hxxps://www[.]mediafire[.]com/folder/6c7wv1nrlclsg/Vas3

Analysis

max time kernel
197s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/6c7wv1nrlclsg/Vas3

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3068	winrar-x64-701.exe
5412	winrar-x64-701 (1).exe
1044	winrar-x64-701.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 4f7e970612e5da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{7F16E5AB-FFEB-4A11-B683-F248A703EE39}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5E0A1F3F-62D8-11EF-9A03-D60584CC4361} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{61C7FAF8-F6C4-4A91-87BE-7227CB054CDB}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 639882.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 221628.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5968	vlc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1520	msedge.exe
1520	msedge.exe
3324	msedge.exe
3324	msedge.exe
5680	identity_helper.exe
5680	identity_helper.exe
6020	msedge.exe
6020	msedge.exe
2472	msedge.exe
2472	msedge.exe
2544	msedge.exe
2544	msedge.exe
5376	msedge.exe
5376	msedge.exe
6008	msedge.exe
6008	msedge.exe
6008	msedge.exe
6008	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5968	vlc.exe
3168	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe
5968	vlc.exe

Suspicious use of SetWindowsHookEx 49 IoCs

pid	Process
3068	winrar-x64-701.exe
3068	winrar-x64-701.exe
3068	winrar-x64-701.exe
5412	winrar-x64-701 (1).exe
5412	winrar-x64-701 (1).exe
5412	winrar-x64-701 (1).exe
3972	OpenWith.exe
5428	OpenWith.exe
5428	OpenWith.exe
5428	OpenWith.exe
5428	OpenWith.exe
5428	OpenWith.exe
5428	OpenWith.exe
5428	OpenWith.exe
5968	vlc.exe
1044	winrar-x64-701.exe
1044	winrar-x64-701.exe
1044	winrar-x64-701.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
5536	iexplore.exe
5536	iexplore.exe
1404	IEXPLORE.EXE
1404	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 3304	3324	msedge.exe	84
PID 3324 wrote to memory of 3304	3324	msedge.exe	84
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 2128	3324	msedge.exe	85
PID 3324 wrote to memory of 1520	3324	msedge.exe	86
PID 3324 wrote to memory of 1520	3324	msedge.exe	86
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87
PID 3324 wrote to memory of 2756	3324	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/6c7wv1nrlclsg/Vas3
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca8c646f8,0x7ffca8c64708,0x7ffca8c64718
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7524 /prefetch:8
  2⤵
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6768 /prefetch:8
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7560 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7776 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7648 /prefetch:8
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7572 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:6128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3956 /prefetch:8
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8176 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8116 /prefetch:1
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5376
- C:\Users\Admin\Downloads\winrar-x64-701 (1).exe
  "C:\Users\Admin\Downloads\winrar-x64-701 (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1468,4822610996949334287,3556915521716433206,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7896 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6008
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\[email protected]"
  2⤵
  PID:4776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5428
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\[email protected]"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1168

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1044

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\5500fdc0c394440c8444ec3e36e86fe5 /t 4484 /p 1044
1⤵
PID:2320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3168
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\[email protected]
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5536
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5536 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1404
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\[email protected]"
    3⤵
    PID:2320

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ConfirmJoin.m3u"
1⤵
PID:2192

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ConfirmJoin.m3u"
1⤵
PID:5800

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\WatchUninstall.rmi"
1⤵
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
62KB

MD5
6b04ab52540bdc8a646d6e42255a6c4b

SHA1
4cdfc59b5b62dafa3b20d23a165716b5218aa646

SHA256
33353d2328ea91f6abf5fb5c5f3899853dcc724a993b9086cab92d880da99f4d

SHA512
4f3b417c77c65936486388b618a7c047c84fb2e2dd8a470f7fe4ffec1ad6699d02fa9c1bbd551414eef0f2e6747a9ee59ca87198b20f9f4a9a01394ae69fa730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
31KB

MD5
c03ff64e7985603de96e7f84ec7dd438

SHA1
dfc067c6cb07b81281561fdfe995aca09c18d0e9

SHA256
0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526

SHA512
bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2606d0258d616668159f1c4f9e2d17e1

SHA1
2f8c309d8960890d1c07bf269cb9b403eb66a993

SHA256
d0cb0df8baca0ac199d1939b8e6fbe0f5c7189132c96a5311c68e77cfc143e62

SHA512
ebe834432a9f01d4c7bde78139bfa428aaa97440f169ac4e0d6f190090b8db6e278acdf8805eeb7f57235ef700c1e802806f3f4381b2f26023ef9032225022aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5ab91d57054a01b964d0c7d96770d5cd

SHA1
d7dc7d47cc3da4b499edced604a96ff613f0838f

SHA256
8bbe09d0ab8b47ef37d6fe37e7e4217dcacb61fc9a9ab70dbf656a424878e43f

SHA512
bf6ea3036ae2d99032a697838772d02979a5c6cc620ff8672896ed1f035a5ef37e26edc7686b79bce468116b3b5b0ab22f6fc9408d0dc059a63324a6cf5d0c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
57e168e00d0d70a7e4b76ff0aad96486

SHA1
ea8d410f8ed285b282a16707cb7242b25109f241

SHA256
22109d3767e55b822e4c054271a88376d0d8511ff2b438b3b11db270b1c008f5

SHA512
80ae58b33be112c0aa1886994c31948444719925d80d9cdb559488f7d6ae2c5aa7ea214b882b715573cf116a119b6e36af28abe7bfa174b3b54abe7a0ece7cce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
733231257081d87fca73a7da3ac71f6b

SHA1
2119aaa4df92b4d6c2b9aadcfd4d1bfbdb806983

SHA256
52d286a9bec943ecfa9803a529b610d3102a722e7644fec552c946ce34423793

SHA512
a37b5ce4fe3be466c4368e8b4855cd9779a60a3a9fbe7ea5357a5788836301963240cffb1fb75255186763993205863784ddcb3db7bc8347434770ca78ad06cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
9c23c5bac7bf95aa112c71d09c538d07

SHA1
404a367f4acedef902ef4437cb43ad19d691346a

SHA256
a75c33a4a09772dcfe5528fe8653d32e589e42b4c2d21d893b40da98f57c7b0e

SHA512
537a1446885e5f281b278b666babef67cc8e881c403d1800992d0218f7e611e000ee7afdec366030309f301728abac968dc0e0ab0c2b5f207e1ac1638908c4d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
a73c916792415fe22291f5656eaf3c35

SHA1
46533283dffb7ca243ddae3cb2aa903f07fe7d56

SHA256
765f3389f1fc592a0178c9721e9776621afe21ba58139e81844cd4ed8efb7a5d

SHA512
802a392b3f875a2da2688c1c3e34a9d5d62268c2d52b22b78728b01374369dbed1ca43e48be6ebedc7ae9903a02a209387220585f4b57fcb7cc503a39f459f07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
df790591d9e5518d9325237101be36e1

SHA1
e91d0b5be856897475f90a814e328d7bf6109f9a

SHA256
1c3b07fb8eb3b5263b74d834291e8f20d1392d2a3dbf4c2b2d319ab0bb093d7f

SHA512
cdee93202eb167b00a688eb6e780e92518640794e0472b5d0e8ea42284c99167f2264109759dbb99d920470c77f666917869c1e8a6b4bd1762eb403904ef5f16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
bab621ec88633f52f30736317efd72c9

SHA1
cbad0c7a19adad69e5812952ccf6d73ea7c4b6ef

SHA256
1071596ecd6b4ac492e2bb875f3b74520b87a677140828dc14dbb6a5fa2809ec

SHA512
33defe03f39e1ef0bcfa18ba1ef481366ee153a7913e1456f337ae522faa0553cbe8100b1c21b91285a6bafe3152f994b50f643915ee53f6c11029409e4b9af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
775d2e7ef9a413257f5929ba97358019

SHA1
67d6432e46243ef58f1d0e5d64bf3394d0cc0152

SHA256
eeee6320d1044de81254eed7331a7e86d32cf1c6f05e801d07d2ef0ab4a69b30

SHA512
37521d77cfe57656e2caabfe19a3a088dd6ba52fa946944f1ccdb027d81457976c0bc32f81af5129364561ee912d1fb74e379b0960c857a87b6aa9ce2cccb53b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
6c6bcccdee27c7a3b6c2664056d9160e

SHA1
23fce934d0578647f69db732bafbaa9fd63463cf

SHA256
0c75bfcda48110202e5b517a5805b8c501256d74f8d213ee5a11bf168e7df1ea

SHA512
6fe4af515df6efc37e17acf50ed4c85ea9cf31783d4242c1f4f48296403e5f92fd760fa52f133be98b515c68109ef36a13c86156da84c9c386c33a932a4cffb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ed08cf3def74689d22fc61625511a20f

SHA1
a1a35eb229208a1b323f702499a9a84fc86c516f

SHA256
eb092dce6de0f6cca8023e2edade32743abf708ec8a21976929b1d47d1224319

SHA512
60390fb891e8febfb9ce89bca17d35db23731d480408febc28ebb8649f9e46cc5165545853a189315f0b2d89e7f15ee7ac6ebff713f4562074b43934b29a153a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1cdfe5047b58d994520d98f06ef87732

SHA1
4e12749e43fe9832df773e634c11ba36cb73de23

SHA256
000fa3fb5d20ac0d1075723b92678739a1b95ebd61c46f2136906f72000bf95d

SHA512
e276224ba06f202f533d90a470ab3404449ef5d913d0a5035d9886c077bce5ce565e3c73e69e4d51f5ef8a0e11178f998a291a9555ef23bdbb28c69988d47803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
06b23caf626e6243caf99bccd92467a6

SHA1
946571b74fb210613f4dbe8dcc712b6e5e5600e8

SHA256
1ef285caed94419e39846d485ab83b05ac3090ee4770e1a12a325a50c9808347

SHA512
1cd58ddf9ff449c279a49fec0392237325079eca27d3e3e8cdb0f8dce0ecaaa5bd341404bb4827f220fb16cbdf258494e004b955fd2014e1ec27680216a89efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
fcf96c0b31d7eb731fa581cf4f1fe972

SHA1
8731be3b94c77c0b277f8444942a899d86ee2a2a

SHA256
e764edba97cd9976ccae1b5c19d1ec9fcc9d76ac3778621477ce21801eb7af8a

SHA512
0d849716074bbb74f02158ab8f9f6fb676533525523ca39c18118f3aa238399b2d3c5d8ac292b1b859b676fa36a62e9df4895c001cedff334e46b783524b46fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fe46.TMP

Filesize
1KB

MD5
d6fa350155d1cabba12e01e2b98c2090

SHA1
f5beee924e4a16a90ce73bb91289470c2efaa9e4

SHA256
1fedff2962d3244f04bf65f4d4aa174a0a3ad0ff34dda9122bc0a101425c0f75

SHA512
8daf53f96e9b35b034d56591397cf586bec61a7f3e4750c4e5377a9e19c15dc6fe969eb9e9536c9cb476a08b26c466f21d58dc6504872b790ef1e51c8208de5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3f07852a667a71628fc304e34f3d210f

SHA1
7042c27046f3cb8bc4a508c4531123789bd8902d

SHA256
161b15c183f21fe0df963ee36692dbbd722039d347e3dec634ff2e53719fc1e8

SHA512
a361ba21a1bf4c09cf0dd85a4c8f11c2fe7d9659eb8ddb8675879308383e1602f93c318f6ba947fa17ae651a14742e7ae538753f330a4122dc7f6718ba506c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4af1dbfafb448a5ccdf80c8351527a1c

SHA1
a8949d5cba04e058050c23dfa239d71e2c8ec140

SHA256
5f969baadac5999a43897a5e036ae5dc384affe8616867cae7c7d12f8f249c96

SHA512
88159c38c2a01dfc43255d0eb472086424786a4954ef0f59cabec649ed7550662d2c2577006ae3a217e00479f7d77dd872839a7c99ef0a6a748b161316b39375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cf901b9b49cc6fa70f3840e3a4f61688

SHA1
40631c29abd13a20e4e2a7139ea995daa376645f

SHA256
21b234171866ffc3b94f2829606ac09a363617328a2500d898dd915a48b91d3c

SHA512
f6624476007b54d667525241b8d4b929385de0b7c9efb50a35f58097f78d66a8880d576dc0288837424724910f2d3898d955862fe1e46bd1a48fb40dad53336f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ed05876d57e9a2a780482347a6215d52

SHA1
389ba6e6d9d39fbb08bc878936871f09256613c6

SHA256
47f44c18d3841bb4c16a40d8ca6e9218175186a797d62c3887c915a422db348f

SHA512
e804a7b6b5f991755e0a44c825b282ea1a21e73cf74e9a09b16bc3d4a193d3bec56b9cdbe4dee09f8bf6f012e89e9de318d61ccc98e9db89a86b1a3d94b76e0d

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.eZ5968

Filesize
82B

MD5
60a0e1b419cac60a88567811c3056179

SHA1
1d8670ae635b81f59004ad2339bea549f5597604

SHA256
6fcc5592ec662d698bd0370b6ddfe8d88049c62a243d4786170d26d3c9fc7db0

SHA512
712ab7dda22474f039294a88e67a443d7204c25a0cdbd0b2e99532726dcca1c3df5b62568067c2c81f32a09338fd3435e5136010dcb1f270bb39deb822b54e5f

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
56bf68fd143512b2656bd26004a391f5

SHA1
3c2357cc2de6b418883af3cb6700fa73f6022316

SHA256
bf41c8fec7dea139137af098e1d57d4a69e47b0fbc6175ed2458c7ed58f8b869

SHA512
57b13f216c37bb6c46e06bfc3ca82a1fe47e9701ecd776babd7b5af5c496e1c9aeced7b4ee477da17c43cfe0b493911c26c9c694c191bd8cb7e2a08a41c3ff21

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc

Filesize
94KB

MD5
7b37c4f352a44c8246bf685258f75045

SHA1
817dacb245334f10de0297e69c98b4c9470f083e

SHA256
ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e

SHA512
1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 221628.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 639882.crdownload

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
C:\Users\Admin\Downloads\[email protected]

Filesize
10.9MB

MD5
24a28802c07ee57605f25ef8d3101476

SHA1
d83c34ffd2db67fbf0d64e83a2577fee0a304395

SHA256
c21a57d79a567471c664d7fd13731423c832f82fe4b7cbd460c26c3549c5e45e

SHA512
af8dd67480f56a8ae30a0cadd40c5945704e939f276a2b468d223dd47baf5dffae0517c8871dd81cbf23f751685b4a34c0d5f13a8a2f104f6566287b90938d60

Download Submit
memory/4776-768-0x00007FFCA8680000-0x00007FFCA86B4000-memory.dmp

Filesize
208KB

Download
memory/4776-769-0x00007FFC97E40000-0x00007FFC980F6000-memory.dmp

Filesize
2.7MB

Download
memory/4776-770-0x00007FFCA9C70000-0x00007FFCA9C88000-memory.dmp

Filesize
96KB

Download
memory/4776-771-0x00007FFCA9300000-0x00007FFCA9317000-memory.dmp

Filesize
92KB

Download
memory/4776-772-0x00007FFCA9200000-0x00007FFCA9211000-memory.dmp

Filesize
68KB

Download
memory/4776-767-0x00007FF645F10000-0x00007FF646008000-memory.dmp

Filesize
992KB

Download
memory/5968-741-0x00007FF645F10000-0x00007FF646008000-memory.dmp

Filesize
992KB

Download
memory/5968-744-0x00007FFCA9C70000-0x00007FFCA9C88000-memory.dmp

Filesize
96KB

Download
memory/5968-759-0x00007FFC925E0000-0x00007FFC925F1000-memory.dmp

Filesize
68KB

Download
memory/5968-758-0x00007FFC98730000-0x00007FFC98741000-memory.dmp

Filesize
68KB

Download
memory/5968-757-0x00007FFC98750000-0x00007FFC98761000-memory.dmp

Filesize
68KB

Download
memory/5968-756-0x00007FFC98770000-0x00007FFC98781000-memory.dmp

Filesize
68KB

Download
memory/5968-755-0x00007FFC98790000-0x00007FFC987A8000-memory.dmp

Filesize
96KB

Download
memory/5968-754-0x00007FFCA8630000-0x00007FFCA8651000-memory.dmp

Filesize
132KB

Download
memory/5968-753-0x00007FFC98BD0000-0x00007FFC98C11000-memory.dmp

Filesize
260KB

Download
memory/5968-752-0x00007FFC8FF60000-0x00007FFC91010000-memory.dmp

Filesize
16.7MB

Download
memory/5968-743-0x00007FFC97E40000-0x00007FFC980F6000-memory.dmp

Filesize
2.7MB

Download
memory/5968-746-0x00007FFCA9200000-0x00007FFCA9211000-memory.dmp

Filesize
68KB

Download
memory/5968-747-0x00007FFCA9020000-0x00007FFCA9037000-memory.dmp

Filesize
92KB

Download
memory/5968-751-0x00007FFC939F0000-0x00007FFC93BFB000-memory.dmp

Filesize
2.0MB

Download
memory/5968-748-0x00007FFCA8EE0000-0x00007FFCA8EF1000-memory.dmp

Filesize
68KB

Download
memory/5968-749-0x00007FFCA8EC0000-0x00007FFCA8EDD000-memory.dmp

Filesize
116KB

Download
memory/5968-750-0x00007FFCA8660000-0x00007FFCA8671000-memory.dmp

Filesize
68KB

Download
memory/5968-745-0x00007FFCA9300000-0x00007FFCA9317000-memory.dmp

Filesize
92KB

Download
memory/5968-795-0x00007FFC8FF60000-0x00007FFC91010000-memory.dmp

Filesize
16.7MB

Download
memory/5968-825-0x00007FFC8FF60000-0x00007FFC91010000-memory.dmp

Filesize
16.7MB

Download
memory/5968-742-0x00007FFCA8680000-0x00007FFCA86B4000-memory.dmp

Filesize
208KB

Download