hxxps://github[.]com/momolafrappe/Valorant-External

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/momolafrappe/Valorant-External

Score

6^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
27	camo.githubusercontent.com
28	camo.githubusercontent.com
29	camo.githubusercontent.com

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4680	powershell.exe
4456	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
2516	timeout.exe
1620	timeout.exe
1220	timeout.exe
4744	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	powershell.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2028	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
4088	msedge.exe
4088	msedge.exe
1968	identity_helper.exe
1968	identity_helper.exe
2376	msedge.exe
2376	msedge.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 1836	4088	msedge.exe	84
PID 4088 wrote to memory of 1836	4088	msedge.exe	84
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 5040	4088	msedge.exe	85
PID 4088 wrote to memory of 3988	4088	msedge.exe	86
PID 4088 wrote to memory of 3988	4088	msedge.exe	86
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87
PID 4088 wrote to memory of 4796	4088	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/momolafrappe/Valorant-External
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc5346f8,0x7ff9cc534708,0x7ff9cc534718
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,13044885010154525090,17111023637501142002,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1356 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4704

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Batlez.Folder\Batlez Folder\Batlez Tweaks\Batlez Tweaks.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Batlez.Folder\Batlez Folder\Batlez Tweaks\Batlez Tweaks.bat" "
1⤵
PID:4412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell start -verb runas '"C:\Users\Admin\Downloads\Batlez.Folder\Batlez Folder\Batlez Tweaks\Batlez Tweaks.bat"' am_admin
  2⤵
  - Access Token Manipulation: Create Process with Token
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Batlez.Folder\Batlez Folder\Batlez Tweaks\Batlez Tweaks.bat" am_admin
    3⤵
    PID:724
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2304
  - - C:\Windows\system32\timeout.exe
      timeout /t 2
      4⤵
      Delays execution with timeout.exe
      PID:2516
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:4456
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:3408
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5116
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:976
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4172
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:5068
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2376
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:1620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Batlez.Folder\Batlez Folder\Batlez Tweaks\Batlez Tweaks.bat"
1⤵
PID:5056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell start -verb runas '"C:\Users\Admin\Downloads\Batlez.Folder\Batlez Folder\Batlez Tweaks\Batlez Tweaks.bat"' am_admin
  2⤵
  - Access Token Manipulation: Create Process with Token
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Batlez.Folder\Batlez Folder\Batlez Tweaks\Batlez Tweaks.bat" am_admin
    3⤵
    PID:3392
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1584
  - - C:\Windows\system32\timeout.exe
      timeout /t 2
      4⤵
      Delays execution with timeout.exe
      PID:1220
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:3240
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:1792
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3432
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:3384
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2132
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:3468
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4352
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
37KB

MD5
33bdc9d333dc6b1e3dad3b166ea3a567

SHA1
30a38602e99bdc5c6a795f2ad5d54fec0458ddb3

SHA256
24cf7e133c705d3350bfe954c4e325b2de97fd4889de600f90cf06c8c3d02a4d

SHA512
5a7095db8e8733f71656871ef8109255049bfbff78c6beb030fb0c0a167a289dc29671f28a879b5e1ffd84418b29b15a59f5a264de6da8da08b02062fa3f1e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
37KB

MD5
3ae7a1fc24a2fc360d0911d5074311c9

SHA1
b94f593d8789e38908e86e75bf5d4795fa14f4d7

SHA256
3e687d87510e90e494e83e1f064cc388577ff85bbf9798044ccb2c274b0ee18c

SHA512
c82aef8ad194a149f55549e7ac903bb18601ad765e63aae0550feabf6699bcaef604be165639979e65bc9bd1fc680d67a76ece63b4338148bb2ea6a5a731bbb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
21KB

MD5
94a66764d0bd4c1d12019dcd9b7d2385

SHA1
922ba4ccf5e626923c1821d2df022a11a12183aa

SHA256
341c78787e5c199fa3d7c423854c597fd51a0fc495b9fd8fed010e15c0442548

SHA512
f27ba03356072970452307d81632c906e4b62c56c76b56dfe5c7f0ea898ac1af6be50f91c29f394a2644040929548d186e0fbcea0106e80d9a6a74035f533412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
18KB

MD5
a330dcd681ce3bab9d64645b28ee933b

SHA1
dc5a304235f72dbd1cc22d4a68102aa40f99253b

SHA256
95a5918c4a1f830250bf554c9a1b848a4daad16c32153becc6db8c0497a9fe33

SHA512
d3b8a74ee23d179bed590dd5585d267a642108b3cb4e02008414db2c3a18c6f89585bb78e02e9c2f7d48f214e904d73065ab029f18375a586e70be17f7a973bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
58KB

MD5
72e01a3e925a9e73978264becaad2566

SHA1
05db1a9687ca985d4186351f7a52cb2fb129a7b2

SHA256
03e30f83f79d9b602d28dbda8e37818db4e9c61ba24290f64c1b5d23102caec2

SHA512
5001a598728dbb1d0ce53a7a34fc06a425be225603a9e20cf376f0a4d587d5d04b79bb414f47703cae1977daff4d6f0de1bb873a823d457db3bed06cfd93b58d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
17KB

MD5
3190f31cce176613f19d0fc8cfb61788

SHA1
15267d7f52d62cfc01328d7bb366965bdc0b3e47

SHA256
cc3438c2808585856cb1067668a4f028ab3dfc2456153cbe93160065bc9889dc

SHA512
6021a1aa40749d70d0f10843276bb3acefb919010764c1fde6d5a81519c2a2016464b238ca43c4ff55f8a7aa386145f5802f9f15711a9dec832117b0c0e580c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
16KB

MD5
9df56abe7d416c8a096f63ccb2bb357c

SHA1
340a9b8c408c1018d1e953bd944a1f33be5c108c

SHA256
2ee56d023f55d5e2d53f627f2f334b744554e832886e7f203844ed7e893f870a

SHA512
365077ab4bac6e31588ae2495186ac592f024a146c4a675314fd53085b6f86ea79195b34bae15f60e275b5c73632d04d152722a94b776bd1935a454c30dae8ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
53KB

MD5
cfff8fc00d16fc868cf319409948c243

SHA1
b7e2e2a6656c77a19d9819a7d782a981d9e16d44

SHA256
51266cbe2741a46507d1bb758669d6de3c2246f650829774f7433bc734688a5a

SHA512
9d127abfdf3850998fd0d2fb6bd106b5a40506398eb9c5474933ff5309cdc18c07052592281dbe1f15ea9d6cb245d08ff09873b374777d71bbbc6e0594bde39b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
142KB

MD5
50b68edf200c0a0b37a528ba89564630

SHA1
fd73311625fb39fd96e46b48bb90aeb89ed57bff

SHA256
3e23d560e49a0e10df26a9a7408f1161826c325f34c072a94a28f6c140d0889b

SHA512
6396f331f3b2dac451b08c6f25e9cf27a996fdd4d27cf51f0dce5ab54ea62e1d123832bdc3ab9d06cbbcb28eba671f2ff63cc79aba2f9e458dae8c1ab2a4e32c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
22KB

MD5
07eaf1d273beb8d7d511f6c878c04685

SHA1
8ef832af6db74539cae46ae56e8901c536064ce9

SHA256
1d05cdb46b28941a0e9bc666cb1f5d54af9ee6d37fc7be813f540d76273f60a8

SHA512
9d0f83f3a4c2d73bb5714351611979ee0bab1ed978daef8e53f1241c7f437d0a0ded2ab4e0f3d671bc9d7e5d882a1600ac5aadd2d30ff07e8390927d2bd27e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
63KB

MD5
ffdf02dd5beab8f2e636cc092acbe0ec

SHA1
96779501f72002bb7ad62103dac593dcfbd9272a

SHA256
91033c6b14df7d8b80385bdd7e766f58207666dbe3bbc3285e7339c1c4e8c3c2

SHA512
f39b757a780ad989a60ca59799e2955520433001ac743d2f988e921ad60a8b472273a841c0c2d9a96a2f9213078417cea09e09159e17e4a4fca6cb1652f7cd67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
cca1240c037aa95fe81a67c9356725b3

SHA1
f71ad49965493d5cbbba13e6d3330cb6fd030a21

SHA256
3b43f10cd65a6401338c34a78d84f22384c8385b1876cd23cb1ba1d90a725c65

SHA512
158ca3a305b075b4b2263c9d2ababa184ff31b58a99d2545a20b84f6272d2ed38352ec10a430d7c81ac953b753580b29f40cd657a66aa24489bb293f2cdbfaf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
941B

MD5
8e5c67be5098ba91dba67294e9df8da8

SHA1
38c337775f9762bbeb213e7b2fd1d1ab3a14ece5

SHA256
8b42a282a68aa392be677a37bef50db6b5cb1e666c1aa2873fa2f452c0984ece

SHA512
2e6921a5487031fdb7ec47a06069ab71af201ebd08557e728602b1d7d03c5eba47df327c048b736351cf0d989e3eb6dec58f334bf5586d673ea441234777adaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b0be58c59773d19ef91354d4a2d2db00

SHA1
27e22f523b7739242b2cfca3cb1a6d50a298f690

SHA256
1ec855395d48dc142998deb81b4c6bdf34503b195f87dd79de8cde11ef6ee662

SHA512
584f39a9ea8d45c4f2fbc5399ca7d3247a2a5d98248fe2d5adac2079491e25279f7deebc3fc75c1d9be22213718ebd35e203541a5481c56a1305dc00353d7629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a24b119372caf85f821cf75a6a63b6b6

SHA1
1a506dbc9e4e5e1b7cc56042d14039f052fdf2b5

SHA256
2684035a2dfb481c1f42ffa441f498a68cc739125e3cb26b1d344d96c308d3d3

SHA512
5e990f2b669ac75168a90541cff6b572e344c34e5d835fd7d2e738b1bc84d28d5edce8349b578c9d864ea23ce63f7d79ab8a1aff6fa57ac5f41bc1465f1f15aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9454a9376aa72ec8b09f6ee0c36094f8

SHA1
150c23e96342674e5975c8428921f88ad6941298

SHA256
1a19ea83077cc0159492967539e352ffa267361f40f1b808cff78015e028f6e6

SHA512
01db042842f36b7479aa0199eef8f9046353d27dc38f1179d2a1477f092307abf37c9514dc446df66312178373b4136feb11970724ccbd41047f6c4abd9206c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bbedf5266e002938755174a42ce9aad8

SHA1
12a4f3fef5a94868fbce9b5373cff0b670b530f5

SHA256
4714e9602d2d2af2f3ec02d8368229c37b3c633f8c40f501c48f7cc7f59cd88c

SHA512
8f194048c8019404cab5eb4bdad426ac58560212c13aac43d65cfa5cbfe203c1552a7e3bfcda65e39fb5122c2aa5378f20795279999f9a5c0fb30ad0a1c0b460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9646bfc8d1bf7c327f865fda1b76ddb2

SHA1
fc275be6b16af5ab1dec622c94c79f370713f1e1

SHA256
0cd6e300bc46e8c61c41cd0156c978e515aa0d160c0cbcf8021dbefc68ab652f

SHA512
f0eb09430334577fa70ca5687b977d61fb0a19a01979f39ddf3666c1829b8c35c940e60ec6cadfe0bb1abc71390ee0a9c8f10a7a01d2524c01dd16524dcd857d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
62727676bd70433ef5e6ff621ed42292

SHA1
36ba12166e3aab5d3fc9621d1b6eef706e6962a3

SHA256
5293c3c563897e05d8326c08ef4c44fe44a6ff501ff70a05a2768aedb7d1ef38

SHA512
8c8c78a595f2ae3c754e0c40d819d6821a4ea09cf8feceb1de9978cb96c7ccad468660699b58cca3c998e9566a1204817b9fa029a21c4c82ea298114abb0831c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a5278e8f3d6fedbd7535ae46c6b2e11e

SHA1
9fe3bf24a3e2df4a418cff969a2e213b66f0a071

SHA256
370c240bafe87a8ac6063602f24b80cd34eae585dd01267ec32c5bcccc73048d

SHA512
8f3872e04e3bf2f9df03f0e03be97715d58bb33dba0d49aa67981dc501512f47492b94ca770fb92cce6b8b42c902336c954ebea6703e51962116250155eab1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0340b06ba62c58551172d958bc9350ef

SHA1
2808ac19dcf010f53e0a28b37a267c254d6f0a0a

SHA256
fe063247e5140976fde4f8e0596cd5aa2d130afa04c7929194a0ac597378ff3c

SHA512
4ba055f71d53c52b3da2590d9aec5a7dd97368c5c288a738793e8f6ddbd4ae15e54ff18110a5919e428dbf7dabaf754a5eae5d9097ac3886167aba1862aa4ec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ea509a12105a549495b398ebf2678a55

SHA1
8cf417b7cd94a5ced6874c501d342a1ccade24e4

SHA256
8db4d3273acdeff13d24cf8c3d765611f75b6c6b910d0efea404ce068c1df851

SHA512
4001e8efe495e83496ca1934e9ae769a4b41d08c3add1bfdd6a39857073aebba84e76c11e54db6a18af8148d418440c3976262ef4a705774baf15a3d43a88a12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d515d5bb7503b6ede684c218b37fbc24

SHA1
8b1717030302d511f3e5804a2beb7ddeb0c40f69

SHA256
9abee2534bd8f06a67e642051e584debfb505f00b68e1992ba80758ef7a24a7f

SHA512
e88b52a062a80d2d829a0e87d59e603070e1c13870d782de6939a895c50181611f5c1f601b6a68c08e012a66ffbded09dd2652c5332368babd834683b39dd0e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6f68dc1ba48fdd228d7b79a558786736

SHA1
1cab4162b8cb73702871d8e105a5e37a6f1c55d5

SHA256
fa51bd596ee3e0cc9f1794779617b9b4c91e51506d8d08c400a5b6b18c799bcc

SHA512
ad1ee342f9a6d3a0e10d49f40ab3d1c8b4ae81def719469391c8cd4e1301df2a156b77edf2eaa8ae9318ca94d09e218671265fc02dca5134d4378d0e2db03787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582d35.TMP

Filesize
1KB

MD5
0f6d438b77f2f1a51ee275d7563496b2

SHA1
a699142cd6c62fb3a800abfbda6273e6b4484556

SHA256
c49c116ea9a863ba0caf93b65139d66fc80b9a9174ad2b872cbfb93504e1367e

SHA512
fc789f2d0e7c0f35543add9414da717a1039789d960aaf0842d305dbcf2c011b00a75560ab773310b50eb842a9ca3dca166fb2bc1cae35ec2bd5ab98b64d288f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
87c977282cad3e0fc6016de5bbf6a3c8

SHA1
6ce7efc0a0e6947628518d2ef81f7be61f7231bb

SHA256
3e9c2bfc3980e8090e9435ed1ab6f92513b6acfdf427189f9fd4946ccb7f9a89

SHA512
5e19170b3a0ba2e67348bbeb556eafb64dbb543c7dc062c46edb6983b38844da947529a936d2498b5ba9572f6adec69173e67453818e93a2a95f1e1d3206475e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
82f7f89d1fd1cbfaffbfb38fd2d585cf

SHA1
c7bb7c20cf9da62be4a67e1345c529005bc35e77

SHA256
42a3dd793b6f9990c02fa864a7a0a56859a4527e7957ea169fc8136afec1eec4

SHA512
d7df818f0dd77fa8c82714e56e62213cfe0e7a92bc6312abb156025c3a7e3ca6ca0dd7ff9c99f1e2d248c16393df4154540bb4e2ee0234f8c78c9a9512976cad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
53B

MD5
62f97039af17aba0103a65852d2f78fa

SHA1
327729ea0d132b740742d69802fd390fadd7e68f

SHA256
c2e14ebe8b0b8f657ba84c5aa543b7f3f1113c6a4757aad3267698c5c4876ad5

SHA512
5f5ae5096fae61e12955f0305856800fe00d5bc12620905cf5cf9912b55c9118e8f8b4458fcf4cb6f846cda4928ebe2e3ea3b30576814eeb8d96bbe6599c256a

Download Submit
C:\Users\Admin\AppData\Local\Temp\34A7E8~1.TMP

Filesize
377KB

MD5
f9150fd42451cf4ae4d3d86f113f2b02

SHA1
1f299821f535ae5485c1f8bcd06ac4fbdca04780

SHA256
a50ac166938123e4bd746d3000e9eb3b9a5718c57ef124af804a945ef7706f62

SHA512
66d23cf069dad8f4d5095d76cc8bb62db0af9cd622b5ee12847cb19755de5447398594e08a900fb328e4e5eb79a61662c984690c154b00c5a7e87db4da586950

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F00D4~1.TMP

Filesize
844KB

MD5
3063ffe910795473ec2907d23cd4f598

SHA1
e175213de023a8e725d24388f0ee0f269e8a0839

SHA256
d560ee341f048d4ba0522de0903a9f4569e93d98ac1c700cbf567518824272cf

SHA512
573721428365e2fde0d5c9a4e10447ba02ac73076429e8852d379febb489c1043566c2e5539a111d82070322af539ce6747b9bd0d9df141b07ac5d25cd9e08fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2715E~1.TMP

Filesize
492KB

MD5
13b1036a3a74b69337265061b28a92b0

SHA1
1f4fd78101ae8221bb9e24d1e48aa869e67e42a1

SHA256
300c123c48e3c3a1d1ceb1524ad6f0add0fbb4c4222d0cabf6781b43862e208d

SHA512
5daf54dbb2b75de74dcd25c947a6e861c18d92f4389b98419e6951dba7dd1870eef05088fc8b78c33c2c2baf6e92c354ba7cd9be661e1bbf95762bd382e55a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\C87BCD~1.TMP

Filesize
224KB

MD5
09bd0f4196902acac51ec4fab447da46

SHA1
5d15beebfb17323b8d973546cf9c4cbb4f0cb0c9

SHA256
a252dde73c00028fb3f4ea18340f072dcb19b5ba60286ab8baf936437624dc3e

SHA512
aff8d4e1e746bf8c5cb9054a44f3a516b5110e76295621f40d715831e86d8fbfa34588019f7ea00ee06627205a38c597f677250c190729f03063c5c278eadef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC5502~1.TMP

Filesize
981KB

MD5
48451d909b21410c200bfadf9a7b3149

SHA1
8fa2e0b1c60c0adc4e04b7eb5e018c421ea71ce9

SHA256
6922f5f3de6b4110e19cb15d00243fb575f350bbe86a36d61769612696a086ba

SHA512
82eb623e1fa22612b4d2b062f7192051f13abb808007f28761c6a7931b57eca38f376a4479be93edd15d413e20ad39cb59156141762543ffa47f168cbeefbe78

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEFCB1~1.TMP

Filesize
719KB

MD5
86ad0d9cbe1daf256c2708963d2e3f2a

SHA1
2ae722b8330c1a6b79efc92191cb405f26401b7e

SHA256
522decde9a9315e82ab1aff809fa972df0d6769aa4c6ddaf2666f25a89c3b283

SHA512
400947870f5034db756d95d5a68401e3dc5c18e7a08ded8a35ce6862f23bc6869f36a459b39eef59dd0753a038b2b4b5daa17506c3aa6d2616cfa2bd102c7dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_auxsyg4e.zdg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Batlez.Folder.zip

Filesize
28KB

MD5
3b4dd749c7730571d17b0f79a1f55c05

SHA1
6bf95925d05557201dbaa175918007497181cba3

SHA256
4ecfc193c5b2787c4384b8bbd17963b640d1c5381db41d304209db52eeb5f95f

SHA512
2a1ff0efd9e655d94e99d38afb1a130190c3f9615b3eee5421adb7c4d70c566f4387a7e85eeda1a2db4c14033c2632bc0301cec97048ebe93162c4c7eebce784

Download Submit
memory/4680-1068-0x000002496A4A0000-0x000002496A4C2000-memory.dmp

Filesize
136KB

Download