Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-10-2024 16:22

General

  • Target

    https://wdfiles.ru/29J7Q

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Stops running service(s) 4 TTPs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • NTFS ADS 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://wdfiles.ru/29J7Q
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9289e3cb8,0x7ff9289e3cc8,0x7ff9289e3cd8
      2⤵
        PID:2036
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:2
        2⤵
          PID:1580
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3284
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
          2⤵
            PID:3324
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
            2⤵
              PID:2176
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
              2⤵
                PID:1680
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
                2⤵
                  PID:2308
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
                  2⤵
                    PID:1688
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
                    2⤵
                      PID:3764
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
                      2⤵
                        PID:1624
                      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1636
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2972
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
                        2⤵
                          PID:1592
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
                          2⤵
                            PID:4116
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6152 /prefetch:8
                            2⤵
                              PID:4180
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
                              2⤵
                              • Subvert Trust Controls: Mark-of-the-Web Bypass
                              • NTFS ADS
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4084
                            • C:\Users\Admin\Downloads\SpeedHack666Cheat (no VM detected).exe
                              "C:\Users\Admin\Downloads\SpeedHack666Cheat (no VM detected).exe"
                              2⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • NTFS ADS
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:832
                              • C:\ProgramData\dllhost.exe
                                "C:\ProgramData\dllhost.exe"
                                3⤵
                                • Drops startup file
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: GetForegroundWindowSpam
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4620
                                • C:\Windows\SysWOW64\attrib.exe
                                  attrib +h "C:\ProgramData\dllhost.exe"
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  • Views/modifies file attributes
                                  PID:3016
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2032
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell Set-MpPreference -DisableRealtimeMonitoring $true
                                    5⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:952
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c sc query windefend
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:244
                                  • C:\Windows\SysWOW64\sc.exe
                                    sc query windefend
                                    5⤵
                                    • Launches sc.exe
                                    • System Location Discovery: System Language Discovery
                                    PID:2936
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c sc stop windefend
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1200
                                  • C:\Windows\SysWOW64\sc.exe
                                    sc stop windefend
                                    5⤵
                                    • Launches sc.exe
                                    • System Location Discovery: System Language Discovery
                                    PID:4524
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c sc delete windefend
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4760
                                  • C:\Windows\SysWOW64\sc.exe
                                    sc delete windefend
                                    5⤵
                                    • Launches sc.exe
                                    • System Location Discovery: System Language Discovery
                                    PID:5036
                                • C:\Windows\SysWOW64\schtasks.exe
                                  schtasks /delete /tn CleanSweepCheck /f
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1956
                                • C:\Windows\SysWOW64\schtasks.exe
                                  schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\ProgramData\dllhost.exe
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1832
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:3880
                                  • C:\Windows\SysWOW64\reg.exe
                                    reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                    5⤵
                                    • UAC bypass
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry key
                                    PID:3696
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c taskkill /f /im Wireshark.exe
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4132
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /f /im Wireshark.exe
                                    5⤵
                                    • System Location Discovery: System Language Discovery
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4100
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2952
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1612
                              • C:\ProgramData\dllhost.exe
                                C:\ProgramData\dllhost.exe
                                1⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3540
                              • C:\ProgramData\dllhost.exe
                                C:\ProgramData\dllhost.exe
                                1⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3960

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dllhost.exe.log

                                Filesize

                                319B

                                MD5

                                71093f2f2d8fd9daf6bc4bb6a72a5b23

                                SHA1

                                7f614257050d90b24ca0f7862724f3d7a9df93fd

                                SHA256

                                5da30152f390d2e7e0a801e08502781427e0b499f1d40ae2a1ecf181ef35de8a

                                SHA512

                                39e729c10af152d3fa3e382e3976be09074370369805a76b9c0f3dc063c2ce5184e93c1043a81ab82573f768ec0fb6c480ca6848190752b9d2b002c3e319ffa4

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                aad1d98ca9748cc4c31aa3b5abfe0fed

                                SHA1

                                32e8d4d9447b13bc00ec3eb15a88c55c29489495

                                SHA256

                                2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

                                SHA512

                                150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                cb557349d7af9d6754aed39b4ace5bee

                                SHA1

                                04de2ac30defbb36508a41872ddb475effe2d793

                                SHA256

                                cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

                                SHA512

                                f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1de2e563-14ff-4fff-8572-3a1b48d2d84f.tmp

                                Filesize

                                1KB

                                MD5

                                994279f58425885ca420972bb7be4c27

                                SHA1

                                6c062d68b875a4445e1039cd734b0e0246913caa

                                SHA256

                                e63501185f42d1d46be16d95418ef8cda0afc221a960ace0cbb4386292ad1089

                                SHA512

                                d932a9d40b989acd529afd47b3a25eaae8f533cd7d2c93f982b7ee10ec13a99f355d7daf3f21a103f96945cad1b6a5c647800eab56bc86e2091cfad972b8e702

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

                                Filesize

                                369KB

                                MD5

                                65c0f9249f64c65cda3e5ea32126fc1f

                                SHA1

                                d567a001160109f58a4ec43db2abd9971e01afa7

                                SHA256

                                7522fa6d0f83eac9662ae47af048f02ddfaab925738cec1280b0c5c7788d2d0a

                                SHA512

                                08347609ba2b8ba7a69a147fe7c426baebed93f2a9db3137a9d9ebbc0bf87a775808e55d7c7b7e0b852e8f0065f0204b71fbbadf3cdffc84b1cbea21723e0308

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                Filesize

                                960B

                                MD5

                                ef8dcd422b9b3a4372a584c212722348

                                SHA1

                                7af4e4199804460c5f6c3e7cc1387d7f390c1626

                                SHA256

                                f99b6411a34c9eb61a5c5fc854597fa21db56458ca30c1615ada178aa5358f13

                                SHA512

                                558384629df830ad29350e69c50d5c61cc922a1070873dde96d50f2cf227ea1ac53182d5b8bc9f4e36a91e685ad155f12a6a0ff6fe20d5766987c556fe4a2683

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

                                Filesize

                                16B

                                MD5

                                46295cac801e5d4857d09837238a6394

                                SHA1

                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                SHA256

                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                SHA512

                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                33a72b334f9cbc6986f7cdee72b68031

                                SHA1

                                678281a0240af9814894ae90e83fc007813b9ffd

                                SHA256

                                829e7ab9dd7640a3261bcb6f42b887b3aadf27624568668a0f28ab1dacc2592f

                                SHA512

                                e9d6ade424eadcc6fb3cf7bf2585e59207e1f2a328db0e22840476dea8814fc28fdc1faf9e77635837527d51fcfbe88a168a52e46e62105464a0e66f8895e9ff

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                2114eabe4ce19496353d7613076f8d86

                                SHA1

                                fb5fb141b8d77bfeadbf0aa61dffecd70b4ad542

                                SHA256

                                7b1e167ddba319fa26d5d97f4fe0109f5dacffdc32d40324c5bbcfe06199dc26

                                SHA512

                                71ced311a955b813f4d13a912af9b66bf85036337a9d16657c41aa66fdb1cf4505a2e11989ba467a33d84a9f384fd92a3fc239bbd465f48e7b49dcb99cb61e64

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                7bf4df8a0d7d99ea4a39c1296c9d7535

                                SHA1

                                84b52fd0ba564ea943ee2523c52bf00c55c6adca

                                SHA256

                                03ecfc58477be6d9e45b09f88aa1c8bb965e27d611f3cebb2dfd695d5a5dcecd

                                SHA512

                                db6bf3d6b636b2dd8e8bbd9d0f933725d7e6d0267649a32a0a5d1a3b95d497085409d14848bdc86c0b3e94637a1a23946bcaa2ba478ebebce43c2a55504a4539

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                7KB

                                MD5

                                3865c96d92a228486775d29d986d3b97

                                SHA1

                                5d8966fc7bd94deeff5716b432feafd6ae2ee64c

                                SHA256

                                e1230ef9a3753b2e1fb755903893c7a7ce019e5d315f44fb2fd652ac01a54914

                                SHA512

                                5ec35a204affc9fceef11b6df02adabc5a26e253ee8fc6032e272df0bb63237bc9b4077b133524607e4702de59693b8dc9593ce2879f380880ef7b3a775789b2

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                Filesize

                                1KB

                                MD5

                                c9a67c924a7961168ff47a2818097342

                                SHA1

                                4708f73f3a088c314fb62f38328add33e1b135ff

                                SHA256

                                b70826744d5a408a08fb8888c2825af0e170bc307e5fb050484fd432821fb7c0

                                SHA512

                                bb29c53142d08e547d1839cc24c9d7e9c2d9f7627b0d8d9a8288103f5144e4adb66bad4910af64077bbc8fb990efb855c168e365dd224ff58530cc3818fa8df8

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5826dc.TMP

                                Filesize

                                1KB

                                MD5

                                7fca89f583adf48ac9df6650f1f3cbac

                                SHA1

                                6d2da8b4bfc6a4eae7ace75337df9cbd8c568b47

                                SHA256

                                0ba3aaf5c4ceb7e8baa3c13eb02d6a4034a4182fb2ec524333ecc0e0c1691fc5

                                SHA512

                                ce34f010dac17ff7d5727350ab418113d5318f5ce05f5932c0dcde5cc36e14849742624c34501aa50c373f6b1cb2f74b6bad5720b1a86eaec4af501732240f30

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                10KB

                                MD5

                                67c325960aaf0e164242eb1fa5fd642a

                                SHA1

                                b14628336759c67d038ab1c2cb82398e449640f1

                                SHA256

                                0d6c921c7d2807c512bd6178e519ad04d21e7dc61f1d38d6310d673c56548360

                                SHA512

                                9939969d17bda5a7981531f604fb3681c6d2480516140aa3c76e3de7e0803e2c0b1f558755c760056f5455f7188a3354ae9344aa250a39a5c530fb4a4bcd4854

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                11KB

                                MD5

                                0844a6ff4166289f8d5261d8cd3341ad

                                SHA1

                                a53b7a461d836e0aaec275da3ff301a82c682ed3

                                SHA256

                                0b7e4a5753231912e0258794e63806b803decdaa3cd7b311fff2e3af111c6bcd

                                SHA512

                                03fc8671cd0f622f9c2e3edeabf936ade6742647b8b0bff92b01a9a5b8a3d289e94d2d3c27046764dcc9e71c662d9f1d8b16678284d626a0d40f8076d1e5340f

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0rvtomds.ao0.ps1

                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              • C:\Users\Admin\Downloads\SpeedHack666Cheat (no VM detected).exe:Zone.Identifier

                                Filesize

                                26B

                                MD5

                                fbccf14d504b7b2dbcb5a5bda75bd93b

                                SHA1

                                d59fc84cdd5217c6cf74785703655f78da6b582b

                                SHA256

                                eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                SHA512

                                aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                              • memory/952-356-0x0000000006250000-0x00000000062B6000-memory.dmp

                                Filesize

                                408KB

                              • memory/952-381-0x00000000081D0000-0x000000000884A000-memory.dmp

                                Filesize

                                6.5MB

                              • memory/952-357-0x0000000006330000-0x0000000006396000-memory.dmp

                                Filesize

                                408KB

                              • memory/952-354-0x0000000005AC0000-0x00000000060EA000-memory.dmp

                                Filesize

                                6.2MB

                              • memory/952-366-0x0000000006470000-0x00000000067C7000-memory.dmp

                                Filesize

                                3.3MB

                              • memory/952-367-0x0000000006850000-0x000000000686E000-memory.dmp

                                Filesize

                                120KB

                              • memory/952-368-0x0000000006870000-0x00000000068BC000-memory.dmp

                                Filesize

                                304KB

                              • memory/952-369-0x0000000007830000-0x0000000007864000-memory.dmp

                                Filesize

                                208KB

                              • memory/952-370-0x000000006EE80000-0x000000006EECC000-memory.dmp

                                Filesize

                                304KB

                              • memory/952-379-0x0000000006E20000-0x0000000006E3E000-memory.dmp

                                Filesize

                                120KB

                              • memory/952-380-0x0000000007870000-0x0000000007914000-memory.dmp

                                Filesize

                                656KB

                              • memory/952-355-0x00000000060F0000-0x0000000006112000-memory.dmp

                                Filesize

                                136KB

                              • memory/952-382-0x0000000007B80000-0x0000000007B9A000-memory.dmp

                                Filesize

                                104KB

                              • memory/952-383-0x0000000007C00000-0x0000000007C0A000-memory.dmp

                                Filesize

                                40KB

                              • memory/952-384-0x0000000007E10000-0x0000000007EA6000-memory.dmp

                                Filesize

                                600KB

                              • memory/952-385-0x0000000007D90000-0x0000000007DA1000-memory.dmp

                                Filesize

                                68KB

                              • memory/952-386-0x0000000007DC0000-0x0000000007DCE000-memory.dmp

                                Filesize

                                56KB

                              • memory/952-387-0x0000000007DD0000-0x0000000007DE5000-memory.dmp

                                Filesize

                                84KB

                              • memory/952-388-0x0000000007ED0000-0x0000000007EEA000-memory.dmp

                                Filesize

                                104KB

                              • memory/952-389-0x0000000007EC0000-0x0000000007EC8000-memory.dmp

                                Filesize

                                32KB

                              • memory/952-353-0x0000000003040000-0x0000000003076000-memory.dmp

                                Filesize

                                216KB