hxxps://drive[.]google[.]com/file/d/16MwbENvB3elvioZTAxL9nhwq3TuAOKqn/view?usp=sharing

Analysis

max time kernel
484s
max time network
469s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 16:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://drive.google.com/file/d/16MwbENvB3elvioZTAxL9nhwq3TuAOKqn/view?usp=sharing

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
6012	dismhost.exe
2916	dismhost.exe

Loads dropped DLL 12 IoCs

pid	Process
6012	dismhost.exe
6012	dismhost.exe
6012	dismhost.exe
6012	dismhost.exe
6012	dismhost.exe
6012	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
6	drive.google.com

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	bootim.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	DeviceProperties.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	DeviceProperties.exe
File created	C:\Windows\System32\DriverStore\FileRepository\basicdisplay.inf_amd64_65ab9a260dbf7467\basicdisplay.PNF	DeviceProperties.exe
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\INF\c_display.PNF	DeviceProperties.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DeviceProperties.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	bootim.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DeviceProperties.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DeviceProperties.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	bootim.exe
File created	C:\Windows\INF\c_monitor.PNF	DeviceProperties.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	bootim.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CRU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	restart.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	DeviceProperties.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DeviceProperties.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	DeviceProperties.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DeviceProperties.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	DeviceProperties.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DeviceProperties.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	DeviceProperties.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DeviceProperties.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	DeviceProperties.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	DeviceProperties.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	DeviceProperties.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	DeviceProperties.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "58"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{3D9A2CC3-5E62-4F09-A69E-F7AB51571182}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4624	msedge.exe
4624	msedge.exe
4436	msedge.exe
4436	msedge.exe
2520	identity_helper.exe
2520	identity_helper.exe
424	msedge.exe
424	msedge.exe
4852	msedge.exe
4852	msedge.exe
5832	msedge.exe
5832	msedge.exe
4308	msedge.exe
4308	msedge.exe
1592	msedge.exe
1592	msedge.exe
3968	identity_helper.exe
3968	identity_helper.exe
5756	msedge.exe
5756	msedge.exe
3476	msedge.exe
3476	msedge.exe
6000	restart64.exe
6000	restart64.exe
6000	restart64.exe
6000	restart64.exe
6000	restart64.exe
6000	restart64.exe
6000	restart64.exe
6000	restart64.exe
6000	restart64.exe
6000	restart64.exe
6000	restart64.exe
6000	restart64.exe
6000	restart64.exe
6000	restart64.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5992	bootim.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeBackupPrivilege	1384	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	1384	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	1384	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	1384	SystemSettingsAdminFlows.exe
Token: SeLoadDriverPrivilege	6000	restart64.exe
Token: SeLoadDriverPrivilege	6000	restart64.exe
Token: 33	4332	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4332	AUDIODG.EXE
Token: SeLoadDriverPrivilege	5960	DeviceProperties.exe
Token: SeLoadDriverPrivilege	1548	DeviceProperties.exe
Token: SeLoadDriverPrivilege	668	DeviceProperties.exe
Token: SeLoadDriverPrivilege	668	DeviceProperties.exe
Token: SeLoadDriverPrivilege	668	DeviceProperties.exe
Token: SeSystemEnvironmentPrivilege	5992	bootim.exe
Token: SeTakeOwnershipPrivilege	5992	bootim.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
1384	SystemSettingsAdminFlows.exe
1384	SystemSettingsAdminFlows.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
6000	restart64.exe
1592	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1384	SystemSettingsAdminFlows.exe
3688	CRU.exe
3688	CRU.exe
4136	restart.exe
6000	restart64.exe
1528	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 5116	4436	msedge.exe	82
PID 4436 wrote to memory of 5116	4436	msedge.exe	82
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 1728	4436	msedge.exe	83
PID 4436 wrote to memory of 4624	4436	msedge.exe	84
PID 4436 wrote to memory of 4624	4436	msedge.exe	84
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85
PID 4436 wrote to memory of 1472	4436	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/16MwbENvB3elvioZTAxL9nhwq3TuAOKqn/view?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe667e46f8,0x7ffe667e4708,0x7ffe667e4718
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11281275673769926236,5818159571128068050,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,11281275673769926236,5818159571128068050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,11281275673769926236,5818159571128068050,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11281275673769926236,5818159571128068050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11281275673769926236,5818159571128068050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11281275673769926236,5818159571128068050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11281275673769926236,5818159571128068050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11281275673769926236,5818159571128068050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11281275673769926236,5818159571128068050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11281275673769926236,5818159571128068050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11281275673769926236,5818159571128068050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultf67c86bch8727h4698h829eh881e48c731f9
1⤵
PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe667e46f8,0x7ffe667e4708,0x7ffe667e4718
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,15551179329643166841,13324903781028191770,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,15551179329643166841,13324903781028191770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,15551179329643166841,13324903781028191770,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1424 /prefetch:8
  2⤵
  PID:116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1696

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" display.dll,ShowAdapterSettings 0
1⤵
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1ff045a7h8c3dh4d72h8afch0eda7a958ade
1⤵
PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ffe667e46f8,0x7ffe667e4708,0x7ffe667e4718
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1360928392571560766,1834754971653400688,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,1360928392571560766,1834754971653400688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,1360928392571560766,1834754971653400688,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:2676

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" EnterProductKey
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1384
- C:\Users\Admin\AppData\Local\Temp\C43CF87E-7309-4205-A048-0E3F3C255AFF\dismhost.exe
  C:\Users\Admin\AppData\Local\Temp\C43CF87E-7309-4205-A048-0E3F3C255AFF\dismhost.exe {DC18C3CA-501B-495E-B968-8C7575D5B794}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6012
- C:\Users\Admin\AppData\Local\Temp\651D5E2F-AE82-43FC-9AD9-91DD8023B359\dismhost.exe
  C:\Users\Admin\AppData\Local\Temp\651D5E2F-AE82-43FC-9AD9-91DD8023B359\dismhost.exe {1D3524CC-6039-4E88-A1A5-E17053F3C668}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault867e9fb7he90eh4ff2h9d95h13f7534b9e46
1⤵
PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe667e46f8,0x7ffe667e4708,0x7ffe667e4718
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,14398473417528676850,11963156966014562941,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,14398473417528676850,11963156966014562941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,14398473417528676850,11963156966014562941,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
  2⤵
  PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe667e46f8,0x7ffe667e4708,0x7ffe667e4718
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3612 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3736 /prefetch:2
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6884 /prefetch:2
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,14036162437669938730,15909393729890127664,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=7408 /prefetch:2
  2⤵
  PID:2336

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3016

C:\Users\Admin\Downloads\cru-1.5.2\CRU.exe
"C:\Users\Admin\Downloads\cru-1.5.2\CRU.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3688

C:\Users\Admin\Downloads\cru-1.5.2\restart.exe
"C:\Users\Admin\Downloads\cru-1.5.2\restart.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4136
- C:\Users\Admin\Downloads\cru-1.5.2\restart64.exe
  restart64.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:6000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultd6a9c1b7hbbcch47b7hb05ah7875567018bb
1⤵
PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe667e46f8,0x7ffe667e4708,0x7ffe667e4718
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17849364776658621056,10608573728878510233,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17849364776658621056,10608573728878510233,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:5192

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" display.dll,ShowAdapterSettings 0
1⤵
- Checks computer location settings
PID:4532
- C:\Windows\System32\DeviceProperties.exe
  "C:\Windows\System32\DeviceProperties.exe" 132130 "DISPLAY\DEFAULT_MONITOR\4&27B1E55B&0&UID0"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5960
- C:\Windows\System32\DeviceProperties.exe
  "C:\Windows\System32\DeviceProperties.exe" 132062 "PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\DeviceProperties.exe
  "C:\Windows\System32\DeviceProperties.exe" 132062 "PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08"
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2372

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4920

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" display.dll,ShowAdapterSettings 0
1⤵
- Checks computer location settings
PID:5276
- C:\Windows\System32\DeviceProperties.exe
  "C:\Windows\System32\DeviceProperties.exe" 328762 "ROOT\BASICDISPLAY\0000"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2452
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" ms-settings:windowsupdate
    3⤵
    PID:1788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2608

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38f9855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:6100

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\c8c8f5cb-fa51-459a-9e03-674e1004d56b.dmp

Filesize
11.0MB

MD5
675f2c050159f347608bb836f4f1f589

SHA1
27ac6cd80f2d04dd10bb3f2cec1df16831847df1

SHA256
276098493d6434a1fd10090a6676fc3b257b3e0ebb5cabdd44cd1d8443617eab

SHA512
057edae3b590db65addff364ba3ce2544c868ec6b4d251d1907f050681935efc4a5a008165fe584508dac9b7c3b0ca181e08d5ca3dd1f5a9e34e98cf570b9796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8e93b635e4a90cd7f35ecc583d630a87

SHA1
377557f42040c5911ea2af188b51ec6f15628899

SHA256
0cc51ef2b5c655f07ebf1a1da26928d3453fb5a446ee5c6881024238357c4b21

SHA512
17b8b1ad65258981990fe94a8a06d155720ad8469ecd6d7afa5fd8f483003a481d0990b8d1409e6a060ad5b96480dfbb38fc30a60944984b771b4f9caa525e30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cbacc918c3f6a279222ef1327e1e45c1

SHA1
d379ebd1ff0d6acabb49c1f027a3b1e2dab2175d

SHA256
d680c52a925154944b9d3b5bdadb5e1ba8badbc8e66796da08d7572a4583335c

SHA512
c76fde9686bb4cf15c5fdb714ce261b13e40a23ab05673971ae414ee6effd6d593ca914e46953fff40a82dac43456093d8f7e36bb56efeacb5c7027d8bb5ee22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
210e3ae561207407073ecf0375a9db14

SHA1
f3be07ed404f819371d29d2f805d70785f46b715

SHA256
dfcf09c8d96463f52b28fe325d6486419342c439cb9ce4040c7a8e91f990748e

SHA512
20253187407234ce734a7c3a4f12f29b8b665405c9fa590373160ce9db8c59f6b5a84c0e849daf08910eee4f3bdbeea08474aafa44b56fb7be130b153f0e984f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8e5568dce7ffcef7db46ad312f35479d

SHA1
63f07727ae28e20d8d031fe1662af016f3ab2ca0

SHA256
07af2edead75ae663e05d140ee4e0192c4c6b35088ff9180c6ae4e5baa4575c1

SHA512
8365e21d606ac19579941c40e7cc3556279caea6198a75b7a751bdec32901d4962159b6464f4312de51d2dd31b392793a94647c8e0a08b6d257a80ba68514afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
80bcd9f21c726898e07f3651918d793d

SHA1
d5d520e6c4d19b199b67134adce67e9a9743d497

SHA256
20741032c83de45b1f6f4f4a605024dfb8d02442eb936a1b73f1e68810159643

SHA512
5b0c9735ba924ccf62f72e70de1a534877dc7a7aeae4a86979bca3d674ae920144e6b0287094c908e5e6129706dd7a0243adc185dcf600d90cdf6328b1641bcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6be50c8f-9e53-4e07-a418-e30bde23e283.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
99KB

MD5
7efa4fc1d0b8efdf2424084dab6be9fd

SHA1
0e36be925ca81476b3db7e6edd4c82b71ba61ffc

SHA256
8d35b577e71b152c8175fbabfef8abfc9f357f789be8656eb8a08e3cd28899f6

SHA512
d861258392c314e3c46f535cf16315683cbb15582c870682598e4f32730269af930248fb856df0c1cc3b6cb08dd323639c788dbc8d3a0c285044e82d6782c189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
20KB

MD5
6931123c52bee278b00ee54ae99f0ead

SHA1
6907e9544cd8b24f602d0a623cfe32fe9426f81f

SHA256
c54a6c3031bf3472077c716fa942bd683119dc483b7e0181e8a608fa0b309935

SHA512
40221fe98816aa369c45f87dc62e6d91fcdb559d9756cb6a05819f1cde629e23a51803e71371f4e4f27112a09489d58ed45b2b901a5f2f00c69c082b3576057f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
20KB

MD5
93eeea702a80c096950e60b99b74b8a4

SHA1
cc5facf47047c7aac51bdfa9db1339891957e8c7

SHA256
98fa60f3d0aa0668eb3bd9f56657d4d016913f2194b0e2077810f4c906a77854

SHA512
c4ceb5227cada0067261eb6adcda1a0cebe46e1184884a03bc8061f0d947fa8f3751ac3709080934e79ef2b0b76aa417f5e0df40ce8cbaa9c1b4153c3b83734f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
33KB

MD5
1aca735014a6bb648f468ee476680d5b

SHA1
6d28e3ae6e42784769199948211e3aa0806fa62c

SHA256
e563f60814c73c0f4261067bd14c15f2c7f72ed2906670ed4076ebe0d6e9244a

SHA512
808aa9af5a3164f31466af4bac25c8a8c3f19910579cf176033359500c8e26f0a96cdc68ccf8808b65937dc87c121238c1c1b0be296d4306d5d197a1e4c38e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0a88aee02893cea8d99622b6b072cfdc

SHA1
45262707dd516eb81005067d5b9a878ae110991d

SHA256
c83e4938fee12606129f50b74eddf27dad4d9359dee73893c33194fd7d6f8687

SHA512
ebd0ef789fb5351ce02add5bdeeb6e87735c5fe98b69fc52c3270b93eac2bd3859a66749d5203c28acea8d9e8fec4875459cd0840d5a8cdd137c1533cc7d0a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
0ede42536bc45adb4e4b0232798f9a2e

SHA1
caf2f6836a7c960e60ace5a4f79dda206d5a7291

SHA256
fb0065d5d25645af3d679adeb7943710c8fb40d346602395537e9c449759e129

SHA512
e50b3e9c956c0ace58526c0eab79f8d0acc7d806ee0fb3e9ae12b4ca4af7afdf1c4d377acac71cdd7f17ecf69e0c5d8b38d4b743d51a7d8c1d2f4f92be7b1fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a4ee31870271729c93134caf7531b02d

SHA1
309fdb9a21e160e8e41169b342fced2c8a7078ed

SHA256
a288ef7adfa3ad2d772b2522520e5aebd69123658dd16519b1cf995f0027c7a4

SHA512
61e2cc261c9f21a5a3e54c3d1850bb9700b25a02a398d4c802e62528cb56b28a2bc26b75f574ce3cb38e1a3869460ad2df62848fce3206f415ffffb928e19cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
87fef809925bd2b4ae4d37b0d3633c3f

SHA1
adb096c6a64fe20a4077122a15650a463fafc55d

SHA256
c51fb9b9429a13541357b84d083acc02c1d34eadb6033281fbdce1cb17578824

SHA512
4cf619b466dc6aaaab602666c0a55dfbfccb811e8011429a40dce2889c0e2b4ef2d6e7461b1018888f7cc9803ea9e40cec483f2fa9c14ed1f6e77e6111996ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
aee98af3e47b744eac392ad1a31fc562

SHA1
156f2a3db577d1d202eeecaa47ea60562e4d3f2a

SHA256
6bdc8ef925331932ac886271055c0acf9c3e8438ab87f9e16edb038fc099ffbd

SHA512
72afbe40be4e5b63475263e5fb1006951b68675fc69982549c0759a7b40119fe66adea19195c65448bf5bedb890ad0987632fd3ea55f7764ceabba1215fc2b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
95B

MD5
e747f00bc750c8b5438d17c626546063

SHA1
42fdc138eb2e3f5b19b21426a0cf9aa08fc2578b

SHA256
eb8ea32b91057259f2cb40d6f8fc63367a39685486fa045bd0d4cd57b4613b06

SHA512
40ac77e5937d6a79f104bd309e7e6e5593bf3c03f02efdbda375df04a7cd26afa3a7f677e7184919e25673a53663bcf36364b5e277d499d97046837fccbdf4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
e50da3211b0a7e30451dbf2411a76454

SHA1
28f76597eaaf711c2b0d35770b217e1068553784

SHA256
29a9eabff0b89516ea163ddf764810af66b950692535909a0686ebd48a51c3da

SHA512
8cd940bb1783e2076406ab37dadf81b82be8e62c35e2c3fdcfe2a40a5070792d9c3c00f3bc0835453d3abe5b0e48ecd55c486494ffbd71cf27c1291a0b6f22d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
1a31d9f9ddd6a8420db2656dad7490db

SHA1
9d98fc8b0e060c765a24622827e91b0241c30816

SHA256
3bcf6f3152b367407da0925a6fe8aa5555f7d06ea4c7bd3fe415bc5206a19de7

SHA512
0ced94c799b7c2746d89771ba84e8c87bfb791be9a2d653adf040be176e3757a794c03545d24979e0c4e7e27d9798be7c577a41aefea57ffd6dde8735d1564c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
a8d7279cc9a0036e84c59006a845b06e

SHA1
13187d4ffdeaf010063b8fd4f4d70cc0cd1d85e0

SHA256
065998fef757bc254eafff54ed42c4b72f6be2196eb0c2d6a9f2c493c2ee9a09

SHA512
7ca9f907f77d13079b70e5dd866a84a449b518739615cfc296efc5eb1a5b6a0b4837202664674c1363a3a76f95e403a30d21320ffc1695c1bbfe94d6fb0bbdd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2221084f6477ba493581999fb67af6fc

SHA1
0f1cf90918dfd55051adce534ab7904fb3107528

SHA256
0006574ee8471242f3fdc41366eaf689bdcf3b77a011e7aa9631651c7f59f386

SHA512
e9760d01fadc68ca81062ba0b057f43250cb5e8c994dbb9dd95116c49b0a931a6f299c386780cdf62d1163f4ee2271f657c091a5400202f88b5a0bf5852ae384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
366a69e1585aa04b505c3b139238d3c9

SHA1
6af6b81c0e894dd5d2807e8f4511bd0e95320e92

SHA256
1ba6b91c6953b7f23a1687e43a571b7341fb682c5510c6af9b4bed868af7194b

SHA512
cb78655c648d51e617d3e849b2dfcb2a684ac416af143e2a6315d354d4c39a532bfdd77ed646087a93a4fc22e5a92475c82bb53fe451f42093dc73702591496b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
15917d069aa782ab053b8d7062995cb6

SHA1
6107e684372d52188bacc6c484f1df902d495f1f

SHA256
48cf57ad4617e4ec648a33ccc8c050812aeaa90e539e6872ace53dddeee12dcb

SHA512
ea5cc5b4905d5e4d18f9487c8fb52a3241ac687bdc670f1c899b97b9bbea241defae802e42f9ab0fb91a65a51a7944b8c1f7ea0107f46370ddfbc92c357ddba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c4d74d39185e79f4c9c5ad351bb9155

SHA1
05e8b63575e25c680f48400143c363a8b5239621

SHA256
5f65718b3ba7ece03add281fe71cf99f87dc494484f592a4a19956dbfde0f0d8

SHA512
82832cb536d3ee6cb598e7f5f18b27963325cdd1aa8e2fb4ad6cedbd99b5caae0985a8fae7d0f558381cdc0dbfb4f01115c50ac9966bbb93ecc0aa63ae2aa672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
c3bb3e0eea78aa09fcbf19fcc9c8585b

SHA1
6abc03686add45fc5e1dfcb66d1b3d77707e49d6

SHA256
1f6cd7b9f4622d93aa5cababd3d3c79d222ea861cf4b66f9b232a7a377e9f39d

SHA512
dc6be4a917042bc03f4cf5ae9607cdff6261481e3b67efa0daa9f2ed11f4ecd51f5a27d23d0f749f9cf4fa77a69010d186f82e7b3d777cc0d9ea53cb57f52c78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
e75c45860f6383955871965e6330fd59

SHA1
3b2d07d4be8eccdce32614f7376dea3c7f4cc92c

SHA256
c11f680d36a086096b75754a58b46ed2d42b931a75ff3eff193dc160fd4c04b2

SHA512
f10398a0828cb16276909bf6345bad25eb487e26c3a33fe770fb849ebcdc7ede5259a185c2808d79f7ca19f11d534cc3c680b558272e379e2354bcf47d273b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
e43dc1068b99f5a73ab37f2b6b02d209

SHA1
845e881fad45c0ce31afb2001366202e26a055b3

SHA256
6302cb4a70e881bed17c85307bb5dba8c950b64b48a45fd915d05ef5a70171c4

SHA512
0316affd75e9ec12e131eb7732be3475888745fbe272603c3bf238c7ff44a717cdf9a3f76c80396fabf6a7a461cb9b313dadbfd4d0e46b91ee2289d113441ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0c3b7a4e97b1e3da1dfdd14344e536df

SHA1
5d4bd87a8cd005122b19126e53e3c27251a805a7

SHA256
d5f370dbe94558c7d6b9515a2b1508c132e7578e016c4c79a3eeae69179d1fb3

SHA512
b63fa0bc54f4eddde0637fb12c0ab405c1b77235e5bf0ade89f4d2164a315190bad6973c5e59145c89dcfba30355181a1afd034e2c1dce993d21749073da83b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d27da935305930b0ffc8b84867b3ce09

SHA1
1bc20bccb5242403f39811cb18a67411bf2e4efc

SHA256
4b1bc305966f85bbe0b6127899ca0a846ed8dc136656090c1be7284e19778391

SHA512
de5a8a8a2f7b9fa72b22546123013f846fbc43bf54bfba5583b484fe648077bf35d7f6052896ac5255f1ae55a159e6e5b3e25d7a04abd6708057ca30a536f399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98ae505581802b17c1e8233a03b5b1fb

SHA1
d1d77a734378540f84b7529752186862466cb00e

SHA256
2c85c155dcc4eb0d876b7975ac78b3d93cc18c13043adc0480bd1a256796a99c

SHA512
75f472bacff48dc0996483ab8b1346c6b16d514d6f35a46caf036dba3850e203ef0c4b5bef8314bf5fd225d34b2f36d78b263e9a9abdfc749e2b48e52ba6b4b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9db9203ef5b708308bb79f9d60ab3ccc

SHA1
4a4479d0696c4226116356d9817ba7adbf838c8f

SHA256
e1a96b61119bdc735d2fce789207ab2052a5c96ffe5a2874ab44730e07e2fe58

SHA512
c1855e45f9e4f8676b74ccc6d44934cc94027fc256d34101aa8c7e0f8d890873f3c5a185e59fcc08dc83923674f8faffd53927218959ecf7163f3195f6a93e35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
9e683be458278c9e14ecb919dff27748

SHA1
4d2159ea14d4ebd64de75f4856617ded30395f06

SHA256
d0ee128bdaa7ac531c5f7b567b192cf1c9a0bf2f50f721225d42ff7d55e190a4

SHA512
b2fd0a64cca0ba462e03789da6665aa76f93919cda6ec50e792808b0faf9a8b6442965793fbbc8a179a3838a04324667b85dcda7c7cc0fbea452a25fbaaac66d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
9de0eeaa86696d7e8d89079a1d37b0ee

SHA1
e6017b85b8cda15ae202a1179831ff47680723c4

SHA256
b8ac893fe72c3f9d0818525e83c741b2f8fce5911bad16d3b929b9c46574c248

SHA512
67395c999456196002c364d8238a85647467642e8568941d8ccdee930e8528a1c9e133d3c6cc6239010f5aefc4a0848602a00ce13bd668bcb1cdeee84bd22176

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3491f9f4683a5df83ee4170d00548eaa

SHA1
c744831590e7744794a507cc1aa980432090e996

SHA256
889d2b83e84e6283c2fd38763278f8180a873d8a8f90abd5abc5967718f55855

SHA512
ca3a7553ef5bfb896b2b9f715b178b46392ba99c1d78b6d5b6beaf062637ca21d9326c8306b1758ed6ce8137a01c93f3a8b89f2a863837090b3d3a4916c7f6ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
f53728453aa96ce09e967ef543dd5127

SHA1
7007ef9de488a200f24d4b469381aab844fc83dc

SHA256
d990c7d5ab211fd6f1a658c7194fb2685a64f19510c94e3c563ee54a26d311e7

SHA512
825c228a58861b033b8bd66a915999b71c051c2e2a591c059a42c48779bfecf9901917e74c8b676024549628a86390ee7b1ad1ca4d83bee926007ae1f6c53119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
2df95c6ce2291f62506ff8e2be4dd6ea

SHA1
fdf655dc63ab66e867cdf37de7eb29d9dd4c2192

SHA256
cb253efea8100be8d56286e1250ed860f9cf3153d9f191d60c04c4a495d0d333

SHA512
ec885f6c2be7709a58b7485737a2a8035d967a4e38114d96f4255200c71ec13a347b71d74109901a2847c67091e36235c73c41f059a17d8ef7570aafb4d01bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
f8a39dd71f0c953987b7953c53b0151f

SHA1
c7c3440a0d5b5661ce1beb6dcbfce3047de6f862

SHA256
f9d8b0e5dd8b94618cc9d18c2021a744c8fcbd071474993fedf5046792142214

SHA512
952d0fe1774e40bb946d55ce5443c350fff08a3504570f871e1ca87cd266bc9c10f1573ee6644aec7ef0908b7ab62bd2be7bbb97740e19975906f139b3927878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
81155e99b0cd3d5b9fc94428a955aba8

SHA1
732e96617a42ae5310de92064ac26a711c22cb72

SHA256
76091481c37a29c21d0fb0638824b8de7c23d6f0ad49c8a9d27627bdd3a321ae

SHA512
aaa0b27e551683867e035fe02f593b79900462e1496c33b5db8250976a5f5d45ea343e7827339b13d6c2d7813634eacaa3d1664181fd2e187fb40b5e55b1a66d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
25c64dd3533acb1a12722df7cd4f32dc

SHA1
e50072312f8517d5008dd5e92e4a69b66d664eb9

SHA256
f9632fb6f1dfb1cda2652c487aa91705680207b60e39fdb361191fedd66a0da3

SHA512
464a71e4b0239fd43b5c6eb279461c66ac7887f580dea7291974d251273717c55c6cd36ab0e30f495bd800fad3731217fa5ad4bf397e4ebfe9a17751cdf8b0ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ed9385db3ec8d5febb0268d7b31e5c45

SHA1
eed4228cdca7c8b23b0dffaa3097ab75a01f4869

SHA256
f9e3aeb827747485d6333273e3abcec047a85810fd48f52ae3f76fb8b6cdfb66

SHA512
852103c49b678fa9079c325497c0e28b737d1f511bf999d78fdb38c1b8fac5c49858e3e4275ad8e13ef6c539586948e95bbdaf5a023407e4059ec9872091d0d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
280eb1bba9d94a1fed1b30bdc975f8e6

SHA1
cce31d4c7b58f45736e93f49d353f59b9ae09f41

SHA256
9732fc3a84d6b87501d748755a048c508bff60dfa76136582ccd8ba14320cdd6

SHA512
0a6d53e0b76208857cf1b1657be1c7aee4a01bc46c9a234d79e3a74d48cde937da8e455e526503549551dadea2d1e18872df45d3d324cfe0cf41db1d41f7d911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
aec269b3fc712b8ab674499ac0ac2f33

SHA1
b5614ed0eabc52a460429c73e733c9ee53645442

SHA256
41d70bd410ba0de153e66bbc396668bbebb2446b911d6ae6da99f608e6ae2334

SHA512
bff67a42cf2e6c1251954143b29e07fe3727ea1f88fb0a0b4417ef370b11946c83d7a90eedb5c93eca40a84606868bc3770d151d716fe8dfebe53851f6d6d9bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000004

Filesize
17KB

MD5
d22cb8682c6c279a568ed39bdc634f0f

SHA1
677360e899085b1fe7af0098575842261a6d854a

SHA256
78b575d52c9342adcc7b89ee8545e0577169b0d520a9924c7d53bc3587b240e0

SHA512
2ad0f705556abae3edb620d4370c1e72c749935d6ec079a10272ba2cbfe42d06a67f6fa1c3d80755aef9419391f701e98d479e946708e26980497f438b154ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000005

Filesize
17KB

MD5
f5515436a4be224bf48a15473ac65134

SHA1
71982f82655ebac55d6d639405dcbbb0cdaad921

SHA256
f35a6f327fb99b2cabce3d11777e045943f1dc03d58251f9801cb29faa1225e2

SHA512
e2c6af63fa2a20711745de0cbd671751acc87267a1e8534e8bef1ed81cff941f12c463167625b02e467e0766605b2c7365594cc497f3b3744cc1ee032d8ed963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000006

Filesize
16KB

MD5
a33b3a3fdf5161be5bd861804961f557

SHA1
68a57897f1686a3e62ce9808165e18f31661d077

SHA256
ac33d8bc6d9a5e769472877d7dd3d035f8088274b886b16cb1898b106da48560

SHA512
c94c29a5a9da89044504fe06702f00a7fdd5bc7b85e1733c0cc9a363a812c8d8f95672ea7731643229fa4ae2f1a632c73096d90b63799f5bae7639b41151ccb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000007

Filesize
25KB

MD5
5bd00f5103ae7cfe8b3ffc53e19aba5a

SHA1
86a2c393f3fb55a45e8b352df59935e6dabd8408

SHA256
3ff9bca3baca0698e2ac5df01a5fd26d80ab2bf0e9c067f73ad934ebc0fd7d97

SHA512
c5ef76a734365feb32aa4fdf5bde4de5cb550ca1b71eb728ff2f587c2656918408169464546723287a2247d911785780b523cf9aa6c962e11c88e67fbfce4961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000008

Filesize
20KB

MD5
bbdfb15d0c7c1709070d53c80cb1edd2

SHA1
1e19f62836749f77422cfd660b0796c4709f3009

SHA256
4671fc707dee1f7eaad46865c5bc7db9a213e02fc1f0b2fcf995193f8174ee67

SHA512
f8adc4324a6df93ba1cb440a5f2cbf629d6124e33484287434c43f5816aff439693567c8ff27128f16322b66e99c66aea932ba431dff5fef2e138704fff6dcb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000a

Filesize
18KB

MD5
611e57d7bb38c215abef3c0ecd3aaa11

SHA1
7615308d4be5cd99917a8682430a758b1048027b

SHA256
24defbaa2c67b495f3be4b55ef1339cbf249b38cb4a980e069846af2691a01cb

SHA512
1f69fad2df40172b0e0f1d8bbd4351903f14d6253d8141165d77fc2aabd7b5dd32df58f470f109259f9e7ffea8444a5f7d6b8944ddc45f67c27009169ff7db68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000c

Filesize
16KB

MD5
297235c429cf33077aeb5d58cb8e43ab

SHA1
6dceec335ed41690c9bcaa74222036d93121242f

SHA256
1bca092cce2accb6b8fae794656dea16defd589ace2f066d11a9399bd7479bba

SHA512
4c7d33a2c52b426ae33522d536d1917404f44a721c1a5af62b39fe2dbf283f2f9cd59bba1ba8cf40fabd1206ef465f11bf5c2a7778754b7282f82213698dd1b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000e

Filesize
16KB

MD5
916657b1904462de4fd9ddda8acf9d97

SHA1
ee32edf403ae7732a39154d925f20b96f28f24ab

SHA256
6220d4d16f2dc838ae215035cb67b832fda74852f0b4e52195a2a29cde0f9977

SHA512
a4c1d241ecd7b64edec45f27963e35ea809f9f75d8ba9c0a7b5558f890fb7ee0305a8a827697fed58ff993804b3ece3e5e5a80b6b24ed3a38cd195f26c031a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000010

Filesize
17KB

MD5
f0d08439cd47e39ffcf4db8e4ec35688

SHA1
2475257b6eb81c4e2b3c50097f485c7d5db6cf5d

SHA256
661793d32c8907806879a1ec589738d80015e9d41faa5eba109e7d2534c6fe3a

SHA512
616a1a805d914e49b140980e588cdcfdd645f4a3630ecf52ca3c73706bef6cbc0fa6c35d9f24444b73db1b97a3294e35e47014ba7aaf2f0171ee85d3b59ba655

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000011

Filesize
19KB

MD5
224859ff4912ea771c591c6c0d6b8c76

SHA1
bca46136f55b29816ec41e0a72f6925a865c2c2e

SHA256
ad78e3585c8ca04d3cdaf44c8eae4b16325c72c08385445d9015052732aca099

SHA512
d74648fc75b852c78292392214c7b3471fd3cd0d320adea1f7ff50dca716b44137f39f4e6ff0cc42267661f5380535adf06d1ad592b0cce6c05d8a9b463cde9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000012

Filesize
31KB

MD5
2f1ec27c2803176aa1f7cb1dfe10ad06

SHA1
5b93f0a2a9322f1b34f1a63b356e3acdc836c99d

SHA256
f8bd05774df8f324683471354366e3160cacce57fb7b8aecf061722ec75f6532

SHA512
f8139ae2e0375bf05bc94c8631dd980bae5be9714ea78730d9e7f0c3c2438ea4d2fae17601c04649bef2c95a684062cea826efe0e08336ea2a8a35aa420c39ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000014

Filesize
16KB

MD5
2e68f7fb40b89156b6eb280408ba0b33

SHA1
d1ef510d03ad27a029514fa76142920e2a92fefa

SHA256
e49ef4f9f70f75d92e37922874c2b3a7fe2ee4e7dc7421c6e1070b19819f2c95

SHA512
85506ffc415b63bbd047e0eb6c048057f5ff727e6c5c6d854b0364f762a4471d5f8d70084826b2df04970f989438da8e58c2d5dc1b1b82f829d256440dd92b89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000016

Filesize
17KB

MD5
517bfad588ec7851568b098f07f91b91

SHA1
8c1568e6549e0d544e9e6f4bf8aa0d33141171ac

SHA256
0a592ef27e1181262cd2edbe7ba33463105425d0517f52884a162144c63edb1f

SHA512
981e768c6900964635571a0ad2f12b10687ed215d7ad608f61a58ac294f59224e1f74c58e2c3779fe79a2f146cbe6d2f61560ec054b3de84c1dcf11636be932f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d619303ed6e13b534440940a9c71379d

SHA1
9f3a42bff7c45c49de7af80476c78de3fa1639a8

SHA256
a16f6e64ed8ba58d0d5e5cadc63e803ee1dc8fe658205a133403946b32d45237

SHA512
be2c12366d6869e5a5454a4d7fc94aea27a76af0126bf19d79bff3175fd2900f48be683dc8a46afd002cbef0662c2e3c764006249e7482798dd28806ddcb1af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9a03c63ccab657dadf6ba0a5b7e2944b

SHA1
7ffed9ce8f3d028b9705a8b421e6404c897a103e

SHA256
d756d48bc94cf3a7eafa456c8752231cd31ad9cbfa1a8925218273d7f8b8d695

SHA512
8d0ffe7094ee38f8d197b14c8f1b7d9832d6259b38c1b8892198b32c4ad16ff9b36ccebee06c1ecc62dffb2a2b9784c12aedef08e076a997d99f4c2322bf9656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ee6b99e9294121024e3213e8526d00fb

SHA1
59edcd725f6f60ff6afe131e0f253777f57821e9

SHA256
353bf83050163fc9682c407081b2ae7bb2995e6767353909e32388986cbfaead

SHA512
a3f5d5777003e355ae9a7e4ecb786a19f29804d3531e2a31773ea12fd48207a2ec9b320d447cea8cd90e29c4229711f90dbd0e5d9e8ad088fe9a23df3d5301cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
35da8d261664fb8813116a92bb6fa811

SHA1
9b65f97a04827aee005c168a88e18da1efda48b5

SHA256
f8230b0ba314965e423d7814a119a3696c14087a1d95c48b2afa75874032cba7

SHA512
8a062b2d4855f04440b77f4768df56abf8c2560c0238b08a3bf80ddd636e65b4288e594bdd68c8fbbd717188e6bb9e443313554bcbcadfc0877c8ed9249bb4c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
eb14bc4230683cabb780aebe612234de

SHA1
9ac39b02f0f0daa9f09eb41eb38fa7321164ec96

SHA256
f271a5036c4c500486d94a8a5d07bce77dc540d02501b88351b3915381c29551

SHA512
ef71c388ac6334791caadf4e7868377ed600af41834ff08f1380b69586f7cf83ff8633c3336b4fb5f42bffb9571d642ea2aac57e4841db1d07a8665f082a733e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Windows Anytime Upgrade\Upgrade_dism.log

Filesize
13KB

MD5
3ae84487ef5c53be038574f3b1a2e10a

SHA1
3d1d252587b5d2e2b71c5824de30de18b00d3bea

SHA256
b73d77bd3e2f1af8ad11ddd969d5628487bfa527e2ed74c4c2b6ab5e000cdedd

SHA512
d6c0acb805284451d8aa7a20ed12ebbf7acd3b8f0929154a18fd41b174e83ae5c89959feb92d51c05dfba6fd90f6270ded1111e4e0a1fdf332dda2bbadb3ae3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\651D5E2F-AE82-43FC-9AD9-91DD8023B359\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\Desktop\ApproveCompress.dib

Filesize
180KB

MD5
d4684f2caf43a8fbf34a3856c3d9868d

SHA1
794905310d6ff4e809dcee690be744f4f4175e7e

SHA256
5af1504fa9d2f08de3d9c80897e0743538f04c3400a4ed8d24a417d72786c048

SHA512
1239461069ba81ccce60b804f99b9dc28fa8cbf6254e468fb682fd1453671dad67734b12ae820d3b933a3e064166efcdc03548114b1c3a9deb5c39211b4b0fe0

Download Submit
C:\Users\Admin\Desktop\CloseUnpublish.hta

Filesize
522KB

MD5
ae605c22a4c615e9f1bc16d400e4f820

SHA1
6a251db595460d7877988cbaa56d5e4c62ed0a9d

SHA256
05073f65c06e47b6b03cecea822a007b5876394e256a7e25eee4e268fbbb26cd

SHA512
26bfbe3796f862b611132a09c95580f9e06870320e9e9e38069365fb956b1717b5b46bf08e8851ab460ac41fa4326969e751786accb3333e3be84c030ee9fd71

Download Submit
C:\Users\Admin\Desktop\ConvertFromClear.xlsx

Filesize
9KB

MD5
5cf3009a1cb335bc780cbee669960142

SHA1
e245784f2eb98c06770cc5d42e9fc56fe6c4dc17

SHA256
6c61f6fbed70df03d33176365ee231c96402c7fcb6c81324aba50e1427ed21d7

SHA512
7a277aa752a650d38f73eea9e4121d33020b6f7604c57405bed5885c42016a680ad81e3515d08258d40af0681d6072a0992755aecf851d1181c98fdc235f42bd

Download Submit
C:\Users\Admin\Desktop\ConvertToJoin.m3u

Filesize
331KB

MD5
0436d32b1414d3e3f0220a0192d5ec5e

SHA1
f604e139d9b7e2488004ca2d1858d7621ca1d03e

SHA256
19bf80323976b9dc2b7ca4395f79e196ef1727696dab433c3d149fdb41bf6075

SHA512
4f4b68d634a0089cd7ccfca361f80d8d3d1781b1383210fb8a3c34166edaba8b13a916ae02eec163e1a8fcfe0a0dc0e49110528bbb56c5b6cc0b9142e68024f8

Download Submit
C:\Users\Admin\Desktop\DisconnectConvertFrom.M2TS

Filesize
191KB

MD5
637e143b3824bac3102e73153e948a6e

SHA1
747d74d3b6f0bf6a64669559122801a2ec81d5dd

SHA256
d4b34147ad2d00bb4b94c3266889591a3b2b7a0b0d8d28f0795bf1b17e86c466

SHA512
5ff91d20d74d2f51615e71f80f4596ddf4b7e7976a89531b72308fd0a03358f1a1040269d942aabf4ee0b116ab2a6bed9dfcfe378fa01ab206a1748ab183e82a

Download Submit
C:\Users\Admin\Desktop\ExitReceive.php

Filesize
238KB

MD5
a5a04bf34e07d2ff599e4acb586747ea

SHA1
85b4bcc7ad04f951ab9daf3bdef31e73861c564e

SHA256
1fcf1bead06ac59d152c7f1e70826cf54565f6de790f81b00f4f0c9eb67c1908

SHA512
6a9bc1e75b822eebc01427be7fcf3e334da4c589f7d89849d8ff5595e4a54aa2ec47145b061809461dc3e02b95e78e562cdfbc56c65c9814a6b56cbfff6941ca

Download Submit
C:\Users\Admin\Desktop\GrantUndo.temp

Filesize
145KB

MD5
027a2e04cc6a6523598af86e78c9278c

SHA1
08d5caa0c4315fcd7806d56b6b9423c60da8f671

SHA256
ca234bda2e4daee248df2a11e965fdaab9b35ec3aa0de3fe39020a4f48e32b0c

SHA512
45c1c4c5cf8a08c62186e97daabecb477076c8bee103f4055af204d081639894269cc84b04111e68be50523c82d85caae61ee93636c0035f3468c8bee0f721a0

Download Submit
C:\Users\Admin\Desktop\GroupUnblock.wdp

Filesize
296KB

MD5
e5067e998adbe765315b397483802f83

SHA1
7e329d158900e4ca31fdd8d1f0d87df472291db6

SHA256
f63e1b5f354a0c1e7f6e6cbd8f6342c386768bb6829aa59e02d561a6941c10e0

SHA512
959696556fbdcb273d564555b9822c8107298c5d189cfb23b4558c2d753db5468d9dac7ff2d785e2f8d2415008fa80804ad3c44a8fe748b5bc655016fb248399

Download Submit
C:\Users\Admin\Desktop\OpenMerge.wm

Filesize
226KB

MD5
26c91f302a246a67208090cc03c5d24a

SHA1
a012e77e11fff43288f503ddc03d4969cd45d8e1

SHA256
0e78c8945c52556b0cf70deea19941da193220b9b0569471ea1ba837ffb8d147

SHA512
f18fc87a78cdf1c65f811bc3b144dd3482f11ab7462cba89c586a472d1ab59bb67e748ddc9358751cf94c7fc33306e27c14cff79c21079dc9c602a0c1ee9889d

Download Submit
C:\Users\Admin\Desktop\OpenRegister.ttc

Filesize
354KB

MD5
141b4d09f8e4901d785a36cc80b27db7

SHA1
4602e2f684e70e9b1b801449e5c04fb59fa9ca0f

SHA256
614c055292f5033259479c6d1793254e27ca5dc09f1e6a8fe850e8715a7a9a91

SHA512
a49a08fa69312cf6e36348613da37c55d9dc4de48bb85ec7ca657757cd9552cab9ad5975bcaf0b0e136913e0ac5de5b5ebef1a54b96ccda62777594313ed6d4c

Download Submit
C:\Users\Admin\Desktop\OutUpdate.ttc

Filesize
249KB

MD5
37193d795c06d111d93f11fba8bf2a30

SHA1
8a1fa5fe57d3293709a6e1b918354db66b836d57

SHA256
0e4d0c73e7ed446dab542f1166a79d9aa1f452b8a5989edb7290d2163b0f39df

SHA512
d977fde1e6837b0d1832c7ca02b54cb82f40cf17d57386b4e6637683025ac20ff135371e4248038e32bb0ea60dd438b29e94478f89308b24cf6ecdfd11ec08d3

Download Submit
C:\Users\Admin\Desktop\PingMeasure.docx

Filesize
18KB

MD5
c72eaacea515d44b79f29d38db9caccc

SHA1
77235bb36baf2977ab8f00acded5b344c21563fb

SHA256
f3ba50ba0fc49088ea24ba3054bdd2b105999174406fad058fd0e6690623ac0a

SHA512
4da5332589021d80bd71532351500f36447e8447c0cef2ac951f6c2fa78fd319dbd6bcf29dcb4a839749008c93a7cb24b6ee853d723a3c70871fb28c9d545596

Download Submit
C:\Users\Admin\Desktop\RedoDismount.mhtml

Filesize
377KB

MD5
29292791fd04f93a33744aa1440cf6fe

SHA1
792cf24ee9ade37d9783838def753106a0c70b02

SHA256
6ca51afbcd861eda8eb3626995b5f2431d41c48a1d02b6694d42865690b0493b

SHA512
f1a21b19fd65614a0d2cf47673a30a0f353209ea6d013770334b404a04346b197327c483038b040ec87fd31dff5115a30991548ae6fdb0947c1919e9c6a822fa

Download Submit
C:\Users\Admin\Desktop\RemoveInitialize.docx

Filesize
14KB

MD5
0484a47b597fd5a8c6a4d2fd8eb4abb1

SHA1
f4c732ad80e7682b8d6e6dca7040dd103375abef

SHA256
b979d5e8e1b1bbbbede3e2e4d6c22811493ecbfeaeffb2d4d76c3f8f2f98f838

SHA512
23ac9d0875ba6f638246906011a0a8984d0618a41dd43bf223148685abe55c70a3552204f4dcfef480b17f3998859614710e432888dc53bffbf48003740b0394

Download Submit
C:\Users\Admin\Desktop\ResizeDisconnect.midi

Filesize
307KB

MD5
85fe6379cbe5972b8e5ee6e8a0c0850a

SHA1
bad9da4725f51829c377371a992b68bb0d3a8149

SHA256
794e52b4f6d854b3e7d7e40971dbf28e6b268e0e1a7fdaf03b6cac2f895a5256

SHA512
d75da7df89ee61ee5fe3d24a1f826c15b4cae227528033896cda44a57b8dbe126a9c7fba7506acf0b7f6b0cffc6cf04d4304b0aeb67ed97592f175897f8bcc1c

Download Submit
C:\Users\Admin\Desktop\RevokeEnable.ini

Filesize
156KB

MD5
eea5502d5bc49f6a6b1e980cd89db341

SHA1
3f3e2b910945cb689aee01e2f2f6eb1e50769666

SHA256
a48af95967e42e7b6804aea53fe7fa513ae89966aec5fc90139953bc5d2c381b

SHA512
27fd4b3404b30834855376d3252f0433f7bb0f0e003bf87690eb8743292665a16e328436a7d141bdd00e6e9b44dfc00ead48ad0cb13d77f05cbb8b1d45f6f1e6

Download Submit
C:\Users\Admin\Desktop\RevokeExit.TTS

Filesize
284KB

MD5
5f9f628ad6fbb45b7ca3a83772215373

SHA1
45208076869f745ecfe22a655f6cc8e649afd97d

SHA256
bc1583a3a9ed0581b30c3c7d155c5f36a710cc49f17ef381976f30fdacc7ce91

SHA512
66a50c22d0aea072db4166e1306b5a108d74788ca1aa42ea94c093b3fd35e78cc7d1a93333e6d7031d9167daa5511671a9324bd009e2ad94751e8fb8a5d95de7

Download Submit
C:\Users\Admin\Desktop\SelectInitialize.aifc

Filesize
272KB

MD5
1556d4006193ca965aa1a26f41e2bd4a

SHA1
ca5a199bb8ee1a251df6376d814eaa0a45730608

SHA256
78209e4c9fb9dbc5486926d934d8eab9973b422c09a5da357609fa8a5678368c

SHA512
20a31c8f8e45eff9268d99151da1111c3023575e4f96967828e3b53b6baa6d96117c0902669aa0a9da6913b005262cde29403ff3d2b320019f25638dbd9a7bc6

Download Submit
C:\Users\Admin\Desktop\StopApprove.html

Filesize
133KB

MD5
6a6274a110d0b7f394fa0ed5dc7fbf71

SHA1
1180d1215f83f266419d5d17c3f30b507ed6a757

SHA256
d0e7b2ae7abbabaf0296e8ba60b2f927c80fd83bf1eabeddae3c8ea789055b60

SHA512
c58484599adba420e48f645366ba12b88387343e6057a1d2216475b7bcae979bd156e573016eea7da5bd0b5af2e10b109ce1630af69db0051dfdf107c525c045

Download Submit
C:\Users\Admin\Desktop\StopStart.jpe

Filesize
319KB

MD5
056baa6df1b7439d73e19de4f1a0f4ee

SHA1
e32e2d7467ee137f3c7f7e1643822e2d0f628815

SHA256
4be0cced0df1330cecba30297c4cabdb59c2de9418e14f1f4843502779e00bbe

SHA512
699d7ea361a0000bf8937f388479f66affca273f143dad163e4df2e139c9d7d38802332e861e2a25f373aea335d834f208c3ce64c7b629dc5ce67018bde1522e

Download Submit
C:\Users\Admin\Desktop\SubmitConvert.asx

Filesize
261KB

MD5
6d7c3d539ad7adf069d29580789267a1

SHA1
248505e6aed3bb6752b36bc5556875a17e0628b7

SHA256
b4296caaffe48c137ecb4d2e4df91c56f9091c890f743ce2e1832a2ba4cfd8f2

SHA512
c46309c2069874dea49a56dcdadb9fa95827c174b5d216b56e965e5f908506268b9f04a720ec213bed2da2ad1bf0250da11e8f2ece3ce191804fb3e32ef75fc9

Download Submit
C:\Users\Admin\Desktop\SwitchMove.vstx

Filesize
214KB

MD5
cd59544e806e86100174b51d47cfab4e

SHA1
e960ad9b3b451fcec124c0ccd3f6feed04515235

SHA256
4bb38719071119f55d449a5250c62a5da7e6e4bbed73bc16552618e47c484957

SHA512
a6d1e800c9aca8725d9e6573ed1a2cfe550547b6598378abe236024f374b3f912c79c8a0a395a207bc2c786a05a25d62cce6de9ccf592da6140f245f10b13968

Download Submit
C:\Users\Admin\Desktop\SwitchSet.mht

Filesize
365KB

MD5
3c2582f78972ce9e77327e5b27e8567f

SHA1
33b2e3969a7368d9bd5b9cdf78a6a733c49b1804

SHA256
4b62f6990cfaf6491aba28999ecd1ac6fa331245306e5c5c8dfce3fd51be980f

SHA512
c5e2a869cad5e8f7b75b9ee59a7f62facb63f6f0f226270a618ac03f78a29deec40281a578a9675b1bb75d948839188b38ec083ccb27a22c42298a017e044b55

Download Submit
C:\Users\Admin\Desktop\TestDeny.vsx

Filesize
342KB

MD5
e2e6e1394adffa4362d1e79ed6a13949

SHA1
f5601e58c2dd3d46ca2076b7027b70187870197c

SHA256
d8babb0a78b68141f4c1bb92dc9655a010388cd261caf60768ec6c381669bf7e

SHA512
c960630189630ad0bfef5cdb381902d45a56f0858358692016265d892ff3395d80cd61eb06b10dc9e3d9a292784366b61c9c1d5a923d365f4fe066f15e45cc5e

Download Submit
C:\Users\Admin\Desktop\UnprotectSend.ico

Filesize
168KB

MD5
46acba74b341229b4a88df15ae5eb4e2

SHA1
53b46be84c7e66f2be5ca48a697d668ff5018f93

SHA256
71e500b168b4b6cb984eb1f6e47a965a2e48d2c71dfcd2f4bfed7cc661e6ad63

SHA512
63d079c0d7d4d54b16990c60adde29efa4f783b31e269430b5861658866cfda08d27b020fbef2f0e1764c7a512cff3443b2908d9a762e4717c5444ff11b4e5bd

Download Submit
C:\Users\Admin\Desktop\UnpublishPop.pcx

Filesize
203KB

MD5
1ea01f9603d88ee609ac81684edbf3dc

SHA1
86e1ddf5d8eeb7c640449c77d423d894e1f3fd0b

SHA256
16170c3015bd8900c1a3815ac5f13ea4dbbb903877d7ed0958f68d24a9a4a9cb

SHA512
559a22e9b5ebd132ecd48cb75112278c502eef7a85c8e3e2f5dc357717d293128f0e3c30d774e08f98c6d5d9b13b826b5778b28f60b8609c1944fc29e3bc469c

Download Submit
C:\Users\Admin\Desktop\WaitCompare.docx

Filesize
19KB

MD5
0d7a90cf76fb25800447733c0b676339

SHA1
c9fdd9372591bfcd830d7dffbe21c78bada43121

SHA256
9f6feab3bc4f363770b42700fda039c69074533d3588959e92943411cc9832ea

SHA512
77ce86f51d981ac6a0fec9b94c2f46ad181024fb8eb9401c3a2bafa8adc6e4fb580e942056928b90896f8e916d9b84eb3487e4a588114ae28f5b4ad22c2ca5d3

Download Submit
C:\Users\Admin\Downloads\cru-1.5.2.zip

Filesize
532KB

MD5
a182fffc7bf5b00ef3539d34a178012e

SHA1
90eba91fe581675b0cf54084f5bf1598dd542d8a

SHA256
c92e4255a897d6d97295724e5934a5315238a63bb8e0b8b320c5f9b21eb0f531

SHA512
2d43503c08ca86c15c7a5caff7edfeec3bceeeb37fd72b2a5695472ad8f0662b8620b8bcb3331c4a21c109e1540b886bb39583f8bd5ab63d20389a6bf718a195

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
bfa30a80ae3141122acac4a58483e8c6

SHA1
7043575369095f3d2abb9ab051a435626ac5609d

SHA256
e0c9dce10c726de96f2d25b7f2c41264e503965528ec6872d68d962b63ee3001

SHA512
8ac730e2c527415d30f05e89f8a02d8d32e90c79056ac8a361f474cc7f27586201f07c5ad92e2356b28a4958f0879a98ab71b3b443d323f746655b09eea3e5ab

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
358436dcb8e0c0d528a82b2bc765924f

SHA1
7043bfbfd3aff1380961f58933081fdb1f036e60

SHA256
1a37ed9dc20fa399fa219a04afb595e8c02949d985bb3aae3fd7ab34b18667c5

SHA512
8e0dd18e4d3a099b4b6ce993d6bddf6850562bf51637edff58a25cc6816e2ec0849a86ecd437e30a614d54654abdd443993d2157d50dff17ac1e75b85efa4797

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
28f39512b93b1c448f2e7e16215fd24f

SHA1
24550f71264ffaa0c8a10698d226acaee6bf1600

SHA256
79c478212828f49f1402ca28bd29a0b1ec54764d2f2eb30427988a49afa14735

SHA512
ab93c9b6f79a5fa9f48543930e3a2a7087e059d9c1497658af32947f676cc7abae6294e5012a66b9e7be21e778f54157b1cbc26c75dcc063ec99e50e289f41ee

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
e8d87f20a337db80fdda21e6873d5cda

SHA1
a361d7a78a9f14a18ea78c539679be3ec22af35d

SHA256
29d080cdb6c51463f94d1d4792c940efed6637eaae63d50d478af20ead184925

SHA512
fd1a2b8e4b417aaa5259291cad94a21d2e6acce9febda8f625ca8be9a1adf59ceb02d7b0ce907c5b9f35e4614e2ea3547af04ba9f6c7d41f40d5464f6ce26750

Download Submit
C:\Windows\System32\Recovery\ReAgent.xml

Filesize
1KB

MD5
e1a5a1d570c435792d0064439de52d88

SHA1
0aa19637961209678f665af604cd628687cfa01d

SHA256
968e30775fb6e744f94a85c4ae203f33bdad5ed4b0628c3987311c9af6b52c0e

SHA512
05d8771f51c8e5e686b8a7b5c2c4ad233f08aa2261f067e524aff14e1666bcb0e33364ba3e08319102830451962fbf883e7294e065d357bbb7da1517a0fbefb0

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
142KB

MD5
1bd26a75846ce780d72b93caffac89f6

SHA1
ff89b7c5e8c46c6c2e52383849bbf008bd91d66e

SHA256
55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a

SHA512
4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
147KB

MD5
6d4b430c2abf0ec4ca1909e6e2f097db

SHA1
97c330923a6380fe8ea8e440ce2c568594d3fff7

SHA256
44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e

SHA512
cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
141KB

MD5
6adbb878124fcd6561655718f12bff5f

SHA1
1711619dda04178fb47eea6658da6ad52f6cf660

SHA256
0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf

SHA512
88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
138KB

MD5
c0a264734479700068f6e00ef4fd4aa7

SHA1
4e1a8c6a53ea9b54eb76f12d99b1327137a47ebd

SHA256
71c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735

SHA512
85ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
125KB

MD5
eef14d868d4e0c2354c345abc4902445

SHA1
173c39e29dbe6dfd5044f5f788fa4e7618d68d4d

SHA256
9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f

SHA512
c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
710KB

MD5
82d7f8765db25b313ecf436572dbe840

SHA1
da9ed48d5386a1133f878b3e00988cbf4cdebab8

SHA256
3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3

SHA512
59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
680KB

MD5
407f4fed9a4510646f33a2869a184de8

SHA1
e2e622f36b28057bbfbaee754ab6abac2de04778

SHA256
64a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615

SHA512
1d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
754KB

MD5
4e62108a0d4a00aa39624f4f941d2595

SHA1
7fbff1d3ac293c715a303ac37da0ceb12591028b

SHA256
3df3adaa8bd1ec4dd99bf304c7a1b0d513097fbeb8648efad4b127c5522c3263

SHA512
c79a483e4012d8c97f4a2188fdc27ea04bae24993b12487551872f1413a1a0884197dc71d13ba1dfd32c9b2c93089761f6f3ec37f0bb19e209dbf19283462126

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
758KB

MD5
b87c7ea0e738fc61eb32a94fbd6c6775

SHA1
0e730aa70900f623205b93cb1d6e11be4c0d51b5

SHA256
6cd8b09f644b22c39e02af26b57580baa0fbed01b682d158b29c676d17dac5c0

SHA512
4bad64af992b17a5700cf25ccfa299b2db5be846b8bc28233fa6987964994a34694eb53329ede8d04092298e4b16f06563e459692c210111e0420ee34468f23d

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
747KB

MD5
77a299c7d27f4e4372cd6c1de0781586

SHA1
bb6bf16619da6d0acc30797cd10978bde64892fd

SHA256
6699946552b9d5ebe64d6854228984a773e413a345816a5597b7d7035d4c09bf

SHA512
21fa8fd59e56018a3d888aed054e4117b246a5ea4568c2df93334d7565d50a512b5fc2c66c09572f7d1363e5b65ddb34d0c072267be78b15681076d2380cf98b

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
462KB

MD5
a8bc9760fe491ad0305212839f5caaaf

SHA1
e5aa69598284bc55ef94adcf3745053650179f42

SHA256
6de2fdef2860e6e37cab23fa1785182c47955bc525c6e43f5b6887962ec7da8b

SHA512
4e19385e847d0f2de2d66979272a32bdb159c34319f45e7a497672904f20e52fa288778a7a5d1500b43abaeaea5f9f3cfda805895cf94442e5bd4d92d8751f13

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
3KB

MD5
b133a676d139032a27de3d9619e70091

SHA1
1248aa89938a13640252a79113930ede2f26f1fa

SHA256
ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

SHA512
c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
29KB

MD5
ffdeea82ba4a5a65585103dd2a922dfe

SHA1
094c3794503245cc7dfa9e222d3504f449a5400b

SHA256
c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390

SHA512
7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a

Download Submit
memory/1384-344-0x00000277712F0000-0x0000027771300000-memory.dmp

Filesize
64KB

Download
memory/1384-345-0x00000277712F0000-0x0000027771300000-memory.dmp

Filesize
64KB

Download
memory/1384-346-0x00000277712F0000-0x0000027771300000-memory.dmp

Filesize
64KB

Download
memory/1384-634-0x0000027771320000-0x0000027771330000-memory.dmp

Filesize
64KB

Download
memory/1384-635-0x0000027771320000-0x0000027771330000-memory.dmp

Filesize
64KB

Download
memory/1384-636-0x0000027771320000-0x0000027771330000-memory.dmp

Filesize
64KB

Download
memory/3688-1442-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3688-1356-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads