asyncrat | 36ae29df569363f2ab310bbfab894f449c530f8b1f0320f42714cb26cd744750

Analysis

max time kernel
899s
max time network
829s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-01-2025 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Petya and GoldenEye BUILDER.exe
Size

258KB
MD5

fe311cbf28e46b0bbfbd7e848ac6867b
SHA1

14b231291b8370fa08da5fec80cf96ac713971f6
SHA256

36ae29df569363f2ab310bbfab894f449c530f8b1f0320f42714cb26cd744750
SHA512

8835a89c2f52ef10e5363c5caf9cebb94f3402a8d37aa0460f95307b6e3f626c5ced6220e92a6fa875b9dffe118ac15adcd8d01a5771c8d2cd951966e7571838
SSDEEP

1536:EbJWf9d1f5oua8byL76pmqMQoXhVN4aooJhDCSGyfel82WNxK:Ebkf9d1zRGL7NTXh/sEhD4yfdNxK

Score

10^/10

asyncrat default discovery phishing rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

Mutex

ioehvaokzsdfxllja

Attributes

delay
1
install
true
install_file
gg.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
A potential corporate email address has been identified in the URL: 6633dd5dcff475e6fb744426_&@2x.png
phishing

Executes dropped EXE 1 IoCs

pid	Process
3428	VenomRatCracked++++.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
19	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Petya and GoldenEye BUILDER.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2584844841-1405471295-1760131749-1000\{E962C9E0-5220-4239-8241-B5213EF6A1D0}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\login.htm:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\login (1).htm:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\login (2).htm:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\login (3).htm:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\venom+++++++.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1168	msedge.exe
1168	msedge.exe
244	msedge.exe
244	msedge.exe
2088	msedge.exe
2088	msedge.exe
2820	identity_helper.exe
2820	identity_helper.exe
2220	msedge.exe
2220	msedge.exe
4632	msedge.exe
4632	msedge.exe
2292	msedge.exe
2292	msedge.exe
4460	msedge.exe
4460	msedge.exe
236	msedge.exe
236	msedge.exe
1712	msedge.exe
1712	msedge.exe
2116	msedge.exe
2116	msedge.exe
3524	msedge.exe
3524	msedge.exe
2876	msedge.exe
2876	msedge.exe
2812	identity_helper.exe
2812	identity_helper.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3552	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

pid	Process
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: 33	3332	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3332	AUDIODG.EXE
Token: SeRestorePrivilege	2128	7zG.exe
Token: 35	2128	7zG.exe
Token: SeSecurityPrivilege	2128	7zG.exe
Token: SeSecurityPrivilege	2128	7zG.exe
Token: SeDebugPrivilege	3428	VenomRatCracked++++.exe
Token: SeIncreaseQuotaPrivilege	3428	VenomRatCracked++++.exe
Token: SeSecurityPrivilege	3428	VenomRatCracked++++.exe
Token: SeTakeOwnershipPrivilege	3428	VenomRatCracked++++.exe
Token: SeLoadDriverPrivilege	3428	VenomRatCracked++++.exe
Token: SeSystemProfilePrivilege	3428	VenomRatCracked++++.exe
Token: SeSystemtimePrivilege	3428	VenomRatCracked++++.exe
Token: SeProfSingleProcessPrivilege	3428	VenomRatCracked++++.exe
Token: SeIncBasePriorityPrivilege	3428	VenomRatCracked++++.exe
Token: SeCreatePagefilePrivilege	3428	VenomRatCracked++++.exe
Token: SeBackupPrivilege	3428	VenomRatCracked++++.exe
Token: SeRestorePrivilege	3428	VenomRatCracked++++.exe
Token: SeShutdownPrivilege	3428	VenomRatCracked++++.exe
Token: SeDebugPrivilege	3428	VenomRatCracked++++.exe
Token: SeSystemEnvironmentPrivilege	3428	VenomRatCracked++++.exe
Token: SeRemoteShutdownPrivilege	3428	VenomRatCracked++++.exe
Token: SeUndockPrivilege	3428	VenomRatCracked++++.exe
Token: SeManageVolumePrivilege	3428	VenomRatCracked++++.exe
Token: 33	3428	VenomRatCracked++++.exe
Token: 34	3428	VenomRatCracked++++.exe
Token: 35	3428	VenomRatCracked++++.exe
Token: 36	3428	VenomRatCracked++++.exe
Token: SeIncreaseQuotaPrivilege	3428	VenomRatCracked++++.exe
Token: SeSecurityPrivilege	3428	VenomRatCracked++++.exe
Token: SeTakeOwnershipPrivilege	3428	VenomRatCracked++++.exe
Token: SeLoadDriverPrivilege	3428	VenomRatCracked++++.exe
Token: SeSystemProfilePrivilege	3428	VenomRatCracked++++.exe
Token: SeSystemtimePrivilege	3428	VenomRatCracked++++.exe
Token: SeProfSingleProcessPrivilege	3428	VenomRatCracked++++.exe
Token: SeIncBasePriorityPrivilege	3428	VenomRatCracked++++.exe
Token: SeCreatePagefilePrivilege	3428	VenomRatCracked++++.exe
Token: SeBackupPrivilege	3428	VenomRatCracked++++.exe
Token: SeRestorePrivilege	3428	VenomRatCracked++++.exe
Token: SeShutdownPrivilege	3428	VenomRatCracked++++.exe
Token: SeDebugPrivilege	3428	VenomRatCracked++++.exe
Token: SeSystemEnvironmentPrivilege	3428	VenomRatCracked++++.exe
Token: SeRemoteShutdownPrivilege	3428	VenomRatCracked++++.exe
Token: SeUndockPrivilege	3428	VenomRatCracked++++.exe
Token: SeManageVolumePrivilege	3428	VenomRatCracked++++.exe
Token: 33	3428	VenomRatCracked++++.exe
Token: 34	3428	VenomRatCracked++++.exe
Token: 35	3428	VenomRatCracked++++.exe
Token: 36	3428	VenomRatCracked++++.exe
Token: SeDebugPrivilege	3552	Taskmgr.exe
Token: SeSystemProfilePrivilege	3552	Taskmgr.exe
Token: SeCreateGlobalPrivilege	3552	Taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe
3552	Taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3120	1168	msedge.exe	81
PID 1168 wrote to memory of 3120	1168	msedge.exe	81
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 5116	1168	msedge.exe	82
PID 1168 wrote to memory of 244	1168	msedge.exe	83
PID 1168 wrote to memory of 244	1168	msedge.exe	83
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84
PID 1168 wrote to memory of 4528	1168	msedge.exe	84

C:\Users\Admin\AppData\Local\Temp\Petya and GoldenEye BUILDER.exe
"C:\Users\Admin\AppData\Local\Temp\Petya and GoldenEye BUILDER.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc67443cb8,0x7ffc67443cc8,0x7ffc67443cd8
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1628 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,3562217614729692847,4913810509226698117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7828 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc67443cb8,0x7ffc67443cc8,0x7ffc67443cd8
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4985123333759183347,1473084909190711276,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1096 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1696

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap5052:86:7zEvent140
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Users\Admin\Downloads\venom+++++++\VenomRatCracked++++.exe
"C:\Users\Admin\Downloads\venom+++++++\VenomRatCracked++++.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\HideStart.bat" "
1⤵
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\HideStart.bat" "
1⤵
PID:484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:2816
- C:\Windows\system32\Taskmgr.exe
  taskmgr
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
243b0c26443e4c20e69971e11076cd99

SHA1
cdb5f45337822fb6ecb18633b3785d8cb9884590

SHA256
f4d3e99dc7bce3de51d47451ca4f329109119e4f106b9166cd1da5171d48ac61

SHA512
14f10c3f4aa986a17842603e20bb78aee6180e43e85cc027f8835b770ebe27c04f4d72779ebad3dc791206496c84ff39952cd8b79fa59d71f03ea695140129f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2b738f73c497356658c446db2fc10268

SHA1
66d26e82276abc9483af685347280bd8f49b27b9

SHA256
a1f8be621c685be4bc35db6d36ae6a95b8217f4834004fde7f4ee9f17da2f96a

SHA512
69cf44d575d0cbba41052b635f4758d943104fdc14c15f0d116c0b617aa04bc6e65d19523029656dbdea49395ac592bd1161f971acbe0af248f3f6c5502a68df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
37KB

MD5
3d6549bf2f38372c054eafb93fa358a9

SHA1
e7a50f91c7ec5d5d896b55fa964f57ee47e11a1b

SHA256
8e401b056dc1eb48d44a01407ceb54372bbc44797d3259069ce96a96dfd8c104

SHA512
4bde638a4111b0d056464ce4fd45861208d1669c117e2632768acd620fcd924ab6384b3133e4baf7d537872166eb50ca48899b3909d9dbf2a111a7713322fad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
31KB

MD5
0df35fd5b91779a0b474ab3f6d9cc863

SHA1
cd7c196fa83c92ece2e35a20613ff4b4be11b648

SHA256
856f1798a2365376a0dc05859a9ffd887d5a8c760d80535f2eeb2f6432507a9d

SHA512
0c5b80925f4196edae88247daed62985b3f50ef10bf2fe8930848a0e81998ff2261b254592b6e8d784666283338c54c5fff4099ece25d24be22ac91a48c31237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
43KB

MD5
58cf2c4759e0d1c563a5d5583f675839

SHA1
5857ae44d10523740ae956ea9a6f5a55f4adcd5f

SHA256
9bbce79ef0bf5c077b55835273dac6ac68016c091d978f0877fb9397ae92b93d

SHA512
4d177af4de0ae32a0bf60069aa3766b8b09887187a11938bd19e4e3b5f8fc0249b3d49c8d41a3fd6baae9b91f354b3dfa32941b71f0a0a8c4f147cad01af06c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
175KB

MD5
7cf1be7696bf689b97230262eade8ad8

SHA1
8eb128f9e3cf364c2fd380eefaa6397f245a1c82

SHA256
a981989aee5d4479ffadf550d9ecff24a4ac829483e3e55c07da3491f84b12ba

SHA512
7d7c7dc08001079d93ef447122dee49abd2b7a84d1619a055ff3e7ec0009261ab6add018560bfd82ed22b29c1915bfd059f02cd83fed2e15e9af05a5d0654e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

Filesize
133KB

MD5
f9bf0f65660d23c6f359d22720fc55ae

SHA1
9fa19ab7ea56165e2138c443816c278d5752dd08

SHA256
426ae06cd942849ab48b84c287c760f3701b603ebcc5c9aaa4a89923ef5f058e

SHA512
436019a96e47848533684a34e3c360f516c29b2aa2473d0a05d50c0fd3ad19eac39df2de12b6ec1c6760493efb5abf58e6a54d32080226fa1765983435634d88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c

Filesize
136KB

MD5
db985aaa3c64f10506d96d876e350d47

SHA1
aad4a93575e59643fed7617e2feb893dd763d801

SHA256
234feb9a8a2c759d00a4959506a3b9cb94c772186a2d117aed973347c7ef1891

SHA512
300d0d35ebb9e27d66489ffb3e5502a4dcd3af032fb0f672d4f004e3846fb795772b6938c99dafed6fad0c25da8412d6f6a7b0221eb2540e84527703db5b7073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d

Filesize
20KB

MD5
66f3cd31cadb165239ba789ddb2e71ec

SHA1
1cbc12aca37e7b5e25f4d06e49e6c87a898b47df

SHA256
6817dfbae770618c3c5b759dea958455b69df2c2f0fbf6c1c98e8dc236049e13

SHA512
9bc2775a86a54ffbf63bb2cb745e6c0961d56c6907f51ff9f5150610bbe5fb653513b6f86a750fe2ee24c6dac7b9a904a5229d8ac2e24c531cfdd08364c42398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f

Filesize
38KB

MD5
7f63813838e283aea62f1a68ef1732c2

SHA1
c855806cb7c3cc1d29546e3e6446732197e25e93

SHA256
440ad8b1449985479bc37265e9912bbf2bf56fe9ffd14709358a8e9c2d5f8e5b

SHA512
aaea9683eb6c4a24107fc0576eb68e9002adb0c58d3b2c88b3f78d833eb24cecdd9ff5c20dabe7438506a44913870a1254416e2c86ec9acbbcc545bf40ea6d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
05af76b319ccd707c7ce061bd68a0932

SHA1
e8d1adf84d667b7e716d677279b15a5bc617d16e

SHA256
3ea6b978008a6bd8456c75d3225944dfbd9e82e1f8249a9d738fe50a45386ee1

SHA512
bfea018a51c133f882a4b84b7cdb22854b955860a8554a5fe8237dfadb01e59622705ec983451070668e248d24b35f2efe376a4bce53f81514dcc2e2937fe371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ff1fd7bc7b066181d9d11e1770589534

SHA1
2fa68f6810901fcb4747ab984addf5673141189a

SHA256
69a4e6417f9b41526bb5b4185b28d466f61dc3a1011b090e9d9a0f7d1b8fb795

SHA512
e6d9f62bac6852f5feea8ecc30eb55a083e41a6a2d88975dd382a87801cdad1b06beacd2df13a0743800fba0503002e1062fdf23d2cf22b33cc45ba9e686a8e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
100KB

MD5
7e650c61238eb6aa0ff5fdc815bf119f

SHA1
07363c2a248db549b9bc2feb9f2802129deac30a

SHA256
c99fc5a4d6b087fa81a690fa3f9a0bc3a7aecb6fffc80e3662c3af67649bc6a2

SHA512
7eadcd70b838ad1719f03e33ba892e18d82f97ce0dc375b7746e14dea6686fab1f359adc969c134f0121a3527ba6c4eac7bdf57e2beb27e1e91749d5ddcb9b01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
88523bb50f6ab2ec502c863b86406fea

SHA1
bb3280b563c29741bb4edb7726a85f667f99bd4b

SHA256
d2733370274f7bc8d94ecb4e646719629b573d6446be674216ba698b10f14382

SHA512
b5daaeae459cf1b1bf1ace7c8241e5a08a38036ecfcb32009b02539a7911201f347353045d24dd865335356e1ca15b6a4eeccce1a3bc2293b25cb56797622f36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
878776b6d46efb0358fd87618cffc1dc

SHA1
ed44286f07b3cfd54448537dcd54c1cf0c36f11f

SHA256
2ad61dce0cd97c4fabfc8454acddadfea77348effe8672c4b05c22b6ae0b2863

SHA512
0e8d2ebfd30484c6db8521018dab5c777c4b5aea78773e1f47ec6432b5c05fc6b9d46ea9507d2761a61bd1a606db7a15120b2d811ce416ea161a528e620e6de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
c58bf425f664d1745a8ec7d6a22daddd

SHA1
2cabce197b2d1fb5b1eeb74855fb3cf0d43ceb8f

SHA256
c278623e995f64a5412b1be56bf16bd22879e19ca308fb2d7b3653a40e694139

SHA512
94e62d04ec6b4917111e717fcb0f1caa0d9286640f464a4bd581531d6ef7bc93296f713c8f0ec83ac14ebe0cd79ba7fbd0bb56e34d37a2934c7f1124f78e8eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Filesize
46KB

MD5
42ddef2342bc49eed23882da8f9f346b

SHA1
60c7fef5998b1bf37d501c5add734529461c1a5e

SHA256
09d46f625f87e80081483d774873509111f29c98ed237db783a5b6115c267537

SHA512
186bfd5ce8cc1c1048ecf22ea59f34269e832e6a01dce2abdc2c01e5e6193a5bcd3ec3c0b25e9df341e4ccb9e7d55d5f9bd39ae3e5e7b26aba3e1ca08c638339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Media History

Filesize
76KB

MD5
ce180d49bcda6b664bc8944ce3e01d4e

SHA1
af200e4dace699212d84fb2f6641d8e0098573b2

SHA256
6617caf526cf98b717d30e5fe64ef9ddd99876a9805764ce3fe05b0ea6d8c82d

SHA512
43b42ddc9f0e7798b481b47f4ca9da360d357a6d72a1982a7531c1cae31ef75132b07f754bf915e4c096f162d024c871a23d36988b2fb93e703f86fa99fa270a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7fa755879bdf9b1c56b2735b54c68f93

SHA1
78e3d7d75c570b7c8e5978b3760a67811f047735

SHA256
4c5565c28d6d1cae19fe87d35c72921996d4d26d0ae3c90933a407adc5b3f44c

SHA512
b11314ebaf80518ef0f4a79bed29dd8a157d2bce19476992421a4a7876173a172d8c54632a68e6a66640b417a2475243a2110811c9e060efbf57b66761acdc1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
48c3ba40d26ba8db51b54b7d96ed37f0

SHA1
8d169e31b908628e476461856f0cf1d9829fc666

SHA256
4955de23da98fb130de7594d38345c8fb5cd1428e999c0edbf374023f5f4b6a3

SHA512
bdc93d916eaf3fa7551dce7a34e333dea6fd3b3d766d01cb8017a55a1fb1c3b6e204d7ad43782ba944e3a64f70a71b9170c4ced57d846bd347cb8a881e9736c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b856488e59ec8a6b8fb44292a7bebed3

SHA1
33f85fdd5fcd09f9f757020e2332fbeaf12fac85

SHA256
b8fff683e76742d3af84114529100a43b3f40b3ea4936e2fc9699c527f6970ea

SHA512
9f7ad4e9f01133797530af56c3d1173066af23ec1bbd8ed718b3910b0e673e5db0a706f1852cd86a05975e07624d276f9c79d28bf6831ef667ca6ed03ef842a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8c39a1131787d351427d461ecd5fe9b

SHA1
9481e0927925baec82eb8b99681642e02e188e8c

SHA256
ad56fbae1d613812045b7e881d11d596c84012db76e54b69a1b5673b9e6213d6

SHA512
073b5781d727f18f233c8f716345ce8311c4a1761f8c3d7a414f4f2c4fc62cea3bb3c9b8353781c90b66f025df5d22ae0d4820bd7e6564d48c636c230d5d5707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1972d745f6584661c10ff109d5ad93e2

SHA1
681906b035d90b7bfb5be028ab8dff5955da5669

SHA256
4f9404ef37daec57931e717002ed150ae47c2de1985f1a9b8bb540918e11a886

SHA512
f317ecee86aeb246dd97db3f0d883ed2ff251eb4bd78d3e3a719c54973e53817b2c61d3edee7d80657b818bed7fc563c8ddf9ce9dfe633d87b6da489a07380eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea90a6761ca60cbeceea2679ef1ac84e

SHA1
d13c55358a296af5851c2faf064dff1d0c891eaf

SHA256
0ba3852073f4bb8e3934234e91db71ba7801c332570287128e9494aba62002c2

SHA512
329310027db32fa24cfa920c74e381cafd27c139b355ad34af0988968afd676127547a6d04daae6cf30e4c2335f62fdd23ded84037fbe04973dbe884a2219c78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
270bea31e780ad252d065ed7b7333b96

SHA1
3df1043740752fff65dac8b346effc1019b5c131

SHA256
4304ea9891b5fa14b946f975190af429267e0fe672341c613a07af8210d515bc

SHA512
d6a3c59f07fca08b6f197a346aa5dd25daff45041bb8734b29ae58df8753acd1233f5b4649de902026a8db71dc799cfc89aa0fbc20627d64d3f6bd2565de609c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
adeda55c2b707b2d03c557cb843a6ddf

SHA1
99c8a286afbc10dd2e8da5610a2e46e56cc0ab6e

SHA256
bc934156a9d71849bba844b5953d3d313a7658a503eefba04431fd71de1b823a

SHA512
6232da7d5e6ff7f9fc639fadfb87d1751379e4165bcc2ed2c27bb11f65be9dfdb6ef231ea46adb1adf76c93aa7c57154537a753d302f0d4c3fc75bbdcbde1977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
342b32fe1859c26df54dbc1e5329b370

SHA1
0c8510948276f9c9f681057076fbf10741d7f46e

SHA256
cc19bedeaa83d0fcaea603513858fb0ccc5d74f32f73b039f2178ac5b48cecc4

SHA512
f0c60a14ab5d234f286ad628aa5d7a579efe4add0cf98256aefffbb0ac793a40a42dbe4156e90221f16270d5a1fa3f058951b02ebe400bdb4a66d5f32961b642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13380193385746136

Filesize
9KB

MD5
2ebaf9275fa48e47c3be992b18c512c2

SHA1
1c817191b40867b1c8639334bd4db577cc730392

SHA256
8baf45e9240471ba108e86b01372b6cf9d01eff027b414331f5653ca49994f30

SHA512
0b481f7cad03975ccee4db9cabba7aa7ae4387683ac130378cf9247f9b4476f2c5f0bd3391441b8ed8a2b06de7ea646f51216633bd4a95d2b83b1cf6bc93e151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
e14d2c6af55283e0f17506e528c790e4

SHA1
d7eb16cf12db7610d03ba8871c2b9789308ebdb9

SHA256
32fec817ddfe3aa4a2cebad5fc783fe68aed50d44f193edd9f52197c19b1fba2

SHA512
10f3c5dc486afb6196c7d82d25804d23e35251f90ddd8d03d335df7674cbb9c38e078247d514c6f98f607cf207246dbe239cfb435c35da859b5d5e047fc277be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
0135ff7b865e336c1b5be255f9e83f1b

SHA1
ebcd3789863cd805c91030be5e532636f41039f7

SHA256
f6a881620ddfbbe40628fdf0a4f9274216da2942d02e20917ecee0502378a4f9

SHA512
f4b3b68f1bd1c1a3504d0f2c3d40df039e6be4338af679e7a29f46e2c4bdd0447d3b644a68ab1ab78ef2fe17883d902315b1d98369f09c0e6a25d04cb4b4acd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
dec92a34f6277a266a56944f0f88a38c

SHA1
c4eae57d7dcdfbb7cfd5ffa6c8b9c4603880ed67

SHA256
6938e53f88a8862c23bfa4062a0dd76c84e7203bca2dbbfaec4d5fae4c3eb4e8

SHA512
634da60cf63445586d407a2fa5acb6012e12c12c0c0e74598d77e5393cd45093035351af8648f59034af996030a942254ed0497d9edac4135a69235563f1428b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
bdcbf4b2cb1c4476271ca9a3bb8bfd12

SHA1
11325d21e8db68d36eaed9458769f6b68d21b264

SHA256
061177e7a6d2efd122a2abbeeae9a8d1b0d42e1f7af900181e3210841f7d9a62

SHA512
a00a3b57d42c8868190974fd53a08eecf75e9d6b23f60a97336ec3de575ba3f112500c465a6eb8ff18bdc289db00dd812ae95a5564db8500ded882fd7a00b08a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
de887490ed993492a0f427738ec5e898

SHA1
1f6c3bf3f8a5c3c194e909a9d700d1bb1b50f587

SHA256
79a723a44ec6882c6d4f41587164cbad16a94361cec1c28e49bbb8f216f5df97

SHA512
7777a3f3aef1d189112637242a439a3078f31f56be8956390ac5486541db907f9475668a6ddb2e2fdd7bce20fad053dce13153930034202ec5898d5822830aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2c3253eac9174e324d4cad748705dff0

SHA1
008cd1e418878d8b221e1797918fd0ea1f1f1137

SHA256
cf6366f34e446e9d26ce0c373874654a25da63da2c96cdb63160e684fdaca4bf

SHA512
17a8f0277ddccfc6a106868ecc31cfbdb03a0f02279a09653354bcf115ab859886dbe13b27b783a5d8af1ee1c0ade5dff9ab613cd13ef5af3c9cb335e09f32fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8afdc78f91b8ea8c7abd7d30cf164c21

SHA1
669c5391295802a9377617511269d161db1a6058

SHA256
62ebcd852d8b0dd5f44e7580ddc82f6521459d849b534dcd5e45f3a01d1fdd7d

SHA512
745cb28ac36ae5d6dcec39ee800972237195a856a1724dcda5ce511f8855fdfc86f6681ba334aed0c1abc4fe73aca83fb01679b436ec77268dffc6b743b4d675

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58afe2.TMP

Filesize
872B

MD5
b5adbd33eaf70fc4f8fcb145c4d10362

SHA1
9e198f145bb3246b55af152744b800561862e404

SHA256
dccbd63b230ca62effb57b8f80466f81443d96f1ece103e18b9356106195523b

SHA512
af307aa5f472825b3a7fa2cbd656488bdbfae02be4101cb66df7ea963a44d6a5cdb669444706b882432851c955ebff2bf6ba283ffd7f0cade3fd10f80249e154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
8b063f06310907f9a7dae541019fac14

SHA1
377b8cfd0663f633625adca6fe6a31ad37134e83

SHA256
b6dd22c4c8d8b5b52a87811ab4f51b529e42c0a15fc6881e2c4e478c09603208

SHA512
508479d90c3492e49f986e18a91b786df0eab957df662027ba4e9d3b8843a511a7056c10b20a69e01b676b03d1b37f4fb8ea7c09b2fe5e7fe9f85f8b86335c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
6eb6d5271447c7caf1e6c77388cdc7c4

SHA1
3eec9a1d6ae99794380d2bda70273ec4ee8bad26

SHA256
c20b4af2816b3a9d6e934a9a935151d1accaf68103dc98d60e174d79d6512633

SHA512
a734bb5a29570f9804cd4d904f09acb024c0395440bf87fa10af254eefdf7964d448e85b2af40215a1226dd9aa56c915ee21b8d11ddc773c1b814a7a7b584aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
7ca6571c1aa7ede98b86b28936fe192a

SHA1
cca9c84c8aca1e2ca04d809fb5ffb2d0d2a11558

SHA256
c8ffa97b9e9bcf62cc869bbf9605a4d48b1cff612bc84da1fa410916ef7ca992

SHA512
4be72c56059e03fe7b0e3ed3612a3f25c3106f98e3c811d0efcb28bc1598f8e8db9b6cf7cbb26ad6cac3aabd6a9c38bcf8ef8a5368dabd4ddf1a599a5df0f9ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
13KB

MD5
3e24453a5fb914d672171a2d60b629f0

SHA1
df98be4ea76a0eabee2ef7a49bc9c5e8d658b561

SHA256
b6f7623e641bbb852f9f5d3ff7df1da6b44836ca89a641e6b1c725fd5e004152

SHA512
adeb3e230a0cd69651aa0f3adc400cb67602b522c148cd22001700a13fb3db76de3db6ee5783a3986889ddc2f73a1a695f5fa4345228c811c0f14f6ed37c4a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
43ce8cae8b6fff72fbbb173214335923

SHA1
3de1e17dad3788e4d31b194dcfbed8a5902f9e6c

SHA256
5f92e37d8e5e5455f60627c410fdd470bd12ea506002b8afb2b25ea298eb1c59

SHA512
64158db370306f2f513fcfc1fd9b28edf92fcebaed76b31ed090e3ef093f99be690621e63badfa15f0d6afd8f7742cd2e33260440f4c952a1280205389e1653a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
376B

MD5
9aaa2d5222663642df5617bb473fc6f7

SHA1
1180f723a4202d2e8ebaf014843dccdcbad69ba4

SHA256
5b1ada0c83630224bfe49a2145d7e22e153ebaee923abba41336bc7604b0f79d

SHA512
fe7b6f9c09d52ea41c2fe99e5471276ef582e667184d8eb04aeae738937fa2d35b9cff666193b7e51c348bee253904e638e836f8f94830b61961bb840b252d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
7760c1020b1da88397b37efe3dc0140d

SHA1
42fb0668182d0e6a2632d8abb6b173e0dce3860a

SHA256
8b122bc077341ee6d80f1ab8d4b2da7a9b9ad95cdcfea07904f9dcdfdbe557ef

SHA512
859272f7fa75217abfb7968dc9c4fd7ce4561163a81655528185f28b9703b4dfe127874bef8ac1dbcf8725561f3093769851f1d081f6e1d98d87892500b9a9e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bf839c8f06f2551e8bc11453a3abd237

SHA1
37e2907732323febd8cb80955a5468a90ed249c9

SHA256
c3f8dc64b980b25e8395d385ee5ee8dd649cc51f0a1ede62372b1642fa0e66c5

SHA512
aaed349eaaffc5df67af30eda9a085e69aacb0bf3d68d272a6fa802f4bf993d754802808b3a2a92f16fe9fbd894c179a3fc54a2aafe9a87f0a6b9e39e7b0e1cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b65467e1a100fcdb38a28ca63e8fc3af

SHA1
bbc38d1cd39e5652de4324b26b11e94f5e209e5e

SHA256
e9497d9b96beb4e28dabccbb7e900240ff8f7c9548984a6cfd409f914ad2b0f5

SHA512
5f4dbd2d6533d5d109912d47c0653530ba27d10579b6a7976503cfaa78b33f0b04f3f93c2ca86667f279d1f200c709ec6499ee994fef9448becda380c94928a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e76acdec9a41882f27d5a908fdb0c82a

SHA1
aad57a6f266e2b083f87d96b7b853a1384831c44

SHA256
3349ce1778e00319eb43db41e738379fc68c86f2ae785f6bc31c4ceb6274d194

SHA512
dbb5c69f66842c447bf324d7a754e7f66cb89df69fc28ab9e05cd36fdb9d178a973cc0fd2174252035bba1b7e88b3e8cf1964b7ba2aee3b7bfc25e7c3f53a2fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f773154c248a24d4fb59ef7b406e448a

SHA1
9db49b7801c22fb86f24c5e0e57d44a7db961395

SHA256
ce6ea7dc4ff390afb6e39720e3d71a1be6d215117c76061f38b5bc038b63d49f

SHA512
83931bf56f60f13654866a24cca85b16b7f1db3a978969f878fd5328f6b1f3b810deab39e56bb6c884c6e8d669d7ef833dfd5bda51b869532903780e9bf8fc2a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\67c941f9-e5ed-4332-bcfc-b2c6072a2a23.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
53B

MD5
8618f9ed0725d81ff8ec9b90e6f6c19b

SHA1
bf27e874290dd3336f9880a2674c07b32ed78e7c

SHA256
f3e30d46a05d18f3fb853e2b84921bf2cf4f44eff5a36366dee1e43d50ff9c88

SHA512
9e2673953df60cac6002669ead464240c5f98efd33e430deea7d161342213dbaab28cc03705a9b00b2e0df69b5d41eaecf6253fab695c8beef5f1498a9b8e5a1

Download Submit
C:\Users\Admin\Downloads\login.htm:Zone.Identifier

Filesize
95B

MD5
e2c6090b8244c64b96b78c671303cce1

SHA1
685c2c9944a8775e1368c58a39a2a487bf4cd186

SHA256
8e77822fb82a0a087d6ed0a509c844cfa6360c4e36b959dc521354394057585b

SHA512
fa621db20afbc49539624018fa0f959478362217a836832b190a2f7675595c0eaf1589983ca4baf38285f531e1b9bc764975aae4dd00bacad305b21d7577a308

Download Submit
C:\Users\Admin\Downloads\venom+++++++.rar

Filesize
40KB

MD5
41dd20d1c4ddfe7a0b4cecd2804a1b96

SHA1
e08faa7e2de42b4b628bbedd7b0d1458be454c7e

SHA256
41a5db6d5d49bb5718013a144d47e057e40ca30ea220a749ba944b1e93b1c406

SHA512
00c5a3ddc10bfd0af9dc68cf8ce4280c5269eb016f6110f38948ef02072afad9907aa161f2037272d7a2cbb60b6f6ce4e682f085e4cd5a50eb9463d2b1b9851b

Download Submit
C:\Users\Admin\Downloads\venom+++++++.rar:Zone.Identifier

Filesize
103B

MD5
4da81f7a1f9ef9ce21b313afca804415

SHA1
02a1df245e399633cbd71774e06510794043fb33

SHA256
53082cc284e2e3045a8ef682ec7314ae0200bbc0dc77e7af96106c3fc4523417

SHA512
6782bb992833407fff00460bd77317710f85f1583b8e913a4ea59cec642e2633d8ad96b9e074756232e8cfeb707cdeb843043fa8e3651bbe45f1bfaf174ff62d

Download Submit
memory/3428-998-0x00000000000C0000-0x00000000000DA000-memory.dmp

Filesize
104KB

Download
memory/3552-1041-0x000001790BA60000-0x000001790BA61000-memory.dmp

Filesize
4KB

Download
memory/3552-1040-0x000001790BA60000-0x000001790BA61000-memory.dmp

Filesize
4KB

Download
memory/3552-1036-0x000001790BA60000-0x000001790BA61000-memory.dmp

Filesize
4KB

Download
memory/3552-1037-0x000001790BA60000-0x000001790BA61000-memory.dmp

Filesize
4KB

Download
memory/3552-1038-0x000001790BA60000-0x000001790BA61000-memory.dmp

Filesize
4KB

Download
memory/3552-1039-0x000001790BA60000-0x000001790BA61000-memory.dmp

Filesize
4KB

Download
memory/3552-1042-0x000001790BA60000-0x000001790BA61000-memory.dmp

Filesize
4KB

Download
memory/3552-1031-0x000001790BA60000-0x000001790BA61000-memory.dmp

Filesize
4KB

Download
memory/3552-1030-0x000001790BA60000-0x000001790BA61000-memory.dmp

Filesize
4KB

Download
memory/3552-1032-0x000001790BA60000-0x000001790BA61000-memory.dmp

Filesize
4KB

Download
memory/4468-7-0x0000000074D50000-0x0000000075501000-memory.dmp

Filesize
7.7MB

Download
memory/4468-5-0x0000000074D50000-0x0000000075501000-memory.dmp

Filesize
7.7MB

Download
memory/4468-9-0x0000000074D50000-0x0000000075501000-memory.dmp

Filesize
7.7MB

Download
memory/4468-3-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/4468-4-0x0000000004BC0000-0x0000000004BCA000-memory.dmp

Filesize
40KB

Download
memory/4468-1-0x0000000000200000-0x0000000000246000-memory.dmp

Filesize
280KB

Download
memory/4468-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/4468-2-0x00000000050C0000-0x0000000005666000-memory.dmp

Filesize
5.6MB

Download