orcus | hxxps://oxy[.]st/d/iEYh

Analysis

max time kernel
277s
max time network
282s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2024 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://oxy.st/d/iEYh

Score

10^/10

orcus nursultan alfa (prem)credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Nursultan Alfa (prem)

31.44.184.52:15288

Mutex

sudo_3kpsys7y85z4fdhjp3rb8mhbg022ckhz

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\universalwordpress\flowerdb.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00090000000235ff-682.dat	family_orcus

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00090000000235ff-682.dat	orcus
behavioral1/memory/6184-684-0x0000000000A60000-0x0000000000D5E000-memory.dmp	orcus

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Nursultan Alpha (prem).exeNursultan Alpha (prem).exeregasm.exeNursultan Alpha (prem).exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Nursultan Alpha (prem).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Nursultan Alpha (prem).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	regasm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Nursultan Alpha (prem).exe

Executes dropped EXE 13 IoCs

Processes:

winrar-x64-701ru.exeNursultan Alpha (prem).exeflowerdb.exeflowerdb.exeNursultan Alpha (prem).exeflowerdb.exeflowerdb.exeflowerdb.exeNursultan Alpha (prem).exeNursultan Alpha (prem).exeflowerdb.exeflowerdb.exeNursultan Alpha (prem).exe

pid	Process
6888	winrar-x64-701ru.exe
6184	Nursultan Alpha (prem).exe
6336	flowerdb.exe
2296	flowerdb.exe
7020	Nursultan Alpha (prem).exe
4848	flowerdb.exe
4188	flowerdb.exe
4852	flowerdb.exe
6148	Nursultan Alpha (prem).exe
5964	Nursultan Alpha (prem).exe
1492	flowerdb.exe
6864	flowerdb.exe
2980	Nursultan Alpha (prem).exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 4 IoCs

Processes:

flowerdb.exeflowerdb.exeflowerdb.exeflowerdb.exe

description	pid	Process	procid_target
PID 6336 set thread context of 6096	6336	flowerdb.exe	190
PID 4848 set thread context of 6040	4848	flowerdb.exe	198
PID 4188 set thread context of 5980	4188	flowerdb.exe	200
PID 1492 set thread context of 4368	1492	flowerdb.exe	223

Drops file in Windows directory 2 IoCs

Processes:

installutil.exeregasm.exe

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe	installutil.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe	regasm.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Nursultan Alpha (prem).exeinstallutil.exeflowerdb.execmd.execaspol.execmd.exeflowerdb.exeregasm.exeflowerdb.exeNursultan Alpha (prem).execmd.exeflowerdb.exeflowerdb.exeNursultan Alpha (prem).exeflowerdb.execmd.execmd.exeNursultan Alpha (prem).exeNursultan Alpha (prem).exeflowerdb.exeinstallutil.exePING.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nursultan Alpha (prem).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flowerdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flowerdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flowerdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nursultan Alpha (prem).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flowerdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flowerdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nursultan Alpha (prem).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flowerdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nursultan Alpha (prem).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nursultan Alpha (prem).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flowerdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
2576	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 4 IoCs

Processes:

msedge.exemsedge.exeOpenWith.exetaskmgr.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2990742725-2267136959-192470804-1000\{4126F903-0601-495F-9C7F-779CE17F1570}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 504931.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2576	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeNursultan Alpha (prem).exemsedge.exeflowerdb.exeinstallutil.exetaskmgr.exeNursultan Alpha (prem).exeflowerdb.exeflowerdb.exe

pid	Process
3652	msedge.exe
3652	msedge.exe
2228	msedge.exe
2228	msedge.exe
4552	identity_helper.exe
4552	identity_helper.exe
6120	msedge.exe
6120	msedge.exe
6944	msedge.exe
6944	msedge.exe
7040	msedge.exe
7040	msedge.exe
6184	Nursultan Alpha (prem).exe
6184	Nursultan Alpha (prem).exe
7068	msedge.exe
7068	msedge.exe
7068	msedge.exe
7068	msedge.exe
6336	flowerdb.exe
6336	flowerdb.exe
6336	flowerdb.exe
6096	installutil.exe
6096	installutil.exe
6096	installutil.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
7020	Nursultan Alpha (prem).exe
7020	Nursultan Alpha (prem).exe
3988	taskmgr.exe
3988	taskmgr.exe
4848	flowerdb.exe
4848	flowerdb.exe
4848	flowerdb.exe
4188	flowerdb.exe
4188	flowerdb.exe
4188	flowerdb.exe
3988	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
3988	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 55 IoCs

Processes:

msedge.exe

pid	Process
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

7zG.exeNursultan Alpha (prem).exeflowerdb.exeinstallutil.exetaskmgr.exeNursultan Alpha (prem).exeflowerdb.exeflowerdb.exeregasm.exeNursultan Alpha (prem).exeflowerdb.execaspol.exe

description	pid	Process
Token: SeRestorePrivilege	7000	7zG.exe
Token: 35	7000	7zG.exe
Token: SeSecurityPrivilege	7000	7zG.exe
Token: SeSecurityPrivilege	7000	7zG.exe
Token: SeDebugPrivilege	6184	Nursultan Alpha (prem).exe
Token: SeDebugPrivilege	6336	flowerdb.exe
Token: SeDebugPrivilege	6096	installutil.exe
Token: SeDebugPrivilege	3988	taskmgr.exe
Token: SeSystemProfilePrivilege	3988	taskmgr.exe
Token: SeCreateGlobalPrivilege	3988	taskmgr.exe
Token: SeDebugPrivilege	7020	Nursultan Alpha (prem).exe
Token: SeDebugPrivilege	4848	flowerdb.exe
Token: SeDebugPrivilege	4188	flowerdb.exe
Token: SeDebugPrivilege	6040	regasm.exe
Token: SeDebugPrivilege	5964	Nursultan Alpha (prem).exe
Token: SeDebugPrivilege	1492	flowerdb.exe
Token: SeDebugPrivilege	4368	caspol.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zG.exetaskmgr.exe

pid	Process
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
7000	7zG.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	Process
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

OpenWith.exewinrar-x64-701ru.exe

pid	Process
6356	OpenWith.exe
6888	winrar-x64-701ru.exe
6888	winrar-x64-701ru.exe
6888	winrar-x64-701ru.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 2228 wrote to memory of 1772	2228	msedge.exe	84
PID 2228 wrote to memory of 1772	2228	msedge.exe	84
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 2488	2228	msedge.exe	85
PID 2228 wrote to memory of 3652	2228	msedge.exe	86
PID 2228 wrote to memory of 3652	2228	msedge.exe	86
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87
PID 2228 wrote to memory of 2328	2228	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oxy.st/d/iEYh
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbcf3246f8,0x7ffbcf324708,0x7ffbcf324718
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6812 /prefetch:8
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7472 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7208 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7268 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2620 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
  2⤵
  PID:6164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2628 /prefetch:1
  2⤵
  PID:6172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7572 /prefetch:1
  2⤵
  PID:6180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7700 /prefetch:1
  2⤵
  PID:6280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:6288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:6324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:6332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7572 /prefetch:1
  2⤵
  PID:6776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:6784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:6924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:6932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8012 /prefetch:1
  2⤵
  PID:6532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8172 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2756 /prefetch:1
  2⤵
  PID:6472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7836 /prefetch:1
  2⤵
  PID:6512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:7096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7540 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7040
- C:\Users\Admin\Downloads\winrar-x64-701ru.exe
  "C:\Users\Admin\Downloads\winrar-x64-701ru.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2764 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:6708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
  2⤵
  PID:6728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8548 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8452 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8448 /prefetch:1
  2⤵
  PID:6756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:6356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4907826995869399723,3396320891339643650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:1716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5220

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6472

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\66965d1c70224717802eba9ab388f0cf /t 6856 /p 6888
1⤵
PID:6916

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21766:102:7zEvent17734
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:7000

C:\Users\Admin\Downloads\Nursultan Alpha (prem).exe
"C:\Users\Admin\Downloads\Nursultan Alpha (prem).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6184
- C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe
  "C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6336
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6096

C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe
C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2296

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3988

C:\Users\Admin\Downloads\Nursultan Alpha (prem).exe
"C:\Users\Admin\Downloads\Nursultan Alpha (prem).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7020
- C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe
  "C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{c04bad94-31f3-45e3-94b7-537a77169275}.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:5340
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{c04bad94-31f3-45e3-94b7-537a77169275}.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3888

C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe
C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5980

C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe
C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4852

C:\Users\Admin\Downloads\Nursultan Alpha (prem).exe
"C:\Users\Admin\Downloads\Nursultan Alpha (prem).exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6148

C:\Users\Admin\Downloads\Nursultan Alpha (prem).exe
"C:\Users\Admin\Downloads\Nursultan Alpha (prem).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5964
- C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe
  "C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4368

C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe
C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6864

C:\Users\Admin\Downloads\Nursultan Alpha (prem).exe
"C:\Users\Admin\Downloads\Nursultan Alpha (prem).exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\flowerdb.exe.log

Filesize
1KB

MD5
663b8d5469caa4489d463aa9bc18124f

SHA1
e57123a7d969115853ea631a3b33826335025d28

SHA256
7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8

SHA512
45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2f842025e22e522658c640cfc7edc529

SHA1
4c2b24b02709acdd159f1b9bbeb396e52af27033

SHA256
1191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e

SHA512
6e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54aadd2d8ec66e446f1edb466b99ba8d

SHA1
a94f02b035dc918d8d9a46e6886413f15be5bff0

SHA256
1971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e

SHA512
7e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6d0dc488-e550-475f-b1a5-d3113971c048.tmp

Filesize
10KB

MD5
f26207d9e958af504379f4cb4882e04d

SHA1
36770a72996b1c1f2a67f5fe45506631dcec0ca8

SHA256
66ef6d090f33007c58dd0ded8884933c70e28439ee7da1dae6131264690f4b25

SHA512
d2274116a9879a49ef7acc9bd856f08829b72c98c27fc4f23650c9f6643542e4e99f48b251ef3e46febe960778463edc5b91cd35236fba82f15154ccb8b498d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
41KB

MD5
2a8a0496c0022a0e67d77d3446340499

SHA1
ed76b29d574b4dbfa9e5dd3e21147148a310258e

SHA256
f348937ab6c6d9835af1f55e3f1d3c51197dc1c071630611ebc6d44834fc44e9

SHA512
d3767a8eafe019a15c2142d1160271ecc62f6e7d5623c0ae5fade269c8c9cf7de3b80678ed64bb9546bcf4d80fa66e11cacd19f2a7e295a6fec2a64ec8068c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
1.2MB

MD5
d20f500f9e4e8bc3fbf885d3e9036b32

SHA1
8eff61e7789c5bb7564be8cc3225ff10393a30b1

SHA256
088c9b305f64ae73af52bec73101e6bb1914b8e0931cd1d3aee8944a3abd18bf

SHA512
4d85a1aa21fb92d51bfd01a104c847f79e4c14d4f2202b6c14e6275f05ca699ecdbe56bdb7c556f8a651832440201bda80a7f1e3c11778fb22c201c9aa032642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5cfb4e0c6ef7560f14996e10a0e9c273

SHA1
822a02772550ad461000b6f07e70f9156576d1b9

SHA256
a50c38f6c6dce74c00ad97d0b9b623bb97630fa296a97e73cd5ea9a19c07a7c3

SHA512
eb2f7153f60c5339e91cc470fcf4b1c56fd567cdd04682f02816ca05ba1f483e719802f1abe5467ac4f15df6ba14fe1567b0653b8cd8f81d6159715b360f42e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7ff958364638d7135381c9e03fe3b715

SHA1
b4b246435746b4c7bdd1e91fdf192fb25c855da1

SHA256
5c1e3cb3c0546908c4a0ec5faa6cd72efd99fb2bd188f0eb1d062fcc89f46c7a

SHA512
04aeb0acb15911f819b26e74901ca8b355a10015b0363d28aff0b4f1e39f395361293f3f21d19072b6b1557022526f9a10fcd9b27a87984b1ac644e09e667f9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
74fe6f5f3a41022d071e90dc3c8cf38c

SHA1
27d8b2ad3e451af770f77e8bced633dfcf0114bf

SHA256
9176d4bc525626742d765506fc795afe374a99ce9ba3f78e8f3bf84cd1697269

SHA512
71334ddb10852ca0d5353daedabec62678c6f53db49f776c32bb5cd8a90c413716a70ad6018d5162103722416e8750d2b20381a49a62730ede05b0109764f27a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
141ee5d823cbf0ddf3e476b5f363b67e

SHA1
33c006f9c311687abef7e123f1dc16557d857e6d

SHA256
60ef0c98a2d5dd68237b92567da9c1c62da81dc8c7ac2c6167fc9b983e0c5f32

SHA512
15879e6b3bf8ecf343ecc2e4f17536d5af305ca94d9942ffe925941ae0e359195cb303945029614e1b7877f28f168dd8ece3578dc3ac77d5103f439af61659b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
9f0845a889de933ea9d1427c7a977b45

SHA1
a60a0421dac19cb677d2caa189a2e138d282a684

SHA256
6d2e7649e7005a6d829cd6c5b57e47263841543953a4f7d054565ae988436037

SHA512
55e51645ab3b65c232f51ae01ee63243915e6fa94b0e5209446523513c77d21be32002d70d89f891fdcb41a4a26a52809bb6b01a28c96c448e1f16ee4372131f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d43f39622141f770b8c09c3efa65906b

SHA1
ad3f2370670fe76227653649442541c50c68829c

SHA256
b8c7659e57d0959a94eeeba5cbfe01383a801b4362643f07a90f8f0bd5e5ae9a

SHA512
6724c1b5fd243f37bbb772efaa90a4c76ea1e1a6e6a7dc7fbe0c2f4c389c42f78fcd00933835d117d74068aaeef43b41dc1baedf2dc74972be644e5ae37baf3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
408cb8969ab98f77e226ca80657b31ed

SHA1
590321abb207ca9c1f2b3705f7bff9c5312bf60a

SHA256
e934a29d8a7812b1a39618721a4cb002e3d8372f3dee4e193531b83817c283fb

SHA512
10cd1cacd9cebf3d38b6f29a30bf43796b6fbdbd255d8ef7e862164335e2e396b4d7b91d8895b9110e9b39f68b0ceea8ce9135610c696823653ed82939813e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
5783f3dcdada5b2f3c1d94ec5166e2df

SHA1
929a3efbd82d891de2d4eb8b387c760ac4ac0a20

SHA256
7d1fbe46bdabcc8df71c33efce31a06cdd1264373255a248bc8f7c36ce24b395

SHA512
9dfb072364b1d9031df550352dd0b901177bdc46ac0811d9304626fac19706ad7090dc445f5039349602668c6c8a0aa2df2c84e923780f2f5731f5f9534f5f07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
d7b30c17bde850dcb91d2317c23e2dc9

SHA1
1cfa69a204135d73f3361166b99f5b308651f4d0

SHA256
e08a69e4c461ea0c777d9083fbace88b3ba3eb0cdd2b71ff1fffc39eb1a9af5e

SHA512
8eafea9c366752d5aaf9324d2a8d315c4b831780919aa45da3189bd07e4126ad0ca0a5ab70c5f37970293dc4967e6432fd6493866ea436bbf673ec23758ba4bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
ab1b91e3af32e8afa516df6ebff2d668

SHA1
b9aca71a9b0b95890177a1e3a146bdce5c117808

SHA256
bed9ce71aa42bfef64eb31b72ff064a6b5a4cfc6ca8b962902fa510ddf3a2ba4

SHA512
9ec24643c7cb4f50d99f2a91b2e3922ccf411e190ec13d263cfe2e58391bd4f52566bab867904152dc6043b147f8b6ad149525b26c6dcce58d951f2d9e47b241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
e06fd3020c37913761e42b10dfa48ab0

SHA1
0a492877861afebd127aa66e3935280338defd6c

SHA256
23d0b6c0926c4952af9ea7d5b1752ca2ed9941b316cfc9a1da4a5505d9f7cd89

SHA512
b2d660368606ebf3685c34107e87754a1c07d07062508d949b5734c3fbc3ca0417268069ba5baec260b91c5adbbb55c53765cc51fe0c94894a9504c6804065c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
b00174e26fc9f8ca92fb9246a2a488cf

SHA1
e0e0926d95617a09533ea2552cc6e99e62458f43

SHA256
62c12bea159f23ac2c95523f4815d5e7c479ae7cf332ce8efa9d5c663a769552

SHA512
e03061bc77f971f17c589fd59c5b8ca7a16be24666f403b34a51439d9f6fdae165df55156ec33cf6d29434c068c640af3aaf08ef42d98bbfd2ec1f4c948e0550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
7f8c9a1fedce3ff5477eb18bc0e494b1

SHA1
1012dd028af466e64f760c9eb66a2b66ea15ca49

SHA256
caba245681edf27e5c75ba828445bdf1a0ef6bd197eed5fb6abef2474d15c2e5

SHA512
fac848b561124876bc2ca4808d0c87ebc59b877c7cd0014a1b2051092943da092e07563730d6ccb70f08d70043310ded748212ba8aaf7fa5bd106216d00dfada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ccb56a8b54d335d95d0c30aaa9f42be5

SHA1
7f5900abd0ff9feb974bd009a64a9ad81a967556

SHA256
76ab66ab6c7ce64684b50bd144c0032f4dd4a498bc8009a206d4e74b57baa974

SHA512
9db2bbe6b6fd69f6c4bfb34b9b05500fd2d7ca128fddebb504a9ece035c5328cdfc0c8d4d1c6b02513a2c03b3361eb2447a94ebbf30983622a1ad012a0cd3d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5b4ad1.TMP

Filesize
48B

MD5
abca75cbc337846af54fe73c82507699

SHA1
541aa9f3698e3ca0738c54a560fbc8d64a61c090

SHA256
48af031b5a3f1b300aaf987a21ff2ac44c8784cd2358089ee9895d39178b9617

SHA512
84fa7e85beaf878885b289c59ad808611a6465f01f20dd92147b80a3762af08972b3d2673cba1a800296f1ee3c2f8e6fdedc0363043f9dd4e2494767af740ef1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
08d0bcae209baca955827c360df2764e

SHA1
6a10a8ba606529a9a2e1db4d64024555e8453b33

SHA256
7d9b5a47d415e71ed4036ef955ce65232c9bf62e8ddc73221d6f676098f87e9c

SHA512
10b24b7a6ca9215ebe1543c7b4c5b7f0721db9d90634af7ac5ab7675efcad6485e58cca0e24002be27224f501941d0224fab94fe1809bc5cc4f4b5bc21d08b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
de7809cf65e678ff88ee3fecb5357cfe

SHA1
1060b2e395b5780abc1c1795c9888eb9db1701d1

SHA256
ec333ad4dfdc31e03d75ef0f950160824576735cd16673fda29c55ab3952361b

SHA512
4e70e52ef17b58db8c422be1987f86c0345ef8d3fa6eb0c117964353366814ec9dc278670372507c2aac1c6b92059b715ea2933d0855c96ea7b6bb3f70f07753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
4690eb2aafffe208a74cb9e59e4c69db

SHA1
43362f51f7584a60f2da2d1513482d2107b19a32

SHA256
3a898a72f6e09ad37852fb644c9bcf9b5a1bbbb876f421c17c4a0b39467ebb75

SHA512
b43be10a6ca5d416e296826452524ea20f5376c0191778f4d1e7c2adb2f9a417159e0b3be795584ef26e99e43b2a95a459c6381e7034a9cdc0895346f6550feb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
70578395849d4386c5b6a63e623823d1

SHA1
078ecaa72597f9c8776ac8022f857c8d75f03a1c

SHA256
c6d4221ed70563948aeb743ebeee8775a75f49af7a447f6b88b23ea77fe83521

SHA512
2a652fd3c908f1c211c36517da37f6b5ebf50b440a02f42afe6802ed423b94316d50d9258f8140b053ea5ae07807018fca3d2d24f5abafb07f8105c3a2e2adb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
1cdffe8c1f4c024215e3870db5000563

SHA1
62b9f40f85acd20322e45dc291476db6a581b168

SHA256
12132bf0f27409181be092eec07ee7e4786676360d6159f5610c8dcf17c277c3

SHA512
2a3c4ee370c26e561f62b44ffeaa37b71f2e0f6fa3912dfa94d8e7491803b74508d3e212ff912c8b9a88293b3cfdad38e908816d08a47dd593abe648d66f82e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
4115b99d4f5624eb4b51000ee05018e5

SHA1
c6684913208cf3fa3d758cf5b95a986eb2802f5c

SHA256
f4c3aba6569996d870a9d0f32ec608da2a6dd59ea4d76732843a476775ce3a00

SHA512
bec4c6c34398223550b06714daf46d598c960ef6daa32010e896ad3b95284475f816890fe25835cb4a54f894dcc478d30f8328ce88bd47041881dff8377e4e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e61f32b9d0235d15f99917d56f7386cc

SHA1
59e9b1faa8347356646b8d9f01466e9ab8dd7c05

SHA256
fddf9610b7d2a0c38e556bc5a77999063fc40087f12aef666ece92b11351fab7

SHA512
c03c83a741a5b7808b744b09236a2165fcd64c63fc64af786c8301924ff2ca0219a24874056a254f1d5857741d8937a4d815c77a2b478a4bbbe47bd7a3e8e451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
2728dc50a52be0ef08a1a3c1b566ee4a

SHA1
b80aa7424afa8ba903656d431a052b0cc592b783

SHA256
bfee202bdb3004b40401b530bcdba6ca417700a7e07d756afa2829252681608c

SHA512
dcf1c9b0782b693a460f4d949ed69b85a9bed8de206ad1680650d00a9fa92a8ff124152ca523b442c47e5902ad895e40ac398292c1a540d7c7488198705de404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
36b14711bb1ba739b397cee45b3dfd72

SHA1
e25b69d1baa067d60d0e4867897b2982790f6df8

SHA256
a72ae0c333eb1bf459ab4f385df42c63c741bd735d1a1f3ff1a3b0ee9096cdc1

SHA512
9625aa24ed37f87bb74874c94897b7b5721b32d0e91e8e18b3c6b87982cfb7c2cc94af805bf756f7fa30181a89088856cf70c365893d23366fb6b48a108a399d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
169b81219b052408a1969fc25157e53f

SHA1
6ead64a08d67e73b88eb0c0c9bc56dc6e18ee6d4

SHA256
ee3d0dd02e37c613aa60501c5d177b7a51d27768bc9f1b5d178366453b48e41f

SHA512
307a00d84ba33073acdda08d0f3e1561e74d00736ca6594d045cd6fe3c6459c9252ba4bdafcae2b3cc8c5a27a2353ab0c38c008b6b602f4202ef7703a030c009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
b149e7808c787420f2508d9e53ec5719

SHA1
b80e8f623b4b09f02df6621be182c4569432a58a

SHA256
c5d42de09540a405153b013a29f9a2c36c99507c4ace8a4910ccc901a3e419e6

SHA512
5c0dfdca322b7d93969455bb86bfab805a7ccff922f911c84b3b96297ecafacab73ec236913fee68a91447b76424800b4dfd087a0e44955775eff19fcbd56d9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
1d2533bb4e4d9509f3d51b192565bbdc

SHA1
713dfc397c13b69c7b9d400a35155c5457c482aa

SHA256
4058ccdbdcafa16228c33aa81bc90b7cbcb460e5f1dbea9dc8ed51fffcb6122c

SHA512
683264d2b8b1f6dcba2dfbd72d4b44b9d8e77858d45f4b49aac93816de6a6d06915c7af9837e4b5630bcd2ce4be602396df8cf1ae5b57270dca7ce55507f84b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
717542ca3a97f07351d1b96562398d24

SHA1
5db308d71e2a6a85a05f3e7c816230215f35a5fd

SHA256
7abf5110ac061a84c334d68d0010c0315a5fe1c218fbcc7a1774bc5b139f8d07

SHA512
df7cea13cb73846ce14bf4cd3c31a4e8014c5e41351958ca5094f4722930134c96b03b511dd7c7f27a95c523a97b47b4a747109696285add8ed2871b86ce360f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e53f.TMP

Filesize
2KB

MD5
a4a0f69d5d8766070fbdc0a10840dbb4

SHA1
f5a61b093664c3bf8dd75f1e1249820a12d61cb4

SHA256
8eefc32e8c84b35ce7d4318c748d84d68a8e286aef43a087c3efe26310fd9d7a

SHA512
3f9b33142e2fd48bd2682ce523428367f0b14a6becb64e2879ade9da56f39b329b6200004dd7dd25985e05638e895b7152a188a4f85ae1b5e5aef0561b0b0273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a7eb0e209913be548f4815c4ed86bf5e

SHA1
d880301ed72e8f67023e1fc088566ddab68a65e2

SHA256
8e3797dcec4eb318343aeb219b296f4a6b037e6c588fe6186743b3e8dfb9f834

SHA512
f55c781f32cb849cc23c975eaa5055058ad0d5d55f5b32c7a41f4e70dc930fb544fe56d76cd3b6c6d4f4ec35f4e341bf0a2652f83e11d8540fc7b4779f81112b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c16b3ec5d221314b4ef39c3ff07c93df

SHA1
82174c07fd577d871febccfc981b4bad89a2ba8e

SHA256
b0d1bef8bf961d8add82c2e4eda20a42a6e6d62025da8a48271739e078dc42a3

SHA512
f590b62a21d07efbd04f7f677f7609a08263e0c8897564c46753d53713dd598b2ec9c9c85c796d4b69b494760fe4062fa74ed47f514f3073984dc000a5ef4767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bffe3dc86d77e1e030b46cca1571b8a1

SHA1
4240b1af4a3ffec9fea5986aa94f132945389d7c

SHA256
aa2038257eece1175fca05b5c650976227f2a9feb8d86d7da348ea2cdcfdff50

SHA512
a068150e37c676f10740910d0260af4c51becb986eed776b61ae51e2690526b4df28c5473422c953209d0d8de93c0add9fa680eed08e6519e43036e2e73c3dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8d2834099c3531f82075a18a46edda77

SHA1
c2f30300f62430c5da1c52be787b2be787d277d5

SHA256
b1c1264f2bcdd350d63aed543b2b6a368f0a22fa3025ae31d8b02e6b0eea36f3

SHA512
396da1a6bf2105067cf557cef3866a6c779d83684dc8dba1131d44c1e408ad345f0cc6d83fb1feed74313282366971b80808a715243bb400c52a2e07f3198096

Download Submit
C:\Users\Admin\AppData\Roaming\universalwordpress\flowerdb.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\Downloads\Nursultan Alpha (pre.rar

Filesize
2.6MB

MD5
ab8c6500da0272daddeb36ccdb7f7cb9

SHA1
16398d1a1debcb8e9202e5c18dcf753f3706ced5

SHA256
0c43b0e4fd4f24df5a2db515d7af5d6f127d2ff3bbcc96fb91fd82f7c40763be

SHA512
7d63e091b209e2d0c782cef5435098ad69ff786fab2cae60b3f6f872fd5e00e926c8da11fad7ef7949d9566e6b558527e6d5470aa2ed54f0655410cd4f4e15be

Download Submit
C:\Users\Admin\Downloads\Nursultan Alpha (prem).exe

Filesize
3.0MB

MD5
e2a52f78fc1dc2eb561fd5d77892d642

SHA1
ffe1dd532e08911537d01f51f21c1ce181f4ac71

SHA256
6b60666d6ace3a450d54fe7b915c46632172ca0d4127d87873f0c111560e66cb

SHA512
e7f2abf0165735cba2da3e40ac44941135bad31c38f15dae65b66a77d3239487f758c286b95cebc17a13fd27a561804f34104c8d8f42d21ea845b3de16df6c73

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 504931.crdownload

Filesize
4.0MB

MD5
b53fd2f7cd34ae24dd15b23d2eab08bd

SHA1
994ff51c42d8ed9e8a98b66a7adc172c2fa75c95

SHA256
2177fcc6c2105a01472358ad32a5ce467b4943d69f891cb30bbc82ec42003c60

SHA512
763b2f03a8264bab2f64b99b573d1224537bfb345dfd88da48699f7f42d55dd74ac34272e64f49c20c4534b908f1a1d6e6e9674464bc2e0f33f0ac2f56919d60

Download Submit
\??\pipe\LOCAL\crashpad_2228_DMNNOFRVKBUEYHMP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3988-755-0x000001F43C6D0000-0x000001F43C6D1000-memory.dmp

Filesize
4KB

Download
memory/3988-744-0x000001F43C6D0000-0x000001F43C6D1000-memory.dmp

Filesize
4KB

Download
memory/3988-754-0x000001F43C6D0000-0x000001F43C6D1000-memory.dmp

Filesize
4KB

Download
memory/3988-753-0x000001F43C6D0000-0x000001F43C6D1000-memory.dmp

Filesize
4KB

Download
memory/3988-752-0x000001F43C6D0000-0x000001F43C6D1000-memory.dmp

Filesize
4KB

Download
memory/3988-751-0x000001F43C6D0000-0x000001F43C6D1000-memory.dmp

Filesize
4KB

Download
memory/3988-750-0x000001F43C6D0000-0x000001F43C6D1000-memory.dmp

Filesize
4KB

Download
memory/3988-749-0x000001F43C6D0000-0x000001F43C6D1000-memory.dmp

Filesize
4KB

Download
memory/3988-745-0x000001F43C6D0000-0x000001F43C6D1000-memory.dmp

Filesize
4KB

Download
memory/3988-743-0x000001F43C6D0000-0x000001F43C6D1000-memory.dmp

Filesize
4KB

Download
memory/4368-1280-0x0000000006E00000-0x0000000006E4C000-memory.dmp

Filesize
304KB

Download
memory/4368-1309-0x0000000007200000-0x0000000007218000-memory.dmp

Filesize
96KB

Download
memory/4848-789-0x0000000005B70000-0x0000000005B82000-memory.dmp

Filesize
72KB

Download
memory/6040-801-0x0000000007570000-0x00000000075BC000-memory.dmp

Filesize
304KB

Download
memory/6040-821-0x0000000007680000-0x0000000007698000-memory.dmp

Filesize
96KB

Download
memory/6096-715-0x0000000007030000-0x0000000007096000-memory.dmp

Filesize
408KB

Download
memory/6096-739-0x0000000007370000-0x000000000747A000-memory.dmp

Filesize
1.0MB

Download
memory/6096-714-0x0000000006910000-0x000000000691A000-memory.dmp

Filesize
40KB

Download
memory/6096-712-0x0000000005C50000-0x0000000005C68000-memory.dmp

Filesize
96KB

Download
memory/6096-713-0x0000000005CE0000-0x0000000005CF0000-memory.dmp

Filesize
64KB

Download
memory/6096-737-0x00000000071E0000-0x000000000722C000-memory.dmp

Filesize
304KB

Download
memory/6096-727-0x00000000071A0000-0x00000000071DC000-memory.dmp

Filesize
240KB

Download
memory/6096-726-0x0000000007140000-0x0000000007152000-memory.dmp

Filesize
72KB

Download
memory/6096-725-0x00000000076C0000-0x0000000007CD8000-memory.dmp

Filesize
6.1MB

Download
memory/6096-767-0x0000000006A20000-0x0000000006A38000-memory.dmp

Filesize
96KB

Download
memory/6096-741-0x0000000007350000-0x000000000735E000-memory.dmp

Filesize
56KB

Download
memory/6096-742-0x0000000008140000-0x0000000008190000-memory.dmp

Filesize
320KB

Download
memory/6096-740-0x0000000007CE0000-0x0000000007EA2000-memory.dmp

Filesize
1.8MB

Download
memory/6184-689-0x0000000005990000-0x00000000059A2000-memory.dmp

Filesize
72KB

Download
memory/6184-688-0x0000000005A90000-0x0000000005B22000-memory.dmp

Filesize
584KB

Download
memory/6184-687-0x0000000006040000-0x00000000065E4000-memory.dmp

Filesize
5.6MB

Download
memory/6184-686-0x0000000005710000-0x000000000576C000-memory.dmp

Filesize
368KB

Download
memory/6184-685-0x0000000003070000-0x000000000307E000-memory.dmp

Filesize
56KB

Download
memory/6184-684-0x0000000000A60000-0x0000000000D5E000-memory.dmp

Filesize
3.0MB

Download
memory/6336-709-0x0000000005F80000-0x000000000601C000-memory.dmp

Filesize
624KB

Download
memory/6336-707-0x0000000005610000-0x000000000565E000-memory.dmp

Filesize
312KB

Download