vidar | hxxps://www[.]mediafire[.]com/folder/3is42kz6mwjhj/Files

Analysis

max time kernel
398s
max time network
460s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/3is42kz6mwjhj/Files

Score

10^/10

vidar xmrig 467d1313a0fbcd97b65a6f1d261c288f discovery evasion execution miner persistence stealer upx

Malware Config

Extracted

Family

vidar

Version

11.1

Botnet

467d1313a0fbcd97b65a6f1d261c288f

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 9 IoCs

stealer

resource	yara_rule
behavioral1/memory/3324-441-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral1/memory/3324-449-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral1/memory/2276-471-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral1/memory/3324-475-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral1/memory/2276-477-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral1/memory/3324-478-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral1/memory/3324-530-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral1/memory/3324-559-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral1/memory/3324-621-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/976-644-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/976-645-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/976-650-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/976-651-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/976-649-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/976-648-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/976-652-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/976-653-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4760	powershell.exe
5184	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
414	pastebin.com
415	pastebin.com
377	bitbucket.org
378	bitbucket.org

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4892	powercfg.exe
5744	powercfg.exe
5772	powercfg.exe
4080	powercfg.exe
5788	powercfg.exe
4624	powercfg.exe
4736	powercfg.exe
5444	powercfg.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/976-644-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/976-645-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/976-650-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/976-651-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/976-649-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/976-648-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/976-643-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/976-641-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/976-639-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/976-642-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/976-640-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/976-652-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/976-653-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3524	sc.exe
2952	sc.exe
2116	sc.exe
2448	sc.exe
668	sc.exe
4656	sc.exe
5400	sc.exe
1708	sc.exe
3748	sc.exe
1612	sc.exe
2724	sc.exe
3652	sc.exe
2396	sc.exe
5628	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	S0FTWARE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	S0FTWARE.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2636	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\dat_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\dat_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\.dat\ = "dat_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\dat_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ヨ㒱翽	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\.dat	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\좗ǥ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ヨ㒱翽\ = "dat_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\딆驐⸀蠀⪰㒩翽	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\\ = "dat_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\dat_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\dat_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\좗ǥ\ = "dat_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\딆驐⸀蠀⪰㒩翽\ = "dat_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\dat_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\dat_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\dat_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
460	msedge.exe
460	msedge.exe
1636	msedge.exe
1636	msedge.exe
3440	identity_helper.exe
3440	identity_helper.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3288	msedge.exe
3288	msedge.exe
3324	S0FTWARE.exe
3324	S0FTWARE.exe
3324	S0FTWARE.exe
3324	S0FTWARE.exe
3324	S0FTWARE.exe
3324	S0FTWARE.exe
3324	S0FTWARE.exe
3324	S0FTWARE.exe
2276	S0FTWARE.exe
2276	S0FTWARE.exe
2276	S0FTWARE.exe
2276	S0FTWARE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4576	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
5788	OpenWith.exe
5788	OpenWith.exe
5788	OpenWith.exe
5788	OpenWith.exe
5788	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 3168	1636	msedge.exe	84
PID 1636 wrote to memory of 3168	1636	msedge.exe	84
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 4440	1636	msedge.exe	85
PID 1636 wrote to memory of 460	1636	msedge.exe	86
PID 1636 wrote to memory of 460	1636	msedge.exe	86
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87
PID 1636 wrote to memory of 3320	1636	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/3is42kz6mwjhj/Files
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd450c46f8,0x7ffd450c4708,0x7ffd450c4718
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6948 /prefetch:8
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6688 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,15175856458282079841,6799965521883173186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5284

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4576
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE_(password_1234)\Shared\lssyscat.dat
  2⤵
  PID:3044

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5788
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE_(password_1234)\geo.dat
  2⤵
  PID:2724

C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE_(password_1234)\S0FTWARE.exe
"C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE_(password_1234)\S0FTWARE.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3324
- C:\ProgramData\FBKJKEHIJE.exe
  "C:\ProgramData\FBKJKEHIJE.exe"
  2⤵
  PID:4548
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4144
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2600
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3748
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2116
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4656
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:5400
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2448
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:5744
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:5788
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:4080
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:5772
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:1612
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:668
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3652
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:2724
- C:\ProgramData\CBKFIECBGD.exe
  "C:\ProgramData\CBKFIECBGD.exe"
  2⤵
  PID:5840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    PID:2520
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KKKEBKJJDGHC" & exit
  2⤵
  PID:5588
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:2636

C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE_(password_1234)\S0FTWARE.exe
"C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE_(password_1234)\S0FTWARE.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2276

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1708

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
PID:3576
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1312
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1540
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3524
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2396
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5628
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2952
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1708
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4624
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4736
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:5444
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4892
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5424
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:976

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CBKFIECBGD.exe

Filesize
5.6MB

MD5
cd7727ab8db0c0968981a19fab763e32

SHA1
66242a286175e43f2d1299bd2594b30ac3d7cf00

SHA256
c658854ae75c8f001ab83644793d6c692f50aeddc29d2c593d6c02c5361add51

SHA512
b6d1d2d21e5210cabd741385aa52eb328afe79d948f232c12ff8a876a8652fb1667c28d2c73fe0ab2011c69f0d946de0e56ce890ceb81150b30b64d168a80b3a

Download Submit
C:\ProgramData\FBKJKEHIJE.exe

Filesize
5.8MB

MD5
c441be4f7fd0f07fdcf94657c624c3da

SHA1
bedd1f5d2feb959599b370590f62f02cbb3d2d3f

SHA256
47c6484dde4d9ca23a7667b1b71c5ed88d7cdd3dccf57485333ceda0153e5684

SHA512
c753bfa2b84ea5dfc47dbe25b807af6dd7d79e53a780ef693052f0c5c774767ef5b277671b07c539132af11a56546de3dd18790ce3fb3c4f66ca63c6c17fd8ad

Download Submit
C:\ProgramData\HDAFBAEBKJKF\HIIIJD

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
a58df3afef045ea1a982cb0159c6e9de

SHA1
445ef8e42a0b1518e9bce922ce89e9b0ca9ac4d7

SHA256
f0de707b4cecd7701b3afe2ad6117294bad8bb3a0f71a30588714b4e68aad275

SHA512
428019b0c8809ec5ee0e6976446c966e36bba21d0db35e59c48249dbc49ebbdb6acb5ebbacf0b1ac904d5532ffbf572d8f9e1d36894f014517a9881b0d445980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
bdb6995375ff78555828dadc6f06fec3

SHA1
af529f015929963489501f80507d144021d9bd3e

SHA256
2246f06c23e3e3532b5bc5cb7eec7878440d70e7dc7e9ccf3cc385790c15ce63

SHA512
3cac0f9f9591630232d4ffcee60ead933195132a6b5240fa0c540f375588fa7e8e854932cb6e910be8aa269eea3e2f59cff281d27672aceef72cec90e23ef7a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6ba2d4e5-73cb-4181-8b34-afaf7a5d0172.tmp

Filesize
11KB

MD5
88a97ebad6feb558c180a0e745838a4f

SHA1
8e927c33df7b90a5faad468da6d653e97c25c3e6

SHA256
a220406efee0902a28063b966f94eec6d4814842e800bc37f1c536d7a2a1edea

SHA512
02c98ce5db745754a1dce124d24ad6312ce428cc5d4d50632521846230b67cd1236bd960fe91afd1c7e5b4c09bb084d767064d007f15a9ecc0bbb27a7eaf89a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
36KB

MD5
e12711169cff4f6eac38d829b38d15ab

SHA1
a436a4a8d7ead83c0d3175841a0b9db72f25ff28

SHA256
b3324d17160ad5a003e6dd350def96973f5774a0d36debf8d7c96e214c9fea1e

SHA512
c6d5a35ba1943e83e9b89ac403ae2b742257d9b4b7a556fc6c902e0cbb11e645336acd8fd09747a9895845eae759f7166807f39fd34e7c239ab42394e0965947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
148KB

MD5
486e02715cd78b7e23ce81707ff5f727

SHA1
6021315be28194df852630f9775b71f5040abb41

SHA256
3aaa5da94e60c28a8f82b05b21b84fb872ba1c4d5d9cc23ac7f8fe9c90ec900f

SHA512
8a22d35b08da58728b16a9899b3dd2ebcf8a2da15ae4d3e8643377b396121e993c6384bf436f5bb6cee7f607c8013430487c6c9ca5c523a8224812cebf466025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
6b1b50c0fc80aaa4a1038e003a93b1d2

SHA1
16ac13eb6f9f67c3e618bb1da993ada4c178a478

SHA256
0f6c05293692fe57572b7260dc60b078b82f6a4d4d23e3be23354ea6c0a3d122

SHA512
9026db1276cb84794a1c1ce4701d9a6543e7e83af11594769803d507b86c593c69dfb73be19e7a3c30f62b6ef6587c397ba266de52d1d1955d67d64f079ae45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
34b04503bab5fbf5637080655136e1f7

SHA1
cc943b9626889a1dad6810ffde52ff650dbcd236

SHA256
122de1c3e01611e4c0cf14be7f998abe7f768a42b92392e5f1b209cdd76d6db7

SHA512
81200fa86da7992d87a1fecf17ce8e736dc20e1533cad9ba91cb275471896a611344c713595d09be8a26a8a040227036f5c69e76d3446c466b2f3543d415428a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
50be91e9941be9d92d55122437861554

SHA1
4edbc1cf5833199063561ff47ea4baac5baa6816

SHA256
aa0353fa6c47cb82f66a15b5de093f5f0aecf1e50ad827347f0fdbae1cb0813e

SHA512
b7fabba68a5b1c258da9586fa2865ecd3f6a71ba9277ce45f4e687091068b342959d282bfab394913c6fd1964c07ad2adff58b9a8f23bf8abdc4f7305a0e6e7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
367d6f1d3ec555b748aa2f5bf99b6ebc

SHA1
d2f56a9973a1f6daaa60185617aa9c8dc882acb5

SHA256
9c672d6d1df21ee41105a4e94b6e1cf49296e9c1a930f221e5ef2013c3d614b5

SHA512
0563e1d0b8543e136cac803a34cfb054d77bd1f2edff626f9c4bd847f9061f8df864a5665aae68333532e134843919d4f29734fd6a4628d482cb2112233a596c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4809bc506c30cca69f67f4a8d0115eaa

SHA1
f7391d35d3451405bc558d5354292d79be404343

SHA256
5a4946263d5fb962abe56267a8523be8cc8f0bcf31ecb4f6f000eb662afe79e4

SHA512
9c363e757b02c7a7b1efbf7e840f5a0e3b810180015ef57e7f3903ac47f8b5c6dab32349026c1ea197ad98157ffa3df4522bd66550f3d9ca9a6b9f1de2a0fd84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fa6d.TMP

Filesize
1KB

MD5
0f84a03f4360b22f10f22b4356ff94a4

SHA1
b04865f4c349a063636fc6f1c03837b832de85d1

SHA256
73d91bc12dfbe4b8aa602a87f03e259020a1f004073bc162cff7db5fd09b6fea

SHA512
f430e86c7f63334d10f5a0a3b75811f6f9fab132bc007f5cda492edd389ba16b01cf40726424ff3e88577e7422be63cce73383d2015d4f580ced22cb9eab465b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cfa756e8-4417-4060-a32a-5b194501eacf.tmp

Filesize
5KB

MD5
bbd41ce48528f8d236af6701d6240196

SHA1
04fb84aeb12003f3b4939f17bbabe8fba700caa2

SHA256
b768385549a386c01ccbc6319f2afb3bea53e52c514dba610099c9a33aba2a6b

SHA512
1ba47e3aa54f02aeca51bc468a6ef6a643e197ef6b8293585ce4da46b01d5db0534e789972fa247fba0e0ae574e7bb751facd5a57be72e2f7b3b357c522f78a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7b8d23cfc483e286d06249c06ec274b0

SHA1
35ae2bd3d4b01c4884d689176144a01268475ed8

SHA256
e079cd4ef6e2d9092fabccb3ac116f8dd328b33e8529dcbeb5a7ed614327e367

SHA512
149ccfea7f1f5df7e9a170119000f6a352d77678059f18e67322e82988d4653318aa740b4df9d0f2804cb5bd6f50083964e8f6c8c6050265465f96e3d3748601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e7b7d168a660aa4904322761dac37518

SHA1
a79ffd184975afa3379de16ad8a51da48d323577

SHA256
2159bcbb45586f9b846c0b14d596f13c4141ed62a1f42fcd6a1b241bd686aad9

SHA512
4798b95fba4d6d3c399d71632cbc97a13ed0078ee1e94020fb376c6376990c039414626be48bc1268c8c7a82f2ad5e3764fc41c26efe9f88717bceda2fb6a283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\76561199786602107[1].htm

Filesize
35KB

MD5
1b5c4b0ba354c9ec86cbfd703dedf87e

SHA1
a244772c8721681998e4d028d895517a2fadce13

SHA256
9a9da80a39ae0254e6d597f251e54399193380170b1dd86219d1d22b679dd1c1

SHA512
2ec68b27a01f7a42a517c658058668ce48cf3dd29cfeeffbad225881b314857eeb496be22cb8f84d877b0ee4f408f0436c6354e2ebad4ae907056c710b56b60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avt3xcs2.3t2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/976-645-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/976-651-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/976-652-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/976-640-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/976-642-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/976-639-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/976-644-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/976-653-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/976-641-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/976-650-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/976-643-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/976-647-0x0000000000BE0000-0x0000000000C00000-memory.dmp

Filesize
128KB

Download
memory/976-648-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/976-649-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2276-465-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/2276-464-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/2276-466-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/2276-654-0x000000002C0A0000-0x000000002C2FF000-memory.dmp

Filesize
2.4MB

Download
memory/2276-477-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/2276-470-0x000000000A450000-0x000000000A451000-memory.dmp

Filesize
4KB

Download
memory/2276-467-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2276-468-0x000000000A430000-0x000000000A431000-memory.dmp

Filesize
4KB

Download
memory/2276-469-0x000000000A440000-0x000000000A441000-memory.dmp

Filesize
4KB

Download
memory/2276-471-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/3324-559-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/3324-440-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/3324-433-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/3324-434-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/3324-436-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3324-438-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3324-441-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/3324-621-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/3324-439-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/3324-437-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3324-435-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3324-449-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/3324-450-0x00000000254C0000-0x000000002571F000-memory.dmp

Filesize
2.4MB

Download
memory/3324-475-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/3324-478-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/3324-530-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/3576-590-0x00007FF7B4070000-0x00007FF7B4BE9000-memory.dmp

Filesize
11.5MB

Download
memory/4548-557-0x00007FF7E6470000-0x00007FF7E6FE9000-memory.dmp

Filesize
11.5MB

Download
memory/4760-566-0x0000023F48390000-0x0000023F483B2000-memory.dmp

Filesize
136KB

Download
memory/5184-623-0x00000208A8220000-0x00000208A822A000-memory.dmp

Filesize
40KB

Download
memory/5184-619-0x00000208A8240000-0x00000208A825C000-memory.dmp

Filesize
112KB

Download
memory/5184-626-0x00000208A8260000-0x00000208A8266000-memory.dmp

Filesize
24KB

Download
memory/5184-625-0x00000208A8230000-0x00000208A8238000-memory.dmp

Filesize
32KB

Download
memory/5184-624-0x00000208A8280000-0x00000208A829A000-memory.dmp

Filesize
104KB

Download
memory/5184-616-0x00000208A80D0000-0x00000208A80DA000-memory.dmp

Filesize
40KB

Download
memory/5184-614-0x00000208A8010000-0x00000208A80C5000-memory.dmp

Filesize
724KB

Download
memory/5184-613-0x00000208A7FF0000-0x00000208A800C000-memory.dmp

Filesize
112KB

Download
memory/5184-627-0x00000208A8270000-0x00000208A827A000-memory.dmp

Filesize
40KB

Download
memory/5424-632-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5424-633-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5424-636-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5424-635-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5424-634-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5424-646-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5840-592-0x0000000000400000-0x0000000000C4C000-memory.dmp

Filesize
8.3MB

Download