hxxps://drive[.]google[.]com/drive/folders/1CCDtQwmoxnQFloMtGVkr0KwXqFNWu_IQ

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1CCDtQwmoxnQFloMtGVkr0KwXqFNWu_IQ

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	osu!install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	osu!install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	osu!install.exe

Executes dropped EXE 7 IoCs

pid	Process
5352	osu!install.exe
1368	osu!install.exe
5880	osu!install.exe
5832	osu!install.exe
844	osu!.exe
5036	osu!.exe
5772	osu!.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
13	drive.google.com
6	drive.google.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5764	GameBarPresenceWriter.exe
3584	GameBarPresenceWriter.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osu!install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osu!install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osu!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osu!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osu!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osu!install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osu!install.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{D9D152C8-E1BC-4220-BD76-4FB6B7E8A2EB}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{C24B1D84-7A97-4A8F-9E54-A437EB75B148}	svchost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 970523.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2864	msedge.exe
2864	msedge.exe
4416	msedge.exe
4416	msedge.exe
1788	identity_helper.exe
1788	identity_helper.exe
2628	msedge.exe
2628	msedge.exe
5344	msedge.exe
5344	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1548	OpenWith.exe
5132	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5352	osu!install.exe
Token: SeDebugPrivilege	1368	osu!install.exe
Token: SeDebugPrivilege	5832	osu!install.exe
Token: SeDebugPrivilege	5036	osu!.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1548	OpenWith.exe
5132	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4000	4416	msedge.exe	83
PID 4416 wrote to memory of 4000	4416	msedge.exe	83
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 1264	4416	msedge.exe	84
PID 4416 wrote to memory of 2864	4416	msedge.exe	85
PID 4416 wrote to memory of 2864	4416	msedge.exe	85
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86
PID 4416 wrote to memory of 516	4416	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/1CCDtQwmoxnQFloMtGVkr0KwXqFNWu_IQ
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb397546f8,0x7ffb39754708,0x7ffb39754718
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3432 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:5760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6832 /prefetch:8
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,3844723530029974775,996877647590122488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5344
- C:\Users\Admin\Downloads\osu!install.exe
  "C:\Users\Admin\Downloads\osu!install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5352
- - C:\Users\Admin\AppData\Local\osu!\osu!.exe
    "C:\Users\Admin\AppData\Local\osu!\osu!.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:844
- C:\Users\Admin\Downloads\osu!install.exe
  "C:\Users\Admin\Downloads\osu!install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- - C:\Users\Admin\AppData\Local\osu!\osu!.exe
    "C:\Users\Admin\AppData\Local\osu!\osu!.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- C:\Users\Admin\Downloads\osu!install.exe
  "C:\Users\Admin\Downloads\osu!install.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5880
- C:\Users\Admin\Downloads\osu!install.exe
  "C:\Users\Admin\Downloads\osu!install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5832
- - C:\Users\Admin\AppData\Local\osu!\osu!.exe
    "C:\Users\Admin\AppData\Local\osu!\osu!.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5380

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:5764

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:5740

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:3584

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:5884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50

Filesize
2KB

MD5
32101a09fca85655a139a04fe6988173

SHA1
fdf4dece53a91714ba8a035d65b4c1c6ad05bac4

SHA256
7106a87241c2eada0277d5661bc199ceb3b5bdc5dd19a5838811a3791a735711

SHA512
35685987aa964f955f581b252223b75af80482048a7797569088318ed042c53f75cd41376796f2741a9a2d314963a798934907287be53992135076953924b3d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F

Filesize
2KB

MD5
af006b084048299fa21e577bbdc24f37

SHA1
f1475f23b462a51905cffd060a18a87ca6198ad7

SHA256
259a65571abc9fe084ee6594c9b655682bd29e376197b11f46eb1a521f966172

SHA512
de231b7a72f0cb11c093b68231a2c5d9d86ad130ceddaf0b3c0cc9d689094ac42d04357a3ba979b8659da97c11891ed520d9ae009f82d927fa57862fc3e6e05b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A76F24BEACC5A31C76BB70908923C3E0

Filesize
3KB

MD5
56e8dd03c256eac0fbde3838aed88027

SHA1
aad52a59da5a121d3d15cfa2089aaffaa8a7f442

SHA256
00d6541545f73c360354007ccdbb11d7b3317d5632ada3466d89a5c0c4107d24

SHA512
442d5afd963c90bc78968ba69786d24fd48b5b1db981a00b67a5ac4b53eb776ee7f2f465a9c676a8449f249c680660d93e11b1e2e32601a4f30988fea03f48d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD96F9183ADE69B6DF458457F594566C_DB63E9C2662FC45CB0B3D65E2AC369AC

Filesize
2KB

MD5
71aa64cf520e397c2aea07dacf581365

SHA1
8cfc8a6ea9a3b89b1f9cede88708db1c699ffe20

SHA256
f517f15ca7a56542f0e3907d579695580d2291ce8304c85813a64fe7ab8a5535

SHA512
ba37058b6eba37ef89c2a58d64b7598fc2d9f9b781207b289cb7c1dd9150fc8c830cd1f117ce7d4bedbd8284d6d32ca668cf71a2de354465a3c5cb4c62f57214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50

Filesize
556B

MD5
00ecd43971713bf4a16ff8ac7da7a97e

SHA1
6db99c5e5076be352e7eca4c9e7b72eae1ef00aa

SHA256
abdbf1eec03027d58e26871a8c5ab1e3bb04a5f41268bfcf552ff8742a173b24

SHA512
cd19651450360b82d4f4c48c4a9166b673c14f4db0fbd563ae50d315d9c1f27952646a092f194aac68e5a69f7181b2b41017197839bc2970ab51c2973f792e80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F

Filesize
564B

MD5
df15567f4c58a2f6e81876feb3d5c107

SHA1
091889e427ebedf382430d57f026dbb2d19f40b8

SHA256
7cd34e89dccf3c0b0af72c36bf26c9b23f888e0acc284923a5f1f538ca6a4490

SHA512
62f90a8038da53bf1b18dacb40afbc6227c2cdabcea50094c7ec278c994119efb14217069501c7e05d7b01c30c0d21f739bc330b6db59b86a11cfdcb3fe6fa2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A76F24BEACC5A31C76BB70908923C3E0

Filesize
290B

MD5
4daa7a097a730c942d1a2089b96806ab

SHA1
82e42e88fbddb93d78aa442c25f14fff12ecf4b8

SHA256
ffafe0eac3bdc97fbf2698e2461a8030696a56840cf791c91081992e0cc771b4

SHA512
ac3f4d4a95dde6afcf424d7affc853dbd591bba7f6857872ed1281c15f9ac37779e0d301bcb00798f629021802947433bb28994f00589ff67d451e74ce01b595

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BD96F9183ADE69B6DF458457F594566C_DB63E9C2662FC45CB0B3D65E2AC369AC

Filesize
564B

MD5
7cff1cab660d614bdc00ab22995ab757

SHA1
833efda613d64d5b28f6941d1e184ce07732a68d

SHA256
3ad23b466c555a834c898ec6f624e6ecbc80e990d05ac22df5df09ed916f858f

SHA512
9de184f0a79633a1cd40c34d2c8a0728a9c8d5734d71a2a15749c69ed5052202afe061041f4d28bc1bb079e8c6436ec9ce3253a03d255f8b9b5869532c7ba866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\osu!.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
25KB

MD5
9222217ea98c35e71acd00dfe056b030

SHA1
42fc786d7b865bdba84117ff15357fada69d3b35

SHA256
1bbd4cf227b3645dccb3d9e3e03736d4e7612326ef09126cf18fccf00b1aac4f

SHA512
7aaaa2031579bdbc89a31201613e26f4a1b67998cafc0d2372438beb22f11ba0bcc13d41c6d6e074b3e5a8d87a15dee42747b796c92d619549e83bb117362780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
1024KB

MD5
09c44d7d3fe021b80c0c6983d43e7879

SHA1
62ef901550bb1438f574378cdcce94aaf37249f7

SHA256
3fc829a2ad9ef1ded5449ed209d27c613bb1dfb1226d8512e411594f50a5699e

SHA512
5c2422cb651ca203ab60b8b140fff001fe598835f4f7aa96c72c90680ed89c836a436b86337f9673426635468a7ff26655df2fe0ba3d20ea091e5d57d5e2c431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
20d3c0916b089fe4ea8ac29aef342a4e

SHA1
8f664f4f41a6f78ba50405b3786c019eefb0c0b6

SHA256
77429aa99a8b9c60b6031533a4cb354995f35ef299a03f2681e29b26eac6bec3

SHA512
20c83901adac00e6f827b9b285936a4860d547b9ba10044e2e6eaeb6adb7fc8de1848aa5b82b20d39a461e1de01b341b219965e931c3cae53fa3cb123f6f0573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8822c3fdc123b98dcf9d97431dcbf30d

SHA1
02ec3e07b4f01a0ed0b8cbc48ae83cfa0ff38c9f

SHA256
5f3e38f51ea38661cd0fb4b760d98fbfd25590fb8af5f3d00f8569c801b99af9

SHA512
6dde1890b521e483c3390ce8b73c9455e6525260ca70bc3c613b74f506c0793c12822cadb366fd6e7e098c75a5f68b0fabd70be3934c2f89d09f98dd46c4a849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
540b3999d50d6ef82336349a211afea1

SHA1
8c5122ab21f4d40e91950a29dfc681132d756e84

SHA256
e4e766431781451795239353924e1e8ed027874847b1f15ae31cdddc99ef0d00

SHA512
39213e4eea68936093cf16cd6fbc5b5c0b0bf9b5e4f4532e36d2f7813870a90edd2f3f955df15846126cab278820a2a23bfff15076c4af15737a65fe1b724e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
4e5c9fa4062fd71f6462ba8e94dc41a4

SHA1
7eaca3f40997cdd7f729de638462283c7f948e66

SHA256
dfe7821b545329fd2a5f8e17f5cc0f250534bdbafdef20d77d0f5c04538af545

SHA512
113b37bfcd914d8ccc82abe6108ecb962e061082c05db5dd5560278b6701e8d73f36f217f3bc2bc8eae40201e6026a80c4bf78fb7431c2ab93d514a2bf14c588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
62ac99404a959d3d1b3bf883b9b23210

SHA1
91c9eec830020d3833349fa91131532b2cdf1df5

SHA256
efe05d20356bb78f701fec3ad6acf2743493aa8fc232885cb13ae7ff55f2f112

SHA512
d5e575c83ce4489df3f0f17329875fa69626387e98fd452059cf5c62a4886d18c20b5ad5f1d06e4c5ce8f1e4fec0b8938e227f76285ee12182947a93d276420d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ed80d5a10886a02a937ee9132426d6c

SHA1
bf5bd7fd4fd1761b3b17272a9f7584c1dcb4cabe

SHA256
c62ffce8bb15bb2ec25f903ceb7f9d3cb9692af405abf01d04ffcc9130571e94

SHA512
3953fe1eaff8be2e85f2fb12d28d596d83a5563796ab6188ce1cc875ea8e94a6d6e95ee307f0c47e966c0128871959a6cca5d1f15735decfb2dd741ca8093665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0635f2984d13121f38af188c17467c38

SHA1
5ffd0585d6f3c9a1b4e119735b936823beaf4e9b

SHA256
bba903b4b04067065df890cbd879da6d223d7caf43158f2f49873624f60ab560

SHA512
a1521ce19e514a5ed66135b3020c8e33c39eab514168b0a15a93990e0ec085438aa61796aa9c28e1a25fb3d8be3ee324b3f1f784a3d5efaf15bd568842a643be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1c1027582e6e38e3f66889d66a2f72a2

SHA1
3a065f60bb40d013fd3c31b81cf3d21c2910daf1

SHA256
aa036f12cb13f2530caff39cb706fadbf84563169024310a4c69f9a9fb16e2d9

SHA512
e1af10cca5ce74f818c53a2c0bf99dd44963cf311b937fbc695e22da40c50c0c3a565f8f72bb77f1d3121c86283917127bdb97fc511ca8e1d9cd3d2be209e075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9fc7a39458a4a100663c5673bfe37f43

SHA1
f414e61946cd479fe8ab41ef0e3399952c2550c9

SHA256
233d3af577f6e14f892955d5c1ae00da06d76a5db15ed00c3b87d6c69555f577

SHA512
85e14ae4a29888bcd2e950aa14edac231d0e40338cbb20fab5feddc0a8fec5308488ca0c1eedd5d53a3fc28ce39c1820a286c3c2aed8f47f4cb3525515e02b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9eb523ecab3e2328009c3dcb1625773b

SHA1
bfa67eb90a63f6b94dbe1e8c294735e09f0bb3f8

SHA256
7e04b2f7416118638c7dbd057ba78eae249dd61f7fe23038a7266e61dc3f624d

SHA512
b80f0be105405ddc602f89c2f217047627ff6915a4d32049f1ff04a4689360a5c011b998fac4ec2983e8055158e444ad2a5652d6816ebf860f509ab9bd02afe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
be8c2208964b546cda25ea0b10088b75

SHA1
e96a798d36cb93e47db7f4e55ad5cef91f776992

SHA256
e0b420b86f20ddf494b63e7282d08301d70e8b6c6444cef375adc15a31acb2c7

SHA512
d5e92fd9e239e7f563fb27296e4e44f58f4a15f24b155a58cb6c23544d0891121d3728d06555301fe65b2ee781d5c8bea291f69665d2557c5bd2b29355225621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
91c00efd1a7465d5e4150018f3842984

SHA1
3c5a7f2dabc35d92b8ec1c6278c62fdd3fc03e07

SHA256
07edcb1fcf3dee5966ed85204faaa9e6380dcff181f3174ee553cc57e93c7303

SHA512
ec667a237430578f4c6415c834895b2fce28daf9650cdd2a9fc07cd283bc7527ebe0cadea5599f7236e942ca3de7340b3827406f981bb674f51fac8626280910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c2183efce808322a314d8ae8daf7d063

SHA1
d580fbae4416931c1160b5a936307de40cf30b89

SHA256
3b27b89d573658ff3d4c00352322ee8607421119e1e98eb9fdee801a5d25d9d9

SHA512
e5948bf18a406b2d93f4ed230131c9a72275cd578235560d8ee0682cdae76c9b5d56ec72c8aa1beaeff1f7d5cd43c34f32d8448b88798cc8b820281f3c4c08fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f712.TMP

Filesize
1KB

MD5
1bdbb269f67e4392bf46c91baa940783

SHA1
1842b350e96f3bff94a1e9c05927d07c8cfc84bd

SHA256
6ec7945dbb0a55c5570eb5cca96d6170ac28b94e7229836affa7110ec767c777

SHA512
404eac0d99b782b69e0dcf17ffb3e7de67dcd658e020c6963d78a6200589bf7789944f4a1e5dbf1e3d1d82ee873e6f870b5c041cdcaf401f0d3dcc3e674f1433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c0394859cd231bec0746ac63c7da7b1c

SHA1
3369073b5afa4d491bb23ef462526b7cb300a70c

SHA256
b1b7d66853f78133f92815a353dae7b6fa2db3f3d2099e9a92a3bfec6c298655

SHA512
98b25cd748324b8ec7b617a6091f439e3f91b5c30c9724c7680230b1d5183ca95e40523f4229997095d4bef2f7124a241cf03c5cacb3a0423f050226fbdcceea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
46bb77b9bd0ca0c03ee07c041269b209

SHA1
0a5b4aa89d68638591246ca3c8c991bf6187205e

SHA256
97f76d33d23e86eef6b46990672b4709ac9de5a9dcd8380f1bab3516ac72acc5

SHA512
1573a8ac21af6d0c6c3aaed3b32fa2f06c7a0fd3dc89e6a84275fe8199020cec252e66d58d7b04557696b6d6e2f4fdeb5c8c84fea89f4fa2bf28de9a79e6c7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2954d7e1ed6eb7626972fd7fad78ecf9

SHA1
7e0ee606eee667f3b0ff0c61b34b31623e128802

SHA256
4f8a9cfe8edd3f61ae755cae6c39c8d07afc16759e5da06811ab07b4136e2943

SHA512
fa1f11e8b01f806f7251369f2e09a2bdefddcade7fdb9c9062e31e8c4c2cf3648ba509c89fb30b7e80a2500d321a049dc8a6e2466e74a94ed546885d9dd7aec5

Download Submit
C:\Users\Admin\AppData\Local\osu!\Logs\update.log

Filesize
90B

MD5
0d84b5cb53b209e829a3bf16f05f5917

SHA1
07db316b55ccbc98443bd4800a1ddccebc70c43f

SHA256
3c2cd1da6cabdc66b6cac4a5cda0b541992781b242aebdcace375e9b3bce2268

SHA512
1dc6eacca958163ddd28435abaf91dd5058a92eadd4b7692c6a2f302552be4c9aecb818c1e7df6dac89c0e0ad25ea84a5b35d9fdf3c9a4e567ccb0e160b0a682

Download Submit
C:\Users\Admin\AppData\Local\osu!\Logs\update.log

Filesize
135B

MD5
26bb0c5e3356d82b30fae1422e1f92fd

SHA1
51deb269ef9c5aa9ad99dbad440cbc906dc8fc92

SHA256
235b17fb32c5fac65703575194dfd10b21aff6f7aa7fbf0fe74cd21c337408e2

SHA512
38b7b6edc7e14a230c25e0d78ef71b2f5822480a4e1a61f252f731b03ba90325f19180b78c215f73ef996eff8a5191c905061a23e7b2eae34aeec374908580dd

Download Submit
C:\Users\Admin\AppData\Local\osu!\Logs\update.log

Filesize
323B

MD5
d9b40d15b0316cd3d0ced5bc1f5b31b2

SHA1
d54b93f44bae37ab99082032c52111178e1948c7

SHA256
2a5e594f281885c5ae5b16029c5b4e6e607d8691735b772ce2168210b8a301da

SHA512
edee3b9cebd48c8dedec432a116cb9f08fd30c6d0f7e6e6accbbc7d21947d0586b51b5cd8ca0cc179a135145f0950d76a50615d78e4de902bcf2f3c046e1c470

Download Submit
C:\Users\Admin\AppData\Local\osu!\Logs\update.log

Filesize
706B

MD5
769595381b6eaa345d9199108022bc25

SHA1
bd96507bcd5bde8cf9ef05f796e1e778b3fe6921

SHA256
7db62729aa897df6ca78a0cb42dd117da3cc5f16d81f3aaa71a96fcab904cc05

SHA512
77695feffdf01f0a573eede6caa126a105b9cfc918e89ed3b6fdd631939ae0e516514311ed94d8ecfa77dfb44623a000af3b6519060762cff2692e56796a94f5

Download Submit
C:\Users\Admin\AppData\Local\osu!\Logs\update.log

Filesize
3KB

MD5
d0d562c1b7867ab6edf5d6c133bee968

SHA1
29e80e7a1fde2d92afc8a5dffc3084f4065aa9ab

SHA256
63e155814cabecfb74b20dce5067b3d5ce37dd99a41f21541d77c20aacd2fe6b

SHA512
56ead0de5398bc17312cbf3f195b814f3e5ee42e37b318435362d2934e2dcfa70d66c1bbc45e3936b64f74f761bc20162fdda28f201e5ed1b73de710b6d2f5e0

Download Submit
C:\Users\Admin\AppData\Local\osu!\Logs\update.log

Filesize
4KB

MD5
5fa1a2ea52534ff669d450f95824facd

SHA1
b6358be1ec58ff24decd0820c6135ad310f3fb4b

SHA256
89e14d0015d42c001ae9eba0033b917b689e4c5fb62d9ae63edd907e3793da95

SHA512
d32d4094fe903b8107cd8d4af4ede2e36737a63ec8713585aeac4e50fc6f4ab464d7314a3f64d2ba4b1887847de9a922c0fa1d045c203f432a1ba346609d9489

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 970523.crdownload

Filesize
4.3MB

MD5
f9d81cee8cd45ad56baf9211067eeafd

SHA1
f0554221c337120f1b7113375d7b9c87acefa813

SHA256
dcb945dbb702c9239f998cb41f2aab78bdeda329d4e48c257d6a756fd9abf509

SHA512
4164bb55c1a4ec2a871e4ed4b35b9fe582b1d4dd7768c74db3bc49a019da6dba58ad813c3941b12f82a04f392c17442bdb2dbab0fe83e53e5c1e9e291783343f

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/1368-594-0x0000000000190000-0x00000000005DC000-memory.dmp

Filesize
4.3MB

Download
memory/1368-596-0x0000000004F80000-0x0000000005012000-memory.dmp

Filesize
584KB

Download
memory/1368-605-0x0000000005CF0000-0x0000000005D2C000-memory.dmp

Filesize
240KB

Download
memory/5036-811-0x00000000098F0000-0x0000000009E1C000-memory.dmp

Filesize
5.2MB

Download
memory/5036-812-0x0000000008750000-0x0000000008772000-memory.dmp

Filesize
136KB

Download
memory/5036-813-0x0000000009E20000-0x000000000A174000-memory.dmp

Filesize
3.3MB

Download
memory/5352-606-0x00000000066A0000-0x00000000066AA000-memory.dmp

Filesize
40KB

Download
memory/5352-595-0x0000000005790000-0x0000000005D34000-memory.dmp

Filesize
5.6MB

Download