Analysis

  • max time kernel
    115s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2024 10:08

General

  • Target

    https://github.com/Viper4K/malware/blob/master/Hotbest/hotbest.exe

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Hawkeye family
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Viper4K/malware/blob/master/Hotbest/hotbest.exe
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb397546f8,0x7ffb39754708,0x7ffb39754718
      2⤵
        PID:4860
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
        2⤵
          PID:1824
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3268
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
          2⤵
            PID:4092
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
            2⤵
              PID:612
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
              2⤵
                PID:3616
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
                2⤵
                  PID:4412
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2908
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5624 /prefetch:8
                  2⤵
                    PID:4032
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
                    2⤵
                      PID:2236
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6032 /prefetch:8
                      2⤵
                        PID:3240
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4044
                      • C:\Users\Admin\Downloads\hotbest.exe
                        "C:\Users\Admin\Downloads\hotbest.exe"
                        2⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:5004
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
                          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
                          3⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5100
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:1300
                            • C:\Windows\SysWOW64\reg.exe
                              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
                              5⤵
                              • System Location Discovery: System Language Discovery
                              PID:4168
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\imzbclcl.cmdline"
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:5140
                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF4F56DF4894E4F4E984DB425FD64B1FD.TMP"
                              5⤵
                              • System Location Discovery: System Language Discovery
                              PID:5208
                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe"
                            4⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            PID:5256
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
                              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -f "C:\Users\Admin\AppData\Local\Temp\Mail.txt"
                              5⤵
                              • Executes dropped EXE
                              • Accesses Microsoft Outlook accounts
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5568
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
                              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -f "C:\Users\Admin\AppData\Local\Temp\Web.txt"
                              5⤵
                              • Executes dropped EXE
                              PID:6000
                          • C:\Users\Admin\AppData\Local\Temp\spoolsc.exe
                            "C:\Users\Admin\AppData\Local\Temp\spoolsc.exe" -n
                            4⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5372
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
                              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5684
                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe"
                                6⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of SetWindowsHookEx
                                PID:1884
                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
                                  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -f "C:\Users\Admin\AppData\Local\Temp\Mail.txt"
                                  7⤵
                                  • Executes dropped EXE
                                  PID:5712
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
                              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
                              5⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1644
                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe"
                                6⤵
                                • Executes dropped EXE
                                PID:6032
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
                        2⤵
                          PID:6116
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2252 /prefetch:1
                          2⤵
                            PID:6124
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
                            2⤵
                              PID:5176
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
                              2⤵
                                PID:5168
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4580
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:1276
                                • C:\Windows\system32\taskmgr.exe
                                  "C:\Windows\system32\taskmgr.exe" /4
                                  1⤵
                                  • Checks SCSI registry key(s)
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  PID:5784
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:1780

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    56a4f78e21616a6e19da57228569489b

                                    SHA1

                                    21bfabbfc294d5f2aa1da825c5590d760483bc76

                                    SHA256

                                    d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

                                    SHA512

                                    c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    e443ee4336fcf13c698b8ab5f3c173d0

                                    SHA1

                                    9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

                                    SHA256

                                    79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

                                    SHA512

                                    cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                    Filesize

                                    1KB

                                    MD5

                                    acd733f58bf155a1bf140b2bf7643bbe

                                    SHA1

                                    04fb61e4097f7f0743ccc135b4db45e30f65205f

                                    SHA256

                                    59d77e3784bd27c65551056009ca85b493e021659983c8dacf033b41be3d4c00

                                    SHA512

                                    358595d389b70f3cadb44f9b632afb526f57431c4c24ee3958bd1922458904772c920c2b72f784fc4b676632abc3b6c6ffb59daa6ef1370b9c34c509dcef70f7

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                    Filesize

                                    579B

                                    MD5

                                    46fa4f5f7344089589d117bd7599b3a9

                                    SHA1

                                    b6cc1fe19e527d4a372c97e4d195ed94eee40030

                                    SHA256

                                    223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

                                    SHA512

                                    6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    92b347c31fc156e25da64eba8ee76297

                                    SHA1

                                    eb1cc9a01940acbbf5fafea4d03e8ace1917724d

                                    SHA256

                                    d388680ff3de951d6b7ede2d71c961b249b708b71d8ce909568610a088984fc1

                                    SHA512

                                    490939555cf8895d2a2f3ee3400515efc1ce55b7fe6cbe0681ff7e8311787c9fcf25d5cf0888a86109a0b62e495483e7cd6a4c46314f14f7e4a9572496b7d01e

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    0a76dd73744d0e38f05ed2fee6c081a0

                                    SHA1

                                    835d82accc81e48616c4604b05590e2711537ee0

                                    SHA256

                                    47a9b76b85eeef07eb4a5439b01e8207f44989f75f0f0a8f7c50a5f83c3cfd42

                                    SHA512

                                    7ab7dff97da0b9e434a41b4caa4759627454ab2a27829dfe7c19f31a8336d431d8e21477453318e2fef345a44e6102e753d786af6f2bcc7821e2eccb38fef81f

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                    Filesize

                                    1KB

                                    MD5

                                    10827b3563e7ae55bb1dce0ca0832b37

                                    SHA1

                                    3279c57d76924b8a0692b3589c17e7c9f9bf59ef

                                    SHA256

                                    7420c7785a572510f8096a1bb16a3f85c9a6bdfd9966c7b98381a52dd70f96fa

                                    SHA512

                                    5dd4d447a4ef8b2c15e2921f4aa22807bc6d8eb17f37914123e9c34884bac52c03af20dfee50d1c154061f712d40d4285f590c0b2e2d2bd0bef1d53963f3bb79

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                    Filesize

                                    1KB

                                    MD5

                                    1139f7312ca390a8adae1293e0007edd

                                    SHA1

                                    bec6f6a9b8bf13b6672d1ece9bcb08cf9ed53672

                                    SHA256

                                    a4322d2ed0f0c5ba007157b8b97e52aad95cf2075f954e1e83d3c69fc4d5409c

                                    SHA512

                                    ae6d07d92c76cd0e668bb2ad3eeaeb3e60a889eabd985b30d97ad0eb3ed6dbc5d2420662d1902783fd5ebb9553404410be0d1e5809889b2bb830d3d5c19b6ac2

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58176b.TMP

                                    Filesize

                                    1KB

                                    MD5

                                    878edd33e460e5af814b54fa2700c142

                                    SHA1

                                    ea51eb805f85fb9e6dc5ab9933d26fc07c71487e

                                    SHA256

                                    67060ae5963317050d835fa533f92fb9cda8d20b5d9a9bc7156fcbfaa9862ae8

                                    SHA512

                                    9c8f2a184fdeb2b337ec433532e74d5896d9d10845f4052d941611319ab52a0d518cbfffc48c4c70d7607efcfab67f55ed63881283dab250e21843bb2efe6933

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    bcc132bceeac78d8c4f9f4bfeb6f90e5

                                    SHA1

                                    bf4f24eaed73de93cdd5721c327de51cc651dbe1

                                    SHA256

                                    a8d08e125934e016d2a0193634cc32e4aab152ee86f3bb951b74c7835fe611c2

                                    SHA512

                                    5e815f7fb3fa4c6cb92ac8adc74dae16652e3c5bed11bbe1d189acd3bbb79e155b7a15af95bfee5562ed5022b1d4cf333d2881e3e82319ae3b19e8bae7f48ac2

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    11KB

                                    MD5

                                    c15ddb68a238ae0e2a87fb2517a4f95b

                                    SHA1

                                    4ea904c5f3510773cd83074bd6a047b2e9219444

                                    SHA256

                                    5aeaafa31f57d45d8e3e2ca5e0b2d7372e490bbc59bcd6290b0041d79c5d889d

                                    SHA512

                                    1ec9a54cc38860269a82de7e55a9e8dda151cd7747e626003c49be8fe0ce5afa1d55a38764dd9a1d6650d80a116bdf55c8ff70c1498c5796c9663c34458359a8

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    11KB

                                    MD5

                                    291e6694a3a22e99e7c795aae3a9df43

                                    SHA1

                                    95bca371e1206497c455dd2e4fef4ec5ec1b04ef

                                    SHA256

                                    da88cc06e418c630b2b9cd34c490296fcf648a7f1297b5ffb330425b9c0f8167

                                    SHA512

                                    dd9900ffcec8424ae46dfc6dbe39b1aa83ebf09fa49d69b66b8d785d6b96a71072632a95d721fe1630e22b211a71573bc82cbc10dce3104221a67b4341452c1f

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    3d7daa3df68eb79aa6c04d030e0ae4d4

                                    SHA1

                                    c6f948a46b4d73099e0503765de843c8892ec379

                                    SHA256

                                    1062e3170900f4385c4a01bd2a53c1caeee46f38816369c922bf41ee2f88332d

                                    SHA512

                                    b29475106c92cd4205180938a1c653ffde22c61fc9d95b6b2f99e17b22b95afd2f7272fbe19a043308c213879513ed066eba5efa5f1bc8c4f2d03261710910fa

                                  • C:\Users\Admin\AppData\Local\Temp\Mail.txt

                                    Filesize

                                    267B

                                    MD5

                                    c114ca9951083036225f8685229961c5

                                    SHA1

                                    87c68a210524e95f774cdfff35385cf966c11c9c

                                    SHA256

                                    6f5af57d51603a4f304a1cc68c3baacb3344d265f5fce727b1bb19340ff5dd02

                                    SHA512

                                    68b3df07358f38bc8083fd705d114cfe81209083fbf38ad69389149e84a2ae51a32cb334735aa1ff97d054f9a0fcbc60245eece267d5e286f92f5f4e795c0011

                                  • C:\Users\Admin\AppData\Local\Temp\RESDFD1.tmp

                                    Filesize

                                    1KB

                                    MD5

                                    5a2bb13d6b1d1bf2fe875a418869441c

                                    SHA1

                                    4b4f52632fe1c12f19e2e1c678148a2b092dc5cc

                                    SHA256

                                    9c77149f45414b18a462c44a22355630e6b40660a533c51d91787a52c1772d63

                                    SHA512

                                    edf05849326d48a54e75e0d18602b1dfb7a2901621bf8c98b492e7ce1d95f64c92900267c1110c838332220df6c3e866367d660b198e3f0b49a97a0dc539b7ae

                                  • C:\Users\Admin\AppData\Local\Temp\imzbclcl.0.vb

                                    Filesize

                                    3KB

                                    MD5

                                    e40446114fd3a07083f484e14fcba4c4

                                    SHA1

                                    086fcf1aac441cbb6f59fa079b506aabb94a493c

                                    SHA256

                                    ec6b3348f5b776c8adaba5b50714667f393c693d1839bccf01385f7094d6c9ac

                                    SHA512

                                    4143d482b15938b44505f5e5ecba5c0080f83d8c29b84f4e93819afd5da1bf37327f16911ff1ace253b9167c514bf5422f1c85fa72cdbe7892180fe22e9b5cc1

                                  • C:\Users\Admin\AppData\Local\Temp\imzbclcl.cmdline

                                    Filesize

                                    224B

                                    MD5

                                    374e25ba7721b2bd3106a3581609c62c

                                    SHA1

                                    a5b9e99b1a4f3fb17b88d1c891eebcf007cefbc7

                                    SHA256

                                    e1508cbe7af0f8ddd79ca0bd7b7db53562d5634967fc997107d4793f5d05a0de

                                    SHA512

                                    b583a9f1ba0a68dca4d9516453aaecac9e0d0add6b183be301208971e74dde32bbe67e8c72792048e211d963c38fa4b3d02efe1aa41f1407dc1f3929817cc273

                                  • C:\Users\Admin\AppData\Local\Temp\spoolsc.exe

                                    Filesize

                                    8KB

                                    MD5

                                    e65d00efb7f6a5566924c5fc5ab7e2c6

                                    SHA1

                                    1c04d62e2558e485b931b117862c846ac78c0b7f

                                    SHA256

                                    1e530aa440929261891b134c30039c5dbf2ecd7dbdbc9c43ee295ee0aafc4fdd

                                    SHA512

                                    c98b593198669cb5b5974243ae57e398b0117a73417e57a4e72d40193433c107f1479d787220ac6f41d50c95d227f0c20a3849fbccb554c3848aa3f6efc5f295

                                  • C:\Users\Admin\AppData\Local\Temp\vbcF4F56DF4894E4F4E984DB425FD64B1FD.TMP

                                    Filesize

                                    964B

                                    MD5

                                    52d9c8ba23ef6a3c6542be3c34f9adbf

                                    SHA1

                                    3bf7b4f0ba7ac08798c5f5c52d119f79c26017d3

                                    SHA256

                                    e7c06aca847231b51e5303b631cf78f34cd2fcb074a239267bc737258f6a5e9b

                                    SHA512

                                    6dc22e583b418ca4da2cb996f3bc1e18127d3849ca3fd175f580d34768e32eb12a3f4675a2a346b324e72845b870d42fa6397d2aeab305dd08a2eac9f3fe57a0

                                  • C:\Users\Admin\AppData\Roaming\pid.txt

                                    Filesize

                                    4B

                                    MD5

                                    8819159f9246232ed1299a7414448ab4

                                    SHA1

                                    4ac7f0107ada07797a925b4d27ea601359cddf1d

                                    SHA256

                                    6c6be40c2a563b401324a4e221da74080d0f4fd9425aaf18a771ede47c3109c0

                                    SHA512

                                    0cdf1bd9d2b98d3e1d248dfee82c69e8bf169062b0e015ba3238fb840d8d435097a639a291d04d17a89e67be11db34dbbf560c64bbfc7e22b458f16a56f00303

                                  • C:\Users\Admin\AppData\Roaming\pidloc.txt

                                    Filesize

                                    76B

                                    MD5

                                    69275d427c2c6d00d029ffb971798f3e

                                    SHA1

                                    1f7c3f5f55c97cc3013bae5ed4d10d526c147e9e

                                    SHA256

                                    3a6f6356af22109ac68f3a13ef149c8ddbb5457cbfd0f867a6600e196121c5b6

                                    SHA512

                                    012fa24d8d75f6a3a4ec43628077a9454809bfadba3e00ae5a6da2fcf10a77fd24d349f46bb7a054e9e9084eb8f70a51080affaf879c38fb7c55dc3e75b74980

                                  • C:\Users\Admin\Downloads\Unconfirmed 922103.crdownload

                                    Filesize

                                    572KB

                                    MD5

                                    6c9177754244a999e36b838622c8b3a4

                                    SHA1

                                    449df07d92f65d20dfffb60124e6123c5a85c491

                                    SHA256

                                    dcb7d0214c7253a6acfe023f50e9bdf6f7586e15935037ef85f93024fa1115d5

                                    SHA512

                                    4ff43bc990248d5fd043551244e00daf0988b973246b234413ef82d9a9a74c822353ddb00235709e594c9211e7df692fae73e9a6be8d024b1b661ba0f8d59b34

                                  • memory/5256-210-0x0000000000400000-0x00000000004A8000-memory.dmp

                                    Filesize

                                    672KB

                                  • memory/5372-216-0x000000001BE30000-0x000000001BED6000-memory.dmp

                                    Filesize

                                    664KB

                                  • memory/5568-236-0x0000000000400000-0x0000000000422000-memory.dmp

                                    Filesize

                                    136KB

                                  • memory/5568-238-0x0000000000400000-0x0000000000422000-memory.dmp

                                    Filesize

                                    136KB

                                  • memory/5568-234-0x0000000000400000-0x0000000000422000-memory.dmp

                                    Filesize

                                    136KB

                                  • memory/5784-273-0x000002180F370000-0x000002180F371000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/5784-272-0x000002180F370000-0x000002180F371000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/5784-271-0x000002180F370000-0x000002180F371000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/5784-270-0x000002180F370000-0x000002180F371000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/5784-269-0x000002180F370000-0x000002180F371000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/5784-274-0x000002180F370000-0x000002180F371000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/5784-268-0x000002180F370000-0x000002180F371000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/5784-263-0x000002180F370000-0x000002180F371000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/5784-264-0x000002180F370000-0x000002180F371000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/5784-262-0x000002180F370000-0x000002180F371000-memory.dmp

                                    Filesize

                                    4KB