hxxps://www[.]gulfupp[.]com/do[.]php?id=73715

Resubmissions

19-08-2024 12:56

240819-p6tfcsycpm 10

19-08-2024 12:54

240819-p46mxaveld 8

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.gulfupp.com/do.php?id=73715

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
6036	winrar-x64-701.exe
6040	winrar-x64-701.exe
1292	winrar-x64-701.exe
5152	winrar-x64-701.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{2231C962-5458-4641-98FF-90AF6080D9BE}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 431556.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 882136.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
2052	msedge.exe
2052	msedge.exe
4392	identity_helper.exe
4392	identity_helper.exe
5320	msedge.exe
5320	msedge.exe
5828	msedge.exe
5828	msedge.exe
5916	msedge.exe
5916	msedge.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	taskmgr.exe
Token: SeSystemProfilePrivilege	1220	taskmgr.exe
Token: SeCreateGlobalPrivilege	1220	taskmgr.exe
Token: 33	1220	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1220	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
5552	OpenWith.exe
5596	OpenWith.exe
5876	OpenWith.exe
5876	OpenWith.exe
5876	OpenWith.exe
6036	winrar-x64-701.exe
6040	winrar-x64-701.exe
6040	winrar-x64-701.exe
6040	winrar-x64-701.exe
6036	winrar-x64-701.exe
6036	winrar-x64-701.exe
1292	winrar-x64-701.exe
5152	winrar-x64-701.exe
1292	winrar-x64-701.exe
1292	winrar-x64-701.exe
5152	winrar-x64-701.exe
5152	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 4176	2052	msedge.exe	84
PID 2052 wrote to memory of 4176	2052	msedge.exe	84
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 1004	2052	msedge.exe	85
PID 2052 wrote to memory of 4596	2052	msedge.exe	86
PID 2052 wrote to memory of 4596	2052	msedge.exe	86
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87
PID 2052 wrote to memory of 1228	2052	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.gulfupp.com/do.php?id=73715
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc66846f8,0x7ffdc6684708,0x7ffdc6684718
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6804 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
  2⤵
  PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7056 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2296 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6848 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5916
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6036
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7300 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4122304433454970654,3714016834363582833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2552 /prefetch:1
  2⤵
  PID:4040
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1292
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5552

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5596

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5876

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1220

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\9d3045bb5e614f0eb7d6d9afff781688 /t 5336 /p 6040
1⤵
PID:1464

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\894010ec18c6486b8b69ac265efc4fbb /t 6116 /p 6036
1⤵
PID:5740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
70KB

MD5
0f6e110e02a790b2f0635d0815c12e5c

SHA1
2411810c083a7fda31c5e6dd6f1f9cf1b971e46c

SHA256
2f7018f3c214ace280e4bd37aabe0690bd9d8d0532f38e32a29d1f9de1320605

SHA512
2f2fb7c4ddfb6abb5dcde466269f625eea58a2c69d25830e6bb24126e7679ec7c83fdb0d8ff2a7de4dd4b994513f5e80813dbf1f5d6a9a474c3a60d8bee74f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
41KB

MD5
c79d8ef4fd2431bf9ce5fdee0b7a44bf

SHA1
ac642399b6b3bf30fe09c17e55ecbbb5774029ff

SHA256
535e28032abf1bac763bffd0ba968561265026803eb688d3cb0550ad9af1a0e8

SHA512
6b35d8b0d3e7f1821bfaeae337364ed8186085fa50ee2b368d205489a004cb46879efb2c400caf24ba6856625fe7ee1a71c72d2598c18044813ecde431054fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
1.2MB

MD5
0aba6b0a3dd73fe8b58e3523c5d7605b

SHA1
9127c57b25121436eaf317fea198b69b386f83c7

SHA256
8341f5eb55983e9877b0fc72b77a5df0f87deda1bc7ad6fa5756e9f00d6b8cac

SHA512
6a266e9dad3015e0c39d6de2e5e04e2cc1af3636f0e856a5dc36f076c794b555d2a580373836a401f8d0d8e510f465eb0241d6e3f15605d55eb212f4283278eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d2647e5ddbfad3c7bd530658ccc717a7

SHA1
1976c9d05fa5cbb07f3e91c208c692bed7b3d17e

SHA256
05457902a4072f1a98717f790eed5835925bafaeec8c12861b451510f61a8020

SHA512
13d586a4d67545a4251ed5c29c83ab48451d4e2a7f9bac80490bda3e8899adc05c8cd3b8da78ee4b9e71da5c78228094d36e9deae06597f7b224fe1d4f073972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
fc46b635903455b09ebd017394a273d6

SHA1
9e3d280be4f48a7916de666ba4a82736026f5a1d

SHA256
56dad0c760a3c5c317c10065cc2fe6c1bd52bcc307ccfcc2152770a8f02ad3fd

SHA512
dd876852a290c60a5defbd087d2f2e57e739468d944c22ac0f2e87fc1ef3707671f410795ce1ba0daf2583330295c5715188418a0e1d1207b0ef725a28fbcd5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
76c9b3131f4174581682951855641558

SHA1
b92fed465c26a62b4003450be38f08f8ad713731

SHA256
f06e64ff17720232202de0ebb7b53eedc98e34b78a0fd348bdb530bb90a78c43

SHA512
150cf5adb565e83ed7f33a769d2db57da8a0afdeadfdbff9c47474df94aa5ab6b7beed99df73e1c9fab5ce5a49409cf2dc532d6ab5b7a383a55f7e22a9c9f2ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
54278560224a13faa8b7bb66f7981657

SHA1
92ffbb73a0b03a274421da2a0da11cbcec5030bd

SHA256
3ba475e8adde19766339a323d9c71648c9f54cf468a6663879222734746cd93b

SHA512
78dce32cd9fccfd0bc1f92e849011b5bc4c8356daa3fde89301a2cb136ad6c131340a1f0d007cf90a21c969199a06f7f3f172671c1b05fae97a126be5086b23d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
03466db854d5e7aff040a5b6132b043c

SHA1
dc87770c6cc03e29434a47331180a81c757e5437

SHA256
f56eedad2eb5c185a98df501c95b0b6f282cf0254e70b23918f4fbc7f7863603

SHA512
02b60a876065d934578b9a4ae9abfb76cee3d24facaae3fd890e952cbf59294ab4b17d63a490bfadfc573166701feada912b504459060ac67c515e4e90be7365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
828971f1b322479f87327fec35ea8e41

SHA1
34a49995350602efe41d743274be99ea524502e9

SHA256
5fa573e84d44a366a25432a0be2e7c7cacd77e71ab269c801ecd8891850813e9

SHA512
4ba555c55dd6e3a84e5bcca20aaa2ee2e2d8387aa9e8cfe079e2f0e2567cb30df019cffb3ceb05555c1bd6f81a7bef2d59a8852249c41779ffa1c0d1eefc3bfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
d6d05b0a1c1e406504b6d4cf752e48c9

SHA1
a99993f8c24a677f08d3452a33dfb519bcd353b5

SHA256
a6190de0e87aab8f732fa80c39119865e3d77fd173857c38a8d4de5e4ed2feaf

SHA512
411cf2df4e4f81b1f197323e7c98ad2c6b09bb2028c1b249ec1d6f235e70693c5a79f92ebc852bcccec91084e1d31415d7eb372d8d9112280c363e4ff2cffef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8049a6757212bcd54b8067ef7df0601e

SHA1
d482afaf83b4b54083204f758f1f91869474cb5b

SHA256
09443bdd3a2a12231dbe5c16650e5cb61b132a091745a98ac41ef4ecc475411b

SHA512
7b77e0859b5d2276cf36f69c058dae2fe88720b316b0a212aa0d437d68eb705c7046de054413a2b4e368f4d62e7e40e58c64700142b2c0baf6c913cd6b9e5dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
baf6e35637dcacf9aea7884d7e008a3e

SHA1
5ed003d738c189fd99e9ecca6acaf9e328a2c924

SHA256
e5c7ac0b10cdbab814f829e0e883cdf9bdbe7cb1106f5be4cdeafd2535d4d236

SHA512
ce42fe443f977a428e8d610c63e67c652c6d0dba6028b574f56b4f332743e517cebef4bbfe951889146f96c87b02b5a88fcf5c0d174fd4f64577a4b2f872e593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583f27.TMP

Filesize
1KB

MD5
d7ccca52a014573f65227381a7e1b438

SHA1
2765344006fe8715c48e646776a4acb818846557

SHA256
4a34baab658deb1cd633c28b5849ee4143b84bacbbb1a63879ea632cbbc9a5d5

SHA512
7981fda4a45a72133760fe89af5d401e49f286de3eef74ee9e1cf3f0132ef38a70b5ea7ceff700b5ce36c09531d01659957b7d8c5484bf0f35f13f4aa70c8e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a2e28a2d-16f9-4342-b324-b86811d246cd.tmp

Filesize
9KB

MD5
9486ee99a45f3dad5fdef9628b979ea3

SHA1
2c83bdecf4012cae92d10b7e8f39d3144227f624

SHA256
2caeb1eadd124b3ba4aa758367ac954a81ce23c707653a4b0e5f98771eaa05ce

SHA512
1df6616170190001a720c42356af6bf81d4443934f08c3d7c58595b2fe4ba114ba07bb4d68bf4eccb564bbf13f132dfe6099dc2f522411d55f850c19a0184695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c1d3a25530dd5654acd0bcbb73a4759

SHA1
9e11ec0dd6479cee6ab73845cae19b43bf21a046

SHA256
b4c9762aeeb46ad5d7dc94dd1cdf4654080145273debc4607bfd2812ac3f0858

SHA512
0eb220d3b2eb7208ea1d768f714ccda64be37d273d76ad5ebe244857ed98b8a8fb30c14891ab862b6acd6f60619b9b42e55ff68b46d64640171f166b0c72095b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b0f201c89de2fa7efb01a36c2f6157f9

SHA1
dbff26ce6016afa1856c748d0796a0e3522c8518

SHA256
ac8c7acff6eab75217ffb0d35d8fcd51f00742381f5cd84d905d73d7ad489ee5

SHA512
c8ce7c10efde404568f62d9d8c3c34a361c47f555a596df75ddfd914d47ce68d1e03a6385c7d7d6882c4e2c779632cf2aa599bba9b1fce828d9a181804530420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a37d5c064cc314d5fda2ea31de0d4da2

SHA1
34eefbd9e8acff9445249cd8c20b8fc97fd6f7d6

SHA256
f5f0d0c44127ec72a9999f5b5f0033e2d0064b1fdebc42e56bfb90eff8c2ebe1

SHA512
477b1391b22c36680b1c91e6ce61230454e57b245f46a407739a5cea93e0968c7a956c25c6143a28e7b57d6e4a685dd34f823c4dbf52f7702da0c211d9ba7cf5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 431556.crdownload

Filesize
2.8MB

MD5
bc34279f29ef0e6a2ff71072127d76d7

SHA1
fd84ef523831b618b18b489b4c72fde59ec2eefc

SHA256
a121bcdd9e39e2772d8d0ffb3ac7bdb7b9df060378c75ccc4d50557362d03d21

SHA512
e3b80b3b1046533fef77d5e3b78b184b27b2156e2e824192e81750abc30443b597103d69d19236f79b6524274826e45fb3c3079dbe9bb5e39a72892b00aed580

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
C:\Users\Admin\Downloads\الهاك.rar

Filesize
4.7MB

MD5
68d5ac479a6b22302b8e5800d53c6a11

SHA1
0978dfed3f040d7d64a2cde1a2ab5c6ec7fd0682

SHA256
4c736e4dc6b0609a75b332a8cc5d1b92f2972c36c79135b60b052e5bca93fa3c

SHA512
9436e0980e8ce71b5ddd8d9db5c7ac410274039e372c3e76094f0d8323c703e8b507db7407d8493d90c0337e17b872eb40dc5ff10d5b479373bc3db7f5bf39ff

Download Submit
memory/1220-744-0x0000029D7DA20000-0x0000029D7DA21000-memory.dmp

Filesize
4KB

Download
memory/1220-755-0x0000029D7DA20000-0x0000029D7DA21000-memory.dmp

Filesize
4KB

Download
memory/1220-754-0x0000029D7DA20000-0x0000029D7DA21000-memory.dmp

Filesize
4KB

Download
memory/1220-753-0x0000029D7DA20000-0x0000029D7DA21000-memory.dmp

Filesize
4KB

Download
memory/1220-752-0x0000029D7DA20000-0x0000029D7DA21000-memory.dmp

Filesize
4KB

Download
memory/1220-751-0x0000029D7DA20000-0x0000029D7DA21000-memory.dmp

Filesize
4KB

Download
memory/1220-750-0x0000029D7DA20000-0x0000029D7DA21000-memory.dmp

Filesize
4KB

Download
memory/1220-749-0x0000029D7DA20000-0x0000029D7DA21000-memory.dmp

Filesize
4KB

Download
memory/1220-745-0x0000029D7DA20000-0x0000029D7DA21000-memory.dmp

Filesize
4KB

Download
memory/1220-743-0x0000029D7DA20000-0x0000029D7DA21000-memory.dmp

Filesize
4KB

Download