151597e1577a2ddce1166ae7fb25983410f9e92532b40a2bfe66e24ff707b3a9

Analysis

max time kernel
3s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe5bdcd71e3663a37f697b460b94dd9c_JaffaCakes118.vbs
Size

4KB
MD5

fe5bdcd71e3663a37f697b460b94dd9c
SHA1

c84335c1f76543b93d6e5784c68c77502b540fd0
SHA256

151597e1577a2ddce1166ae7fb25983410f9e92532b40a2bfe66e24ff707b3a9
SHA512

c311cb29b2569890cd98cce282f4cd5269b3033b5b6268082031024a3b49e28ad242aa964f5efda82a0aae089abfe6d35fef5f934d51a854ea04de7d4bc6780f
SSDEEP

96:OdE/FMIXMyDM9MtFGK4LPsS9kX36H6Gw6Mvf764+lqw5Rv6QhkOYtYvyWiMWW:Om/pDlEKoCX3WOhf76kwz7hkOfvPWW

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	2324	WScript.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Progra~1\WinRAR\b.ico	WScript.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C1F6F429-7E4F-11EF-84CD-DA2E3A28CA1B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	cmd.exe

Runs .reg file with regedit 1 IoCs

pid	Process
5444	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3956	msedge.exe
3956	msedge.exe
2372	msedge.exe
2372	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4536	iexplore.exe
4536	iexplore.exe
4536	iexplore.exe
4536	iexplore.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4536	iexplore.exe
4536	iexplore.exe
4536	iexplore.exe
4536	iexplore.exe
4536	iexplore.exe
4536	iexplore.exe
4536	iexplore.exe
4536	iexplore.exe
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
2328	IEXPLORE.EXE
2328	IEXPLORE.EXE
4892	IEXPLORE.EXE
4892	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 4536	2324	WScript.exe	82
PID 2324 wrote to memory of 4536	2324	WScript.exe	82
PID 2324 wrote to memory of 4360	2324	WScript.exe	83
PID 2324 wrote to memory of 4360	2324	WScript.exe	83
PID 2324 wrote to memory of 4592	2324	WScript.exe	84
PID 2324 wrote to memory of 4592	2324	WScript.exe	84
PID 4536 wrote to memory of 1460	4536	iexplore.exe	87
PID 4536 wrote to memory of 1460	4536	iexplore.exe	87
PID 4536 wrote to memory of 1460	4536	iexplore.exe	87
PID 2324 wrote to memory of 2224	2324	WScript.exe	88
PID 2324 wrote to memory of 2224	2324	WScript.exe	88
PID 2324 wrote to memory of 2488	2324	WScript.exe	89
PID 2324 wrote to memory of 2488	2324	WScript.exe	89
PID 2324 wrote to memory of 3756	2324	WScript.exe	90
PID 2324 wrote to memory of 3756	2324	WScript.exe	90
PID 3684 wrote to memory of 4872	3684	explorer.exe	91
PID 3684 wrote to memory of 4872	3684	explorer.exe	91
PID 3248 wrote to memory of 4740	3248	explorer.exe	93
PID 3248 wrote to memory of 4740	3248	explorer.exe	93
PID 2324 wrote to memory of 2460	2324	WScript.exe	94
PID 2324 wrote to memory of 2460	2324	WScript.exe	94
PID 4872 wrote to memory of 4024	4872	msedge.exe	96
PID 4872 wrote to memory of 4024	4872	msedge.exe	96
PID 4740 wrote to memory of 5000	4740	msedge.exe	97
PID 4740 wrote to memory of 5000	4740	msedge.exe	97
PID 4536 wrote to memory of 2328	4536	iexplore.exe	98
PID 4536 wrote to memory of 2328	4536	iexplore.exe	98
PID 4536 wrote to memory of 2328	4536	iexplore.exe	98
PID 4536 wrote to memory of 4892	4536	iexplore.exe	99
PID 4536 wrote to memory of 4892	4536	iexplore.exe	99
PID 4536 wrote to memory of 4892	4536	iexplore.exe	99
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100
PID 4740 wrote to memory of 1248	4740	msedge.exe	100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe5bdcd71e3663a37f697b460b94dd9c_JaffaCakes118.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.xsp5.info/index/index8.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4536 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1460
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4536 CREDAT:148482 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2328
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4536 CREDAT:279554 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4892
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.xsp5.info/index8.htm
  2⤵
  PID:4360
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.qwxyx.com/?ta
  2⤵
  PID:4592
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.qwxyx.com/?ta
  2⤵
  - Modifies Internet Explorer settings
  PID:2224
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.qwxyx.com/?ta
  2⤵
  - Modifies Internet Explorer settings
  PID:2488
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.qwxyx.com/?ta
  2⤵
  - Modifies Internet Explorer settings
  PID:3756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\xf.vbe
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2460
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xf.vbe"
    3⤵
    PID:4624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\dek.vbe
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:4840
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dek.vbe"
    3⤵
    PID:3488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\hao.vbe
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:5152
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hao.vbe"
    3⤵
    PID:5288
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe" /s C:\Users\Admin\AppData\Local\Temp\ie.reg
  2⤵
  - Runs .reg file with regedit
  PID:5444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\page.vbe
  2⤵
  PID:5496
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\page.vbe"
    3⤵
    PID:5660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\tb.vbe
  2⤵
  PID:5820
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tb.vbe"
    3⤵
    PID:5156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\aa.exe
  2⤵
  PID:5512
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.19885.info/?ta
  2⤵
  PID:5448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\gua4397.exe
  2⤵
  PID:1420
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.baidu50.info/?ta
  2⤵
  PID:860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\pi4397.exe
  2⤵
  PID:528
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.voddy.info/dytj.html
  2⤵
  PID:4904
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.19858.info/?ta
  2⤵
  PID:5268
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.19859.info/?ta
  2⤵
  PID:5464
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.baidu40.info/?ta
  2⤵
  PID:3248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.xsp5.info/index8.htm
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0xdc,0xe0,0xd4,0x104,0x7ff89f9e46f8,0x7ff89f9e4708,0x7ff89f9e4718
    3⤵
    PID:4024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    3⤵
    PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
    3⤵
    PID:4372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
    3⤵
    PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:2144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
    3⤵
    PID:3320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
    3⤵
    PID:4448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
    3⤵
    PID:5828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4352 /prefetch:2
    3⤵
    PID:6084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
    3⤵
    PID:4116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1284 /prefetch:1
    3⤵
    PID:4624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
    3⤵
    PID:5980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
    3⤵
    PID:1404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
    3⤵
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
    3⤵
    PID:5488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
    3⤵
    PID:3764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
    3⤵
    PID:5436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
    3⤵
    PID:184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
    3⤵
    PID:5900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
    3⤵
    PID:5948
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
    3⤵
    PID:4452
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
    3⤵
    PID:4416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3542697910920067510,15391760257371422885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
    3⤵
    PID:5596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.qwxyx.com/?ta
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff89f9e46f8,0x7ff89f9e4708,0x7ff89f9e4718
    3⤵
    PID:5000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,11002828328640036655,1438658553202082309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:1248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,11002828328640036655,1438658553202082309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1408

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe b13f072fc18a8e92f1b58a70f9a73585 A2pSOs41Y0KVE/KDuoyTlQ.0.1.0.0.0
1⤵
PID:5152

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.19885.info/?ta
  2⤵
  PID:436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff89f9e46f8,0x7ff89f9e4708,0x7ff89f9e4718
    3⤵
    PID:5148

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.baidu50.info/?ta
  2⤵
  PID:3412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff89f9e46f8,0x7ff89f9e4708,0x7ff89f9e4718
    3⤵
    PID:3188

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.19858.info/?ta
  2⤵
  PID:2516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff89f9e46f8,0x7ff89f9e4708,0x7ff89f9e4718
    3⤵
    PID:5200

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.voddy.info/dytj.html
  2⤵
  PID:5144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff89f9e46f8,0x7ff89f9e4708,0x7ff89f9e4718
    3⤵
    PID:5860

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.19859.info/?ta
  2⤵
  PID:2488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff89f9e46f8,0x7ff89f9e4708,0x7ff89f9e4718
    3⤵
    PID:5164

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B

Filesize
2KB

MD5
5f97e77f5d70b9025a481dfcc67bd68c

SHA1
bf8eec197e80d98ea757036ead52c29587e89c57

SHA256
0b889c75abbf6bbd18c3e6bf528e4f2bc68a3fbffb8932dbe4ae72ac4ba7e22b

SHA512
6349c027d322ca50056435d163103eff04e4a3a3693a873de0867b578f14923020c7a3c82d2c9215a9df42396c245f3caa9cb2e8f581e20dd6a1c40677de1f6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1699052DC75D6767D3D3C66BA4EFA9B8

Filesize
728B

MD5
84d52e62aed500750d965177805cc132

SHA1
ca4f029e4f4a6d44c7bf15c9b787c9281acd9af6

SHA256
2afd090cb3d5430d39bb3a9e0a903722d8ec0d6f4bbf20fc885237c30c6ef4d5

SHA512
14c67f47fa993b3facb7a85f013d86a207bd73afe3abb9490be7943bed171caf2484da4cc1dbd4c384678d064d17cd6c1422959555efa069ec12a2e799b28b8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E09C77E60861BA239366D210C6D973A

Filesize
504B

MD5
2eff34f2d53d8490c1626014ebf276f6

SHA1
02de8e2d928f3cebd003d706afa5fa7251580c80

SHA256
cfcfdf0c57375bb5a5198b4d063f1923551509c294534b9d138ab15c569e3d41

SHA512
46b162eb41a61a93c7685e8374a035e858f6d53b3337b6825667cf65ffea3880706c934f8eed93aeb9554dda8e9295e7389d7bdb597260787bc42411c0f2d749

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42FAEE61982D0225045D10FE75366276_5480361ED63A29304444A64491EB01FF

Filesize
1KB

MD5
f2996ea7001746d33f7e805f853ea735

SHA1
c0a2c9ba4eecda5501537d0e2041df2998cce254

SHA256
e42bf059b4d3586c926ebc5b6ff8dcf02a935813df04a2ca3ddc2996382ace6b

SHA512
05b7c09ccdfa6279f36e7a1f120e8ee0a6079a658531f8ed4cd17d97f7476b5e20abd78562fb5bc1c759702fc8237d9325a7aceab0ffa929171a8c37518c53e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
327f0e0caf91d1ee03e4f826400785b3

SHA1
ccede07c4c0bfb12275d8cd1c7f2d81c65853f37

SHA256
55751f98063e8dce17f5c49a5911d085af49d050d97cd90fd8547fd78ba038b0

SHA512
d601d289ad985342fc0cec70081983beb95a6ff2d139f651ee157a2595da2ac4ea61939df64654af196b6460304193c533eb7f0cea6d41974bcc39c62403c456

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B088FC4AA7023912DFC2A20EC98C1E96

Filesize
504B

MD5
c65e73b92d0f3e43fb796cb5367be0ef

SHA1
ca40b6ccf5e545dc3f26c2dad2a4bd1969f35359

SHA256
aa77e43d7a34fcc647ccb15c36630d87922e1cccb5499d79fc4359d1dea2bacc

SHA512
bb6afc314f34cfbd16047614a982afd693a721ec269d2efda14cfc98c75350910d37f41712bc9866892b75aef5830f53fb9324b496e3979c81b418be15067de4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BBB9C76EEFDD5EB91C5B87187ECF1B5D_03D3EB3D0BF657CF1BD5521341753218

Filesize
1KB

MD5
ed031f6320d5d55dbe62004364d3c513

SHA1
e5d96ae6c175c5772d14a57f3ac32aaef1bcefa9

SHA256
511d94bf4b81382ea63f5ffa811e7fe4237b635720040850c2652bf32ef820b5

SHA512
88ae440a2cff592823af3e3b7ab4524362414bd5571bc4869de45f5f568fd2f6332b558ce07276bc1abf1ffad69f8f6481b1339f800b2d1db22ae6af582eeb2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F7018B9562EFDEBC5ADD7D81C0290A43

Filesize
504B

MD5
e58a8ec52b79cf294fff22937697f025

SHA1
47622bd8602008ea85de488a6155020be380402e

SHA256
b08df76eeca4a2f596b92e8ced324a5debd52a73c480d4dbbb273f48250d7dc2

SHA512
8c646b916842ca788c784b5ea510ee1cb42cbad996dab88762c755651369ba1c9a201a5e53cf1cd345fea6d95f7fb0540ea881513e729b26511cdaf410fe1ad1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B

Filesize
488B

MD5
98086e6387fd5f2aa4f493d0557ad577

SHA1
986f5117c1ca2bbb4cecd3368ccbf3e7cc5d8105

SHA256
b9c3db8536afe2373fac427dc9fe43af5446ec40e43b84ef261f89554d029202

SHA512
872e56f3dcd76e0ea8525f94f4f41e4fbb7aba46700916e000bf895237467a621cd3f2f7d2b6d67197b18b81c3f8bdfe6987610b82764bcd9df547c6515beefe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B

Filesize
488B

MD5
0019ba80586265d5de9a4c1dfb07001c

SHA1
177dbd4018911a108f5ad36a0ab9cd68dd080c12

SHA256
636711dc48c7caa9bf3184d36651f49a882f8871be3b49c0d0ea59af8f89a32a

SHA512
e6e6c7e3e3b26d08b0cff6730c62d5efe4fe3f7c11861758396ea120e1480f9539a6ff05a25dcc15f11cc554426bc83bda2c4a9948007479fa2688a4f097f007

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
28cca167f63156abdc3bb65e5fc99b06

SHA1
48051015bc7ff02b11b8aa7c544bce3674f7b906

SHA256
5c07e8761719519f1d5e35d6ffa1b155764669d13bf4d72f55dabba1db07522a

SHA512
1e50fc8ceab6f4d48bc490c654e8cf93bce2782ef70dc953737ff679ef71dafdcc1b2679e5b2bd32d170b7e9630982b29ddde6b9b6fa3a49b2f779a3e46b9e72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
9f57c42caa364893c33c6383a42ee9a4

SHA1
e0c0798d6eaeeebd6975439564c28de404c1212b

SHA256
f06751f6ac045d129f9f48c9adc79f90478aa1fc68e9ed24fbdef925dc13c29f

SHA512
996d2c4c15d62a8bce7299bb7626a03a0680214023ed38627db15789d3d4bcb6ee963e3d846aeda3bd563b14e43efdfbf56618131b3ff5e4a7aaf54e6df94f18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1699052DC75D6767D3D3C66BA4EFA9B8

Filesize
504B

MD5
f942bbfaa4186daa0cfa87dad6aeefde

SHA1
4e8005dae7722bcf3865a70179e8b287701c9a1a

SHA256
59794b0684a292ba47de52ff4a294f464acd01a0b300d1b2fbea9a81cce4f70f

SHA512
f52cbb0f79f18b0f7659b133a4095829989829f496c0b805f5fd457772a9db246a4cad3cf6fb9c8355fd30571793965233aec3c00cdc220b3502a9f197daf19e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E09C77E60861BA239366D210C6D973A

Filesize
546B

MD5
afab4e40ecf24cbff353d4163b651021

SHA1
e75ee556937540a7fc5dc7218d557834f6f9e4f9

SHA256
786f7a67f13bc7310ae1371ff597637112cfb76101893a63a952c3c778e7cf75

SHA512
df774f3dca186eb30ce80b2e47aa03adf8a729129dbf4a4b8b04b3dcc51aeead933ace42615f27097e03fff908519082555f04e5263bce65932182a38b8c7135

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42FAEE61982D0225045D10FE75366276_5480361ED63A29304444A64491EB01FF

Filesize
382B

MD5
8ef6c2cadd2aeb5dfd1530bb05d64ff9

SHA1
8678b54eed0726fd63990e02d25f6d9b3bec13f8

SHA256
aa48de028a92eadd289e3e2632105450550fca57999f73cb9bb8178a6b2e0f8d

SHA512
0da7185b6f1f278ef618ac8a339b5d344c58099b5b823909ee109c5e0ab149222e84712a768706983e730f50a6a348b6869b581abd6065e17303db0d75a95fd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
a72633f54b0e7b8b3cdc2a7f5bdca8ea

SHA1
cc287f848aebce528416f395f3e18d33fb516265

SHA256
5b79e537c96c5c873541ce55091185f2c26a8ed5ebb1cdcba1dfca8c137f9d3b

SHA512
55f7ff922bbccf959c1db3365c6559170b9c90bba506b3d22fcbbc02375ab7c95186349ca6f5918de36c3d35b822c50ae47e14fb0a63edfd2b65dd9d90274f6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
a0fcd9347e6390adcaeb30ef7f615fb7

SHA1
92c0dd4f5749abc5563a158efa2e3370aed21dc7

SHA256
d330290dcaef2fc47135016b83030b12231c1e789eb7191d3e3be5644598c29f

SHA512
1713d14b94aef5ac9f39ee5b997bf1db5a72f445d2ce2020f8925b31c51335cad1a30db0d002d94fe527e354940af78e979c2088aaa05f5a0bd4eba6a5451869

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B088FC4AA7023912DFC2A20EC98C1E96

Filesize
550B

MD5
640bfe56892a4aac336870270d4ae223

SHA1
9a4ba40a285a18ac4d02263f6139758844507ff0

SHA256
6d88328167adb0b2b2750e6b1d3f1f7faef8e7d444d32614cc1c0f055afa11be

SHA512
12113df5a9f08ac0bf1e1744e3965f439d72fbc52efe4767bbc9e7b2532ab5e90f277e0e83fb5ba4f2913ee25cd7bc5e9caee3d5bc8b0765106d52741c7e3777

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
244412405f5e620d1e6c037a4d179646

SHA1
68b737e6727491b78bb1f28bae72d8fad8c5aefb

SHA256
7b6a2312956d5ddf83b5098464abd2fb91854e2787fdcebb3897a9cc6deccd5b

SHA512
331a05a5eff25b1b47584de9474628076fdefb30e09d4c482525e3106ffb06cfb4c780cc66affdfd639372445ae4fc55d5c8d64a304ffb6a5755912dc3909a0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BBB9C76EEFDD5EB91C5B87187ECF1B5D_03D3EB3D0BF657CF1BD5521341753218

Filesize
382B

MD5
01c7863907f952d1a653a1a5c9012a7f

SHA1
dbed87a9169433b93fc17c7b359899bed4706c30

SHA256
64fa8102488363612c1d121f1191a302e719fd55ad8bc7e990e98c50739231e2

SHA512
cabe72c9d2b9341c20cde39f48addc0f6be09b97924d3e231fc4a112e068b4fa7559f80eaa81db7f9f0364a3efd9dddbde675314ae73d73446b571be37b1a017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F7018B9562EFDEBC5ADD7D81C0290A43

Filesize
550B

MD5
87b83390cf4d94d3ace012d506cb2546

SHA1
d56293a345f23c9a047117a693332adf1982a1cd

SHA256
3064c9a3ab38486610b3b8c1352df26985edadd2c5e91833b71f965abce3138a

SHA512
27df82861a37f18da2d0416a1473e48d580652592f9b56cd7f1c79308a8f75db333aec11befb0fcea226f2cb56c5fe9fc4844359422363b2156e1244737768b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\542c806b-03ab-4a68-9d32-485739822cc1.tmp

Filesize
697B

MD5
55cb8b80da1082d7d116a7e4a4fe53e1

SHA1
b9b30ad0a475c6b33c8983baae0647082bb47e7f

SHA256
7de102d27b0450ccc2d70d1733e911702791d5a4613bdb05d7a38a2f15e45445

SHA512
987b53d6848cd2efa4c81e381e54031ad98a0294629cc997d5f1da255ec06028fdb0a348b71fa19fb3b1fb30564fc98ec9a22acc1afb2c5e779913617bedd033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
180KB

MD5
91d4b70b159395d5cbd0d18455fb66ee

SHA1
10e68c311bd0cc65ddcee1cce367f0200b727609

SHA256
a23e1b0cb23d4c0b7b0212a89dab9153495da34a9fcb7f73fa3dece41f97277f

SHA512
b9f0d5a51ce6bc705b7d1cf8f16bb07bba2a84bc71dd77ac3b5cac67d723b6c54201ee1ee00fe984d6b2cce9e7722ef7903918cda94b5a60584ff31bf33425d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
f000bf717dcb07926b144d76df771a7a

SHA1
ffa62bfe70b6fe6c8e87a3c2a5cffcdfe65e5319

SHA256
2587738f59b1b14128a05f93dd1faeac6a738e80b3d0dac8384fa41c982720f3

SHA512
b6e291363829e55bcee6e8279f49203d3b92ef622c46525ded295fe6bea88f402f3065bb9e069eb686b65cffe9d877f8062e6968cbcb3349bbc546c175ea0a88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3337c91d1c575e0a449664397c8d0ac

SHA1
cb7cecf08cfe545a83f9938f6fff5b4f3dbd81cb

SHA256
5129b80946b33ac97524dcd919610a15414e5cf3337c07ab07a7ffcf89761b8f

SHA512
3dfe3f1c4b66cfad302f49013f6f68a3087a6b0f3ba68e967b462475f5c68d0e046999fbda306a56f3ef7704c1a9bcc0503e0575875cacf91d10022f2a37cea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c4d9e123c4dfcdf2b00d3c7f802575da

SHA1
d85f7b5a11bd758e1a0887dcc96d22f4838aef69

SHA256
cd9e7de895f9eaa9ba49e49646b42eb76f8bd30c2fd39fcf81ae85902cd4c8ff

SHA512
caeb55b83a46b42afebd459741699ae823a194d4ff3af972fdf80ad3343eab056088f002494069a759c89bb57097a9f5940369df304328cd60e973ab217caf30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
55690771ad3e7a85c0389a288d374bb4

SHA1
49df9b73a531500399597e36c33a90f37750f79e

SHA256
56b4e190fa78061c060962b2ad70faa773af17d42f445cb48826d58a0d293de8

SHA512
0bf2e426ce7d995678ecf1c201bf3d0d7153512638a4bb97902dca6e1f5c2b6b834259980fb949f8df892c91176d3e42ff13bcb38deb9c81554eafda9ba0c7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
253ace300fa77688b034e1e59f1e9c74

SHA1
810370e697f5baee20c3d7a367b720eb7f5f931d

SHA256
28de6d892a8a18591a2717c2b1d4a2f8ec86e2c91fabd2cd0f178427ddfce84c

SHA512
4c8a0e85fed040c1b7d0bfdeb81a6b6745d9856478c2faf9a4d09743bddeef7497880b64c3eae605f1220ef54caac44f645c9c5cb716faf4f24d781fc3f4de99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fa9cf5af016b67bf1f0d9dfefcecbd2c

SHA1
198c24e52e1d432a2aac6c92a7c2177b89f1a21c

SHA256
559c6b5bad1fc8347264b06e28510b987ad4708aa6f9e34ca6807b13c95322aa

SHA512
7e6783cf1fca7a8541a1a33ffc67bcb5a61ca576ae63e01c15acbd798bc42d39db8370f09634358027c54c328c8a09dad8a83ecf2ad1e7bbadb311a144e19dfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
75e51b1762b6fc1b694c866cb0f89928

SHA1
16e20841f74ea8ad40403b7ee67998d7573a498f

SHA256
5860adef5f530498812a2930d9c3078ab576aace11d87167071c3c2be4bfcf26

SHA512
f69a3911c7b56807c6d5cd5d5283a63e3f5190dba57b1fae3b082b191726e96253c8a0710cb35d5fcdece54d01bc0c193f428d9fdd137ff4a6bf3e0c96828a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFFCC.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\434d5d250dd864449a7ccb85edfcf70e[1].gif

Filesize
957KB

MD5
41cb4d84074321b20e8dd9613bf30edb

SHA1
5b6907605bd10ef9aad93345ec329265bdc7b980

SHA256
b3834a37702eb2da1772901a497aae48109b1248a44bdda0220de9470afb1010

SHA512
82b891ae1e8705618fd08d63a27db6d585ce0fbb2d92cc7903c03cc334d82fd82f389ed0e226eb4528c6fae3bda5d06142952a0f436f839ca7fc191617594c07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\66bb9d90093f3e626b704cd4[1].gif

Filesize
630KB

MD5
14c1ddf1d929d2a5ae0aa2a686353667

SHA1
1e2788553086ad738ef0ab9358c450485eaee790

SHA256
a881c212917b825c84fc8ca5574ca42c352ec2c2bbcea3490dcdb50c5fa39dfb

SHA512
5fc7f75e1a79bf0eb93157e60bab9fb4d656438b5f8bbff9020d66ccd3fd4536a4337688bb8548a75bfc1631cbd02174c78b034653be5733f7c0dd711e212489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\bootstrap.min[1].css

Filesize
142KB

MD5
c81f9a1e6c8ef4f2f119c596fffa7609

SHA1
54fbfbfaf910647ea21600345f7830062ad5ae1a

SHA256
538d049fd82e615676e49d85918f6b6603e8401e047a256e3ff77f67e464d2bd

SHA512
c43c6946079d891a9171d1ba7595c260da25ba2bc31a640aaf203bcb53733ccdba4f68a10169f9e7f904af11fa704474b358385e71ae8a864c3309d9bcdcd13d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\de2158eed9b592ffb09a9e559b08fe27[1].gif

Filesize
1.2MB

MD5
eb4ed2afa9d420624b39cf3e0e4d950b

SHA1
bbdba6411737dd36af094c7e0283bd792459aa1f

SHA256
1c5079d1c7ed75abb98aa89db9f83c6464440fe136a6015ef39ebf0fd0974759

SHA512
855055505ceb5a770011d97727659f2e793c806f2f404c6f782a98a152eb180bb7eabf14df6e57adc386faa0bf15e01eefe1091795f0b864fa8e87cece18afbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\home[1].js

Filesize
37KB

MD5
97e311d35a4aa0ba09575a8dc989660b

SHA1
8166b5f8ba52aa57ab23321a8ddc8d0118f1e590

SHA256
1a52c16e5a7fc905630d52185ca457108cb0a65a4567cf6157709c1c5eceb311

SHA512
d3f4e4ef8af316fd4207a6db03e856917d5124263104ba9ebf0db1be151ce65172d26b6338d24553df9fe65b828e2a452a39bde7d1144a875c20bd5e28da9db8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\jquery.lazyload.min[1].js

Filesize
3KB

MD5
112c8d1b40b3e62e883c743e9d71e0bf

SHA1
338318e930487b2791a7bcf53ad4601630cc41e2

SHA256
ad79ce7e34d1a788809bb853031133de2ae45f3c19ac4955dae46c7490188c2e

SHA512
8cd0ed15feea814d1e1fff99e36146e1fc37c3b0ccffdcdb80d3dedf07c9942ca55434d3dc880a5b9afdd95cbd2076ba539d2fc8ccf981107222ee1821716d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JSDV0W5M\by-960-60[1].gif

Filesize
418KB

MD5
77578bfd6d34c5f6c12fa12376a2f09f

SHA1
6438f0ab5769f321a727517856cfc8c8ce58636b

SHA256
67483d54ff053afbf75118c0cb1a4804416c8dc081590aec362d7abd6a5a9561

SHA512
cd09caba9c76c045c2f142aae1ffbf82a8d7f9cf977fb40af4e7daf99e59995556baedc1a04b6eda3d3bcb62c61f0d8a131dcd83a100021a7d7b29302d7a3e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JSDV0W5M\favicon[2].ico

Filesize
1KB

MD5
7ef1f0a0093460fe46bb691578c07c95

SHA1
2da3ffbbf4737ce4dae9488359de34034d1ebfbd

SHA256
4c62eef22174220b8655590a77b27957f3518b4c3b7352d0b64263b80e728f2c

SHA512
68da2c2f6f7a88ae364a4cf776d2c42e50150501ccf9b740a2247885fb21d1becbe9ee0ba61e965dd21d8ee01be2b364a29a7f9032fc6b5cdfb28cc6b42f4793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JSDV0W5M\hmlcss[1].css

Filesize
80KB

MD5
1888a017a6236ed99128e65cd779a2fc

SHA1
a000a130f5731554f2176b34611b82a49b0f5b4d

SHA256
b886e3846b017e4f3c21460505396d6ff1eca48d5d8ed98ccb11789d0e968e50

SHA512
5df6e7dd061ec94c5208b94abab70a66e1b0384e0a8fb4d0871ce091f72171e4f9b5ff6c41edd6eb8cf4e42c8a26780266d06f02a8c5ca08ca56681bbabc8d20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JSDV0W5M\jquery.min[1].js

Filesize
94KB

MD5
4f252523d4af0b478c810c2547a63e19

SHA1
5a9dcfbef655a2668e78baebeaa8dc6f41d8dabb

SHA256
668b046d12db350ccba6728890476b3efee53b2f42dbb84743e5e9f1ae0cc404

SHA512
8c6b0c1fcde829ef5ab02a643959019d4ac30d3a7cc25f9a7640760fefff26d9713b84ab2e825d85b3b2b08150265a10143f82e05975accb10645efa26357479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VNN58CU3\30adcbef76094b369350decfe5cc7cd98c109dd6[3].gif

Filesize
219KB

MD5
469eabf4b519913e036028da519c1178

SHA1
30668b027f05e9e1ec7743803e62be540078c141

SHA256
008ab7121ec2c8eafe8f27db796d545415b6980fba2e71fac538fac79f03dba4

SHA512
fc582fd26d28b14671cea88bbdab1235a076b1f47f3893418e27614ce9d253a1e66770945e937510ef0b223936b69c89e18d2875e3d8f049b1b7dd05de019638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VNN58CU3\Y591MOLG.htm

Filesize
47KB

MD5
e9f4828cac5a6d9559bc7f659d30be34

SHA1
8aca74cc3408f5cb9bca939c36545d684f401f8d

SHA256
ee586e492d27db1606c74952b8c871e186a3383847967a4e00b1180b55dbb144

SHA512
05ce747ae4cb94835c31300187ec0f3cab0c3cf8b11bfc16608d6826ef15426bf3bc818618fe0223bf54dca4ff6f1e967f16e7e0a4dca9a63323fe7360fe95a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VNN58CU3\dbb44aed2e738bd468e27713e78b87d6267ff9d6[1].gif

Filesize
258KB

MD5
83c9e74bd519ff9c4d0bd6bdeb5fc483

SHA1
54a4bb9f2ca79dd6a4911be6d92029745ea7bfcd

SHA256
ab5da4ea915ead2a077084d7467e7bb81573bfe06eac37df3077bedc3e7b4a03

SHA512
6ed6872b5ebc6b28b01bb46acec7fae951f2961e1735ab16488e9fcb8b22c171145bd84fcc68ae6c25d2d09ebef7caf534fef4c93f2bce63e124d9ea6b54e56c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VNN58CU3\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VNN58CU3\tj[1].js

Filesize
2KB

MD5
9e40083449cb269c2064b6136aadc1e9

SHA1
2653c53d9ac1f66bef92a7cbd971a8e6b5526d05

SHA256
52cf4fb38695bd232961cab1064f45febfd8ced1fd0053a62c2c0e50b27fab15

SHA512
d46b0d453505307ad84dac1504a8250b0800ac4953e1f68fc2789a3bb2bdb80dd7245c7a03c35be88e2d0020dc40faeaa635f8001a321b22c7746684a7762eef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VNN58CU3\tu1[1].gif

Filesize
482KB

MD5
18592e6e7da82e88f88d141547ea0277

SHA1
c4f384149210edbb6fa6b9f7b70768940ff52710

SHA256
e5f7f1ce6760703a56bfd0ab437c97903b01a46a66f262b1de01d1690eea7c61

SHA512
f077390bb71a03640ae2782d9456aeddd65b99cce09092ff115144202232ffedd89f4ab8871167eeb1b905f9d71870a1766326d2c85ccb3792c8509690c9c16e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YHMF37VK\common[1].css

Filesize
8KB

MD5
b8f128caace343c3d01d85e417964c17

SHA1
9590404a3abd1df05900379ce368aab02bf6c0f1

SHA256
3096e534f3024835b6ad7c246cb8578a27836f053c4233c359e019a87a31c6c7

SHA512
0d9d2c5debc82c18d918326ee6ed3d8e84b0ceab96a2f758f4d24e214cd048e9ac811d0288c85228856b889d42cdb119de67c0cf61a5d6820e5794ac6dff68b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YHMF37VK\common[1].js

Filesize
1KB

MD5
feecda98e222199d049f73f72bc14d99

SHA1
a9bcb80e6c77aa1b2a4eca27963dc2cc1b506c31

SHA256
15e76729dfcaebba495df42c5e1f4989df40b2d3aeef78f2db7d9f1635e79a6b

SHA512
ad88453b5709bbcdf88dbcc83107ad5322437d87b88c04ad45b97acb0964a871902c5d21ab62eb6385f7420443b0a124342addec8eda157e933156df25bccc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa.exe

Filesize
80B

MD5
0a847e1e3703fdbc75bd438a85e48fd1

SHA1
e723761a27de1834d8ff5895fc743b2800a8fec4

SHA256
3ccd9af8d966bcc1792348a2812aea0ef93c8d08616875eccc47513fe7bdf677

SHA512
5a37b03188b00a5f895a4caf23caa2156903708fd4ba321d00d91a9e8fe35c64f0d00c5a255e87d7908e7734caa463385b4007e05d29a3967af4526a02beec1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dek.vbe

Filesize
81B

MD5
3433c22573314b8ad57349c02d64c42f

SHA1
55e7a171f6ab20749a29e8e2b60ab7411961fc23

SHA256
12254bcf112e9c8772e52beabf628fea7cf448a442d2e1cae161d112432c6492

SHA512
8bb9227244aa3ea53acf7667cd353906625a28097f806568a50593f361756021999908070e27b1695c68b4280cd7629c60bc961a9b9c17c3b568ed3945403ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hao.vbe

Filesize
81B

MD5
241c0cea5542088372034c34fb84bd16

SHA1
ff73c9afb6201d9469e554a1f933c433e43b1b20

SHA256
0b2251fe826e156cfae2a01a1030f4651cc0a368f69881f9abe0b6fbaf9ca17d

SHA512
472abee97ab32c87edd3ddf325de8506889d59dde6085cc582f298613f10f001014d996eff3074e925fdcce6d3da72e9b922e9f1246da4ac8edbbd5b1c00d720

Download Submit
C:\Users\Admin\AppData\Local\Temp\ie.reg

Filesize
80B

MD5
039642b8872db5ec4a3bdc1b76329d57

SHA1
214580bf816c1736d9523c1faaec0ec84492af53

SHA256
646754f7f58d08539f107d597e0beae2f4926316dd7cf14e0e3d28db0b4cc735

SHA512
9c769a448649e34e323d2e83886daae9be82fe9f84cdc0bdb079bd8df115689fcbfa76c0ab16b47fef8731664b30c1fb49f80d756ac0131757262145782b54ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\page.vbe

Filesize
82B

MD5
00adc145f52140136a7ec399a9045b9e

SHA1
c194965afb90df88c1e23b69c2158805f4fa060e

SHA256
228b5adf8344d7c6f6cda71ac64f75b854457621434f45e00f1951f21b7fe188

SHA512
7b58db3c9468c814fe0662754639448124c1a064c49bd591b46ba16c6978f597cf94cdb03b768dadff951f48e42fd24f1ce4282f336ac2c12aeca9bfd69c08d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tb.vbe

Filesize
80B

MD5
29e25a764ecd9b4057281cca10de2631

SHA1
c26e40d7f7e3f5854bce1cad1d9899fa04e657af

SHA256
92fc1a64c287bb3a123a45dfd377612b5474bb7a2767838a8d529c4df697628c

SHA512
71939cfe07314d232f6bf64b915789404679ab9c056f9c152f55173fd4ae63d8cf744bac899b47bf9521ee7070a236b0307128453e525b349c2a7b033675d0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf.vbe

Filesize
80B

MD5
1235ba573f53468d4148d1325edf1e67

SHA1
5497fd3dc717beb463355bf26112e3ad2cf64537

SHA256
a547318cdcacb6132fb4ee33b9a72774f10fe4d7788cdd9c37282caa80624736

SHA512
02154a98e7f440509eed2baa9e5152c3e4817b045f72c74dd1368a20042a89c394be4b0f200340b2f75dea6f67da74e87b68137a4777b699d3ea87f5b7c15283

Download Submit