hxxp://roblox[.]com

Resubmissions

30/01/2025, 15:44

250130-s6gncavphz 8

30/01/2025, 15:31

250130-syaj3avnax 10

30/01/2025, 15:26

250130-sva2esxkbq 8

Analysis

max time kernel
220s
max time network
226s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30/01/2025, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://roblox.com

Score

8^/10

defense_evasion discovery persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 4 IoCs

flow	pid	Process
171	944	msedge.exe
171	944	msedge.exe
171	944	msedge.exe
171	944	msedge.exe

Executes dropped EXE 4 IoCs

pid	Process
1760	Amus.exe
816	AgentTesla.exe
1524	AgentTesla (1).exe
2880	$uckyLocker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microzoft_Ofiz = "C:\\Windows\\KdzEregli.exe"	Amus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
170	raw.githubusercontent.com
171	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll	AgentTesla (1).exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll	AgentTesla (1).exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml	AgentTesla (1).exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config	AgentTesla (1).exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll	AgentTesla (1).exe
File created	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll	AgentTesla (1).exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml	AgentTesla (1).exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla (1).exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe	AgentTesla (1).exe
File created	C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll	AgentTesla (1).exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Adapazari.exe	Amus.exe
File created	C:\Windows\KdzEregli.exe	Amus.exe
File opened for modification	C:\Windows\Meydanbasi.exe	Amus.exe
File opened for modification	C:\Windows\My_Pictures.exe	Amus.exe
File created	C:\Windows\Ankara.exe	Amus.exe
File created	C:\Windows\Anti_Virus.exe	Amus.exe
File opened for modification	C:\Windows\Anti_Virus.exe	Amus.exe
File opened for modification	C:\Windows\KdzEregli.exe	Amus.exe
File created	C:\Windows\My_Pictures.exe	Amus.exe
File opened for modification	C:\Windows\Pide.exe	Amus.exe
File created	C:\Windows\Pire.exe	Amus.exe
File opened for modification	C:\Windows\Ankara.exe	Amus.exe
File created	C:\Windows\Adapazari.exe	Amus.exe
File created	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	C:\Windows\Pire.exe	Amus.exe
File created	C:\Windows\Cekirge.exe	Amus.exe
File opened for modification	C:\Windows\Cekirge.exe	Amus.exe
File created	C:\Windows\Meydanbasi.exe	Amus.exe
File created	C:\Windows\Pide.exe	Amus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$uckyLocker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 194472.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 691347.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
944	msedge.exe
944	msedge.exe
4688	msedge.exe
4688	msedge.exe
4248	identity_helper.exe
4248	identity_helper.exe
2484	msedge.exe
2484	msedge.exe
2472	msedge.exe
2472	msedge.exe
648	msedge.exe
648	msedge.exe
1076	msedge.exe
1076	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
1836	msedge.exe
1836	msedge.exe
3220	msedge.exe
3220	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	760	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1760	Amus.exe
816	AgentTesla.exe
1524	AgentTesla (1).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 1244	4688	msedge.exe	83
PID 4688 wrote to memory of 1244	4688	msedge.exe	83
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 3228	4688	msedge.exe	84
PID 4688 wrote to memory of 944	4688	msedge.exe	85
PID 4688 wrote to memory of 944	4688	msedge.exe	85
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86
PID 4688 wrote to memory of 4652	4688	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://roblox.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffc6c2746f8,0x7ffc6c274708,0x7ffc6c274718
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2116 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6528 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6772 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6972 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7244 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6580 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4164 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6732 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,14304587133011442742,12854749748397994880,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6720 /prefetch:8
  2⤵
  PID:4024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1848

C:\Users\Admin\Downloads\Amus.exe
"C:\Users\Admin\Downloads\Amus.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x39c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Users\Admin\Downloads\AgentTesla.exe
"C:\Users\Admin\Downloads\AgentTesla.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:816

C:\Users\Admin\Downloads\AgentTesla (1).exe
"C:\Users\Admin\Downloads\AgentTesla (1).exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Users\Admin\Downloads\$uckyLocker.exe
"C:\Users\Admin\Downloads\$uckyLocker.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8fe50664fd38239e8c01b75122cc6b3d

SHA1
36d011ccd6e5ce47ad0e69559c782d6482e6cf4c

SHA256
c7be861be90fd1a2b4df96b30c8b39739d99f945f79d21bef4eb7481358bfb0a

SHA512
f96af6111881853330c9c8816a354faf8946c97cc56e04b0de9a764a40f4541dd4b59c82a8db8c243f059c386e680f8c1f010c34f6da0cdb6fb1fa4de81afd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\06b9bcfd-bd90-418f-9302-e423fa318529.tmp

Filesize
2KB

MD5
57552c9a3e76461c1be89cb2c2ffe2ab

SHA1
a5338fabc1fd6f9de0dc16f0e2395e0ac640b9b0

SHA256
c982e17417dec3f22759cf7f26ac0934b3c74b7e2cc710ca9f82612e7c58eb15

SHA512
ec127f23b98d854f33a09cfaff2b99311050e04e86c97ad9f43498062f4a1c87cf376b09c1cf6790e10bd80bfe5ce72b18d1e6467bf45612c1fe858290b6acff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
0070498d84088dfffa37520eaa3f7dd4

SHA1
7a80f345f7f6d600a1aa4a5115e101f05701a8af

SHA256
ceb132cecb27fe1a4bdbe6e58714eaebb52ece74aa5f2820648ec3a394910b4a

SHA512
c696ce923f3088e142086fae16adfb609526d2ccabcd8afc9f9b28f916c276aea63da901571212342b7526086a19b46a7e81df265c93fdc0635df68ffba2b104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
26ef906ac051829b44b459c074fe28d4

SHA1
4a0d719b876e70f402dcf977a0ca52cc7154c868

SHA256
a01693617db3b803b526a2c7dbc6c44461ed4953ae2c136b2575622b693710c7

SHA512
0afd3ddefc62e4b90b592f399b6c62d8ab8c2f465059c1d5f83dae263cb1ac8be527fca521592a8f01369e7aa60be3a829a24710bb780e9c9c73842e07fd333c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
46627a6d527097a02cdf2cede1fbc771

SHA1
3fa27a276a3e3edd419d37dda5281d7df3f0e253

SHA256
0b86ec4c780315f58767ebbe8e8ee78c3e09282a37714ee0cce7fd2156022b95

SHA512
214da20b2b4ec9ac197ea0499c4b39ea953ff872fcc47e3496b0b6bc02443475a72c77b6553a45eeb4dfe4d51ca1b6cd51c7c302fbd58dd5a81a72b5c663c59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
71b3e8dd9ce6b9ed3aef6f99a562fa9f

SHA1
21b36bbfd80d10d00c0d63d482087a442dfffadf

SHA256
09c5a977ac269efbf2b64e1df7a10f5e003a679e6205d7f0cd69d178d99ece66

SHA512
1900ff2e8a217129a01a9ca71b4d8e0b0186dcb5f31eb001f00f903f0dc9437d808faa8c0dae20115fc579fb4d8bced5aba6bc43b75181304810ef67c29af41b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb5c285b860549f2a60b0f10b4085b5d

SHA1
16c754efc9a6b753ba1e555f28a6a4c00a77dbca

SHA256
be5332232b17459efb7b8964a4a1548eba06c92ce40261a57ce90d3a294432b2

SHA512
9dd84fcb972dc8481df7846520ab5b5ac940c99a2392fb11a7c7f17e478cf93c4be7364f6d89665879db66ec3386eb2128db9f151527e6c14c7bea6b7fe0dcbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
83e1c7fa4d8b79be8e2c371e53caf118

SHA1
a789dc898aaa299955e6de52e1f92d220984f51f

SHA256
c05f5407f1105f4bfd83c9e51e5781798195d3d55ae2f8bd9388924d1d9a8d54

SHA512
ef107138d1f5e5de9f81a589283a6da74f96c528c398aaec225518c2721995891eef27e78668e5e8b87ea99c52ac12aa1ad8bcafbe0a6a3aeca5a65c0fbb1b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1b554439f645a8c7c00de43dbc14a30f

SHA1
fc14d835a50938f95a8db8e5b2aaf667403ea77c

SHA256
a3fa13add0a3a4b7ba386f90b5ebb6cb587cecc5be6409794155e338535759ce

SHA512
85264ca90f72c68fff9ace65af864dc3a13a8c0056b528726ecdaeeeb98fc450cdc788b760ad0392c86bd722660f5bc63f8eac53dad28ffebf97520930c9ba8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60cab0ad58130a32c2602061c8c8cae7

SHA1
a58877b907948af20feebef1df3616411e887cbe

SHA256
8b1cbe3e71bea8369a0392b7ce6e712e1902fff32be54e265fe89f54776f5567

SHA512
63cdf26553f3fc1e157585303fb8a081914a7970d6685feedc03d69e13e35759dde53021c85070ac5fb530ed23fe2e07f542146a9ba7ac6e93ef53db7684bce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0419d9b1185c5bf39adfd899933ded08

SHA1
d4fffe7cfe965ec946d8fd6de8cef25e9319ef82

SHA256
efbdf07a9179184ef91df760e94df906c1a11217ad054abfb49a20ee388d9bca

SHA512
1bb8d273d191e8e977c3bd6b94a05add2bb2eb9be753f2236db3275b4442b2e88fee13464c9fca012edab3597770eb56bf1831f7900a9ffb15b21a4fbc9cf6fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b4c1148e974c2d74e4086670d4b853f4

SHA1
4b2b1e12a53593488280e4a50420ba613d8c06c1

SHA256
61abffd641d0d747498ba4073e248d5cbc60525e0d81f11010df023d3add3637

SHA512
9f240b16ee469e4a708de31f592002a7d3e61a3763de8873d8a78c9ebe1816b24ede9f7b9ee5c0912e5f24d9a51ff63880a32e8cd7ea19b528ea0ea9fcbc7121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8be763a684e953a8d49e23b8228398cb

SHA1
379baf2ada2758bcce144505ea50295b13b5f49a

SHA256
9dde268a1d5287643ce47a0485ba467ca8c6eb66a29a01cbbf88a2b6d6736a1c

SHA512
5035b1f603ba503af51ead4dc28bdc60b4d62dc6dae09084ebbf1ee6ccb1956d3592a2a76e57b97b0d22455d2af576cd01060e07111f66cbcaeffc5b9956b619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
60ccd35ea3e67c4756b5051fc8614901

SHA1
3b6be7d01fbe3669f9a9229445d24d655d7ea22e

SHA256
aa060711c6b22e7353c6cee0501c0bffb8790c4a8807806d5b00eb5bc3933ef4

SHA512
7eed519bc77627cf39f39e924912ca0c7f2ebe250b7a94752e971896dce51db657a14e87c070e0d9c82060c22cd15f44b841435caf3cf16ec3fbf90d0edd4bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0dc1f99919460b2f7041853d5c0044d7

SHA1
42f58a2d686dd045f6d3fa96b65ab26b76c893be

SHA256
23dc991d6a2e5fcaf0a6993459d9cc5c198ab686f28b5efefe601b65b108286a

SHA512
a630756ee849e862d8fd8ff96492ff32807a125b6cc2ff0c7cd91b28e4ab76c10fe39894449c2d466e7d093ccabe41d975096cf764c6f497150cc5671c02732d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e0a121d70810ac8739cece6bbd8c9f79

SHA1
194984ca3b9cd609cb771010b52412e4f4e4bf9a

SHA256
96f80d8a62016bcdd55ce5b51d0ed9b92ade6714e85f7503dacb4a3b61122f15

SHA512
edf616d3a3394fb0b708969baedeb47a78cbc725d312178ff6cc2ad936f922f867040b41ec1a64b0eb47856855ed1d48ce8dc675c891c52c28a558070a45d4e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
79d1867416caaf618fe1bcacce070c2f

SHA1
11f78c3371090e17477245c57350d2781eb15fac

SHA256
6767619fab51e04ff10c0420db0acd2c19646d9217d635d70d40d8ce6e7f3c9e

SHA512
2bc9a379558765727dbf54f78a3c675b2f589b5ded167bc9969d582fea8d7f7d3667a0d4795d3f5e65b1be935fda16acd472d9bcead157d765b260f71eb6149b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ed0b83909345d951f015c8ab6301a9cb

SHA1
81f97b3633ec82e17c86359493bbcb92285c1454

SHA256
0cee04f6f351d2336483d4c00571e1054031a50a08440860ddd309730d8fc7fc

SHA512
c4958d8f7e1c017547d7eba289f739f191647d7e75b989f1325d8d58dcb702640cc615b410fbcd4d5d63300678aee21ca154481780c2cf3a55288fb2bce487aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f1636943abb514d9ecadc03771b0c4aa

SHA1
b9f90dc3cba1ef5e3e1b50b7e5b89cf50d61bd22

SHA256
bdd3e84e102e1dfeaf5e1bd167758f0b4f81ef1d971dab50fdf3b7d2061fe138

SHA512
d3be7a4ca3d9829ed51e5fb622d872fb1fd771b6bdc16dcb97e89e316c0e24db6ca7d34ec8fd7e46127c780913f408d8132ab8967bb66e7703bc6ed4af46042b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8fc1d93bc0475b34d239ce8310a9c97c

SHA1
20d06be8499e164afaeedf13022b6c458bec9d97

SHA256
c25347c64e6dd56f33461af64af604220886d5917fa0a3653ab638f12fbbe603

SHA512
f49f658eab1f20749153944f5e66b8df8df20ef5594ce0c1cb0bb6ca7eb90f69a6ad545c804c5a3c8a69f5397abb7c0f4b8985edc09943b0b5ec2e527ba227c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c61065d1d97bea40269636daf4002d2a

SHA1
a92b446f617fdc10b08fafbe0eef125ccc732b66

SHA256
87b706dcd5ee08f516c2bdd39ba6cb2b3163f175e54e59e34dd7f36293a0e235

SHA512
4300fc73a3a679a0ed06b84181008af7aaffcaee14d4eb16031a930ef887f176af8f21e247fbd18f2f69f6abe2a939d0b7f18d29088fa93fd170776f18f8ec8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4d2f70c47b021dfec54ce8bc6c80c3ba

SHA1
f1fa39f1e9620bc23af35246a44513f617b368ee

SHA256
b5e610b33ca4e4befcdf8935a20d7da9dcdf843d869bbbd666dea3f7bc056355

SHA512
99517b63471ae68b4986ffd1990db4804d2383621e967b3387a339baa86c217928d030890befe9d7323a22f686f3062a39030d3e641c79dabb43c1eb70478de1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dd7f.TMP

Filesize
1KB

MD5
e61eefeed454e0f86427e1fc7fe6b519

SHA1
92776ef133ab2e8be1456c3eea8c5362d89136d7

SHA256
643e81dfcdcd114562af2994fec3555fba54f579b792368aa8c37d17e24557fa

SHA512
bb299e482962bb4d0b85197a7c14cd43af62abc76bb0e20bbd6b95a93bf92a88a53127991913f2dcf93b9c77966b03aadea120bf6312801ed492a1e2896b948f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9c7140eaabc4d4c0e64de67cf408d5c1

SHA1
594489175756a2b8d400de94b8f433299adab056

SHA256
6a40d9d8772509e2e2535ea374d57382b6df75a62cb2e29218a46f5655a310d3

SHA512
187e60ce24eb077bb94a410bea27df9a333ef296eeb81b75f03a6fa5c26b2b83dfa21ff681c58d3b32ccd058e582d4b2e9b70494d434a33644a39846bcadf391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5d95ebca159659846df616f3d23d4301

SHA1
4dbab3904e6a5554e7d357394f16305d68b5095c

SHA256
d05bff2c3b51754cf815f7fc77d8c15556d59e1f8d76b719796cf5cf454c5e3e

SHA512
4e2457fe32b6df0f24f25baa3de733290d6f1a7563f5d2a7c4cc0d2478e35596cf2abc9a20fcc52d30caaa2ce3019dfa8dd78984f3f0555b0ea3bfd31afa0d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c35c5c3283908f3e526275eb4d65c54

SHA1
e54a828ae4a697e43f7ebe6b44fb8a33e1af4dd5

SHA256
5f96c0f94b6e97b2d2a9f43365790dfc6ed361f4f85cf734793b72b67e04437d

SHA512
8efa84f9d9a9ad39fb47cce11902d96cbcc5cfff67ff130d9cf226c602bf31aacb83a6adb50aee2b2537b9cfdd44c5c92b7e9a71f21859e2600032af1016ab9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fe13facb519c926baa24a6cb6fab6b50

SHA1
6444ae7c3defb5243bc873a30d28a8d435b8ff2f

SHA256
8a4fec2a84f4dc7f36b92494b7c9d25ffd93d319fb30c176c8a3aa964cda82d5

SHA512
0bcd980351994ae06787fea0863738f0b728644bbeea5651be66d92ac633e11f59369eb85d982a4f1ed638b347bdbfc3dda0c5c3f1bce69460fb3bf7c5b54090

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 342867.crdownload

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 433073.crdownload

Filesize
50KB

MD5
47abd68080eee0ea1b95ae31968a3069

SHA1
ffbdf4b2224b92bd78779a7c5ac366ccb007c14d

SHA256
b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec

SHA512
c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 604626.crdownload

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 691347.crdownload

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
memory/1760-999-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2880-1073-0x00000000006D0000-0x000000000073E000-memory.dmp

Filesize
440KB

Download
memory/2880-1074-0x00000000056F0000-0x0000000005C96000-memory.dmp

Filesize
5.6MB

Download
memory/2880-1075-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/2880-1076-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download