SHA1
d36d77044dce9a03766fce192629e6d2bc2e8dd5

SHA256
595e2825095b12ddfba4ee6f98f4f6cb1ff1fbc37a3b3191b2fc203d486ba163

SHA512
b1c5af6894983c58564a2b3b63e36edf0a2e5f6e6ab5268030eaf3027326dc2a9fc31e449a7dd12078a0e878afa753872e309e0e16bb58997e7fd3b8c03aa6cb

Download Submit