8716c75aff75941711aff8770836f47eb9a254416089ef3571c6fc9a338b3009

Resubmissions

10-08-2024 06:53

240810-hnsmsatfrf 6

10-08-2024 06:49

10-08-2024 06:46

10-08-2024 06:41

10-08-2024 06:38

10-08-2024 06:35

Analysis

max time kernel
112s
max time network
108s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10-08-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Module.dll
Size

1.3MB
MD5

157fd035b2a344a94166d7db3756df0e
SHA1

f221d28c1deb80b4e8d9201226435aefce6b0f75
SHA256

8716c75aff75941711aff8770836f47eb9a254416089ef3571c6fc9a338b3009
SHA512

fad0174fbd22f58dd4fcdaad8378c214270b4faeaca64d9cb306f50e9316072a4c417c5723c4123b8bf94a3dba6ef4e3303ec60f4a2cf0c3a54d8ab375ea717d
SSDEEP

24576:ZqBSLRktEBl6blwTUMD4zB1VU2bFjYWR0pMQUAqLRAovh4bSAXVVRNRfMXZO:ZqBSLRkt8l6blSU//+2bFfvA1SQVVRNk

Score

8^/10

defense_evasion discovery evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

000.exe

pid process

3188 000.exe

pid	process
3188	000.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

000.exe

description	ioc	process
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\T:	000.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

44 raw.githubusercontent.com
47 raw.githubusercontent.com
73 raw.githubusercontent.com

flow	ioc
44	raw.githubusercontent.com
47	raw.githubusercontent.com
73	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

000.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

000.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\Desktop\Wallpaper 000.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\Desktop\Wallpaper	000.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\000.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MadMan (1).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

000.execmd.exetaskkill.exetaskkill.exeWMIC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1528 taskkill.exe
1192 taskkill.exe

pid	process
1528	taskkill.exe
1192	taskkill.exe

Modifies registry class 5 IoCs

Processes:

000.exemsedge.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{4D7E40CA-0546-4D3B-A66E-02785905A35B}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{E66647BE-0259-4234-864B-240CDAD53775}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	000.exe

NTFS ADS 5 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 245346.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 209789.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MadMan (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 537999.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\000.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
1560	msedge.exe
1560	msedge.exe
1948	msedge.exe
1948	msedge.exe
3972	msedge.exe
3972	msedge.exe
2924	msedge.exe
2924	msedge.exe
1224	identity_helper.exe
1224	identity_helper.exe
4068	msedge.exe
4068	msedge.exe
4524	msedge.exe
4524	msedge.exe
4624	msedge.exe
4624	msedge.exe
4836	identity_helper.exe
4836	identity_helper.exe
3000	msedge.exe
3000	msedge.exe
4356	msedge.exe
4356	msedge.exe
3928	msedge.exe
3928	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

Processes:

msedge.exemsedge.exe

pid	process
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

taskkill.exe000.exetaskkill.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeShutdownPrivilege	3188	000.exe
Token: SeCreatePagefilePrivilege	3188	000.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3300	WMIC.exe
Token: SeSecurityPrivilege	3300	WMIC.exe
Token: SeTakeOwnershipPrivilege	3300	WMIC.exe
Token: SeLoadDriverPrivilege	3300	WMIC.exe
Token: SeSystemProfilePrivilege	3300	WMIC.exe
Token: SeSystemtimePrivilege	3300	WMIC.exe
Token: SeProfSingleProcessPrivilege	3300	WMIC.exe
Token: SeIncBasePriorityPrivilege	3300	WMIC.exe
Token: SeCreatePagefilePrivilege	3300	WMIC.exe
Token: SeBackupPrivilege	3300	WMIC.exe
Token: SeRestorePrivilege	3300	WMIC.exe
Token: SeShutdownPrivilege	3300	WMIC.exe
Token: SeDebugPrivilege	3300	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3300	WMIC.exe
Token: SeRemoteShutdownPrivilege	3300	WMIC.exe
Token: SeUndockPrivilege	3300	WMIC.exe
Token: SeManageVolumePrivilege	3300	WMIC.exe
Token: 33	3300	WMIC.exe
Token: 34	3300	WMIC.exe
Token: 35	3300	WMIC.exe
Token: 36	3300	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exemsedge.exe

pid	process
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exemsedge.exe

pid	process
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

000.exe

pid process

3188 000.exe
3188 000.exe

pid	process
3188	000.exe
3188	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1948 wrote to memory of 2304	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 2304	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1932	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1560	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1560	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1640	1948	msedge.exe	msedge.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Module.dll,#1
1⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffcefa93cb8,0x7ffcefa93cc8,0x7ffcefa93cd8
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6668 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1720,14665355803946241293,14086186201840140467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffcefa93cb8,0x7ffcefa93cc8,0x7ffcefa93cd8
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1328 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,11167261789311443578,3935606802112202406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3520 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1888

C:\Users\Admin\Downloads\000.exe
"C:\Users\Admin\Downloads\000.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' set FullName='UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3300
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename 'UR NEXT'
    3⤵
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8df0335bf01cf60d16ad8213fca04f97

SHA1
a6fe5986753188bb951df57eb7b5592c0ef42c98

SHA256
242db22167115fb3e9ea02d5029555d2bbdf560163c3f4c754b262f1054672da

SHA512
87901faf23a5cb00798bd2a3c9dd14ac14d0246307d669910e8ab3a213c6a225a3af5ffd1b40215a5439b5ff77906871219ef4c52ebae6bf27b0a021b2142413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e10aaa599f9ef2394900c27f536ca7a5

SHA1
e2f184b1367bdaf043e4834551814d8266e1d682

SHA256
f580f3f88a78ae9235493d95f357d83f95054919aaab43d70496062a484e2c9f

SHA512
0a2b246ef1e34753a0e94c1f1cb1af078cbb22bd7ffebd0b6fe04b571f5b59c9763a5850f59a6a0366fc7dc1321e3432ebfd4d3daa97ae57c6d8e7398962b843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
754f12ffcf2e3ba274e8ae7d93e6ef48

SHA1
879a3017d5b7206a9d2410c859e41650a40f2c94

SHA256
457439964f09de08a165df847f832ea8f2df011b2ac728116d9bdd9383bb07c3

SHA512
7f09ad12ff55543ec819ad4d4bfe8be19ac3ededfcd62eba48375df21ca8972f4c7a0af7467da8bc190786413778b707c088f4241a3ac1fb82dc817552ddd3d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
b3332e5d24990f579c35fb9cf0670ed8

SHA1
3c22a55068cfd1c360a6a4c6c37b4b9644b0a6ae

SHA256
a75d995d1b56a6f823f430ecb5d104614bfa51148a609d74c0a2a7ba3b108c47

SHA512
c3e04f56630f4ffd5cfbec78b4c8dd6d99b437264b06978a20666ecd753ee8bbc9cf58e2165079a79b9b0b3d0783af3dedd1b26be11e7967034a15bd7a9f5c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
5e63769e3a69fec46cd440815220b3c1

SHA1
c3637335cc91a2f04bf64f8ed36d9a06d5e8d0f0

SHA256
c3976e5c2e02cd9c4c85686dacf61ad75691d018cd57ab6859a87b9c379ee860

SHA512
11d97dbf4fe761cfed8acddd134694d207e2af8d559667c5c16cf6db4c52d3c330cbb6f3c498957d0dc857c32c2621355e3bdd0e8bf668afa1430ea0a6e79d82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
d82c70e5e9db76133aa18e32d806c304

SHA1
aaa868b64c9a8b77119568c387191c0aab7a39a2

SHA256
f03145113a63986f2c094b51a602f17a2c497ba8b42ff850a4c2dd2a153c8e79

SHA512
19c7464936be8358b4362d30233fa97f6cfd5da261b07e97b059e6d5b40027c98db96673f7dd2e4c60e73a25b6ccbd0072ffe8680546ac06671194a09acc97da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
83587dbd4d11a7a3aff18b33f73d8ce3

SHA1
bf74785606aee4391e26b245ff1571a78f41b915

SHA256
04389ef2a484ae5d69102ee32d0e39cb3ea0ae002b190fc2833211379774b422

SHA512
bfefc7d277e386d063874958090d8f59477f9e08dd3168d1c1a01ee94f827a7d4637b15cd6f6c2d4c4bf13d96b000f32df603de54a7ca2750e8911c25a3192d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
653975007dada1a0a8e8ef123c1f7d0f

SHA1
177a769820f77f756877a744daef3d98736fc75d

SHA256
4a2fdfdd3ad9e1d9944ed533d92887d589d4b46b446dc39128aa86c0e7ea2c47

SHA512
11964e3f1e3c4c8eb6f09bf4a1fcfe4cd62772e4562bfc05302383436c1d5e9a40a93310d7ce4836417cf7000c47ab7f72a5834e874314d328f64119a82da6b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
75ca8d8d868b4a648de9df0226b02350

SHA1
8bd833e6200cb36bc4254caa6a2a157c3c0bc322

SHA256
583be1639f37e2855fb526db1c44bfd487a062bbe8bbe3ea2629c19416d9d9b1

SHA512
21fcaea058c1cccfbff3176841bcf171420d2885b58a27f7e0000b55a7833e49167616295e0710cb37e0ca78083936996068387902f556d19e47a0c111543d30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
0bea89a73b302a459847f1bc070156ac

SHA1
71cdd68832bb10556a5ab4cb2b7563ea3825258a

SHA256
6e79e0b34c28be94ad8947e80c0cc9580b66fb24cf6dbfa6cbd13e708063b3e4

SHA512
eb3abd1a10019aab4bb73cba8086a3ade3263f1f89db0a4f167fab17c61e71144a62233bf1610f96aa529be6ac32cf82c0cf9a6e7d16940eb79c30480f5b4988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
75f9650444c47db47917d64b075086fd

SHA1
fe1699e03d0914b815d6d885ad3ec63e9c8cbc05

SHA256
e8c1d8004d015b85d89d6574a762203d74b0adae525abff769ac239e39503c3b

SHA512
3f74ed18fdf220d7e61e95a4918c68feecf66f552d752ff009163b0f2ef728c5f0b657a7ab79d6bbaf8c0bfef39398975b76711b11e12eaf7f8026f643b122b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
66f404fe8ab25ac5545e1de28bfca99f

SHA1
0140535759887a32821f2421441ac0ec286c7a8b

SHA256
fdd43c3b9d3aa4138fbc304fc7f22401060cc54f5b67b06fe5bd9f7c1c08b319

SHA512
3eff4733ef71d4f8af5806613bb7af0f5e4e116e70e1c042f8e7f6fd33414484e4122e8cbcaf14b51026e7f540e051fefb0d84e9856b4f02ac43917104ed6163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
4KB

MD5
97e6dd8cf0ef776cc3a9a7debac27598

SHA1
c5de6aed831efe578df208894e86bc43f85b620d

SHA256
200f8703ab797f73783c3bd6a25e991f44b23aa938dc804f3868926de07c8f8f

SHA512
177e28bb6ba854a195c6f71cde721803583e0c9324fac6084f49ea050db76fba376ade38827c1602a8c599350c68be044373cb872e6e7e41ceee9949c6c97f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
28KB

MD5
7ebdfb32f060baeb6cf758aa378ae9c4

SHA1
429aca06290659001cbe9840b5e6fda5f1804349

SHA256
7058a8da4e987571a5452f0deab4ffb91bb900793b052a4374a8fb2550584181

SHA512
acc82201e6d1dd7030826ec9d7983daf41f90ddf06b4b637ea98569edff7ca1c3911c907adcd3594545b025b4914ac2b47cbeaea536531899df95ae31dc884d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
e69c58aca6bda58aaa3686f01416c8d6

SHA1
45c5733891a8e35c609e205d714ec2065c56e9dc

SHA256
5a498576b062dccd2f73b1a9d71c5705f0bcf1edc600af11b64d0ca4d9c58674

SHA512
1a9b83edfc34d2fb8b25e1290c4d1e75518979f4d2e734c1b908f7e358bebd1be04ae98d15a35ca9dd78833e26516b688ea2bbb622ef7b0ab3bd846390f86709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
82db65c7ca38ae0750286f992b17067d

SHA1
9ef964b43f26bf1d46062caeb2649571235378fe

SHA256
4cdd2835dd3e29a015090bc238e5a96d39ed68f75d7303effb8c4c968ec4d7dd

SHA512
1614050c7114528a298ba0a37b86bc18ccaa2954a40cb01c056a060e4bad08e9ccc1636c025ae535a38f6452eafbed8faafa813b0ca31388b170e5110cb078db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
28807660dd354bd61f623c8aaff5d059

SHA1
113c030a9b025aa8b5a5fa20f07eac6216849fa3

SHA256
67652ced282bc9047556c22033d38cd5ffc1b8f7282c4957bf7490a8bd64fb7c

SHA512
f3ba2b288c03f4505612a9e6aec9d7dc493a49198fba2e525ae01afd73a8fc77b5ba2751cd6aa53605c461fbdeb6895ed1477683e895e84f6f2e7db8489f12cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
31bfa38d2c1500f4d9b1cad2b76ab650

SHA1
673d646eb7b91254a3ee181255e0648b48887a9f

SHA256
4c5d410a6ef2e11099b6ed8c873ea132a526b288cb5eae81bb45604d3a78f338

SHA512
909b295027da70e203d210327f34cf18ec229684defad5818575ea6b2823b463a01f209b8ffbcc28916d9bfe9b529e79c295432f173129d609ab7aa99881d566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
03e9be16030ccf0be8167c07176b8189

SHA1
4ce74eb9d43664ff206582ddf9a373d857fd6ea6

SHA256
069f30aa688bef5919bac22689447d7e72d1a768bc6b3cde78e021cd401433ce

SHA512
dc9398b6d94a0ee796ea877269fd4fc2d6b086e47286c41e43fe8c114917e9d3e7bc9b142ec55746c07bb9e459ab651e7b7b97abb00640f48c7fd35d56aec54f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a5c79b8983002e1b66298db23d31b476

SHA1
70473779fffe6f8e93575670821e57c8292af8b2

SHA256
4df83019918ff7b4e1996ba4dea39471e7a8a23a705beff4a01484b92873ec6f

SHA512
9bc9f598a992aa1290bc64aaf474fbb7e53545499d4e6c33c80a1e6bfbf52c8ee26fbbe8e4e78750e6dc48c225df15a2bef554158548e19a30a68b8bb68a6068

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f2f149839e64959f428e7ecf34902c4

SHA1
9c5bc47f0d442192a290943556338f5cf341be01

SHA256
9c7b7438c9dd8d2ca2218c5992a0a2d4b870ba963878b860ea35ab7756724eaa

SHA512
1812a6753c90a3c8a5e3ecb134f3e7e5cca6840e2965929aa03824ad991e2813cfba550135294d881af49ec208e013257b13db0b2cf7c25d35fc224de103bda6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
04a378886b437f5ac981c3c48bc7c766

SHA1
64087f4f1bac29884e1281d8f514dcfb325197f4

SHA256
8e32c37794be7b4eb6073cec46dc89e6a3e3f31ebccf6c883daf551081726b5f

SHA512
049d7cb8e4b4e4c192fc88e352c2ed2088428d048d71973509e96a8a587638c0787e45be8ed2e115bf75bcbce7ac0b2643f2335871162510a6bcb351d0c0b8b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3f506ab8dd535a35050c1a385973263a

SHA1
dac5bdf7ee067aa169188d9202bb924a97b742f5

SHA256
d3c03fdf435ac8c4d2d06f33abc050e6f6b5ba394a4c35dd89392d012660a8d3

SHA512
7326a3f8dd1c801ae91db28f801fdb6d7532481eae18a79820bb73512e8c1738d60cf2f23e882dba97928c299545a28b9568b30e7d833bf672058c8dabaa1e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2863b298fa4f0232653a764135bcc2d1

SHA1
f3a7c7f0adc8519f75e13111bd7253b7141d5464

SHA256
35080d6f0be7d51a2a8346d6e511237c5df5917d0fef2da5ab2c194d036d5452

SHA512
ed8b39e7602c6553be75f718efc61cfcbf82e128b1fa242673bbb2fed6c35c4e9bc7ff452fb04bee0bc8ee410f385fc3d4c429ee136ea8f49478ddef3916f8f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
56095c88bf676032237972b3ee063bab

SHA1
c0a4ced0835fd56d3dd337538999747d115c2d9e

SHA256
8e6c443739153e1f1ffb76866002f5c738aa47ac927383e89fd5fd8125302e3c

SHA512
774815a7b191f4585d1249252bde51ae28a646e3134874d35f78ea41824bbe7199cbf5613919a9a9499d4cd804cf5058911b43ac981570053c39c33160dd31ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
05ed52eafef5f19d1c1e984df50fd1aa

SHA1
222d57e1cfec64b44d19b05e9fc189c1810bb677

SHA256
f77c0ae0f0ed9aa3ad24ede48963a6b514723b505d8dcf14ae540520e23ccc11

SHA512
67e4397c575ba623267a437df55411015b2d382baffdd8ab8ffed02d3befdfdc2988f6af38e12aa8a5b854e3fcc66eee7e676989eafb5ea36e54343bce15063b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
1KB

MD5
43fba56bfc4474898c8a35f4f00122d9

SHA1
ed4461d8e9e4f9fab14f6dcb309bf1164d8529a6

SHA256
10dc6694a817d64b9fe9fc0bcba681afd4ffa90c8e9f877ebe8735c3ff680fe3

SHA512
fc7ee52c0d0cb2ceec6bb540fa76c50f01291d81a3a378e2035ab49a0ecd2fabe259e06d4bdfefbffae8de1955213f3ac4c717290b7a3ed21060b36bf4fd911e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
316685cdf5bdc5c9de789942e8270b21

SHA1
8d5d548bdf17e2ee1feca735157575a8fd6a5ef3

SHA256
00c19a0dc7b12785d02e79a7f9b38a296f47af8a100c00f07901e82f7243fa32

SHA512
3d0a1cb12a6b631b3ed3894d5e2d6473cc0fc0a909272d09727d15cad1e12a98feba4e7036eac5f5b678aec4b2bf2f9dd094d2c091cab0e54cb26f9defa73a79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13367745539011404

Filesize
19KB

MD5
4726d1799ba94d77555b99109cd23946

SHA1
66abc2712b7b4e2a51dea837ec3f446b2c9d5b8e

SHA256
52c945449c99d833c2689f514a217b521bb0c82c3625689bc6963d9f0546ea4f

SHA512
943e92cad79a9dd54c8820c0e50138313d250bf3b648d1ff78ae5391da5ee62f30853f5f081389f1d05f316e2b1090c823e3dc5882f19241be42e84225d1f764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
d5db6fa72dc96fb2dd7ffbd674410d37

SHA1
53c879c997d7c108dcd3198afa79e6b6595dcd4b

SHA256
4e94ce572eea0d5868bd9a76a02336116c09746b4b6e9c96c065e58c02647e8e

SHA512
9e6e43d8ae870c4e5e6153d80a66af238b1b62a146d62ec3ea8cc361d6c5466f2bfd893eafd85af05379bfd3bfc9e479ce0ac09b588a83959ba1f8cb09f64cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
1abcb384874b72ac260a354bf0a370d0

SHA1
44f28412a8b37d6d7f5357991a1a8c737b906d94

SHA256
5a3e343ade48aabe88b0d426e0b02003004e1b37375f21552b8a433ad47971b0

SHA512
8fc3da1142d3f47c34f7f5bede63c0a53b8445164254c582eabf147e1a06fe5c29d1741cb88c1c5511210b8ad9843e5d0c8cc17ee21babc20cdf6bab4b06397f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
2e7979ffc574281765ac86160ddc550d

SHA1
0bca5c8a15ed5608a2d0a88a99f8bb59253b8d49

SHA256
3eeae43f4f1d707c1ba7fe3980705a17ebe290959c24a1697affb04a880cc03f

SHA512
5268582fffeb8a8896446131ded21b38081171148ce2751f94b0f61932e40fab0a9d32a5f4bf0f4c82c76a571f9899103b8f9f0e8985aaaaaa77d8b04a11907a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fed05a0004b2bddeb50da5ab6495af9e

SHA1
3e5858831a5e98d6935666c8d6d6dd6d7a2cfecd

SHA256
f40bedf27522b668965671dfcbd0b79d3e8b6ccd01519958d8f3fbf48b123bbc

SHA512
6f628872333781f2f8ed3aef2d7d0c10f02bafdd72ef108a8f91dc0a116261f428559bbeb6158f2ad8a738973419f59bb9eb659d709a608f167e2d0aabd5724b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
094ad74e11568ce95a9d3a09b613d605

SHA1
14041e626feb6ffe755b7f698b7fcd71fc9f8e20

SHA256
d6536c3892f590cd81f1a2ac02b45c917d7a4571a252392c156a745edc97ac6a

SHA512
bb0cd53d63c2edfb396ea1182cdddb11ae765e76459ae41f311f3a84b11a335eaa0f6eb6e46bc0771f629f2b38cdd3aea165a09882d03fb8d348aced5dbad417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
95eb59ea510e0e03e008cb9b3378f183

SHA1
7c05b591c14e4a45d45f9204f13704bb87418c87

SHA256
1e24e314d8078c5cb5be63737e5d72e3b53becd6a73d4ba10490511c6060aa2c

SHA512
654b053bb1db98520941a6a3555055aeac828602513a752918e00dfb058d947cfc6f5578cacaffc5d82b8d120fd57e7c92604d7cde5f91c77b252f2fe6c55471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b2c8aa02fe9009dde88424d68ec01baa

SHA1
5374cae04793b08f7fa4647a07173a7a30eaf32b

SHA256
86a1cb0674ad4889fcd6e9037539a15b2502c070804ba3e5066f27964dd5f97b

SHA512
dbfc69a4b439fa1119bc9976b10f7049dd72f6cf6d43e928561b38ca1d10263ef4506020adc36bf1a535bda23236d3b595cba66726831cfeddcd20c10107bfc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5849b6.TMP

Filesize
1KB

MD5
31e7a1ca0763fec5042d13f2c0bb4476

SHA1
f0c45c3c4544a58f4f2c8ce0a4a1c5bbbf13cec1

SHA256
a238fc5221c673e9bf7f1f8a1275ae52bfa3373f9890fd799f458123d7150904

SHA512
b73f0437de9cf694a2f21422a1fec6785403c4721860c55ac2765ecd72158d34ea016d28fb18443d6560f21e922b28399d88679297726e4ed4ae73842f831bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
a8df7d987007d7d096541f7c8920bf08

SHA1
c4c8de270137e7b2bbcc85594bb8329f695528fa

SHA256
86b77ea755ebce6ca610c2ed93164a159248b2cf389fee45ba9c75ca29d5bad7

SHA512
8da5ed660865b446e10303f479feac751316b6cd584010d66faff1f40f5f6689291608358a31dac517428d31f34352d47d10b631dac230502e54c831f9581985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
fc182f7eb95413a8a6ffd1157876c39c

SHA1
c427eaef5fb1ef65b69bc9617670ed9ab87b621b

SHA256
3306949d7a97f51f12c51fca974562997ff8aaff9c551a6eadee273db907be6e

SHA512
c74869b59e354e435969262a59c0620c4813a8e890032401f1204ed4d71a9ed880e572c9370f17ea851b7de06d514dbd46094c034ba0f3e5196037953876ff08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
76KB

MD5
3e7239aa2e655513a222e53faab21aa2

SHA1
22f85a3ab6dfb3114e28a477bcb36b99aa76367d

SHA256
ba288c688cc9766a38597b09e1cf7a233a9eddd64fcecfe617d11713f62861e4

SHA512
1ca2cd2229c9c3d767e2f2a739f2ef5c12dd895b7177b6c45993e4fb21442cc18e9d411c24d3906db5830552d8dd6951239b06f181eb3eaf9ef0cb0f5f1ae0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
3.9MB

MD5
305d128b7a839ebace6a9286d4a993d9

SHA1
439745271385773c4720b741bcc914cc343298a7

SHA256
6019d780fc878f3761c3b819a98c9b06f9a35fecaa6e72d5f4bc728a0d8786fa

SHA512
c30c1cfec84b732775611947f73a24f8f8cd8c5392f8986fa61bebd3147119024c7c9c6ce9644feb6ae0dbefb9f5f8ff3128d6ffbc14d90f41ff2d99f4388d4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
7KB

MD5
cbdcc3dbabb7eb404e73b83dc5345548

SHA1
41d386af31f6f040e1a580c1cdfe2dd4333e4450

SHA256
637d98fca69752edaa378f47f578adf8082bdd7ca36c7c394ca58882eec6f813

SHA512
0e6dd7da7b7be3ecbb90dae08e5df0fc0ee6765b5b5eef430dd32a0bad683c5c205cb04b16ac304e7cf6b096b45d2ea79a8aa043b9d8fe1e42c57367329c4fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
6fa93500861f2fbfcb5ad6b78d2e4c63

SHA1
9812a951ce84dae6eed6e1f3ca5e152b5896bb03

SHA256
8e8f8f9638daabb777b9879bfddb44811d4302cfdc6eb7ecf51910363b5af7cb

SHA512
6eba4e734a702f3d01b97041e41def22b02cd91cf97ba4f642804b0863da552519cdf442e613633820bcbfba9635452c67e83d7252c2c77622de38d4cd7d0799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
5e4d75891b40c22697062218b1b87909

SHA1
d357d7ac8ea2fda8c51ed4afa7cf9132cd185c5d

SHA256
96ba90626c057eeedf26106fe5e72b58314d1824e923da9b83bcaa45a673fcd7

SHA512
6357cfd41c282b08840c514bebd1ffcc600412381483d0dc8e8687d627b82761678039f1d1d1467965e7231301a130e6939cc99d3aba3ac0e38475bc128d408c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
378df9138afcc231dde9b61c75a30369

SHA1
075d9432c0ab57be416fc0671e869f49d76df9e4

SHA256
49063ef5204399c7f6a95bb0976dbacb9c6c32db645e8f6571dfc60520cdfb39

SHA512
5320c6c547fb4baebf723ea09e8879c824001285f405b06d698f44fda4437b8f74dcee49d5fa8ccb60b2c24c8e58454914209d0170486e7b822c5613c2a84296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
953995b7998747c5a53fa4f2e5d7fb96

SHA1
c72ce3d949b42169d6f52f25308f1fb1eaefd8da

SHA256
7c406adc19289acbfd946fac4458bd4e40c7000139d76d51454735e02c0d53c0

SHA512
991b22d489c1cb60fff0b1fde1cef79ba89ab79295a9428fa9d8ec8c171c4550da452f83f27fc3cee4a5bf4cdc768d3e01bcdd64d2d82bfe18d7e18507fb7424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3e721b51082d85370b5f2d96b378fe57

SHA1
d2ac9137e93854b8f458cf442a9c7b3c17ad7067

SHA256
54f96c3d6fb7c15d627cdb20b7ff41ab34eebd2e8eeef47b8cc26f801ab04c1d

SHA512
2c86ec6b47bb8a636c810a4670e616554b8b1cc2612fb290bba52ded343111613de675f12204dc4da730f80ea1c5a5f4cc310f0cc6bb7bc539a22e2d5390ec0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
47693db53428807da2ed1ce135332021

SHA1
ce9bd224cb4a682c96b47650eb9a7ac111a1c57e

SHA256
ba2cc6e3a5c2154fa00586d468665e6ea9229b6a37bc47e4a71eb0e94367d351

SHA512
d70715bfb321abe34e2d4adfe6fd10b8f0c509bbc7883c5520d4165471eb2f6294c3b4ba9093399442d1bdc54193ed62faba1020676e2f1726099b675e70e152

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4630afc1e5558072d5a648f535e6dc65

SHA1
ad5aec07a6a6e06c241b23d1b8ad24da69ac42b3

SHA256
239f46aae7f4ef14d0160640fbe0199324c45f09c46540c06879daaf82dfafab

SHA512
56780bd1d208be374f201656529c3044377dfefde381568f459d318fd25dac19740b14a4873bf66275618a02ac05cbdb9fd985ed262bddfdc8654b2ce21da371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
b9f73b577648530140f7ada5ade66f26

SHA1
3dc87bb32874cb2e684739c58c5a16735e5cd5f5

SHA256
a62d8efedaad1e31ad1399baa27b3de3f009e584847456d14a5dc54f8e5f47ab

SHA512
ba2832ca869eeacb1e5d039fc5000d921d74b6261311362c8968b12d2cb6ac976a7104d9dc377fa3c33c7d19d7474c0257e30269ee0f54f0d8a3efb3d1b91997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
9976aaf9359988973abb5cc4b6571909

SHA1
e5b3465914a2023dd9c20357b24e1a979b36771a

SHA256
810d5700f9e521558e4230487d7e76d5c54341a42de98ef0bd479614111aeb3b

SHA512
6a644f349501b2180a33e6e96bbce34b6db3819b80f523ec40cf16cf58ab221d40b48fff4cdd110eb5c4e31263a83a04e7fbe556b219ed78ae627b7336b3af6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
49378ebca9eee3209637225717702414

SHA1
0fb8c4568992c1ed04a912c406cd8301016a6b7c

SHA256
275ad09b940cf730e7a28519d8dfbb3642eee40b62f26de14eb9916b7f57d1c0

SHA512
60f5e270d56856e164b04f53bcad8e227401b034c09268f1ea07affb45f2f71e0f23018efeeb61fdfd8ad97a5d2e78449162ddceae9821ef1b56006e377d784a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\Downloads\MadMan (1).exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 245346.crdownload

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 537999.crdownload

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
\??\pipe\LOCAL\crashpad_1948_UHMBHNMKPXZGRGDH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3188-1152-0x000000000BA10000-0x000000000BA20000-memory.dmp

Filesize
64KB

Download
memory/3188-1146-0x000000000B880000-0x000000000B88E000-memory.dmp

Filesize
56KB

Download
memory/3188-1151-0x000000000BA10000-0x000000000BA20000-memory.dmp

Filesize
64KB

Download
memory/3188-1145-0x000000000B8B0000-0x000000000B8E8000-memory.dmp

Filesize
224KB

Download
memory/3188-1153-0x000000000BA10000-0x000000000BA20000-memory.dmp

Filesize
64KB

Download
memory/3188-1154-0x000000000BA10000-0x000000000BA20000-memory.dmp

Filesize
64KB

Download
memory/3188-1155-0x000000000B9D0000-0x000000000B9E0000-memory.dmp

Filesize
64KB

Download
memory/3188-1157-0x000000000BA10000-0x000000000BA20000-memory.dmp

Filesize
64KB

Download
memory/3188-1158-0x000000000BA10000-0x000000000BA20000-memory.dmp

Filesize
64KB

Download
memory/3188-1156-0x000000000B9D0000-0x000000000B9E0000-memory.dmp

Filesize
64KB

Download
memory/3188-1159-0x000000000B9D0000-0x000000000B9E0000-memory.dmp

Filesize
64KB

Download
memory/3188-1128-0x0000000005E80000-0x0000000006426000-memory.dmp

Filesize
5.6MB

Download
memory/3188-1127-0x00000000006C0000-0x0000000000D6E000-memory.dmp

Filesize
6.7MB

Download