stormkitty | hxxps://roblox[.]com

Analysis

max time kernel
684s
max time network
681s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://roblox.com

Score

10^/10

stormkitty defense_evasion discovery execution persistence spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/4776-693-0x00000000073B0000-0x00000000073DA000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2716	attrib.exe
1792	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	$77C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	$77C.exe

Executes dropped EXE 2 IoCs

pid	Process
4776	$77C.exe
4384	$77C.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Z\\$77C.exe\""	TEST.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
184	powershell.exe
2940	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 49 IoCs

pid	Process
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4384	$77C.exe
4384	$77C.exe
4384	$77C.exe
4384	$77C.exe
4384	$77C.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
1432	timeout.exe
1940	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4244	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1836	msedge.exe
1836	msedge.exe
4952	msedge.exe
4952	msedge.exe
3076	identity_helper.exe
3076	identity_helper.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3640	msedge.exe
3640	msedge.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
3044	TEST.exe
184	powershell.exe
184	powershell.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe
4776	$77C.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4776	$77C.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	TEST.exe
Token: SeDebugPrivilege	4776	$77C.exe
Token: SeDebugPrivilege	184	powershell.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	4384	$77C.exe
Token: SeDebugPrivilege	2940	powershell.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 4792	4952	msedge.exe	84
PID 4952 wrote to memory of 4792	4952	msedge.exe	84
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 956	4952	msedge.exe	85
PID 4952 wrote to memory of 1836	4952	msedge.exe	86
PID 4952 wrote to memory of 1836	4952	msedge.exe	86
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87
PID 4952 wrote to memory of 1316	4952	msedge.exe	87

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1792	attrib.exe
2716	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://roblox.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffa65ca46f8,0x7ffa65ca4708,0x7ffa65ca4718
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4912 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6924 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,16324731610533007090,15610672949806482660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\Temp1_01-02-2025_4oZvBdmubMXotrY.zip\TEST.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_01-02-2025_4oZvBdmubMXotrY.zip\TEST.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Z"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2716
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Z\$77C.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C8F.tmp.bat""
  2⤵
  PID:4488
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1432
- - C:\Users\Admin\AppData\Roaming\Z\$77C.exe
    "C:\Users\Admin\AppData\Roaming\Z\$77C.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp46FF.tmp.bat" "
      4⤵
      PID:1928
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /PID "4776" /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1940
    - - C:\Users\Admin\AppData\Roaming\Z\$77C.exe
        
        "C:\Users\Admin\AppData\Roaming\Z\$77C.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\$77.txt
1⤵
PID:1592

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
62e6ffe7501e581c80b178323e921b81

SHA1
d0881a3d0aee1c256291d34a90e3092fffa60ce2

SHA256
a4f50a6b36e27013a694382c996a1d3059d38310a138f21aa25cc682be5cb0e5

SHA512
0c4e34fc9a7c5308b1cd05ea71d78c75a9fb85267d7f3e5616dbc1390794941eb549bcc70f7430046ca79cc0055edf0bd51b8eb43f84ee42163dd34d612ba137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
65a84cd7925378cc74972cc4e677ecef

SHA1
30b4da4c5dbd0cc77d756d270ad260ef74987ccf

SHA256
7be0a4cebd74cb4d879e3f9950f5ac5a05acc3bdc415bbf9d3dd691cccee2cb5

SHA512
ef142224cc0b94a1c5585836988a0d544e7e8b5e8573a1893c9fac528a1ccbbab6c9c7acaad7cfec1a415544bbdcdfd1d0c5e0a0819cb94107fd81989df18704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
52KB

MD5
4069a46467647b6ff32701f49d2e17bf

SHA1
dad3313fd7d3e52102ca9321228f77c53cf670d2

SHA256
e9d43321d270b231b629c2f4fa7d6e7ff9e4ade6870e3ca1f20334e797070a57

SHA512
dcf1c7aea751635ad353c97950065ceb097bab707a238693effefe6c74a8db102e539764e5d2ee180c63db02eaaaeebdd8ce59019adf4ddae3c50bc8ce17ed98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
104KB

MD5
daac589aee7b5746201d359be2bf3e1b

SHA1
c14126efa46dba86df631bb3615b6aa9c86160c7

SHA256
16f456b6895898c8204910fe8e0dc702c5586c76f171e022da9a20b63173d181

SHA512
8490ee2ef1696f4321c991807fef2dc91fe487d4786ad0bad33b238e447cce45de572b08e5288a1b5f3882bf769d9ab0e262dafa77ea5f56f8d9207bc5084ccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
42KB

MD5
def455c743bf7aa48b2f6a1aaeab36db

SHA1
b9f5549b1f61bcc7f477973bece15870cdeddb83

SHA256
f0b38922fdf9c0ac73f78bf071a639d8c1cf7e81789a4545b00f2010cdd33197

SHA512
a8b0adc7bc90a3131c102e3dd9d96a05f3acc713493393036697bf0d75baaa5d36b089a7f32d9ae8a9ca3a6d10df706263670598877c4b79c86cb6c197a53337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
142KB

MD5
46c491dbe27cd33c214c5ca98c71d663

SHA1
771bf9a663efc2c739112153d6f886c839a614d5

SHA256
dd9a9db4f0888479f8728ab54cff191c7d74110b93fa9776762002cd7d3f14b8

SHA512
64f9ab32ca433491dd0361ba770c74be6e60fba6da21663f7d217be1c50b7508dc36ab5a157a8da99640fb967c700c06b153f469420ae5846b98ef1e065f3f5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
20KB

MD5
9b26dbb4f2d9cfd75f214ade72f14bdf

SHA1
502fbd85fb8dd0bff689d93a285adbc3ebe01ecc

SHA256
40ea02a6a6fe75d802200c23c355a036f25f206e0d4c0103e33dfbd46f9a255a

SHA512
7df569979ec28ce731328459dc5aabc0527e4182f44f4b25eb91a4c31addf9eb09166e5e8bf985a00b3b8527ad8fbfd86466b398eae1bc8918f7959f6614be81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a690c0112d907f3a94e8bc0a33c74135

SHA1
224d3bc7ed46eb605da22d4a55f24e17228e8707

SHA256
cc55c57a4f8c2ec2cb0852b787f6a40ca9f21055426b877903910396b857f91b

SHA512
78db77599ecea4b6536219079fd39aae70d5706ff6077709168d8c2336fa22704d33566f3afe2886c517f6e375787330baa500582ab888ef7912e241770e3709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
115a5dd6e98d1043dd9cf8925de99900

SHA1
f29916b5a2623c3ec46d04c20fe2315171db17ca

SHA256
63d1c81cd2414e8b41288e470f122dd979508f0f35f9ed56885c66083cca935a

SHA512
a5577ffa0f582a223a7cbad1e7ac894a86459695aefc6e64d4dfe56bbe29687d2c947964c5b842e1de0f47507b483d76fae68d775a2f4714506d5f0ac3dee739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fb56a8ce8c40ae5dc73bf803c9de2459

SHA1
e0c3d8c60fab3ee6c620d43b44d98d8762681f23

SHA256
76b3b9154b413960598311681ebdc297d9349d057da188eae22046c651468acc

SHA512
f9d0bd5d5806f99bc6cdef7d38a9e6d092954a35f30bcf5a9b55543b807132fdfe6a189b6c49f46d24c6d0570db2009c7bbd07149e1301f368373362cc34bbed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
9802146ae073fd6c60d8b350d588adf0

SHA1
55cd2b09c1db905297600430644a0127cb06b9b2

SHA256
9e83f8f350571d3f917db37a52ac62b119ad4b1127f7d63a4a08aa354c029259

SHA512
3ac4f8432b904bbe361041a6d1060f46c6ff269e603452c847bc548d605e01251c8477d497f2a4fca2faedad69e90bde08ec1b55b12ab1e50158950d0dfb0d20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
06e76692e3bbd8d632dd602619a2ec6d

SHA1
42f1d2be28d2bab78e2699babfa65534bcb3a189

SHA256
57ffa1f6d4da11028ba0e54523d7a9a14b5af9016f8cf2ea03de2f9090d844cd

SHA512
d21d45606401224cfbc00f64b988fc18dc9a697a11f8d14c96a103810d91c6e923c75ca38fb4d763e734b4a334376f70a238dc2cb9d2ea45d6ebbfc3c0205f2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
41d0ecf20565b8803a24c47d96b466ff

SHA1
162d104581d9cca0046062763beb4d42e4d233fa

SHA256
94cb066f2a52f63618c062cb01d1f73762a982a1f80346ce49edaaa638c5d8c0

SHA512
073f4a5330f8641dafbda9a522b2284cbc7618fe081deae169b8a88ea66aed5dca5c9bb1638cc2bf4fae12c31a212647670b83e5fccc127d3653e33dcdea3d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f45ebdbb15abc40a4a79a4cb4a033240

SHA1
f4c99b29b10f54a1efa2fbc32737ff156ee0090a

SHA256
88961561cece5e8b470853d9e494466c068a8cbd34d64f61e86fd4e8c2047dc5

SHA512
1bc7ef7a36fc949806ec253ad7d1a44c59682801e565e5984eaa40593a2f7abaadb182dd70151812c6a6998151409b6c353de4957d87a2128f7cf75aed2024e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b52aef31800ea1c3d250d0d2d2bea409

SHA1
601454b06d5e9368fd89f345649636b634a5a01b

SHA256
99f0f2ab82bb3a45d0b0b620f8b3089a862be537091c0b20ceedcbd460c19fb1

SHA512
c5987a558dbd0b9a555393be15c896efcdbbe182abd2c8f25c68f8a82b32507e408d1ef11a5c09b8019e855bea6d2a5104bdf9881db322873ff165c920b21372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
40a7decb1394802242eb7a6938fa5978

SHA1
551978ab6656b536e46435270392098696eae890

SHA256
3d5288b4e0392b029eb85d328596e4ac4bf20bdf8c1dedf7583715eecd928647

SHA512
9980347ac510df05ec0c7c17bef42438483373673c972e3c0cf545953642dd56c4f51e2046320af6f8b7153cc0690767b19b4ca3ff7a95df84d904dc8142c3a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d3bf6de7e683de6c1bf578e2f2c8610f

SHA1
6ad92c60add6ea86e4e625205173052e6a930795

SHA256
0597232f10e9901f1ea1f23f4ad12dab0011fd31cd09774733df4e1a7914df88

SHA512
e6a49bcdde8a8f1c69762cd0c863376abdfd14ebaafb31cadc11c26ad55266e7c79f2058b2452d5cf9ef09fd0551b9ad466adb06ad809c13767cda5d41bb7273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
62cf970d7f8684be84e8b744a9ac93c3

SHA1
9850f5abaf9e69ac3c6fd294efd37b34aa473c60

SHA256
5450251f121ef3138dfe825708b23ab60e975cc3c6b55c51a74b275d8b1343ee

SHA512
fa075ce547ab17b9e655da2aa7c5ab8d8451c42d062a3be8d6e8b499d2871ac45c967ee7b23248c1aac34c4e3cd789d3951039b1330efbe1d988a3782ee62e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
60a5a21fb7cec0e0cc0c689fea9ec608

SHA1
b666101b6da43e249e7a47704135aa0d71cd7b97

SHA256
1275a1d5e31f7eceeff1e5b6a7f91846086094f177d2510dba0f9dc9c0c3543d

SHA512
bb5d4d93d34b3248c59982910ec1d651dc5f6be6489fee9bd4973557756ada274d1eb32e7ffdeb0956836ef02761ca3a552f7ea3bd46ae7de526be21bf6ba418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
53179ab9c64e1cb0a68419a96febd5c9

SHA1
851e02e33183f0c035d6cfe249a76a87ae526faa

SHA256
59062eedab399b1523454d67310d182954d1a2a472bf38dd84b5e08568665298

SHA512
f902b785b0c0f5ae8cd440983b603b5ed72d9de25c4b93ca04a0b7b6109048980aefd46430e172b8007bdc774414c23a452d8c3126305e42e4d43f9709c21b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3d91ec7098ee3d725ab02e5cc766bc41

SHA1
3e5b09b793b3da9d8595421c3959679afdcb0bfb

SHA256
8e1c07b5948aa5487195b26339303d9210b171fb92f930aad3c88043e09a8d95

SHA512
c1a3407c942c85c6d6de5d6312d2009bcc2d6b4bfdffcbf8c3ff45d1ca7191ade0a956128adec5fbd8a5ea05f5da22bb61579b1f27bfd3e2d5746743424e8de1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58532c.TMP

Filesize
2KB

MD5
e9e1461fb4017ec5b741cd63facf8b80

SHA1
3cab939961ce613eb6e8da15ad1f880441db8b8f

SHA256
500179246c45b91eb377ba5ea51875643c4b1962a2740a15b600023d6af16ebd

SHA512
2019a539c2e6887cc89cc15bd266e0eebe0f461bbde3cd1cea23400af3afe7338da87299616ef7f9ea61e469862000a71b6e484078f1ed2ce0fb142cae64676a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
53732fa00db2942a0dcde08fa552d5f6

SHA1
e668bf48c355cf69d06cfa83e163df219a3f7153

SHA256
da1a76621e9c474516f432acc10a261acdb02eb823f9a610496f767e2e805540

SHA512
3924749f60d3d61e96c79835283f46465db9febaf42519aedc7200d3e2c3d6133ab453966fc8b9c93bd0d891286d6f246c0ebd052e9c29460c5e44bfb085d415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4af1de0747bc654bdd5359bd9af3a0dd

SHA1
a0662879f7004742acaf03123ca3784f23f06c92

SHA256
b9f2dfcde4bf2cd709dc6327a5e075ed9f98558dcc313ad4a7f66303763d6357

SHA512
bd9878a3f0148647fc42e2457897858b7902ec93ad45a832a4d08f52ef1dc80ecbea07702c175d69840320df4b6c7a4ba4cf7b94c0e73220ee2bdbbd59703105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c36009ee805bbe1fe0c58f86b106958b

SHA1
37f1c11bb9382ca4572a1d22967f4163320d58f8

SHA256
044954297b96131ceb90000f03831ac8649d601c2cd2df45a05509868e61d5d8

SHA512
4e82ac2697be69bf2b8b13691e638c4850103730c08885c4a4bdf251b9a4047440b5d16bb5a01c2046d262e76bfbbd5181e1e188c67c4b78d88ee1020af2540b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c349dc3cac60e6b8b985bd8c551f25d4

SHA1
c14a7c431345f2de62aad14b4d0c62e43a0168ce

SHA256
41499093f473ed1470380a13755a8e5a340ed8580eefcba33cd97e5d8b9d96aa

SHA512
d1541349739611b599c12df3af3043ace921addfbbc5987b305f7d83d3a8896ded7e2a31e347338ae2cdb6493c3462327950e628cbede1f141d34435b84d2441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nv0ip2cm.k0o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp46FF.tmp.bat

Filesize
175B

MD5
70c91e81d4e905d5fe0fdb10c4a8ae98

SHA1
a479cfe8abd3b5d2a8d264c12a7f29d812fae555

SHA256
9465ef1e7f73590a57fa13be9ef7669e56dd3ae031204fbe3646aaa30a02b113

SHA512
6785fdaf3e20bccced8eebf8e7b36f3359444fa8989722a4c9962dca440cc3779282e02311ed1dcb97566a6a0d2c30dad6100655e207dab499967f6a5ac8ad62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C8F.tmp.bat

Filesize
150B

MD5
2b176c709225a9f2a818dc2c9a0c3612

SHA1
d5e1cb4457c83c310b3a04591a636c02a4a5e65f

SHA256
cdab1358e74b5b95bc33d9ef9351eb4350b2d0a51655df3c0aa4694ab3ec3b3a

SHA512
3edae4e0c62dd4babcd2d186b3dd92ee4ef70643cd55e48df3881613c2cf8891b4b8ab058b76d4151660a9e2dcf4003db2f0f026d25e951319795499e61fc0ca

Download Submit
C:\Users\Admin\AppData\Roaming\Z\$77C.exe

Filesize
1.9MB

MD5
a8ea98a6b6e0897fad1a9aa22b3f39ef

SHA1
f4cea1629c0bcf7113e5bf1431b814c37ed86e35

SHA256
c9fc8348332260c5f29035b08aa634d8eb9eded1726eda537bbaf3d9f95cdf92

SHA512
6f711057c7b0b87625180d0c2a9b3d955eca4d90506a360c5b3e9de9ce4dea19f1031c0450e5b5d13957a11f51d10d228093b971e76ce6fb83923094f8522ca7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 555275.crdownload

Filesize
1.8MB

MD5
430eb697d8afcdfd507974ef22c6e51c

SHA1
33b5767910eb08b6b889cf4bb61d9ec16bbd7ae0

SHA256
89335b973304588c18886bbfca6089cb28d8903858b07ef7d7252f534e430486

SHA512
70c28e34f208bd686add50f026cb76de6c080eb223b6f72aa4bf19d02136378910338ae9ce42014cc5b92c649c98e6b2f969097651b03a68ea4f39429b6cfcd0

Download Submit
memory/184-634-0x00000238660B0000-0x00000238660D2000-memory.dmp

Filesize
136KB

Download
memory/3044-567-0x00007FF762330000-0x00007FF762A6C000-memory.dmp

Filesize
7.2MB

Download
memory/3044-601-0x00007FF762330000-0x00007FF762A6C000-memory.dmp

Filesize
7.2MB

Download
memory/3044-566-0x00007FF762330000-0x00007FF762A6C000-memory.dmp

Filesize
7.2MB

Download
memory/3044-568-0x00007FF762330000-0x00007FF762A6C000-memory.dmp

Filesize
7.2MB

Download
memory/3044-569-0x00007FF762330000-0x00007FF762A6C000-memory.dmp

Filesize
7.2MB

Download
memory/3044-589-0x00007FF762330000-0x00007FF762A6C000-memory.dmp

Filesize
7.2MB

Download
memory/3044-607-0x00007FF762330000-0x00007FF762A6C000-memory.dmp

Filesize
7.2MB

Download
memory/4384-748-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4384-734-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4384-735-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4384-753-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4384-749-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4384-751-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4384-750-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-665-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-667-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-668-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-669-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-670-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/4776-671-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-672-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-673-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-674-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-675-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/4776-677-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-678-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-679-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-680-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-681-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-682-0x0000000007130000-0x0000000007186000-memory.dmp

Filesize
344KB

Download
memory/4776-683-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-666-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-693-0x00000000073B0000-0x00000000073DA000-memory.dmp

Filesize
168KB

Download
memory/4776-694-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-646-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-710-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-711-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-712-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-713-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-714-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-715-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-716-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-717-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-719-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-720-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-721-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-722-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-723-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-724-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-725-0x0000000007420000-0x0000000007440000-memory.dmp

Filesize
128KB

Download
memory/4776-726-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-727-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-642-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-732-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-641-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-640-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-639-0x0000000023B50000-0x0000000023BA6000-memory.dmp

Filesize
344KB

Download
memory/4776-638-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-637-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-615-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-614-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-610-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download
memory/4776-609-0x00007FF7571C0000-0x00007FF7578FC000-memory.dmp

Filesize
7.2MB

Download