hxxps://cdn[.]discordapp[.]com/attachments/1309185645029228554/1309864039714783302/Release[.]zip?ex=67432173&is=6741cff3&hm=90f3ef27b699baba3c2ba99ebd0d73789a69c44434b227cff66ec041c25a0436&

Analysis

max time kernel
55s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1309185645029228554/1309864039714783302/Release.zip?ex=67432173&is=6741cff3&hm=90f3ef27b699baba3c2ba99ebd0d73789a69c44434b227cff66ec041c25a0436&

Score

9^/10

discovery evasion persistence privilege_escalation themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

cleaner.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cleaner.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4712 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cleaner.exe

pid	process
4712	netsh.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cleaner.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cleaner.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 64004f00650048005300200020002d002000640000000000	cleaner.exe

Executes dropped EXE 1 IoCs

Processes:

cleaner.exe

pid process

1484 cleaner.exe

pid	process
1484	cleaner.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\cleaner.exe	themida
behavioral1/memory/1484-182-0x00007FF602950000-0x00007FF6032F2000-memory.dmp	themida
behavioral1/memory/1484-186-0x00007FF602950000-0x00007FF6032F2000-memory.dmp	themida
behavioral1/memory/1484-185-0x00007FF602950000-0x00007FF6032F2000-memory.dmp	themida
behavioral1/memory/1484-184-0x00007FF602950000-0x00007FF6032F2000-memory.dmp	themida
behavioral1/memory/1484-187-0x00007FF602950000-0x00007FF6032F2000-memory.dmp	themida
behavioral1/memory/1484-343-0x00007FF602950000-0x00007FF6032F2000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

cleaner.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cleaner.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

48 raw.githubusercontent.com
49 raw.githubusercontent.com
Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
discovery

Network Service Discovery
T1046

Processes:

cmd.exeARP.EXE

pid process

2812 cmd.exe
1428 ARP.EXE
Checks system information in the registry 2 TTPs 1 IoCs
System information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cleaner.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer cleaner.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

cleaner.exe

pid process

1484 cleaner.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cleaner.exe

flow	ioc
48	raw.githubusercontent.com
49	raw.githubusercontent.com

pid	process
2812	cmd.exe
1428	ARP.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	cleaner.exe

pid	process
1484	cleaner.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Discord.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Discord.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exe

pid process

1168 cmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe

pid	process
1168	cmd.exe

Enumerates system info in registry 2 TTPs 27 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

cleaner.exemsedge.exeDiscord.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "f8239c79-a21e2901-2"	cleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	cleaner.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "22af5bd8-29ad7071-1"	cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	cleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	cleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion	cleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exe

pid process

1912 ipconfig.exe
3348 ipconfig.exe
3204 ipconfig.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1760 taskkill.exe
4304 taskkill.exe
2060 taskkill.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings msedge.exe

pid	process
1912	ipconfig.exe
3348	ipconfig.exe
3204	ipconfig.exe

pid	process
1760	taskkill.exe
4304	taskkill.exe
2060	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.execleaner.exemsedge.exemsedge.exe

pid	process
2948	msedge.exe
2948	msedge.exe
636	msedge.exe
636	msedge.exe
4648	identity_helper.exe
4648	identity_helper.exe
1984	msedge.exe
1984	msedge.exe
1484	cleaner.exe
1484	cleaner.exe
2728	msedge.exe
2728	msedge.exe
532	msedge.exe
532	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exemsedge.exe

pid	process
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

Discord.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	392	Discord.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeIncreaseQuotaPrivilege	824	WMIC.exe
Token: SeSecurityPrivilege	824	WMIC.exe
Token: SeTakeOwnershipPrivilege	824	WMIC.exe
Token: SeLoadDriverPrivilege	824	WMIC.exe
Token: SeSystemProfilePrivilege	824	WMIC.exe
Token: SeSystemtimePrivilege	824	WMIC.exe
Token: SeProfSingleProcessPrivilege	824	WMIC.exe
Token: SeIncBasePriorityPrivilege	824	WMIC.exe
Token: SeCreatePagefilePrivilege	824	WMIC.exe
Token: SeBackupPrivilege	824	WMIC.exe
Token: SeRestorePrivilege	824	WMIC.exe
Token: SeShutdownPrivilege	824	WMIC.exe
Token: SeDebugPrivilege	824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	824	WMIC.exe
Token: SeRemoteShutdownPrivilege	824	WMIC.exe
Token: SeUndockPrivilege	824	WMIC.exe
Token: SeManageVolumePrivilege	824	WMIC.exe
Token: 33	824	WMIC.exe
Token: 34	824	WMIC.exe
Token: 35	824	WMIC.exe
Token: 36	824	WMIC.exe
Token: SeIncreaseQuotaPrivilege	824	WMIC.exe
Token: SeSecurityPrivilege	824	WMIC.exe
Token: SeTakeOwnershipPrivilege	824	WMIC.exe
Token: SeLoadDriverPrivilege	824	WMIC.exe
Token: SeSystemProfilePrivilege	824	WMIC.exe
Token: SeSystemtimePrivilege	824	WMIC.exe
Token: SeProfSingleProcessPrivilege	824	WMIC.exe
Token: SeIncBasePriorityPrivilege	824	WMIC.exe
Token: SeCreatePagefilePrivilege	824	WMIC.exe
Token: SeBackupPrivilege	824	WMIC.exe
Token: SeRestorePrivilege	824	WMIC.exe
Token: SeShutdownPrivilege	824	WMIC.exe
Token: SeDebugPrivilege	824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	824	WMIC.exe
Token: SeRemoteShutdownPrivilege	824	WMIC.exe
Token: SeUndockPrivilege	824	WMIC.exe
Token: SeManageVolumePrivilege	824	WMIC.exe
Token: 33	824	WMIC.exe
Token: 34	824	WMIC.exe
Token: 35	824	WMIC.exe
Token: 36	824	WMIC.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

msedge.exemsedge.exe

pid	process
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
532	msedge.exe
532	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cleaner.exe

pid process

1484 cleaner.exe

pid	process
1484	cleaner.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 636 wrote to memory of 1240	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 1240	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 5068	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 2948	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 2948	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe
PID 636 wrote to memory of 3964	636	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1309185645029228554/1309864039714783302/Release.zip?ex=67432173&is=6741cff3&hm=90f3ef27b699baba3c2ba99ebd0d73789a69c44434b227cff66ec041c25a0436&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd480846f8,0x7ffd48084708,0x7ffd48084718
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15026522513189473736,12911057235921319003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4388

C:\Users\Admin\Desktop\Release\Discord.exe
"C:\Users\Admin\Desktop\Release\Discord.exe"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:392
- C:\Users\Admin\AppData\Local\Temp\cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\cleaner.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Checks system information in the registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
    3⤵
    PID:3496
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1168
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
    3⤵
    PID:4016
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Battle.net.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start https://applecheats.cc
    3⤵
    PID:396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd480846f8,0x7ffd48084708,0x7ffd48084718
        5⤵
        
        PID:912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,18213822420077907742,5725508367985628348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
        5⤵
        
        PID:4988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,18213822420077907742,5725508367985628348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,18213822420077907742,5725508367985628348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
        5⤵
        
        PID:956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18213822420077907742,5725508367985628348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        5⤵
        
        PID:4488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18213822420077907742,5725508367985628348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        5⤵
        
        PID:2400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18213822420077907742,5725508367985628348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:1
        5⤵
        
        PID:4492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18213822420077907742,5725508367985628348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
        5⤵
        
        PID:4692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18213822420077907742,5725508367985628348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
        5⤵
        
        PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH WINSOCK RESET >nul 2>&1
    3⤵
    PID:716
  - - C:\Windows\system32\netsh.exe
      NETSH WINSOCK RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INT IP RESET >nul 2>&1
    3⤵
    PID:652
  - - C:\Windows\system32\netsh.exe
      NETSH INT IP RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall reset >nul 2>&1
    3⤵
    PID:928
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall reset
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV4 RESET >nul 2>&1
    3⤵
    PID:1664
  - - C:\Windows\system32\netsh.exe
      NETSH INTERFACE IPV4 RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV6 RESET >nul 2>&1
    3⤵
    PID:2544
  - - C:\Windows\system32\netsh.exe
      NETSH INTERFACE IPV6 RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INTERFACE TCP RESET >nul 2>&1
    3⤵
    PID:5068
  - - C:\Windows\system32\netsh.exe
      NETSH INTERFACE TCP RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INT RESET ALL >nul 2>&1
    3⤵
    PID:1236
  - - C:\Windows\system32\netsh.exe
      NETSH INT RESET ALL
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
    3⤵
    PID:4168
  - - C:\Windows\system32\ipconfig.exe
      IPCONFIG /RELEASE
      4⤵
      Gathers network information
      PID:1912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
    3⤵
    PID:1692
  - - C:\Windows\system32\ipconfig.exe
      IPCONFIG /RELEASE
      4⤵
      Gathers network information
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IPCONFIG /FLUSHDNS >nul 2>&1
    3⤵
    PID:1468
  - - C:\Windows\system32\ipconfig.exe
      IPCONFIG /FLUSHDNS
      4⤵
      Gathers network information
      PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NBTSTAT -R >nul 2>&1
    3⤵
    PID:3540
  - - C:\Windows\system32\nbtstat.exe
      NBTSTAT -R
      4⤵
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NBTSTAT -RR >nul 2>&1
    3⤵
    PID:3944
  - - C:\Windows\system32\nbtstat.exe
      NBTSTAT -RR
      4⤵
      PID:4068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c arp -a >nul 2>&1
    3⤵
    - Network Service Discovery
    PID:2812
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:1428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c arp -d >nul 2>&1
    3⤵
    PID:4660
  - - C:\Windows\system32\ARP.EXE
      arp -d
      4⤵
      PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
    3⤵
    PID:3572
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\20475a47-b039-41af-86f2-7319618d6a3a.tmp

Filesize
10KB

MD5
35244310b597c577c0800c5baa31b962

SHA1
680186156e6438bc49764ef4b9bfc5cac71dd7a5

SHA256
fabc3d156eb7d87dadad494f990c2e3f7128955b50205e433dc9b7324dfbf708

SHA512
2b7e6f7d57a9d28591ff2f7fcb6f298a363d9ac4ae9d75300e87f3dc4f54290424ed68c981978563c47cf410afee64d197dafd96d1c5566ca628abc4c68f09b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2009555c0bb5f9bf2c55e65e80350eef

SHA1
667993bb8554032c3b3755b7733fd6532b0685c8

SHA256
65dfb785a61414136f5b61c4e8e9dea11d6e714917704c752bc5f67568f9f4e7

SHA512
29819a30731703e1e8ea1141314dc1931a6792c99911c60b065653be36d8f9311b2f95014338dbf5924ffdd453e6c1e6d8fca2782c443e874560beba6d777531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cce9e9f4b9fd8e0f9ef79f48c6dbaec4

SHA1
4fe453b717b00775adec43b84db8955e1108d8c8

SHA256
c4191c0180a10c00ab5e70dbb4c01173954a481f48c2202f59257b277868e637

SHA512
ddd6475da132aff41462af588dc4ec8702e2ca6e029f30f42f2410b061530cd535b559a4a5a3ab219e8cfdff388dbb3a25503a4d8d9fd155d9f7e80065fe5b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8dae9cca-bada-4e19-935a-66dcb45657c8.tmp

Filesize
6KB

MD5
c79c07a2d0782e22132292b122580c54

SHA1
0b85e7f9eb6bbcb2cb06b6a700dd4c3913395aaf

SHA256
398c0d98bce2bdf3fd65b65c049d8dae08f254d37a0e9b545d65ce1f1d523585

SHA512
73e04c927f90b4eaa66cfeb8287e18c6a4fbbc8340e18705b70cd538467fabb60ab48b30d4faec543cbb9561bd34b0e8d739e3fb043ed3e8be6e7ffcf5481977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
bee20373744601c85451511dc7e12dd1

SHA1
c2474ed717f348c9d5a1b14de262f888a392de12

SHA256
c8e011f6fe0d74d2b077c47971adf6a0becd86b3be0ca536f88d7cfcd5e71c79

SHA512
1682cd9f1adf6bbef371691127f34ad000d9d990754c8bc595d8042853b336e69fde599e101a071fb5e2586b63d8e8eee16fb322f92fdcb311ed78d5afeeb8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
d35c2d152a98ddf849c00b6a6df618b5

SHA1
54f124f237bd1e6f24900cf80fb093523c5e97b7

SHA256
cbfe97fbbe5078dc0930a4e104447395dc3b704f20b389078137ee20916b9cd4

SHA512
9f549fb8aec381826d62f09b4263d1b7b9594bfea858346674d805beb6232a35ecbbc2c344bfb457e9e6c667c96ad3314bb0d21c93273f10548a583146208aeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
7eba3aa3ff627362020cf6fc391a0358

SHA1
16576e9cb7b9c5b1a476fc891ceab94f2776b20b

SHA256
a60a77882a1cc825c7fa9fc06292ce4876283ef4550eb80c790d8fc2ff54f07b

SHA512
8a73e2b6db20e3e79d6a1b0fef8acb955978c36c85cd865948d4ffc5b7093502d2fccb0c54121d92b32b2162f5a659470a598a7efb3dfc46cbf9f3c8635e82a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
e5635bfd904e824ee82792998161d1ba

SHA1
f8a0c5a1990e6c673ddaee06c86087851e83fe22

SHA256
4d79e8534b20c42f428e2c2d1bec9cabf64f03bc46f32dc3e77df240c9df01c6

SHA512
7ae7704ba910c6c77b20b33909c16144d45dd05ab8bdef6719f3b7d6cbcdea61c7335ad5dbc4885a4873b6b89f86b3f29c8d13931e72e062b613e26cb34e1b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
b4f6b221ff44b62adf8d5414917d2e64

SHA1
27617bbb0039eb7852d2b62d4b580fdbd5cf48da

SHA256
6310fe1b98ae8ed7066d882479380f97066e5f3534767f7e47111d55a3db4d69

SHA512
de31cd24a9fb2abff16e5fbeb2b293bb1473f55578e49a316ccb4f8cb9d6569a5c88510386b7ba72ba1bcb137897bf4abfc9cb765f35b1a9b05f60086789288e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
a71cc812f81ed8cdba54a8bf71feae75

SHA1
f0b2c7080ebd3f2d7a164eae3122aba2421c520d

SHA256
dce547194445ac6886ce63c192ab4404d30ca68fa38f9b3b79a608b1251d0488

SHA512
b1ca1d75c139f823a705ba1792dc761556682fb87eb4196ffde1e1f5b147f2e715c2c2d12a8fca139e6579ea850d720b1a266c031299889c8079f11adac43e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
1ad7f6b0a02973bc32adc7ef02aefa70

SHA1
01669169465ca0c92f4d0d2128e2ff11fcc8fc41

SHA256
841bd6b4aa1f469921e879abaa4b361290b0493d3900d520eae02330fbb4df48

SHA512
a71aae2e13bcc508e1813f1b754c2a8de64b98fcdf41a26784a9fc06b6eb1ae4105b290a48ca1aa7efd8f2b038406bbfb1f63902566b90c410e9712a0bc1e270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
2c67a453fba18a771d8f530d7c1b17e5

SHA1
a4c8ad087634405553d39cedf0bafa790028718a

SHA256
e99bcd3ac9b4c5ceeffe96eb232762100dc0890224dd1a8d828ef5eb111b2e76

SHA512
798d086c983ac8fec6d72f8ad783aac9618a658784b7a4d510f0b11f582a8f525c146f45c9186bd3a95caf29783a26e652fed5549f9756d227e423eb2d9c5659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
9d1b6e7aa7dca5c47dd214d0502ab8c8

SHA1
96153b3e64a0f137e45de3193f3053c0a8d959b7

SHA256
8d1393370ff38710453c4550509206561446ed15833b19a6b01d3d11fadc1de1

SHA512
abfab6d8663f273b9c89939adcd5b8ba090724dcfcdd51531530b92268c33c99ee420fcbbf3b3ba2d30a275c87d5b10512f807a1e9f35f683098dcf7cf2b083d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1022B

MD5
5680e06072e1a642e7f5544c85f5c526

SHA1
e08d0b587d881d29b1249cc2b1c08d95f4afeefe

SHA256
599c2ac5083510f98b540447df2df9d7b831578a6233d31e7bd2342e264735c5

SHA512
bed8093cf88a412260e9d081169ed85d389e0ea9cf1b5aaa3c4f75b273fa1bebd7cca53e07109a20e100755c3690a86fbf4e22b2c66bcf1095dfc85ad4312d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
859cf9cd77c9a6bd5b0af56f08fb5128

SHA1
d62387a78e8a1643ba3117187479da14bce1b65c

SHA256
d16c0bd72e9deb73d2e3a40eb21ac668477363c33e58765884b1663324a4eb05

SHA512
e60f5d7000507794a20316c7110fbee3f1d9b02efdba877bec150d5d63939eff3aa9fbba758709a8094c65a083b158840563a8e8399b64e16a077d12a1cb8fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
31e362e6ff32916acf20bb90b1a76400

SHA1
5f8e8c5872a3e631a84e01f0ce3eecf461ad0b1b

SHA256
ed8c578874c92f320496b3059879e90ba04cae98dd9a1c4a0b27f329d100b49b

SHA512
35abafae1d0b1168df1043f22c08267f73ab48625095b591b5f01d3a752e54467fbc9e7da1f6992f55532abb3e6ee0b8e745ab61e497efcf23093988222b856f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
68ed4e8e6a581a146e46292a21d92898

SHA1
8d2826c0306bf580f5ef90697a9878ae018f3fbf

SHA256
64553f320fd538fce6d682419ea729a7ae49e2df141e430d4a96543f67ca1f65

SHA512
a50eaa1573ea132d47f7b7ce57affd825bd5b23d8321dcc33aa0ded4493b7e0b2241d85414c13f7dffd40de9c44dea5432df6669dd3bd4d35a357bf408fd0f72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
100576004e8f82b2bf7e57f9f65b546b

SHA1
032e3f209d51a038e56052507f55a7ccb2c0f977

SHA256
52aa308e505a07f5926c0d5a0272efca5dd0ed6dc56c71d00aee1cbf902b993f

SHA512
4198b926c7466f929632702a95c0f471cd6fd82fa8b32b28fa788ac40ab28686f84e2eb4986908d4df048c6746215ef3835eb810c0d84f1ab1bea4a719774a6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
039f9730bcdf8d225db26c3c6b7c701f

SHA1
810c3f7461e902087dd229a9fc19f96bece08737

SHA256
034a5bbe927d9d43fe1d11d62df346b2284d44d23afee5fe5a91d7f2d49e5ad4

SHA512
80f669c41a75b2cc83e61ad6b3c2654398008b6b4ebfc167809b99bf59c7efb4ff4946321a7d78ce6d12813c8066b0a7fc83c716340b0bb512df054393fc05e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
c009ded126532156f9d4190cdf1f3b62

SHA1
f2adc8e310a227c82defa1aaaeefac5d2d769f1b

SHA256
4d3de4ac434b3089d94eaa584c60ba83fe372a2be34b46cee32c2df686309a61

SHA512
49d6ec679a66cb871f41313abb1520938bb549c27710fc816d99d77afe483d0839b3ea14445fa1b3b396ef2cc85240387d7d987b7366fd737242a901cd49529c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL-journal

Filesize
28KB

MD5
872a89112c4f369de2bdd586cb19e46e

SHA1
ac007fba890581815a9c9525c6e9fa4e60c30281

SHA256
8369d548d2168ecd1e2fb7387e0675e95788128a4afff3e337355af2dcf0a984

SHA512
edcce35d440bbb9636c2623a8e67f2fee5bf39b34693b14aed2a35b8f8fbbe1a5391341b0ba50bae0c502c80c639e182a45b53d4fcdc9545e2396a7584872aca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
194B

MD5
d7d9437445aa960dcea52ffe772822dc

SHA1
c2bbf4ac0732d905d998c4f645fd60f95a675d02

SHA256
4ff49903bec1197017a35995d5c5fc703caf9d496467345d783f754b723d21c1

SHA512
335eb1ba85670550ed1e1e4e14ea4b5d14f8306125bf147a42de4def5e5f75f14c422b014414030cf30378c04f748ac875cf056adda196511a0b057b3598fe9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
be67a5cb65410594a676747b13b3f202

SHA1
d2c9d04b7ba855623d1ec26150b16556a3c9234d

SHA256
dc7ca139cd4e89fe13e456aaff46dc4be448764a1becb9b229e7a6fa3df3a534

SHA512
2b20ca7b812fa252ef5b06f4c899b60518911b233dca952a074c2d47ac54750487cb46f0ec7abc17d17e1b6ba75a9516a76616436d1d3fc746cd0861df6c75c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13376839936106522

Filesize
488B

MD5
8a7359b252516d5475e6952792f50333

SHA1
295f2d51554a06e630cf8a29ff9e0452ab60e437

SHA256
9f88eea83356652c1fc5bffca9ae7385eaf2f6a2c2077bdd4c971a337307deea

SHA512
e3a2bb2d81e07335749be5ef15d0211958b8cf456e981d500b61a990fed08fd4ea04b94981a323e4c98e55ac867218e32b7365b925727d83dd877c15e04f35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13376839936262522

Filesize
933B

MD5
12e9f8aac0c030466bfdeab68763bbf3

SHA1
ff5fa0b4f9d05f072ea90783ba2ad8f8a3147baf

SHA256
18119970b80e97fa7cfcd12409dd0d515675a117d66c33d2c384e34a3a5d1d62

SHA512
fd35a0126a801744d7b1f05d6e980f9868736b55861ede67589ba4ad99847b016a8d5b997cb767a4a38ef66d12a4ec78d2b0368e965bbfa1b1269e27b488a046

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
1e4e0dfed66b06461c1780c68559698a

SHA1
c6c39731d1e8b6913968e83849587ebb1889d11c

SHA256
598803ef5bfb829ff2dce64b9c0e12d0f2b1b7b49d828599cf1b98a3c60053e2

SHA512
dd702eab83ee1f7847e2547c8cee5f21670df8178d97224e83a39f58e9208e2815f7f33d7c22608e5401b457f0552d523af00671fe711952bd9db1bfef450a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
b30a498d76339a2848a88224f21c6f74

SHA1
b02b9f8904897a6eb7f00a7cfc0090735438501e

SHA256
e8b196a62f04062c923be7ee0e8a6b5fb0abe3f26c72716a154be0c9f2dfa500

SHA512
67fc6bdb9f85d4f1f74eb7c5426e282c6b2b2aebea81aa24ca54a775cef9861c36dba191c42eba66737269c6c100d0271b2205d249188fe732cfa8a24159fb45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
14c56532174ce159a0df287a447c3fca

SHA1
ee689d38ece095ecf260b1a9b2934d2b0a7e3dae

SHA256
0249ba95b282b1c3d23a0318ce8ecec40063206ec17ad67f9820a415d55753e1

SHA512
ae38d7708c1918bfc9127ffff7bf0cdcd566d43947f56414ddb06f69ed04a5fc02c7b815249bf3e8dbad0e4cc86076f07e2cb7151355cdf94028362391c605ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
3KB

MD5
b8ea16faefbb3797a0e5f9c857ae77a8

SHA1
54380e8cea2ee79c0427b4d3a49ed1545a2a7ad0

SHA256
31715e0331639fd2fe512f27cc8c0e5be09de650bcfeb96212b284fcfeba0625

SHA512
fe3370835e5b5564a15e2d878c1d3798216a85014bb31569779a8899145c8b1c25f71243e447c2334d7a8202700159539db7591ca45935bd94f70b1f3e8e01c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
5f45db9a5b2a85d919b2976f99910fdc

SHA1
310dc1c60b25440b28f500d01b651831a2ab82f4

SHA256
cf72d99fce9f4a14825d806689c5dd633f8cfc5dd41c0b99d97ccc9a18043da3

SHA512
38313d39738dd42de611b1856c95bf63c31053cabae2b5aa3cc90317369c398cb305f1c303d1d94e8a21bdee2bff2c16124ebe261fb485fc26fd3412bebdd0e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
8b1269ca0d6561c40fd7df7a11c078ec

SHA1
5addb0ca46d7b1c4a8fc18ec64872e5927dae1ce

SHA256
2159591fa848e1afe7e233850149c0a2c7e69c8d8035c2611ce669793173e7c9

SHA512
0e81d3524c39f0134b2920f8b8d784ca37a9d2ebc950346891b45ed422155ef06ce6b7dffd346d7ac2185b79ad5a0c128131291e51a09dfe4b4f2e8a9ba919fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
ebc6c4571af7ad0de4e8bcea34ebf411

SHA1
7c39fd036eddf8a8609fb73505b0bfea5c56ec8d

SHA256
9672d84fc67344ed47cbbe50e01ce416cdd7f60a77d53b045017b3df71899bc2

SHA512
eeab6c13e28fb99b9a45ec9ad883e1b55319df7bf676b5c3760329b9f186d7fc520d6b14c6e71589047fc3e5ef34b2b1a2424a88b7b30e7ec3dae940fae899fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
16d4d591e9c6b93257c3dbf59ece3e29

SHA1
eefa87faf28519c302c3b1abddc19ff819dca3c3

SHA256
91a87b767a6590105d5f5501926cb1694dd4a15a7985a6acc92707fd3a9168da

SHA512
bdd9dd5873d5412b3f2be8db82df5f21862cce4f8b54aad4a467fb440732cf2a4ab9e907d5ea3761a94d0908a7dce20df734d38702c7eb96336dd288a634a4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
bc0c577a97fa097cde35c4d044e07478

SHA1
211eae628a74a91880c0a7571ae8be6f85b8f543

SHA256
3f614f42678b028e002c75ac1c983d3b8f942c75f03a810ae84706bf4a5589d6

SHA512
ff73ec2b5b470d260a188dbfe6a207e33a581fad55bf02e55db6eb4ba949617a972a13593cfd0f01e71bb087d21e26e143284e1877bfc3d1fbd02a8f9f0f3bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
6c39e99c30a7cb0c2866fca4de1dc4aa

SHA1
81e92bebc2f659cf3efa77dc1c0d3da476277d8c

SHA256
2b01d331b7b814554d1dd18c8b0413481c3ce06e0907aeeb5bc4a4dbbdd05120

SHA512
12f605275b076a9beedf0609f73dc898a49fdea761500c12e28343f324ba1cf5aceaf30bb7f227ec6f53adf1da5939c4119308e52c0e6a1d33c53ac01ed0c40f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0442eba6b876a9881dd29075a1ddee04

SHA1
fe26e9ad2dd4c923955af76d3cb196a891369345

SHA256
a76f096b7bebcade48f57df72db8302aa703fed69f503238309dfdd097a805eb

SHA512
f2853aaa611cdb9b76bfca19d3abc5ba559e1958cec3da2dce3ba0ea89ed6e2348cb946cc133837e4f9aa509bf8d6e1e69bc1835cc6969bf2231ea7e34ab30d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
de65f6a4f2e9152fa24b40f11a298a05

SHA1
dfe5606d588723632e04513e26cecb4a9e5b14c0

SHA256
31ff6035c3d6443c63a8669011648f78766da4c5eb69a59dacb13cb83677ad5e

SHA512
9ed8765a469e8f7f7d9f80038f2f15ec54f680c6ad952f446f07f5c44e940c0a2242ba79b22f3841fc4065d1a8a2588575940fd87b5c033e4d08708cfd3bbe21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
9406efb8585f4c68700426f94887d39b

SHA1
8a01aae3938096d1a680e96f9a3cfb73ef99b03c

SHA256
1abb8f9f07198cf1adda116de68a2fa1ef1c136bf0a38d25d0d9289264a51106

SHA512
5701f0a0065e87325136c9d90fdc21324dbde27a49d434acc2bf09141eb54ca79fad60dfb79889e5a13dd935ae1b8ce8e2fb9f4396c27a8840e1e0416769addf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
34d425e6c449db23a46383ff50edfea9

SHA1
bdf3f213251c90a1256ad30913d946383e2fd76f

SHA256
aa8a0c945673aa04de7b8341ea599f6ab1c99f32be37311ea2e06f0335f048ad

SHA512
2453b9115237b935b6c3bcc266e22fc96912fb0d0ac8bdba169fa72eb623732d731fda52bd867ce08e50ad575e657cdae0ecdacb10455d29f6adbcbba74e852c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleaner.exe

Filesize
3.6MB

MD5
f96eb2236970fb3ea97101b923af4228

SHA1
e0eed80f1054acbf5389a7b8860a4503dd3e184a

SHA256
46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

SHA512
2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

Download Submit
C:\Users\Admin\Downloads\Release.zip

Filesize
929KB

MD5
177cb0f1fd9f7f008b8e89d0475b9f01

SHA1
1aee2f2bb6fe4aa706ec062232d9fb3ba69ecf12

SHA256
bf12c79ac843b58a8eb30d1d6917ff2a06e28610b47f4b582652bc73d4dc86cc

SHA512
ac87ba087a22a9875685796665019c551f978b9121d70e236b23d47a3859903e57cc633f95a35b29ec85044e60c49773c3544589f5912923efcd064dfade6c76

Download Submit
\??\pipe\LOCAL\crashpad_636_JBZISODFINYWTBFT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/392-174-0x0000000005ED0000-0x00000000060E4000-memory.dmp

Filesize
2.1MB

Download
memory/392-172-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/392-171-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/392-170-0x00000000009B0000-0x00000000009EE000-memory.dmp

Filesize
248KB

Download
memory/392-173-0x00000000053F0000-0x00000000053FA000-memory.dmp

Filesize
40KB

Download
memory/1484-186-0x00007FF602950000-0x00007FF6032F2000-memory.dmp

Filesize
9.6MB

Download
memory/1484-185-0x00007FF602950000-0x00007FF6032F2000-memory.dmp

Filesize
9.6MB

Download
memory/1484-184-0x00007FF602950000-0x00007FF6032F2000-memory.dmp

Filesize
9.6MB

Download
memory/1484-182-0x00007FF602950000-0x00007FF6032F2000-memory.dmp

Filesize
9.6MB

Download
memory/1484-187-0x00007FF602950000-0x00007FF6032F2000-memory.dmp

Filesize
9.6MB

Download
memory/1484-343-0x00007FF602950000-0x00007FF6032F2000-memory.dmp

Filesize
9.6MB

Download