xworm | 0cea3395a719813d0a1bab5a21ded480f70b6da0cff2b8ff632a0d42bee303fe

Resubmissions

02/03/2025, 00:54

250302-a89g2aysgz 10

02/03/2025, 00:53

250302-a8sjhsysfz 10

Analysis

max time kernel
456s
max time network
459s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
02/03/2025, 00:54

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

X64v1.4.exe
Size

76KB
MD5

1a6ce13e6ca5801d773725074d8127a6
SHA1

abc2d87c256950524ea6bc06466b7ad63dec042f
SHA256

0cea3395a719813d0a1bab5a21ded480f70b6da0cff2b8ff632a0d42bee303fe
SHA512

461708a2a62701c4af06d54e0c86fa5380c12a464a1e208c539f7835f4c5b0f3d4064377674759e0f9b237971b9414f9c39acf9da455aabacdb8ca2ea1018d10
SSDEEP

1536:F01NQngfiQr1jx9/9EBeJKYamex+3tDUUGcDl3nIAd7CK8byIMn:y1KgF/9+FYajk3tDUUGCBIa7CK8by1

Score

10^/10

xworm defense_evasion discovery execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

80.76.49.15:1111

Attributes

Install_directory
%AppData%
install_file
Xclient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0004000000025ab8-6.dat	family_xworm
behavioral1/memory/5100-15-0x0000000000E00000-0x0000000000E16000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\launch.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4952	powershell.exe
5036	powershell.exe
3004	powershell.exe
2828	powershell.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
145	4332	msedge.exe
206	4332	msedge.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1848	attrib.exe
4544	attrib.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xclient.lnk	x64 Loader1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xclient.lnk	x64 Loader1.exe

Executes dropped EXE 6 IoCs

pid	Process
5100	x64 Loader1.exe
4920	noescapedemo2.exe
2760	Setup.exe
2976	_INS5576._MP
5036	_ISDEL.EXE
224	No Escape.exe

Loads dropped DLL 6 IoCs

pid	Process
2760	Setup.exe
2976	_INS5576._MP
2976	_INS5576._MP
2976	_INS5576._MP
2976	_INS5576._MP
2976	_INS5576._MP

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
104	raw.githubusercontent.com
206	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Control Panel\Desktop\wallpaper = "C:\\hello.jpg"	reg.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\mover.exe	No Escape.exe
File created	C:\Program Files (x86)\mypc.exe	No Escape.exe
File created	C:\Program Files (x86)\date.txt	No Escape.exe
File opened for modification	C:\Program Files (x86)\	No Escape.exe
File created	C:\Program Files (x86)\hello.bat	No Escape.exe
File created	C:\Program Files (x86)\hello.jpg	No Escape.exe
File created	C:\Program Files (x86)\hello.reg	No Escape.exe
File created	C:\Program Files (x86)\launch.exe	No Escape.exe
File created	C:\Program Files (x86)\msg.exe	No Escape.exe
File created	C:\Program Files (x86)\shaking.exe	No Escape.exe
File created	C:\Program Files (x86)\	No Escape.exe
File created	C:\Program Files (x86)\erode.exe	No Escape.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_delis32.ini	Setup.exe
File created	C:\Windows\_INS33IS._MP	_ISDEL.EXE
File opened for modification	C:\Windows\IsUninst.exe	_INS5576._MP
File opened for modification	C:\Windows\_delis32.ini	_ISDEL.EXE
File opened for modification	C:\Windows\_iserr31.ini	Setup.exe
File created	C:\Windows\_isenv31.ini	Setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\noescapedemo2.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\No Escape.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noescapedemo2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_INS5576._MP
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_ISDEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	No Escape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "6"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	X64v1.4.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3696	reg.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 804021.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\noescapedemo2.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\No Escape.exe:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3380	NOTEPAD.EXE

Runs .reg file with regedit 1 IoCs

pid	Process
4976	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
5036	powershell.exe
5036	powershell.exe
3004	powershell.exe
3004	powershell.exe
2828	powershell.exe
2828	powershell.exe
4952	powershell.exe
4952	powershell.exe
4332	msedge.exe
4332	msedge.exe
488	msedge.exe
488	msedge.exe
992	msedge.exe
992	msedge.exe
3712	identity_helper.exe
3712	identity_helper.exe
4392	msedge.exe
4392	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
908	msedge.exe
908	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs

pid	Process
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	x64 Loader1.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	5100	x64 Loader1.exe
Token: SeShutdownPrivilege	4852	shutdown.exe
Token: SeRemoteShutdownPrivilege	4852	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2976	_INS5576._MP
224	No Escape.exe
2292	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 5100	4992	X64v1.4.exe	79
PID 4992 wrote to memory of 5100	4992	X64v1.4.exe	79
PID 4992 wrote to memory of 3380	4992	X64v1.4.exe	80
PID 4992 wrote to memory of 3380	4992	X64v1.4.exe	80
PID 5100 wrote to memory of 5036	5100	x64 Loader1.exe	82
PID 5100 wrote to memory of 5036	5100	x64 Loader1.exe	82
PID 5100 wrote to memory of 3004	5100	x64 Loader1.exe	84
PID 5100 wrote to memory of 3004	5100	x64 Loader1.exe	84
PID 5100 wrote to memory of 2828	5100	x64 Loader1.exe	87
PID 5100 wrote to memory of 2828	5100	x64 Loader1.exe	87
PID 5100 wrote to memory of 4952	5100	x64 Loader1.exe	89
PID 5100 wrote to memory of 4952	5100	x64 Loader1.exe	89
PID 488 wrote to memory of 4524	488	msedge.exe	97
PID 488 wrote to memory of 4524	488	msedge.exe	97
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 1188	488	msedge.exe	98
PID 488 wrote to memory of 4332	488	msedge.exe	99
PID 488 wrote to memory of 4332	488	msedge.exe	99
PID 488 wrote to memory of 4820	488	msedge.exe	100
PID 488 wrote to memory of 4820	488	msedge.exe	100
PID 488 wrote to memory of 4820	488	msedge.exe	100
PID 488 wrote to memory of 4820	488	msedge.exe	100
PID 488 wrote to memory of 4820	488	msedge.exe	100
PID 488 wrote to memory of 4820	488	msedge.exe	100
PID 488 wrote to memory of 4820	488	msedge.exe	100
PID 488 wrote to memory of 4820	488	msedge.exe	100

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4544	attrib.exe
1848	attrib.exe

C:\Users\Admin\AppData\Local\Temp\X64v1.4.exe
"C:\Users\Admin\AppData\Local\Temp\X64v1.4.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Roaming\x64 Loader1.exe
  "C:\Users\Admin\AppData\Roaming\x64 Loader1.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x64 Loader1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x64 Loader1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Xclient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xclient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4952
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\thankyou.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffeee73cb8,0x7fffeee73cc8,0x7fffeee73cd8
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1276 /prefetch:1
  2⤵
  PID:276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=216 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7204 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7116 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3644 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1940
- C:\Users\Admin\Downloads\noescapedemo2.exe
  "C:\Users\Admin\Downloads\noescapedemo2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\Setup.exe" /SMS
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
      C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\_ISDEL.EXE
      C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\_ISDEL.EXE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7684 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1832,15358071780570817406,12559549406243753178,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7824 /prefetch:8
  2⤵
  PID:2324
- C:\Users\Admin\Downloads\No Escape.exe
  "C:\Users\Admin\Downloads\No Escape.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:224
- - C:\Windows\system32\wscript.exe
    "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\E419.tmp\E41A.tmp\E41B.vbs //Nologo
    3⤵
    PID:5036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\hello.bat" "
      4⤵
      PID:1196
    - - C:\Windows\system32\attrib.exe
        
        attrib +s +h C:\msg.exe
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4544
    - - C:\Windows\system32\attrib.exe
        
        attrib +s +h C:\launch.exe
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1848
    - - C:\Windows\regedit.exe
        
        regedit /s hello.reg
        5⤵
        Runs .reg file with regedit
        
        PID:4976
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v DisableLogonBackgroundImage /t REG_DWORD /d 1
        5⤵
        
        PID:916
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\Windows\system32\userinit.exe,C:\launch.exe /f
        5⤵
        Modifies WinLogon for persistence
        
        PID:792
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\hello.jpg /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1124
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
        5⤵
        
        PID:1376
    - - C:\Windows\system32\reg.exe
        
        reg ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        
        PID:2328
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2
        5⤵
        
        PID:4700
    - - C:\Windows\system32\reg.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        5⤵
        Disables RegEdit via registry modification
        Modifies registry key
        
        PID:3696
    - - C:\Windows\system32\net.exe
        
        net user Admin death
        5⤵
        
        PID:2124
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin death
        6⤵
        
        PID:4856
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /t 0 /r
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5032

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x0000000000000474
1⤵
PID:4056

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f2055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e826770e88318fe8f2db3f380cc22916

SHA1
d4ebc1b80456022971bcbe046fbc95b821592eca

SHA256
39b58b21a085a32ab8c05a900f7865051b785bc0cf2b499a1cc8e26adc34165a

SHA512
c8f2f24e216db852c957bea9d5d3961b15d7274b02e72534ae496bbae0149c682155a6a24a0b74bdbda62374050e71e897d8010aeefd4c13d1290327b30708b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aceef780c08301cd5b23ae05d0987aca

SHA1
d7dacb2528c70e3340a836da7666fcffd6f2a17b

SHA256
257d92d753dd7de9a01fb0c77c63f8c3ed01ea6d7c14d8c5e1fb2db50e0077aa

SHA512
95943d8b8db3450627559344429cb82c09fa2a61b35721f400a26378bafdb1d3243d52c7eecd3c2c355373de7f48d0bf290987e7064d80b9fa689f17475ae729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
48KB

MD5
df1d27ed34798e62c1b48fb4d5aa4904

SHA1
2e1052b9d649a404cbf8152c47b85c6bc5edc0c9

SHA256
c344508bd16c376f827cf568ef936ad2517174d72bf7154f8b781a621250cc86

SHA512
411311be9bfdf7a890adc15fe89e6f363bc083a186bb9bcb02be13afb60df7ebb545d484c597b5eecdbfb2f86cd246c21678209aa61be3631f983c60e5d5ca94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
cc63ec5f8962041727f3a20d6a278329

SHA1
6cbeee84f8f648f6c2484e8934b189ba76eaeb81

SHA256
89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1

SHA512
107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
26KB

MD5
e355eeae241a7810b41135ebfa4c8fb0

SHA1
42c33a01c7d4927cdea1ace1fd3784a5fccdf56b

SHA256
31ff0740ab9252be56eb754108ff51b3544f72c5bdda4e2c838816cbeb928ceb

SHA512
e93bdc57c6c6ff8fba683140f5b0ebb5093247506c04a3320e5144dc9d4641bfae773dad7cb81d1add2fc54e9572ae61bdd6af1e12ccd59d330b2ddbe2637a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
79KB

MD5
f22fc5850a05b8c3f3ea1d2e07ee52d4

SHA1
1ab1d80e508cdf5214763eaefdad3adf073ab807

SHA256
d032e15310379a5158a61aff62c4fc612b9ff1f58138b53c9a9f7ae458ca4ce5

SHA512
2716ec34bc9c42908b69db863f7e81321d7edcb839adb4f46635bef75166c6bdf639df8c241b34508e822020b520e6ee100fc7c4acf6e031d200b06b97a5cb03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
99KB

MD5
c27538be17a3e088b0d31dd70192248a

SHA1
57c0315831fc5741fdc79b34cd44ba602aec2463

SHA256
8c8ecd6ddde9ea09aed7ffbfb270367c8ced582415549927ad7fccf1a2aac5fc

SHA512
25534120e77ede892f9aeff71c9350b5e7b7a5160c35b773164b6fcc7f217206b5244b8c079b9123570e5210797608f6cb6ef94ad10b489a5465ebed1ebe57bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
33KB

MD5
a9c696a7b95734f61d97169e0dd54525

SHA1
a5b2ffd69a8de1985db24c61b5b08befe4014a7a

SHA256
20ef088bc923dcc16e6a697752b690ca29433fc3c37312f5be4288b5c67ac175

SHA512
7a63a6c58c4d12d48c7036ad0d1424a8744661e077eca277668c8243deec92d8bfba9b49bcdf24c404f305ddf790c1eb2926204c8752d3d94de06b6def86b174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
33KB

MD5
75abac4814151513cebf5f7c6a164d88

SHA1
54b556f8c1e91ec40c058aa2380128fba2ac4760

SHA256
79758f7448be2569043bdd6b708e00a3df113587032e7beb9e5ee0dd53db6a45

SHA512
9081992ac24bd7e2e02fe3d0b0cef87b32ce6ab0fdb57650bcf7663f7dc00646351c1f592bed7680618e65bf856ff956ace24e9ef048506b18811c471cf8f9ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
84KB

MD5
e8d5ee51b2a83e49ba6446b104d798e7

SHA1
3c99d23b61fd34099a0094126ad873fbc24e0a45

SHA256
d4e77c0e68ef71239905cbbbe54cdc05be3d32f7d0a535ded377324b0d744ab6

SHA512
dc5e4fb86edba4c96d9fe0d7c6c21128c433541db80d996f4f6c9ccb1a58b8a0ed333c8ce8fed48fa4802cf5cd43dee3ec0c8d0284c98c627f7ba428138edd84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
50KB

MD5
76d8283eaff6897b58478e01b7c2d06d

SHA1
7d8da92642a873fdd2481f72336e5d87147c7833

SHA256
b9f3e9c0a16d7caa894e52387af549e3eb6ca10e096d9e3eb1d9a55602b924ac

SHA512
21f2615a00c6a4ded4268cbd520e7e1acff76ae428ed6dc43c5db5b3f7ebf58777d5d993915029d338ba2c8e193ad260810fb28125d1c87a9d64a1fb6b682086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
168KB

MD5
7c1735900f3035058755673c4db400a6

SHA1
a19415f05e85b680537dc30024bc9e3cfed514eb

SHA256
9c0126533d34f544c84cfd16ea539f00c20a0bf44fd93989959959e9ecd019a4

SHA512
698659be944a141002ad9b3655e713f7c441542f542a50357fc7a619a6551b690f73c4a7753bd37e5d1cee8fe7326b0c3075ad28936106c26b331745bf343f1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
159KB

MD5
3b473f43245dd3a3badc954563660c0c

SHA1
0755d6ed62fdeda24c4e307c1c0c78426bfa417b

SHA256
c3f44f71236b3a1fb641da460b13fb4c4427e34b91a734d26bac2a5890fed456

SHA512
989f3cc29b674da5ad581e65d1b9fb34bbff59825abb9cd401da350cc29d9a80e33076e82f0e7e6d9d775466a87409862a2f77be081e73742fe119be333a4a69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
28KB

MD5
a57e3079bf6ccd33b5ce85acb0183ba6

SHA1
d6dd04202e4114a9bda06d556b6829746461e504

SHA256
56ee37f733f4f693ace0e0cacf2e6728efdc5f4cd0bd11bdb5123e09e35bf03a

SHA512
86edd30a4610b1972bed1ec55bde5d7beb34cf4b7d780aefe7cb1b43783ce8ef12605281c9c7ff1d8e8edfc2901ffe589346a0a248c9c13f472c8928b9e6fa49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
22KB

MD5
50c62543d13a9708e344f1d473646900

SHA1
35c28c50be3113cd1c1abf994da1fd33b2a14e6e

SHA256
9add964aff34b0525535cd326bc85261c9f97837ad7cf5d131d9f8368f06ea4a

SHA512
52bbe9751b47ab733a99b6382be871261cc6a1425a8125fce9dd1fc2eddd69f41fb2569eb3e57da0b00e8346350258ef86ec076bde74c663e54d781fc9e5d013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
23KB

MD5
30c1e9c1d4cd51f5e40a1ea3611b1360

SHA1
f3fc5507d1df27946b8d6e93956ed5c53ef7ce13

SHA256
c598dbcfebc80493dd04dbde9d906182be7cdc02ac09064efa41a58b9c05a1f3

SHA512
772b7c1c5f9138876b037ad126616184fb8737f8f3f273bed015496f4a543784bf435b0de8bf5fd3ed501170af8855078c3cba0b06d8f06442c751a6f85ddc8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
21KB

MD5
e916752f8d8dbb7a105179b2ddf2ef67

SHA1
e05ea656700164e916d35f8b7a76fbc2d4220ea9

SHA256
94a56372af4e9e09743c9389a71f9acd19261399b2708b52deaca670414af19f

SHA512
5fee79273801699268abdac2a324c4387704df54b9eabbf3422e3c7a1207f9c4819d5935919b8c9b7a09ffe45466cfd6a4c4b5c759cd0e3a70d93e0c2019ebec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
77KB

MD5
1d4c2cbc9dcd5476f813c784e29c3e05

SHA1
56c63444fa1321e90ac007367a7fe39595eeb3fd

SHA256
133fde2e8f7c6ae4a64a3add837b9280517fffd29eac701f6407ce5e85ba87a8

SHA512
dea88573755ab40bea1bf8fb386845b258d1fa84e45e3fff391eb07830bf2d60afc52d51935dcbbd3ea61f7eab3dc0fe8b136568a1f1dfd4410f6e0b652a4dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
126KB

MD5
a3bf97c422a785ff33bd9dfda3403a04

SHA1
04ab89dd290aeecd0d5c7c1512dbb2c261976330

SHA256
d5952249c473b4620cea9b7c03a311e32022b84f872501f82db73210d26b0c40

SHA512
f82fab9ed42a7f40548fb1ae897f4ef78487c2f0d78cf40408c93d4b3fc47570ed3f42c1cbe36ec8c7fd559a9e06f1ac27b1ffddc72d0f11efce0e0f66a43979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
19KB

MD5
f403065146755efb9392651074f8a599

SHA1
fffa5a1d9fcea77702f1d5ae3cd8268cbd85daa1

SHA256
3a28ca2d8aeea1feba034c09e9a9dd1d51a257ad9d5cb91981e0072b844083eb

SHA512
d36513c423e2220934fb33e3c92e5b8ee19dfb00bc7b4dc22a28da4f09f19c4af2d42abb4773f2dd6b8c0a8e2efb8a844f5185e3aa5f11f401e01653fa7910b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
28KB

MD5
be6e3621512ebbf8ddbbc530de5b305f

SHA1
e449c1f30209c724e63c1361ad5f04c25b0a6847

SHA256
d6acdc50ecdcbbf65cc53e384d665fdd21b16f93dd016942b3beaf74802084c0

SHA512
fa563c3b780b4a82def7afb3f96b2b093848700bc337caacd813bd3dc09e9e297a7f0700c4ae5c6765a92043da2d0145e1341acfb36c0eb5dd29e2a14d15da8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
66KB

MD5
ca4f4e170ed0e43acbf5e5e51407f8d2

SHA1
b129f1725caf9f5e733e9f4897e4acf2da9884cc

SHA256
5e0cd9df546e1438280a2326f4508b2e20a290ccf18258cd7d5192213f19fda5

SHA512
58c8d4dd1cf792d9c64e529ad47c06d6e29762aa76e5624654f63bd7accd45efe54f78c9591dae9403ffeb77783ae7ead09a84798653ab79906905dfac46f2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
20KB

MD5
4e3d7597d9fe391ec85981482487e366

SHA1
af973d6c6839979865f5e07ea63bfc7e3d7cb9b7

SHA256
fcbed11971ea7eee8ea97b4d3e6b5a927e276c0e976359e6b5b44e255123a116

SHA512
0261100d00f91115ebc548e2145482c9cef57f3939dff61cfee6b25550c61c8dba2e50d43f1aece6203595b789437e62940157bcf9fa74e80fce6d782de02ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7fc8824c5797be09_0

Filesize
257B

MD5
36a4cf4ccb504b17e326eaf9c8c90e99

SHA1
f558c6606345840af63deb7caa2ddfaa5ae0449e

SHA256
fa5b23cc25a003e6f1b470da6ce1e89e93966e94a88c4e55aaef6a4deb247deb

SHA512
8ccf1aa8beacaafbde688afb23be4fa81109c9b3dff207f7998589bc7c18cf550984201a8ffb7eab655dc63ffbb607789a5a86390b9dc330d373ccb0f38cafe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c90f1d3db3c22a58_0

Filesize
246B

MD5
89485dc7e915d0e1944e7c289550e73c

SHA1
7b8fde36d5518f8a373c9f4b146472d3a9924eb0

SHA256
7bd2456104d5d321a8bec7896b632c0e9c8ca745069c2a2bb39b7fb4742ba2f7

SHA512
e81e2bc709068a3ca75208ec57a60f6f8b6a4186146f6dd16553b975632012e1d74d67306ac6ada0de8c7efca4b7cacc4443920ed55809f62c73f1353c672ea0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
5e62388df498da6963c56c6196ab94e5

SHA1
615e89e3203bb45d02d36371b4ff1c8cfc25e241

SHA256
0585101b84c8e70babd415b5532b03aa0795da9ea7b383afbe38c89549b23e23

SHA512
7384d1a3dc109fc08cf54bc62d4858ea580ba452fcf3d59594802e204bf18e459e9bec42ea63faf6fa1ab4aa190e0cea28982f9c28544b17292ec3cdccccdda8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f9cc4ab91901aebfa52ac5851ec43c15

SHA1
2fed510373330baa88b698de4f96f87d13e1cd3f

SHA256
01a938528b96c8b4a345ca4538f57f72eaaf0f4f540e3564db33a83fb8f9d4a2

SHA512
034b06123882f6cdebc9aa908b464de39c25e55eccfad7759cda4980b7e06a94dc4074daa523733d32c2d3d63383fd97b3b6717028267a7627c860119cd8a8e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d3831a3df4687acec5f78f17e0741a51

SHA1
3891dc77c9a57814b641ff77b90f14f627d2de4e

SHA256
0b763912499a5f65d5d21d3d910003dd5648b1b48ead2c55ba9b1971aec8ace9

SHA512
546376784a56c903a9a2233bc088c80ae5c18fe79b3c0a9344db0f0f911b2ad017028e996d2489ac5edf6494f83da404bc6002f3f1545833a2cb03e1021d62b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
21d5fe69d8d352d7073d71cc13014d5d

SHA1
3537193e5efa8e91760370177085ae842960cc98

SHA256
7cc7a7c330c6d260254e4e09b18b0bed0d71346fc2544c882f8b7f016ca1fd88

SHA512
31000c9c85f1a0c837af27a4ed86f83a9dcd5057b7d93879dbffabf9c7164d34a87fed8248fea8d4d22f65d8e55476c200b7a952336f46977d880b74cb3636a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
c272f9c8cd9c52fa803abc91ee1a23e2

SHA1
a0898d7c5f1e2ab133a50fcf00ea44da7ded2574

SHA256
df71149a7da9e7ef8bdca598db2d8b194ee98118e9619f202e83bbc43eb73c82

SHA512
65607c7abd07566d15bf464b3cec212d6a7179601ceddd61b85d1289cf884741dd9508775ce7350c524186fe1c04dd7c9b3d57eaa92d26e0969b1d3b19d45831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8056ecdbafb38e6aa1aafe22c9133016

SHA1
405c3dc3863dd5cebb2c53b5da33bed00852d661

SHA256
c6d2b58ecb7c1cd765cf3b0053b688100cb0c6993b68ae113139d4fa6d91af79

SHA512
cb9bc548513de96a517ab7a12404de0e5278a9f96579e9523397ec741ec8fe5ab608f727b7abcc8748169e5bfc6f5f8a6017bf2786fddf05d5006133c7be8b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
10b400a68c185e765d00ea89577cd3a3

SHA1
488753fd36cbb2c60338f00935c8e157a5200dea

SHA256
dca6e1cab4c6222869cbdb001c4a6d46af62a8c2f102a2aa6da17da279b8640f

SHA512
ee1d0d19e349dd934b6998786e68d6187439f8effabad85400bd575d0c30891f6de38a3ac0c9d4df604ad7f0b76662d31b76998c0a130d171157519c878025cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
66bbb914b7d2f83026e85429c929fb19

SHA1
6b1130e310ed496d574c8546fb12707f86f1ca2a

SHA256
2e333390c8b3fa749c26def5acd661c168ad15fe55a97e5155a8d4d382a9e334

SHA512
e148bf664ea1c407df3b13d9c481cc6ed4ad1de1d65b35f5d45d9aff0e9419bb428bdc064f0faa1430247c50b469a300a7444d72c6fc4868d234ba67e46d165b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
5c8d2c10b5a861d2b070265a3ddd5806

SHA1
cd919c90070d9db0cbcf363d367294dc4cbf0c17

SHA256
0cac54698353913201968583b2220c3d9a45a7051b6874beb3558c5c022baf8c

SHA512
7472ffc7646364554e267b2bacf5b6214f8b168dfc62f8f00e59c544e5541d4e8e217aa6da8b6659d11663793db9ae5a6473bb8f37eeac985e2b94864813cbab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
ad57ed5dd8b59643cba236f14c827a14

SHA1
19a9b28c8de6afbd9ec68b4df86dc62cf7cd8345

SHA256
32e75a2685ac1e8f6cab72e5a9fb1a216677a6aa866a09ac02b2b2362dd20755

SHA512
1d39821b600c06347cffb370e51593f1c3e51fcf17f30399bcae06a82c6c618eecb52576da87e47e9b0f34c0e2c52a0da3fd0214a9ee7e2196e336b99a626695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d89c0f6e99efaea0733855c584eba748

SHA1
372a1e7d06014afab6c8c259f77af35358bb5dc3

SHA256
38862c168fb79951d89a03940a2ca07bd9cae56e8f92b5395faaf4c498a47d52

SHA512
cd407ab099ea9765abed1a84f7929be3babea7ad1e9dd7fd56427ee43c4c77abfe7a572d8fe5ee3d76680d020dcd5e98f13e1f983cd3fff0f9a8db6465ab70f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
374358cff643ae17fa80d67fcaa44281

SHA1
5c6120f8771536ffdf3a5924a91dabed8a6ce2fc

SHA256
c7bb49d0140efc7052c0a9c069270204c1fafe4738e33aaaf7841d8f9c7484a6

SHA512
e90d01d4739f4de693cf479a66da05e5a98b102b3c2d193d589e29c2ae14869574b2b3e1e7ee0d5b51821b016e7246b86b35676c958ae824ef3bb81d39cbbab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b5218f40f58771d7c94c22d30e891382

SHA1
6f051d5b66f8927c16b71149d1a55858a603942e

SHA256
48826cfb61e83566256c045bce4408c9c76bb798b33df2c94a961c3088771ea0

SHA512
8f6a4f5e75cde2cc363a9bbe616e2f6873c8c6dcbbac97efed81325947b2a37056841fbb0c1d60c1f6a4937c39927a782672289d9eeb21ebf44424f0d6218bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
810494fc8f953c17a43a0fc8da77fa55

SHA1
74fffc4de8a2d078b220ac278f743bb67018de8d

SHA256
38ae23c426e0f85bd3d98bbe8ae8f1c5d8ea4277b3dde14479e0d5cc60cce69b

SHA512
8bf4bd3102f939858234a87eb6db2af35620fa8dabe2dd1e8550a14da7a4be6b338f8dbc5b6b9dc3500f57f69e8fda8d32d4308ca667c7ef2a6d259af827028b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
203de69a43d4b69e778431f60d39dd98

SHA1
5253e8f638d8b671f82eb38a96f26bb67001d8f5

SHA256
ea8ac0b37207b959b88cda99ff6a3e4b55fb0c0039070da8b7fb0ecb4caa5fcd

SHA512
23e1cae3c1ac789717471e8fbac6dbf4c8d37fbaecfdc45a70c9a7b7b204543babd7e59abce554bf64a7133f671b3351bdcbc13e7d30cbdf86cfce2c1b5cba60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c99af16f1cb7f6e6e2283daca9fae019

SHA1
415475656063d942823970fc747aa81dc13ed363

SHA256
68e05f49ebecc4610965984beb6515c8cd2ee29d5b5d777d3e512e272ce1113f

SHA512
cbb38d5d65eb0dbdc5f9a5099ccd141b63847fe70bdc180ed28b32e4b1076b5f38c436b455f5e8454c43d15139dc22c8fccddec8e9ef1ab8bc16e2692df7ed35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
01663af74abd04b0c8818b4268ddf0e2

SHA1
879761778765b7291697a1a36966aefafbc8fc3a

SHA256
ec69b5abca14c1bc46040cbd706e91b42e52a9c8bf0ed21abe98d879e32cc6f4

SHA512
ef937d5644d1b7f5c9d26a9aa648cd07cea68975e313db55634173e709a26742b5b427dd2e1e54d01d850a3494c9396cab6307ccd692516457fe9b5b68c1828f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bbe398b1b9bf8d4ad64bdbe0e0e59c50

SHA1
9ad098902fa39a93decfc4abbc8412d0a1442594

SHA256
5779faf4baa3bc42a6025c54d5ed364b82a325ab18ee5ab33a945b3a869ce58d

SHA512
9b22f99a549fdba6e45afad56bd70328135e286ecd4b2684f6ca12e9f112f78755f4f5ad425fe409dd94e69faf35099a87515c87c02ae242da58d387ad28cdf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8b92b2ac64c390c0c2ee588b7a946c19

SHA1
f0caf570c8420b72d88a2b326479d51fd9c0a20b

SHA256
6017cd3ac9f89a5f4c864c2936b53e25cb8877d4c709d8534c558175e7ba7775

SHA512
9013fbcd7bdb995a2176d2f0b3070f91da3c4b11eeb22fb07ef10b3f60d696ece0ac8d6a4d0df5ce6d7d54803f5625ae3f38f3a5557722747a1dcba070d05721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
36103c00c16a346e4e9e5bdb48f77575

SHA1
89815a8bdef12f595464ff9ae32c17f5199f2afb

SHA256
541b6747351d56818c42b1dce1a12db4519fc89867193e7eaf30bfe81fdad851

SHA512
32229544e41a92890274841da9f0c8951fe3654274581d0f5f696d6a8057151ca2c959bea69ee2bb528586b16c41928d13670a03d83b77c62b2c4e83fd2d358e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
82287dad140765f3830265dc5021100f

SHA1
e64edaefb03b1a7a0bb5af17a603c17448e5c3e2

SHA256
94d2ec62804eb8de0f5d252860f6cd6fd6d9f36cc215d1747fc6261be26085b9

SHA512
53213042a35da98e1d15a639a539d8d5a3e6c1487250712f32621a83f36b05d0c8b403c7a8b9c57f5915f390c7a7fbed854dd52fefbfcdccc4a3e300cb305a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2bc5684f62d6dac805a35b886344429b

SHA1
26d1deaa28cd597515b4b5e3199551ae47406479

SHA256
1750369491bb623955eeb3dd3e9cbac18fb3458f53f575d7ed59c9d9df9989b4

SHA512
6fe53f95016c5440c2e97e7556be4dccb3d4367d1a19aefb2579d055b52b652dacee52e8437143136a7ad10cbba7d41dce4ce42718b43cf229144d7b7fd208fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
34655335863faea4cc7ef7664b96829e

SHA1
dd42f682bfc0d44a69ee3181ec8a89fcc0586be8

SHA256
589441767c0dfa661efcc7a246ab2ce39fa1183c321119203c97986f7b3da46d

SHA512
da5cd9bed8fad5a493f2db65db1f663a43ab5581dde5d9b9d2878c55839cd89952d3bf00ffe84eb76fc1007a1a7dc5dc6f43cf2e7dcb137b40694829dc2f7282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe62751b.TMP

Filesize
538B

MD5
54611063b7e5816fd9d0fe4a00475e83

SHA1
c0496a240763784b1a73524606eda546be609af1

SHA256
d6a549d9735f903384e615a808426ad3f185c79cca0799307281f1da2b552d95

SHA512
17fc1baf429e44627b4215356580b3f7aa6c24bf1da749d9683ea67eb764f5a74ebc2dcf458e5ad7d72e4d4f293292d401c7177147a0e57b77eaa5e348fa2a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b6ec8fb0807e09d6dc5bbd908680bb10

SHA1
229685d1f8fe56112833fbc3836b655ef47632c4

SHA256
947acafe9390e1da934aa3e478dc4bbd8082846295f92ae0a66b8ce004a2689b

SHA512
86ee007a07eee56448ba5a1454f481b1293fd1cd660ebfc668ad3268e6bee64bbeb4ad697f9498c4b0cb0ea75c584c008e34c21af4f41cb258b846ad8b2099cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6097a881eb063b0dd9d50b846c0bd5f0

SHA1
5bfcd4c740a02ad3597d1e23812068491ce93dd4

SHA256
a248840610fc9a0c6fd48e66e717aab7706ea2571cefb0cc0d4f4ccd750f4b7b

SHA512
37ec323b2d4fa0e67e7ac1aebb50e50579d9b4b1e97f5f30480f8e6e607a16ef21be1d228fd12bd513e53bbd78d9992e3c3ebdec809a048624dbe9776fd68987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3c9eb0d848a63d8472798a5bb68bdb4e

SHA1
7069a96844225fc4a59eef334065a2cb045a8bd1

SHA256
de8d8734a9fa044eb3a4b8af0222b8092528107f7ace5f64134663416e133295

SHA512
93f23d5abeb7cdd02050b668b17b234e1cb22277a9d6aedabf8b3d0a7614ec32e1fa7fed1e6cc41cdb22e3f4c28d2810bfd4115358040e43bb83856ee5a5b702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
efa54bee5e5536c7c50d6dc8d19d4da2

SHA1
b3ec24496506e4100d759d628f1f5bc6456d880b

SHA256
07f9814d22109f295c2725ba262d0d3a3fb41b2660f6c7ee0b82faaf835a4395

SHA512
0b010ad356198364aac0a87af49a31dd1a4b86b07f4cddb29da5f3fe57544239f2ae3b64a6fcd1f3afb0421a27d94a6a3f26d4a6ad03b692a4ab23f1dd70f1a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1189a72e42e2321edf1ed3a8d5568687

SHA1
a2142fc754d6830de107d9d46f398483156f16a6

SHA256
009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea

SHA512
b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS0432.INI

Filesize
182B

MD5
ff89a2e90905cbaec5a09d86a1c1bc48

SHA1
3b910416ed8bdb1caa293da5357ea1b20f846439

SHA256
bd04df09f8f4629b019c74517804b70eed809e88b81635ef36b0fa373a6bc580

SHA512
af08cb55cb50a7845528c8f1f8b326a2befdafb2ca7072143e47f48a2c141085cb396fc8a2b841f24ae7a55b72fa8cbdd7b2ea1c16254c1b2a014067b83a3027

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP

Filesize
544KB

MD5
d28cb295e2395b3593293470e7784512

SHA1
8a734689b76929beaeb6110c45c41948d4d4c12f

SHA256
a8657371f03e2e66db951c3dcd3aeb42c576894908ca2eb1b3806aa0404cb083

SHA512
c526b986e47a8cb2f9cb6fd0bf1f48d9fbbcbfaa6dcee0bce6670095df586b179eef0fa6fc7ee56995d3f100df5ed359eff6858d646b68268bd9d3c68dd816f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.exe

Filesize
299KB

MD5
515e4684008e955de0c81e6a7aea1c2a

SHA1
ebe026f9c551f372ad82186ff6b9c2ca26dd684c

SHA256
6d631e94acce1f2808a6b1125a6617d1b0ba7e50d93c1d656aa2620bcd0bb965

SHA512
c889a733c61687aa9be0b67cc2e4ecf2a500386054dffa072780a4f46b29373e0dad79c35f375fdeb6572dbc11b24436b88cee3ba431a37965cf0e884ab636b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\e6456db.DLL

Filesize
126KB

MD5
18556ed6ea953c31f1c4953d2f210c78

SHA1
7ec5618bae6bbfb45a02c933de7bce8d0fdeb22c

SHA256
f8fa0c3350ed8675c95a9532a0ee057bd0d1c0e79d90bf5e91f75b3f7f25d969

SHA512
0523df4e8062f8dca1a3096f17eaf359c4cd84a00aaadf734e0431a07ded2fa7fe6549bb5a387d839cffe60a9705c3e4f376679006d3eea4e95dcac21766e79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aotta1tu.k4h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\LAYOUT.BIN

Filesize
628B

MD5
46e11681fecb7d83d548c41ec15d4179

SHA1
e385b49cb9e47d68fe69cdcb3c81033cccfb21eb

SHA256
63ae5dd3d462590f5cce03180fe8aa51fe6d32de4d3402ea0801115497cd6384

SHA512
43328291624434f688a7163291344956a90925f27b2f75c3b059ba5fe3537a8462b78ca23951befac50ea672e74582e4941ceb556e4bda14db3d1ad25b3c5394

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\SETUP.LID

Filesize
49B

MD5
1b79748e93a541cc1590505b6c72828a

SHA1
1ddefee04dc9e9b2576dc34eebcfa3de4aa82af9

SHA256
708d29c649525882937031b3d73cc851b7b1bc30772eb4e0e2a71523908f2eb5

SHA512
e85c1f04d3841cd1e5aa5d7ba37bb3aff557d67b1aceb2d9435f07862593eb4e139162c71d9b017c82aade2e1c535c79d1a18d26dffb95282e10bc64bda04bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\Setup.exe

Filesize
72KB

MD5
71e6dd8a9de4a9baf89fca951768059a

SHA1
aac779471a2f9ae3d3e0e39047ef1744feda77b1

SHA256
5656e87da0641c9dcfcd0ee8949ce72b3fa6a7d0e8b1fd985a16f6bd6c34ce52

SHA512
d15bb31ce595767dd366ea2130121a7a2a311c4e639f8b464ceac880d00735c11d950fc16725a3da9459d22a122dd3c33bc0631be90556b4078df9509b0048de

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\_INST32I.EX_

Filesize
289KB

MD5
6229a86a1d291c311da49a7d69a49a1f

SHA1
586254e13d8ffdd956f1fb4e6ce858b91a390864

SHA256
b2ff4e8402a5160c491b1ac7eba0073fbbe2220dce107441461b250544eff35a

SHA512
d2e21662258593d17b8debbd74f92e2b37ee3f5f3fdb0cbe8a4c9a16a6dbee6911b92c4afff86f4fa2afa311343e43029dec9c0e08a728309f2ccbf1ded7e896

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\_ISDEL.EXE

Filesize
27KB

MD5
51161bf79f25ff278912005078ad93d5

SHA1
13cb580aa1d2823ca0f748b1fc262b7db1689f19

SHA256
b5dc0feb738a91ce3cfa982647fe2779787335c6c2c598d5b49818565d7c3e84

SHA512
c91eac5a01ec7bfb4d3c9df7f90a1c6c6211464ecfede54f7ce2f0c8a79561e4425a56eb41b48bcd89a80bd45228b2ce0c649ed92d24019a15916306d9131d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\_SETUP.DLL

Filesize
34KB

MD5
ecacc9ab09d7e8898799fe5c4ebbbdd2

SHA1
be255fe9b6c9d638a40a5c1e88f2d5f4e37654e6

SHA256
1ad637e80a25f6f885604589056814d16ccad55699be14920e2b99f2d74c1019

SHA512
16412756b147a9e6c1e8ce503f374abde87919a5ae1de576963ed748a2934eff9f95d5b33cacefebe1c6cdfe64d9b595986c60bdbce8aebf0a4bcc83b6f25779

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\_sys1.hdr

Filesize
3KB

MD5
c4f462d47ae18e975c4f55e3e45241cc

SHA1
dbec6b3939f64b545d233320218a1f316e3db9a7

SHA256
549df5061ce61dd8bbb70512b203fee10ceb73976a4e844e7eb93eadbfbf12d2

SHA512
b9e9595ac37666a3ee07cce74ead896f790baa700c585dfa102db3adc1fce5a64cc8613668c5faa4970f9392c010e1761e35d22eaf8bb5f27fff47b58ba24821

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\os.dat

Filesize
450B

MD5
478f65a0b922b6ba0a6ce99e1d15c336

SHA1
577bb092378b8e4522eff40335ff7a50040170b7

SHA256
be2292517342de82d50cefbacb185e36558fcdfbf686692e7df08a80331f9bee

SHA512
747589cae4514cff7d5ea9b51b483c0fe6cb9242b0f31503268a73881acddf25541a7ae56f8826b4f15235dd2ab8c98c94674666e47c36ea913bcfb539143c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\setup.bmp

Filesize
156KB

MD5
d73e358a13981609a85e42cf4c572e65

SHA1
9213e0eabd8b5a558615949b4524517c3e53d0f7

SHA256
d946177f0632b391ee93bc3f29603922fc81f47a04971549875d4e67a682ec23

SHA512
1009fe9a2b53a754077068af2de24bb5664d8b6de6af75cdc6539f47c3cf090438219c985916dc912351af821c0a39e0934d9b122c8e677f188975f36a28ee12

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft33E2~tmp\setup.ini

Filesize
81B

MD5
256cd70b8ed6175f278b787906c15094

SHA1
46dac4a672449dbbce61e37d2f633c2395eae1f5

SHA256
5bb76125a952e896c4e74acaac53d897ace5f3d810e979b0adaf0a590dc99e4c

SHA512
ed337da0b59eb5e64764b02bcf84442143d784e8858bc860ad0d5adf4a8b98a62783eb7ab7cda15017f26099b782a73049b2150e205a52d47c8c2cbd511fc410

Download Submit
C:\Users\Admin\AppData\Roaming\thankyou.txt

Filesize
96B

MD5
56dda8c046c5eb736b67cf2c14ce4c0a

SHA1
15e0bd23b36d009de50aad2960845a4fcc7eb6bc

SHA256
b1bd21a766847c9fc97f742a485db33d204b3af8b836735fdb0e2a3131889b95

SHA512
7615c3b639b879489f66e5251a21a02a9bb3fb4bf270e770857959e881abad26697c954ce06c83f76911fe8e9303fd4cd2e795f0036b6e73da6e2e4b356c66b4

Download Submit
C:\Users\Admin\AppData\Roaming\x64 Loader1.exe

Filesize
62KB

MD5
e23391d72658e5472a976b0e98b18722

SHA1
58a608aa7e854d6e68217b7e8a1b7e03685caf11

SHA256
e744dd225012b9e99b02f3495a3d78810e67ca0fb1b0a327ff522594051d6fea

SHA512
c3fbd633a59674ea46175290cf8a8e676c2854af510c1978be88a747a2b2ac1a8f3a9599bffa50f80edf2d636bf9d01384fbbb99cd971c511acc755f2f820cb7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 711982.crdownload

Filesize
771KB

MD5
2782877418b44509fd306fd9afe43e39

SHA1
b0c18bdf782ca9c4fa41074f05458ce8e0f3961b

SHA256
56d612e014504c96bb92429c31eb93f40938015d422b35765912ac4e6bd3755b

SHA512
8826881b3ab406ee4c1fabd4848161f8524aeaeb7c4397384d36840f947ef95c8560850b2409fbf761ff225cdc8ac6eb875b705476fe9574b23c7a5478505a86

Download Submit
C:\Users\Admin\Downloads\noescapedemo2.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\_delis32.ini

Filesize
268B

MD5
88c6ea9ed6cd04c7cae5d96a623d1973

SHA1
50e875bc6a3ce09b8e2e31a738747bcbb26d78b2

SHA256
290b98b00f660ca6317dc2b64ec399b15373a9b7a0574c45b7b4b5888a0b257d

SHA512
dce8c79b04d4319f9b43cd585877c382b0d5b1778ee1e85614e78a87366526167c658512c245ad1ebf96d465f4cb33f2c959fbc8189ccff53d888cd154e500b8

Download Submit
C:\Windows\_isenv31.ini

Filesize
2KB

MD5
911e17785ae68b1e7a49cd8642753fcf

SHA1
43b24078fd9b0eab75c9cd666ebfaaaea8acc7db

SHA256
f6afc2b1c9e2bcc80893b892472329b76b200de373e40740026780267c5e0b76

SHA512
6aec66751741f95306b68978f48a70d39e44912b18b558ad00055aa25011788ddede96764a17d7a240adfaaa1b82d35801d66de8c0768d5b5608407858a38df5

Download Submit
C:\Windows\_iserr31.ini

Filesize
521B

MD5
b99921c1ce27e631044ad7ad03e27faa

SHA1
13fa80578e7a9f5ece1cfd7913eec6e3e5b12250

SHA256
bd6efc8e0f5b775ae357f3b647d74b7ddbc5fb8fc827e659d77ac2ef9888f16f

SHA512
79ff7699ad240f4b62c5b336fb6ebb684e675b2d74cf541997f1d42716c1e05bcc35d92443c0641a6f0e60a26d3add03f6316390aacb22701b718f652e5472ab

Download Submit
memory/2976-1153-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/4056-1808-0x00007FF6A27F0000-0x00007FF6A28C5000-memory.dmp

Filesize
852KB

Download
memory/4992-0-0x00007FFFF3D63000-0x00007FFFF3D65000-memory.dmp

Filesize
8KB

Download
memory/4992-1-0x0000000000440000-0x000000000045A000-memory.dmp

Filesize
104KB

Download
memory/5036-1148-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5036-27-0x00000190CD020000-0x00000190CD042000-memory.dmp

Filesize
136KB

Download
memory/5036-1175-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5100-65-0x00007FFFF3D60000-0x00007FFFF4822000-memory.dmp

Filesize
10.8MB

Download
memory/5100-66-0x00007FFFF3D60000-0x00007FFFF4822000-memory.dmp

Filesize
10.8MB

Download
memory/5100-67-0x00007FFFF3D60000-0x00007FFFF4822000-memory.dmp

Filesize
10.8MB

Download
memory/5100-18-0x00007FFFF3D60000-0x00007FFFF4822000-memory.dmp

Filesize
10.8MB

Download
memory/5100-15-0x0000000000E00000-0x0000000000E16000-memory.dmp

Filesize
88KB

Download
memory/5100-1807-0x00007FFFF3D60000-0x00007FFFF4822000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads