xred | 6f513f4b91acba47885d8b61e4da53eb233305956f18be998a5d56048e9c400c

Analysis

max time kernel
12s
max time network
107s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05-01-2025 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vnhax_new.exe
Size

7.0MB
MD5

1cfc313319188c7db6f2e77675101e7a
SHA1

d63cdf56928e870868867032bfb09550f2315dfc
SHA256

3dc0a471eebb84b66dc17e71c00ab6c70541237a870fbba297e3436053c55c66
SHA512

9d250f9d57ca2fd2d2da40f2f505562e5ed5fad502959f50de02053129152a05a86c6b57d50abf40c404b3c95d12ae53fe8612b65e390eb1f01e845d53611997
SSDEEP

196608:HLxlFP7GIFourQ6CJQbHdK3lgz8UXiU/0V:H9lFzJoNi94Uo

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 11 IoCs

pid	Process
4340	._cache_Vnhax_new.exe
1332	Synaptics.exe
576	Setup280.exe
1388	._cache_Setup280.exe
960	._cache_Synaptics.exe
1940	Setup280.exe
1896	Synaptics.exe
4616	._cache_Setup280.exe
4872	._cache_Synaptics.exe
2084	Setup280.exe
752	._cache_Setup280.exe

Loads dropped DLL 6 IoCs

pid	Process
1940	Setup280.exe
1940	Setup280.exe
1896	Synaptics.exe
1896	Synaptics.exe
2084	Setup280.exe
2084	Setup280.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Vnhax_new.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Setup280.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Setup280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Setup280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Setup280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vnhax_new.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Vnhax_new.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Setup280.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Setup280.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Setup280.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vnhax_new.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3104	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4124	msedge.exe
4124	msedge.exe
3812	msedge.exe
3812	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3812	msedge.exe
3812	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	._cache_Setup280.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 4340	3552	Vnhax_new.exe	77
PID 3552 wrote to memory of 4340	3552	Vnhax_new.exe	77
PID 3552 wrote to memory of 4340	3552	Vnhax_new.exe	77
PID 3552 wrote to memory of 1332	3552	Vnhax_new.exe	78
PID 3552 wrote to memory of 1332	3552	Vnhax_new.exe	78
PID 3552 wrote to memory of 1332	3552	Vnhax_new.exe	78
PID 4340 wrote to memory of 576	4340	._cache_Vnhax_new.exe	79
PID 4340 wrote to memory of 576	4340	._cache_Vnhax_new.exe	79
PID 4340 wrote to memory of 576	4340	._cache_Vnhax_new.exe	79
PID 576 wrote to memory of 1388	576	Setup280.exe	82
PID 576 wrote to memory of 1388	576	Setup280.exe	82
PID 576 wrote to memory of 1388	576	Setup280.exe	82
PID 1332 wrote to memory of 960	1332	Synaptics.exe	83
PID 1332 wrote to memory of 960	1332	Synaptics.exe	83
PID 1332 wrote to memory of 960	1332	Synaptics.exe	83
PID 960 wrote to memory of 1940	960	._cache_Synaptics.exe	84
PID 960 wrote to memory of 1940	960	._cache_Synaptics.exe	84
PID 960 wrote to memory of 1940	960	._cache_Synaptics.exe	84
PID 576 wrote to memory of 1896	576	Setup280.exe	85
PID 576 wrote to memory of 1896	576	Setup280.exe	85
PID 576 wrote to memory of 1896	576	Setup280.exe	85
PID 1940 wrote to memory of 4616	1940	Setup280.exe	86
PID 1940 wrote to memory of 4616	1940	Setup280.exe	86
PID 1940 wrote to memory of 4616	1940	Setup280.exe	86
PID 1896 wrote to memory of 4872	1896	Synaptics.exe	87
PID 1896 wrote to memory of 4872	1896	Synaptics.exe	87
PID 1896 wrote to memory of 4872	1896	Synaptics.exe	87
PID 4872 wrote to memory of 2084	4872	._cache_Synaptics.exe	88
PID 4872 wrote to memory of 2084	4872	._cache_Synaptics.exe	88
PID 4872 wrote to memory of 2084	4872	._cache_Synaptics.exe	88
PID 2084 wrote to memory of 752	2084	Setup280.exe	113
PID 2084 wrote to memory of 752	2084	Setup280.exe	113
PID 2084 wrote to memory of 752	2084	Setup280.exe	113
PID 752 wrote to memory of 3812	752	._cache_Setup280.exe	92
PID 752 wrote to memory of 3812	752	._cache_Setup280.exe	92
PID 3812 wrote to memory of 3096	3812	msedge.exe	93
PID 3812 wrote to memory of 3096	3812	msedge.exe	93
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94
PID 3812 wrote to memory of 3596	3812	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\Vnhax_new.exe
"C:\Users\Admin\AppData\Local\Temp\Vnhax_new.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\._cache_Vnhax_new.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Vnhax_new.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\Setup280.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup280.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Setup280.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Setup280.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.vnhax.net/p/gflhfdokln.html
        5⤵
        
        PID:3100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff83f553cb8,0x7ff83f553cc8,0x7ff83f553cd8
        6⤵
        
        PID:684
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,8318600982841326342,9481010667919465170,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2004 /prefetch:2
        6⤵
        
        PID:916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,8318600982841326342,9481010667919465170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
        6⤵
        
        PID:3512
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,8318600982841326342,9481010667919465170,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
        6⤵
        
        PID:1616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8318600982841326342,9481010667919465170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
        6⤵
        
        PID:5092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8318600982841326342,9481010667919465170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
        6⤵
        
        PID:3340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8318600982841326342,9481010667919465170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
        6⤵
        
        PID:2808
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8318600982841326342,9481010667919465170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
        6⤵
        
        PID:1064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8318600982841326342,9481010667919465170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
        6⤵
        
        PID:3548
      - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,8318600982841326342,9481010667919465170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
        6⤵
        
        PID:328
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1992,8318600982841326342,9481010667919465170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
        6⤵
        
        PID:1612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8318600982841326342,9481010667919465170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
        6⤵
        
        PID:2012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8318600982841326342,9481010667919465170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:1
        6⤵
        
        PID:4068
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4872
      - C:\Users\Admin\AppData\Local\Temp\Setup280.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup280.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Setup280.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Setup280.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.vnhax.net/p/gflhfdokln.html
        8⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff83f553cb8,0x7ff83f553cc8,0x7ff83f553cd8
        9⤵
        
        PID:3096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
        9⤵
        
        PID:3596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
        9⤵
        
        PID:2440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
        9⤵
        
        PID:2428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
        9⤵
        
        PID:1284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
        9⤵
        
        PID:3132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
        9⤵
        
        PID:2808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
        9⤵
        
        PID:828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
        9⤵
        
        PID:2000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
        9⤵
        
        PID:760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
        9⤵
        
        PID:4104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 /prefetch:8
        9⤵
        
        PID:2092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
        9⤵
        
        PID:832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
        9⤵
        
        PID:3916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
        9⤵
        
        PID:3144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8417966253313449288,8598563832550974786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
        9⤵
        
        PID:752
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Users\Admin\AppData\Local\Temp\Setup280.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup280.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Setup280.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Setup280.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.vnhax.net/p/gflhfdokln.html
        6⤵
        
        PID:4080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff83f553cb8,0x7ff83f553cc8,0x7ff83f553cd8
        7⤵
        
        PID:4112

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5100

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\GroupWrite.mp3"
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.0MB

MD5
1cfc313319188c7db6f2e77675101e7a

SHA1
d63cdf56928e870868867032bfb09550f2315dfc

SHA256
3dc0a471eebb84b66dc17e71c00ab6c70541237a870fbba297e3436053c55c66

SHA512
9d250f9d57ca2fd2d2da40f2f505562e5ed5fad502959f50de02053129152a05a86c6b57d50abf40c404b3c95d12ae53fe8612b65e390eb1f01e845d53611997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\._cache_Setup280.exe.log

Filesize
1KB

MD5
ac45cc773216001c355992d869450b47

SHA1
1f19c3839b521e1bf1ec7928f32f45234f38ea40

SHA256
c9c03abe98c496376975747c9b617f5f6e1b50aec09aa8be31aa24e81254901f

SHA512
3d73620a59089bc05d60ae07f0811ddacd1661599eca096cd9927813f86dc9cebac1de221691373601c743250694de43e408a9e607e813fb28260b1509f84574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
852b3c86a6d00a8d3060b0e512794602

SHA1
587d453d6f65cc18b93d7a337aa8469194cba20a

SHA256
4c284c3b63994d4c70b60f8aee3eb6a30299524a3069fd7a33b163bdef47d8b7

SHA512
5714749c9a80abcda6b4afdc2edd387d486d0011799e19f597a8a40be98cb2af405eecd0d38a39954f772b68508642c3ea51cd97e50222d3d78b68652783d683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ad92cd4f23cb4c9aca348dea2ec6363

SHA1
7ffe3bc242a16d616668c46531ba45b9b8409cdd

SHA256
b4f9094535a0d97ad33d2a82dc9495a90f80f49a8ffc21f579e1713736b73529

SHA512
6d2b711739bfab13daeebac060d6c9b202d572ce2c8901092e6967ced1cac97111d040472db81b30d86fe8279a4433240b6393a832e5bf67a73619fd41187312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
34KB

MD5
4150be91c2a3cfe950ecd06dfda28bd6

SHA1
aec65ee382f38ad6e2d4d6f35bbef215b97421b8

SHA256
a5b590c1b46928f9679900f4943c4caa3cab59fe7ba28645f21c20331ebeb4e6

SHA512
25d1c2dcac5cd67278960fa6fb8a82cea482b3426db2c4fd1e5e91e840954a1e3b076f8b2de7aba959a9360167306051b68e81e061a2d5335724098db6b7ab16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
546d85dcc27802b61dd60578e26cab23

SHA1
09cd784642f97e857f1fc4bba303e4a3e82c90ab

SHA256
07975332334882e6947146cd88850799f38e1deb415aaeca72ed7457faf35c45

SHA512
5993efaf7398290a838855c3bb0171762fbbbad371c005bee8059eef695ce91b553ca279b7fb936edf6aa499ca402d8ab8b8dff324c0433c4df643cb8f16f27b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
01909f2011cd79c78b6b5c3017b13f73

SHA1
a7c866c890ba4a99adcd1fab3de1a5ab0fac061a

SHA256
778661d9b082567caf4017f87bbc3c983d751265fa1e1b115fc330bbe4ea806f

SHA512
046e41059da2be51e5312dfb4a06cabf08c43b1ed3b90773b236596cc70ed4c561ce6fa15dcab891b128bfc34d25c7fbdeba3e6d23f326b0bd741197c953410c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
dee8ae77c84790bc4d56abc6e141e94c

SHA1
c35968cbb5dc359bc32353d2359544ecf395e145

SHA256
2c107e95a875f88f8d4b9e75cd30d764e707bfec1cecccf0df6e99111895dfae

SHA512
e2c96d32d52c54376cb22b3f147ac9bdd3b90ecfa13f901a5266072269de6a423b8b46412685f27fed2b696f5abef3c08eee5833490dcc15c34e0fcb0d5b6c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
ddcf8c468b1b065a81aac75f4624eaef

SHA1
56b9c64abb8b6190464cce6ff74b3fc4ad1790fd

SHA256
5f154b2178d800c712484e32770bd6d2177dfcbc66f41d4d88ab691327db17de

SHA512
c0eb0a3caa2e4551dc0b1e6ede2cb6b3ee68567f835c2bb5f2756682fde620ed0926852f9e5cfc07e7869be53eef236b70f8d5f6990cf42940eea64d4bd8919a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
a2fc490087ec9fb9fa7f1d9b7764fdf1

SHA1
d468f58363a545cbbd7adaef463df4508793ec01

SHA256
55a53342934907ed15e8d32d25178fa15334980467c8486405c85083e5957c78

SHA512
122a3ec5eb1a631da4d212448ce5f56dbba2fb66a9f06f4a72a0dc11f97149d20a73ef8658bcbc07418abdf92a157831938bebeed29807e90d5766654d31fbfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
077c5412665e48d8305a4cb6e21feb62

SHA1
e971b7589b50483d669b56ee7c337fed841381d3

SHA256
56bee2128992ad6f0f7dfc67135910a79bb874321e632d7b668cbeff7c86bb2a

SHA512
964792129a89ffe121edc1398fe4687459bb8f0f5962c1c4ef1212a52263a0ed86eac8318bcbbc444280310e39cc8a2d0ff8cf5eed3cec90e470f6c48b68ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e4f9647a9cae58c84dea4eb5e3541a1a

SHA1
f2e6423a80723f6b8d3c9eca6be3e754c3b94e3e

SHA256
7141c57a976b20baf0e3549db8927239c48f8f12ca8970fe046a268df62fd93d

SHA512
eb1cd0299ff86701f4de9324fc782328a64596e7ffe8b9242e2dfdab349800f120fbd63dc6333fe3d80a8264e3117c4c3ef5c63e9bcebb02820376372abcce0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7ffe82e5ea03572164087cca799ca4f0

SHA1
e0dfae6b22901fadba9dcef3082a90728f219a75

SHA256
1c2b64efc2f9b14135f55d983ca6b5a8b5586bf566bf6eedd91aea77732fbf03

SHA512
3d2094c67c532ab334552063700a9bc62ba9faa3d711675a9f0d88d9d12b9b081df85b30e6dbb62946e0c26126346b205a93fcb7abac88be4adb9dea7c14d71a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d2ffe079377e93473221f70b79e9c2ac

SHA1
a7ac5733a64780f7963c5886e0caf794118eca75

SHA256
c856ec183da1cb102d175eea6eb0cbb465e4b660564584d5bd9084c17efdeed2

SHA512
859e8362fa75b061998e963dc81dfd01da5ff3c0338d32c22294f197b59ada67bb87ff8953a9ca0a7909ede5dfc1c550d003663871e8f162cc25d842a3d06b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3804ca1edffaa8de6dedfe213dc01c97

SHA1
54c92d3d0446d7c123d1158211d20336fe309964

SHA256
4b53650db65a89f0dfd490074e497932b70917fac1885d882b3a1abc9b14fbd9

SHA512
d54d116e2396e5966d6658cd7f370443eb743c35ac733610fb84b9bb9e51d2045b0e0d849c2b9e3a44421695b594525d729899ea0b63104392f4c9c362d33b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0da255b02c00a0203660d98d8579dbc9

SHA1
37c1aba5914b5462c63303d03a5bd11bee671818

SHA256
4b81d8747d7861b1a5f82f84f0625fdd8c4882d6d4e736a8756349e5358c35c5

SHA512
7f4921df15c0dc9f1b771ad3aa673c0b7a878a7115a2c2ad0b2a9fdf2265ebaf2b8f7aa4d59ed3b102a8144014a2607e2f5cf6ff453fd6ed8ec4e8cf0c5f282b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13380576964908749

Filesize
2KB

MD5
46acfdf7b11030c0ea64450c4d1e54fc

SHA1
7c961f219eae968f48281f18e7dd56f2bb74181a

SHA256
023394f962d9ce1549d278c9c48539ab31ee0f6e24e395fe6b54ccf1b02b2a30

SHA512
044aca27058d22e211257c2b560c31787584a60b1b1e9628084d87dacf0a15d0426bc37de5ac7c27dfccd0ad7e28d124be8910fbf3934bdcee3a136218ca4d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
7aa36d3096c8e1439e6c78af061d842c

SHA1
63f40d62ed55e72e197cef48285f5e54f77f3cf3

SHA256
7c2c8cd89d305d82c4cc42b472eaf5f8ea335b70c32215fdd5093b8d03d5a8bf

SHA512
8a547f003b5701783d6ee004a13af2c85c58693f7bbc39671454607ca09531cabfe0a843c70599b38fd5ee9c15475b5b7e2cd660dead91bd7e37ce0d1c9a5b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
99e67d181a82fdd10798c019d76a6ae5

SHA1
f0223a03de5dd5e937b3cf51c78a688cd158c54c

SHA256
961607a395f41e42be0f5a20c714e94c013258c2ae36d5c8a8ba5d0f8e75f3d5

SHA512
63c2ffdc58fbc777bb27c31a1924a16f9d7f9afe76e7a79a2c0b8b4e0942b43ff35740cf38a5ae255bae34b4e46c31b5a80d4d7258fcae3115d7503039859e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
c7ef0031e574ce548d5a6211ca2babc3

SHA1
de7d8a2469a74befa26732cd1f71c78839684899

SHA256
93ed56eeadde16a5c4f5df5a7d80bd7178d32c1889c18387c870111464dc0530

SHA512
9d05b81ea313e72f1735af798619cf48f14ddc15e236fdf96a726604a469599715bb242068ff1b8b71f1ab28d16d3e8127f4fec8167ba039dbce0fa69d4839d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
509e03d9f38e930c1145a8e2cacc0116

SHA1
cb749132d395cd6dc57358a8f236db68817dd6cd

SHA256
0a24a1e93d1d470920a9b13956d706e7be5c7e03566adba3a719b2e31a89fbfd

SHA512
2c7c97e64253975beb7414b5d7e18a7a8e0805334557290cb317f248f6b345d236bf1823f0ddf0922ea79c8459b1825ea7d9a0c3c340fbf2da2bcb558be530cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
c7e28c12423cafceeba702b3a21db60a

SHA1
c96d4172634bc0ce88917a80b26a2d54e8bd2122

SHA256
c78e4b73a15fe820444cc370f509dd3fcd82bce189c59833671ad00c145bb07c

SHA512
e8d6f12f3e1c8e1fb876d0234a204eb73c2d3be22260a7ed5fcc386d970a4d2f2f0f3e8f2eb8d6eb5991907b4b4ecc5dbc41a32f2df62539d79e249ede32f385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2ec29e420274a0fe5853e1d6b73558f0

SHA1
c3cac53802382b2cc6e454a765616cd702241f89

SHA256
516271f701a12cbac1477ec0ebc5b5fb062205aeb8717129eb3991395797cff0

SHA512
4009d3e25ee48089cb84401e740d2738f6407eb7f1e7c566d1ee33f9634a053451892d57262d886a3099f7cf56b64a07381af3865288450aecc507e1d33f116e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
291ecdeea2bb1abf531939ceba7b4968

SHA1
f887de3c3888b9ec7b375575a96e157278c17208

SHA256
af2f0ae407bf455e15da17aa0f272206bc6e58a3e31cc95fa602e74e3a8e0c11

SHA512
a6d8fd9667a5fa6af2c8492132f44218628369766754ddfa053b0a6dc508dfa211730610c32883373ff2dcbc2b678273e330e1b502d393ff657fd89e633005ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4cdf907f3640bd530313c85a3774c027

SHA1
2b96421db2ada3982344ad89ed106fbea2fd1564

SHA256
2fb8a4bfe4c318df59f8d7e4af6c73862c814ea0b14775ff0fb51ec27f4db77c

SHA512
bbeb887c2e0e5abe45d63993814d2cfae85c60a63ad3e327360cc3c03a87f8ef00ae7e6eda22e28e6a5383a927684171a6b5d431132c0377f3a0143c208d3167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
a153274849910af1c140b8e192a94dd2

SHA1
398e487e563b2884b9f36eef84d52760a0f10372

SHA256
a27b5a5cf725ed332bdaa0eb578b91917fbe78084042cfdc4027b0c47f93d06b

SHA512
d004698cb507a5170ca18b88d756d5e7a8f4fd64e2a4de02a2ec910734353ee961ac431b75d27ba8ac8b33d551ae00699508c6bdedecb5fcb00292598954d8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Setup280.exe

Filesize
180KB

MD5
787b77ed4a3970d0565f1e22e3e72065

SHA1
c396438b5cce7729e756c53c5b43a2af63cdd6a1

SHA256
467c4a87b06cd1f0c71f0a912551e51bae533875f5b831afa6cba06dfaa53c8b

SHA512
6a74cdd984810202c6e532d2ba0121e12803844399fcb07af7f697c7b00fcde6013a764bd8e954dbb7d3713a1448929d1e2a08785635a3e52ef2db79b96958be

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Vnhax_new.exe

Filesize
6.2MB

MD5
7e252e1a74bda7c621c9c45b9bff2df9

SHA1
f06c87842777d1cd9f5e0c2bb5ec3ffc0807f545

SHA256
21e920cf6b6741aea46a5548c4ddffc1ad079c834cc46e81dc091720eb3c4325

SHA512
69baefaf7ed0349ef50245d16f90255f2d00abbe253ccb001b0098243a38bb4fecabe14f90b8334e3bec9351dfe73726f0d7edb352ddb00fb671d01d9375c8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7A75E00

Filesize
24KB

MD5
05a8a2c215cd2dae9d8cb28838252dab

SHA1
bb0fabee14c3d332d7450a75319dbd0268ab8cfd

SHA256
39d982e7872aadeb82e940690aa24062255686e5a519ad847b92b7ac6392790b

SHA512
a1074bb42418ab44cd4abcd20c5804e9d921f7fc25024a78d9e0772f80078970dde86d017970ad72dfb1315b644eaebb05b7f6cb6edd37b774e2bd62ad064b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup280.exe

Filesize
933KB

MD5
fd1247e7caf911c86f9a3ec6743d0ff8

SHA1
c43c2501f18b1454e2daef94f27bcfaf287b8023

SHA256
18f89cedbb9a651d268bbef4472575e026df00aa3625cfb98a2091e7791b8a44

SHA512
76bcd728a116b8784fd3a46c9f5c10bddbb45410ebfa7ff615b8b1c8ebb192a54b90f60abc28f3b167741f637be6d9aebf8e34666edbeae283cd8df2751ddac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bLzanlFa.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/576-222-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1332-279-0x0000000000400000-0x0000000000AFE000-memory.dmp

Filesize
7.0MB

Download
memory/1332-366-0x0000000000400000-0x0000000000AFE000-memory.dmp

Filesize
7.0MB

Download
memory/1332-457-0x0000000000400000-0x0000000000AFE000-memory.dmp

Filesize
7.0MB

Download
memory/1332-649-0x0000000000400000-0x0000000000AFE000-memory.dmp

Filesize
7.0MB

Download
memory/1388-216-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/1388-219-0x000000000A430000-0x000000000A9D6000-memory.dmp

Filesize
5.6MB

Download
memory/1388-223-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1388-214-0x0000000000D40000-0x0000000000D76000-memory.dmp

Filesize
216KB

Download
memory/1388-220-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/1620-686-0x00007FF84E040000-0x00007FF84E074000-memory.dmp

Filesize
208KB

Download
memory/1620-688-0x00007FF8396C0000-0x00007FF83A770000-memory.dmp

Filesize
16.7MB

Download
memory/1620-687-0x00007FF83C2B0000-0x00007FF83C566000-memory.dmp

Filesize
2.7MB

Download
memory/1620-685-0x00007FF65BB70000-0x00007FF65BC68000-memory.dmp

Filesize
992KB

Download
memory/1896-303-0x0000000000400000-0x0000000000AFE000-memory.dmp

Filesize
7.0MB

Download
memory/1940-227-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2084-233-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3104-237-0x00007FF827610000-0x00007FF827620000-memory.dmp

Filesize
64KB

Download
memory/3104-239-0x00007FF825350000-0x00007FF825360000-memory.dmp

Filesize
64KB

Download
memory/3104-234-0x00007FF827610000-0x00007FF827620000-memory.dmp

Filesize
64KB

Download
memory/3104-236-0x00007FF827610000-0x00007FF827620000-memory.dmp

Filesize
64KB

Download
memory/3104-235-0x00007FF827610000-0x00007FF827620000-memory.dmp

Filesize
64KB

Download
memory/3104-238-0x00007FF827610000-0x00007FF827620000-memory.dmp

Filesize
64KB

Download
memory/3104-240-0x00007FF825350000-0x00007FF825360000-memory.dmp

Filesize
64KB

Download
memory/3552-114-0x0000000000400000-0x0000000000AFE000-memory.dmp

Filesize
7.0MB

Download
memory/3552-0-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download