eternity | hxxps://www[.]upload[.]ee/files/16286995/Amax_Autofarm_V4[.]3[.]rar[.]html

Analysis

max time kernel
308s
max time network
321s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/files/16286995/Amax_Autofarm_V4.3.rar.html

Score

10^/10

eternity credential_access discovery spyware stealer

Malware Config

Signatures

Detects Eternity stealer 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe	eternity_stealer
behavioral1/memory/4460-297-0x00000000000D0000-0x00000000001B6000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 18 IoCs

Processes:

AmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmaxPNB v4.3.exe	AmaxPNB v4.3.exe

Executes dropped EXE 22 IoCs

Processes:

AmaxPNB v4.3.exedcd.exeAmaxPNB v4.3.exedcd.exeAmaxPNB v4.3.exedcd.exeAmaxPNB v4.3.exedcd.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exedcd.exedcd.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exedcd.exedcd.exeAmaxPNB v4.3.exedcd.exeAmaxPNB v4.3.exedcd.exeAmaxPNB v4.3.exedcd.exe

pid	process
4460	AmaxPNB v4.3.exe
1408	dcd.exe
5708	AmaxPNB v4.3.exe
208	dcd.exe
5916	AmaxPNB v4.3.exe
2948	dcd.exe
3332	AmaxPNB v4.3.exe
5380	dcd.exe
1148	AmaxPNB v4.3.exe
3028	AmaxPNB v4.3.exe
2528	dcd.exe
2284	dcd.exe
4760	AmaxPNB v4.3.exe
4576	AmaxPNB v4.3.exe
4152	dcd.exe
1220	dcd.exe
1956	AmaxPNB v4.3.exe
5604	dcd.exe
3788	AmaxPNB v4.3.exe
4528	dcd.exe
4792	AmaxPNB v4.3.exe
4412	dcd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dcd.exeDllHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

2128 NOTEPAD.EXE
3120 NOTEPAD.EXE

pid	process
2128	NOTEPAD.EXE
3120	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
1936	msedge.exe
1936	msedge.exe
2576	msedge.exe
2576	msedge.exe
4916	msedge.exe
4916	msedge.exe
1660	msedge.exe
1660	msedge.exe
3368	msedge.exe
3368	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	process
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

7zG.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exeAmaxPNB v4.3.exe

description	pid	process
Token: SeRestorePrivilege	1296	7zG.exe
Token: 35	1296	7zG.exe
Token: SeSecurityPrivilege	1296	7zG.exe
Token: SeSecurityPrivilege	1296	7zG.exe
Token: SeDebugPrivilege	4460	AmaxPNB v4.3.exe
Token: SeDebugPrivilege	5708	AmaxPNB v4.3.exe
Token: SeDebugPrivilege	5916	AmaxPNB v4.3.exe
Token: SeDebugPrivilege	3332	AmaxPNB v4.3.exe
Token: SeDebugPrivilege	1148	AmaxPNB v4.3.exe
Token: SeDebugPrivilege	3028	AmaxPNB v4.3.exe
Token: SeDebugPrivilege	4760	AmaxPNB v4.3.exe
Token: SeDebugPrivilege	4576	AmaxPNB v4.3.exe
Token: SeDebugPrivilege	1956	AmaxPNB v4.3.exe
Token: SeDebugPrivilege	3788	AmaxPNB v4.3.exe
Token: SeDebugPrivilege	4792	AmaxPNB v4.3.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2576 wrote to memory of 552	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 552	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1032	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1936	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 1936	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe
PID 2576 wrote to memory of 2184	2576	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.upload.ee/files/16286995/Amax_Autofarm_V4.3.rar.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbd3e46f8,0x7ffbbd3e4708,0x7ffbbd3e4718
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6340 /prefetch:8
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7580 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3332564952648632406,11965658591346668737,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:5596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4460

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\" -ad -an -ai#7zMap26113:98:7zEvent20924
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\ReadME.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2128

C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe
"C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1408

C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe
"C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5708
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:208

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\ReadME.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault16fb9532h6d48h46cbh8030hcd5fd149bbe9
1⤵
PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbbd3e46f8,0x7ffbbd3e4708,0x7ffbbd3e4718
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,11213182320771697825,232529615023093047,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,11213182320771697825,232529615023093047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,11213182320771697825,232529615023093047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:3232

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5032

C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe
"C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5916
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:2948

C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe
"C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3332
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:5380

C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe
"C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1148
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:2528

C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe
"C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3028
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:2284

C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe
"C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4760
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4152

C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe
"C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:1220

C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe
"C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1956
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:5604

C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe
"C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3788
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4528

C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe
"C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4792
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
178b5d139893c78c19dbff48a94f7dc9

SHA1
bc0a983f3a769028ec88614438eac3fe3d1126d5

SHA256
57bbe4d5cddf52f3bcdee6013f653f5e532fb4987c88d9bbe389a8261af29820

SHA512
0e87c2c504e7e320746e7aec1197183a9e1d57af2e1583d8e73eff053954f94b09942a9288e48c9d0af05759556084c19a27055fc592501e0589c9a639fdde9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
dd4d9466e5d3164ebc55ccd096b33b0d

SHA1
53a435ee2aaa5d5233af2a20262b2d8ea5fcfaca

SHA256
10cb34c886efafdf70c3dc5be10ce79b3b9bcca31d484a3129be6e63479613b1

SHA512
ec8140efda595d3b81a950dd20eb6ac149486860b9b6c47c8b089fefc4b8ae8030d5aea968f18d5b3966788787946540fce713566cb252692abd5e7bec9fd208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
14be5624a1436976f94c8559b7e68e26

SHA1
c2d5054575ae2ea5b756833ab22a9590711ac535

SHA256
618afd012f66629ecad13922a7ecdcbc634c14f007e779b26f16647f4df09ece

SHA512
e2057b3567cbb2889911987ca086920393649f6880529ef0f5e64b4de0d88e28feb4febe21e9ba461ba4d9524e8ac4acc12e1f9a5d8ef671b548f8a4a3282261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4925e28457a3c1a505137e57b39ccc21

SHA1
68b42473808aee23c7b7eb0c883e4b56b4e24404

SHA256
82db94cf220941f787e0f953f9484e9c6419e386b8715a8bbe67b5c5a2b59942

SHA512
29af93fd65fad496428e1764914ddb0f3e238d4535a8a18564b501018b4d7e4c142a0a19e2fd0f016d9e1cfd6a55dd709b9e3b00a16e9fd95776237e830248d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ae213e028bfc8146178b9766640404d3

SHA1
66bf45aea2e613726dbee43fad25cfd06d7a8c82

SHA256
0ce3b4d7042af94fa492188c6e0c0a7f293a1a3209a9c2947ad29a004d61edd6

SHA512
0f077088cfde6ae6bea0c0c1e99c154508ea53649f97f3f54ca407eababde9784d04f3f220748d6ddf0c2fb9911bc6c25492af7f5e1fe8725d20791d8d20faa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3bd692bb58cc48a47efe44516fabb233

SHA1
ebdbc630e9bc98b503a0fa5b5fad09d69783570b

SHA256
9e4578649283da080b286b5d7a3889098e55c9677cec79c00fddda68c7de96e7

SHA512
7f43f1c2b374da0791c9bdd8e1b8800ee4f990288af955fe1e0bf2ba08b19d69ad5af34816bf7a6f643693cae51f9a3dc102f1e49790e4ef2bbf33e27af0bac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9737d0a7fa05247e3b5a027dcf9588e7

SHA1
2253d45ba8a3945dfc6e9005b25160e81c33a273

SHA256
16844403b488232fb8ad06efec3c00f3f9409ee03f1df34ef225f31405e415d5

SHA512
910c8324a4c20f353a7617cc11facea81c59092a798e737314afb7a4ff02ca084d34746c5faa589ed3ccf97758eda0e727e148a707a277eb1f8c90449b0ecfc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6056d1830237132b1c4863f40d087aed

SHA1
6b6bc40ff3d7d475e7561021144f4df117d092c4

SHA256
88ef58a0a8e3dcf61340ac9c90010471e859fe30e616e90d8e1c1d69eb1aafc1

SHA512
eb426d11aace27c1317d23b78009be6e403d1695b6415f6603aa0d2735f72c5fd704fc35578c98ade352b5b624e7e59e05b39a1e55a5981f7ae88a9ff38b5c41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
82aa5e13536eb525510be0dc9f3c354d

SHA1
8b7fd4b4e640a7bcceae6b50b0b154e98b3e1d91

SHA256
6017d0b2dd02953c483f2ad9cf8461d79e0794967548155a71b6fc676c9eb0b4

SHA512
c3f314bdc188ec08c974fca90383322908548e009422be6114cd1b5e5a9c9edfa48b60eb49aa733549de1852a6ca536aec7daae1af5b5c78385b008bcca1f21a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
5e9e7ff8cda3775216424fb707808e8a

SHA1
235432018c3c715ec2b4376897734375e3d7ea06

SHA256
4866d1e72e7f64910759b575c80bba827a08a828e2a3f83553d1b0dc66d713c0

SHA512
bf81212d49d0124dcdd541025bc00e8b156a2babadcf39207a5dd4398565a44aaaa968066f3e0e725c5587cced176088b5a99b8293d04355400e7cdde4fd4733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
c0a183b99d56a3f768f3ea11d9f87d62

SHA1
c152de7da521d33e3c9ab732dc8ac49263ec3608

SHA256
33fb8f4bc79d17fd5db01ba9471cdc3edcb0458888eb17febba767bbd4eb931c

SHA512
2462a1638190fada1a19f4a2f0b114a113c547af99a98ac104d4e9554d0bfadd5cbc41c510cc83f7efa8a7fa16e309340200d33ad8e69a4c51627df4e7688d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c8a5111e2718f190836b41dc89afec3c

SHA1
9b187e13a314a7c8e8f12b8db09813d557a8b2e6

SHA256
79170561b87016d4d2506108a686bbd4c09e2c42203a6ac97195fcd1ed504355

SHA512
7c68b45ff6ecdf5270978026c9fcf6dd6c02bb7486e104969c3d1b5cf3dc161eca3ad900b6dfb06c12acc36db41cc4a9e310df097ca08de0ee672e880e57ce8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c44fd9f8a871a39387d17e2df67bcd62

SHA1
5ed44b4d7029cb8e440614d633cf16487ec503bb

SHA256
6e6a3be2cc69b16bfbb40ba026706566dd02b142e1179a4b46a1c5bc8a2aa8fe

SHA512
a85c3b93dd866d22be92852eb5723fe1eb1f20be5d1912270200e10b707454c50e902b3d70fea98dfcd88469fb5fb56f58204f1eacc21d52e99f39d39b7d2e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581ff7.TMP

Filesize
1KB

MD5
5107548153a1eb4539826dd6db302952

SHA1
7fff19c439c615da6f36fc53cf4a9c49cc26a756

SHA256
d3367eafd17314a58224359219ffe5f6769725288eae844c83d4c5b6a42bcd90

SHA512
9b8bae869df3052540928cb471154324299b58c82b5ab59e00adc9209925935bb9023357e049c040b1cbbd483600ab84bd4539dbc0c2a6401e70b04fbecc8f50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
a1906ca1399e3843b214fcd6efe7352d

SHA1
3e104dd1b2f4303d79767a8f9724f2249be0ab86

SHA256
0b5e025e634f22fbb0758070163c671633f1770a11b19e3b50a80aea0d9fe8d1

SHA512
a8c9369b576cfeb30e4e3d0b37a42db6c92293cae6ed3d09aad190ebb33d37db17652b5a4ec8dcea6eea33b6f4a680e3400d8cdb751c31e10c8a57d9efaaaba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6dfe08137f32d8d04058b9e8ee19cb92

SHA1
68ae98236b8e576dc9085ff46dc742ad289a7101

SHA256
5086be811d28c33e1ecc6df65a5b427339997a3cb42e168d5285e13ae5d15664

SHA512
2c7159957c5f51a9f6516025dedddccf41844c9a3ba7aecb9ee8124178d793556fdf6898d17022a6ee79f9f3853a31ad1cfbc5217346c1a2ca5a63eb68d1d71d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
895b6cd13dcc7a68b8950e3600cfb2f9

SHA1
d128351d3b6b9d9e81ba6e9c9e7b5ca80e8acd56

SHA256
91b1064dd306626904e5ff297acc28f6d75f6eec555586d97f9664d6e8bf7684

SHA512
3145dea4c69c2611f231bff2374c1f6a98af2b5f8b74bb76091f1f41a6b0feccd40e800a8ab85756857b83f087353aad09f69885236fd7a349d72a8d07f72005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
26d2adc24c4df76ea5d232519f8134e9

SHA1
c398422fab6f4d76179e8597824d2b81849558b4

SHA256
99ff7f6289fa3380eebbe0f0443c76ee25911ecee8c26e3a7c076c366f88f6ae

SHA512
7b7c626995bdd528ee28a04a1110a307d7c3736967a870b90ff5361b1dd67d0a53203b790688194fdef8736a96ef81ffe0de73fa19c23b8e64ead0fd3e41f4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
32ac221482c4d5aca39bacbc6249cd48

SHA1
0d5bb758b6eb035ff29e5dae68a1150d1393d14a

SHA256
c410bf4f5deecd9c8052f3d0e1a033b553c4699416584aaac4b1fd3fc7ca176b

SHA512
be29137f2ba70bb9cc63b1b5569f5eefb6f58bac424ccc010f50ef30259b800a2768b394cb4a9bb5c9febb7eb8e511d0d1254bdb975cde97d765f25f364bb3a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f52a6bbfa6f0477489cc8b8047a9ccbb

SHA1
1060c92fb9294c9b5799b885634ae2765a773851

SHA256
352474870ea6064a654e5a730481dd5b9b330de9f824d8f429a84934409ae756

SHA512
4f3f7f84cc9b65316b353f75906f591d4ec3adc982c5acb94e296b22f443fe6854765fabdde4bc7209b3665ab5dcfc75c317ba2f1355ea8127ffac8aa3002390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
5B

MD5
a470cceb3e08f6a6471a3c628947fabd

SHA1
455918d10ae41741def4da8e29ee221d8edb60a9

SHA256
67f955d2aade1969697e6785d082a88294ff08acb128c993055f118e983c778f

SHA512
1e437546d2b0e129b4169c537eeefb525fecb636eec7235db2851d3b628cddc6ce6d73f1e00583ee22b7ee9aadff4c84796375d1f081203419187fc16de81c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\Downloads\267baf97-7b71-4723-95b9-a7844345d4f3.tmp

Filesize
10.4MB

MD5
2b7fe1cc9db78cb66bfdc70cb4848b13

SHA1
09578e22edc733c7f4355d6efae6603401af51f8

SHA256
38147151337e13b03b77d53678e31719df9da58b0d6fbd9b487548920cd6b195

SHA512
d1aee68c2bc5480e8f8abec81685db8cf2cda2013a49498584c6dc231beca6eeeb17406e50e1e8bc3f883afdb31c0afbb480cbc91287e705d0177c1c708346a8

Download Submit
C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\AmaxPNB v4.3.exe

Filesize
887KB

MD5
3a55e43d2333ea53b5a65aaf1972ed9c

SHA1
b83acaad62fe89a62d00ba4fa27da69c901e3d53

SHA256
f4453832b23561dca0b465f49742c8ef13ee588fca0b16d88e44c27b43b14b7d

SHA512
9237fa82153e1074e75344c23c875443a44468692a8d43d903798903ca15539ac3ed3cf8135bc70172ddf265e5699d67d5636d9a3b315a308583ae987a0e195b

Download Submit
C:\Users\Admin\Downloads\Amax_Autofarm_V4.3\Amax Autofarm V4.3\ReadME.txt

Filesize
1KB

MD5
006e75e4a4ade84ca798e398faa7f28c

SHA1
78eaf88cf8e405c2ee6a28dff9affd5378fb4a09

SHA256
511dd28ae0a0419fe70f221b5e4a187eb9974445f0c08f5cdc0e15d23c2bbd30

SHA512
6578c0415b82c1b6ed389183555432fb58987f9b193b146e70ae4bb6647dce46d2d5cc1d3a4ad4360443a2fd0988332203ddf898103eae0dc0d134a341a21224

Download Submit
\??\pipe\LOCAL\crashpad_2576_TTRMLGYICIVYNVSK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1148-407-0x000000001C500000-0x000000001C6A9000-memory.dmp

Filesize
1.7MB

Download
memory/1956-432-0x000000001C2F0000-0x000000001C499000-memory.dmp

Filesize
1.7MB

Download
memory/3028-414-0x000000001B9A0000-0x000000001BB49000-memory.dmp

Filesize
1.7MB

Download
memory/3332-388-0x000000001C230000-0x000000001C3D9000-memory.dmp

Filesize
1.7MB

Download
memory/3788-443-0x000000001B6C0000-0x000000001B869000-memory.dmp

Filesize
1.7MB

Download
memory/4460-297-0x00000000000D0000-0x00000000001B6000-memory.dmp

Filesize
920KB

Download
memory/4460-299-0x0000000002380000-0x00000000023BE000-memory.dmp

Filesize
248KB

Download
memory/4460-298-0x000000001ACF0000-0x000000001AD40000-memory.dmp

Filesize
320KB

Download
memory/4576-429-0x000000001C040000-0x000000001C1E9000-memory.dmp

Filesize
1.7MB

Download
memory/4760-428-0x000000001C060000-0x000000001C209000-memory.dmp

Filesize
1.7MB

Download
memory/4792-444-0x000000001BE30000-0x000000001BFD9000-memory.dmp

Filesize
1.7MB

Download
memory/5916-379-0x000000001B940000-0x000000001BAE9000-memory.dmp

Filesize
1.7MB

Download