rms | e6fb0e2e891b20b476020c45c78560263ec22302035bb72b61934ec6cac64f6d

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6fb0e2e891b20b476020c45c78560263ec22302035bb72b61934ec6cac64f6d.exe
Size

9.6MB
MD5

6e9d2ef6a2146bb9ae5a5cf4d89759bb
SHA1

3eff5752741da1c8f786d07021cad8f1237c23e8
SHA256

e6fb0e2e891b20b476020c45c78560263ec22302035bb72b61934ec6cac64f6d
SHA512

713362bc1d2b25f4a8ed695f30bd2d340a43df336cbc598d43fafb3f1505c35585ca8ebaa5dadcfb4a0cbab75abc32a33d1ab17b2aee5d1272c60549d5309e18
SSDEEP

196608:S3o9iCKRyyrUG5LO875QA++LsjNZuxzqCbcsf3KwUyHXpP9wcoAt7RXGR:ahfLxNa0L8Z2Pgsf3KwUy3JKcjtpGR

Score

10^/10

rms defense_evasion discovery execution persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5760	attrib.exe
4848	attrib.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	DiskServer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	OpenDisk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	DiskUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	DiskUpdate1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Build.exe

Executes dropped EXE 16 IoCs

pid	Process
5544	WORMIX~1.EXE
3792	Build.exe
4844	DiskServer.exe
2528	OpenDisk.exe
4436	File.exe
1032	File2.exe
1988	File3.exe
4832	DiskUpdate.exe
4156	DiskUpdate1.exe
220	sysdisk.exe
2460	sysdisk.exe
6084	sysdisk.exe
2204	sysdisk.exe
2436	volumedisk.exe
5776	volumedisk.exe
760	volumedisk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e6fb0e2e891b20b476020c45c78560263ec22302035bb72b61934ec6cac64f6d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
5544	WORMIX~1.EXE
5544	WORMIX~1.EXE
5544	WORMIX~1.EXE
5544	WORMIX~1.EXE
5544	WORMIX~1.EXE
5544	WORMIX~1.EXE

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_586668461\typosquatting_list.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_1024896758\data.txt	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_1983079110\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_162224157\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_162224157\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_1024896758\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_1983079110\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_1983079110\typosquatting_list.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_162224157\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_162224157\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_162224157\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_586668461\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_586668461\safety_tips.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_586668461\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_586668461\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3776_1024896758\manifest.fingerprint	msedge.exe

Launches sc.exe 16 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3624	sc.exe
5752	sc.exe
808	sc.exe
4200	sc.exe
3116	sc.exe
5548	sc.exe
1180	sc.exe
1504	sc.exe
216	sc.exe
1664	sc.exe
1656	sc.exe
2000	sc.exe
2676	sc.exe
5772	sc.exe
1512	sc.exe
1448	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdisk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	volumedisk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	File3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiskUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	File2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdisk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OpenDisk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WORMIX~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdisk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiskServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	volumedisk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdisk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	volumedisk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	File.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiskUpdate1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
4092	taskkill.exe
4632	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133869763151144290"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{4014D993-CC84-4665-89CE-BD7FBCBD1FE6}	msedge.exe

Runs .reg file with regedit 2 IoCs

pid	Process
6060	regedit.exe
5964	regedit.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5544	WORMIX~1.EXE
5544	WORMIX~1.EXE
220	sysdisk.exe
220	sysdisk.exe
220	sysdisk.exe
220	sysdisk.exe
220	sysdisk.exe
220	sysdisk.exe
2460	sysdisk.exe
2460	sysdisk.exe
6084	sysdisk.exe
6084	sysdisk.exe
2204	sysdisk.exe
2204	sysdisk.exe
2204	sysdisk.exe
2204	sysdisk.exe
2204	sysdisk.exe
2204	sysdisk.exe
2436	volumedisk.exe
2436	volumedisk.exe
2584	msedge.exe
2584	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
760	volumedisk.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	220	sysdisk.exe
Token: SeDebugPrivilege	6084	sysdisk.exe
Token: SeTakeOwnershipPrivilege	2204	sysdisk.exe
Token: SeTcbPrivilege	2204	sysdisk.exe
Token: SeTcbPrivilege	2204	sysdisk.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3776	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
5544	WORMIX~1.EXE
2528	OpenDisk.exe
4436	File.exe
1988	File3.exe
1032	File2.exe
4832	DiskUpdate.exe
4156	DiskUpdate1.exe
2848	cmd.exe
220	sysdisk.exe
220	sysdisk.exe
2460	sysdisk.exe
2460	sysdisk.exe
6084	sysdisk.exe
6084	sysdisk.exe
2204	sysdisk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5172 wrote to memory of 5544	5172	e6fb0e2e891b20b476020c45c78560263ec22302035bb72b61934ec6cac64f6d.exe	88
PID 5172 wrote to memory of 5544	5172	e6fb0e2e891b20b476020c45c78560263ec22302035bb72b61934ec6cac64f6d.exe	88
PID 5172 wrote to memory of 5544	5172	e6fb0e2e891b20b476020c45c78560263ec22302035bb72b61934ec6cac64f6d.exe	88
PID 5544 wrote to memory of 2888	5544	WORMIX~1.EXE	90
PID 5544 wrote to memory of 2888	5544	WORMIX~1.EXE	90
PID 5544 wrote to memory of 3776	5544	WORMIX~1.EXE	91
PID 5544 wrote to memory of 3776	5544	WORMIX~1.EXE	91
PID 3776 wrote to memory of 5292	3776	msedge.exe	92
PID 3776 wrote to memory of 5292	3776	msedge.exe	92
PID 5544 wrote to memory of 2716	5544	WORMIX~1.EXE	93
PID 5544 wrote to memory of 2716	5544	WORMIX~1.EXE	93
PID 3776 wrote to memory of 4232	3776	msedge.exe	94
PID 3776 wrote to memory of 4232	3776	msedge.exe	94
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95
PID 3776 wrote to memory of 5232	3776	msedge.exe	95

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5760	attrib.exe
4848	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e6fb0e2e891b20b476020c45c78560263ec22302035bb72b61934ec6cac64f6d.exe
"C:\Users\Admin\AppData\Local\Temp\e6fb0e2e891b20b476020c45c78560263ec22302035bb72b61934ec6cac64f6d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5172
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WORMIX~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WORMIX~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pihack.ru/
    3⤵
    PID:2888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCXHydDzT9VCuMZscErPlw6w
    3⤵
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2f0,0x7ffbc86df208,0x7ffbc86df214,0x7ffbc86df220
      4⤵
      PID:5292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1636,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:3
      4⤵
      PID:4232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2228,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:2
      4⤵
      PID:5232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2024,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=2712 /prefetch:8
      4⤵
      PID:4816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3500,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
      4⤵
      PID:4832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3508,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
      4⤵
      PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4344,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:1
      4⤵
      PID:6036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4640,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=4652 /prefetch:1
      4⤵
      PID:1548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5276,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:1
      4⤵
      PID:2804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5456,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:1
      4⤵
      PID:5904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5624,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:1
      4⤵
      PID:4296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5812,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=5232 /prefetch:8
      4⤵
      PID:5064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4184,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=4472 /prefetch:8
      4⤵
      PID:1020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5856,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:8
      4⤵
      PID:316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6128,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8
      4⤵
      PID:788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6128,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8
      4⤵
      PID:3852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6400,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:8
      4⤵
      PID:6072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6604,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
      4⤵
      PID:4644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6612,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:8
      4⤵
      PID:4868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3756,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
      4⤵
      PID:2868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3432,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=6224 /prefetch:8
      4⤵
      PID:1588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4480,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=6708 /prefetch:8
      4⤵
      PID:640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3724,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=5816 /prefetch:8
      4⤵
      PID:4120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6168,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=6700 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5460,i,5920697267797334136,9604290713230871097,262144 --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:8
      4⤵
      PID:2932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/user/MrMehasha
    3⤵
    PID:2716
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Build.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Build.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3792
- - C:\ProgramData\WindowsVolume\DiskServer.exe
    "C:\ProgramData\WindowsVolume\DiskServer.exe" -p834784734789789347892898943789787892
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4844
  - - C:\ProgramData\WindowsVolume\OpenDisk.exe
      "C:\ProgramData\WindowsVolume\OpenDisk.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2528
    - - C:\ProgramData\WindowsVolume\File.exe
        
        "C:\ProgramData\WindowsVolume\File.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4436
    - - C:\ProgramData\WindowsVolume\File2.exe
        
        "C:\ProgramData\WindowsVolume\File2.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1032
    - - C:\ProgramData\WindowsVolume\File3.exe
        
        "C:\ProgramData\WindowsVolume\File3.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1988
    - - C:\ProgramData\WindowsVolume\DiskUpdate.exe
        
        "C:\ProgramData\WindowsVolume\DiskUpdate.exe" -p78347834893489894237834783478785788989543536
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4832
      - C:\ProgramData\WindowsVolume\DiskUpdate1.exe
        
        "C:\ProgramData\WindowsVolume\DiskUpdate1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\WindowsVolume\DiskInstall.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\WindowsVolume"
        8⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5760
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop RManService
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop VolumeDisk0
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop VDeviceCard
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop NPackStereo
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop ServiceWork
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop IntelDriver
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop AMIHardware
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete RManService
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete VolumeDisk0
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete VDeviceCard
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete NPackStereo
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete ServiceWork
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete IntelDriver
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete AMIHardware
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rfusclient.exe /f
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rutserv.exe /f
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\SystemVolume0\SysHardDisk" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"
        8⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:6060
        
        C:\ProgramData\WindowsVolume\sysdisk.exe
        
        "C:\ProgramData\WindowsVolume\sysdisk.exe" /silentinstall
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:220
        
        C:\ProgramData\WindowsVolume\sysdisk.exe
        
        "C:\ProgramData\WindowsVolume\sysdisk.exe" /firewall
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"
        8⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:5964
        
        C:\Windows\SysWOW64\sc.exe
        
        sc failure VolumeDisk0 reset= 0 actions= restart/500/restart/500/restart/500
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config VolumeDisk0 obj= LocalSystem type= interact type= own
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\ProgramData\WindowsVolume\sysdisk.exe
        
        "C:\ProgramData\WindowsVolume\sysdisk.exe" /start
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:6084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\WindowsVolume\*.*"
        8⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2020

C:\ProgramData\WindowsVolume\sysdisk.exe
C:\ProgramData\WindowsVolume\sysdisk.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2204
- C:\ProgramData\WindowsVolume\volumedisk.exe
  C:\ProgramData\WindowsVolume\volumedisk.exe /tray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5776
- C:\ProgramData\WindowsVolume\volumedisk.exe
  C:\ProgramData\WindowsVolume\volumedisk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2436
- - C:\ProgramData\WindowsVolume\volumedisk.exe
    C:\ProgramData\WindowsVolume\volumedisk.exe /tray
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: SetClipboardViewer
    PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping3776_1024896758\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3776_162224157\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3776_162224157\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3776_1983079110\manifest.json

Filesize
118B

MD5
395a738237cb5606743da99d5459bd59

SHA1
53a2e376dbba8020189b4d629d1ce452c43abc42

SHA256
6a15b2c0969575a4ae419e8b0eedc7c5515c8ae3dd73771e431e484689684aac

SHA512
0ac1112218d23328eb3cccf777c9bf7b0c31b71387fc620d0f91fec73994661021524ae66d8b81f26d1d7f4df8ac60c12f7852c72c65030d0c106a0ba773a8bb

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3776_586668461\manifest.json

Filesize
72B

MD5
a30b19bb414d78fff00fc7855d6ed5fd

SHA1
2a6408f2829e964c578751bf29ec4f702412c11e

SHA256
9811cd3e1fbf80feb6a52ad2141fc1096165a100c2d5846dd48f9ed612c6fc9f

SHA512
66b6db60e9e6f3059d1a47db14f05d35587aa2019bc06e6cf352dfbb237d9dfe6dce7cb21c9127320a7fdca5b9d3eb21e799abe6a926ae51b5f62cf646c30490

Download Submit
C:\ProgramData\WindowsVolume\DiskInstall.bat

Filesize
1KB

MD5
a46bdedc1e6587433dc98119f338d175

SHA1
01334536e159f71bc5bc1e7b7a0e75490c169c36

SHA256
604b240dd5e0ae92578c785bf46888b93307588f00af62cf6296b2f1c86eeb50

SHA512
e8010ea23bb01e707342fab42fb3b73fc6f82d0abfdd0354f01ed68e7e05aafaed3991f7deb9bc368de3c36deec7dbc7e4fa4e1178134d9e941f0c77cb52a394

Download Submit
C:\ProgramData\WindowsVolume\DiskInstall2.bat

Filesize
283B

MD5
52d57e611e45ceae3107a9606c798df8

SHA1
a559ee95833113e022c4e5116508641847e31dd3

SHA256
1511fc19a2f4a670f7ced8ff7980bb0f8eb5ef840c0c116fc96ec3b241a588e7

SHA512
1c86c712988c97fab61461dfd6cc67912d11e1816af8e96f7a2432a591097e1182b179be0555c80cfbedb9441beeac526398b54fac4f49af1fed7dde75030306

Download Submit
C:\ProgramData\WindowsVolume\DiskServer.exe

Filesize
4.6MB

MD5
3d93858f86cf6760fae7b7c708049637

SHA1
b998ed10c7367b055bb745799fa373dafbea3d8e

SHA256
1c1869c735c799eeaaacd2d4e2cd342c33071c5e327f8020ab2101750b8ec86f

SHA512
696faeb9b76d2ad4e743b5528ce0592ac5f8c34365225c81e281eff98bab3bfd35573dc75912969dd3843ad87b3ac39c766108cb2764f8181ac5003a03a917ae

Download Submit
C:\ProgramData\WindowsVolume\DiskUpdate.exe

Filesize
4.3MB

MD5
74a2b8793fbffe747ec6beefa02635ba

SHA1
09361da432a79efc14a7376140c21b3105cf8a6d

SHA256
58e7fe8f1a9e8588a88023ca39855a30a9451ce90ab107ec8c6f68dd8153fb62

SHA512
b922243ee39e41716fe5cdce0c89c4ef246d9e2961eed9927a64c21d68a731a8dbbc7de1213eff5a394531379248fb117b496929c1629abb41bbaeb9dc836431

Download Submit
C:\ProgramData\WindowsVolume\DiskUpdate1.exe

Filesize
384KB

MD5
01fce99ef71f219c297b99252ea31abb

SHA1
8f45a949b777f04aa47fc4db77eebdb24a2bcfb6

SHA256
9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64

SHA512
57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71

Download Submit
C:\ProgramData\WindowsVolume\Diskpart.dat

Filesize
365B

MD5
1a18270fb3fd76df0d01087e99dddcc6

SHA1
26732b781736ed80654e3a41839b50e3d2e36db5

SHA256
fb9b9ae62c41448d117cbc468b2bf4eebb0665605cb864f28822f2b71f78dbda

SHA512
63d260f4972c6a403af97c3c6e371f516a5d3fbc1090bfe2b41b4dd88ff900b98217fb2225b53948fc480c33d1b9753bbf1e4a4df1613069f0f211a556a95f19

Download Submit
C:\ProgramData\WindowsVolume\File2.exe

Filesize
564KB

MD5
09db93f15dc76aebd31d6e7a081e3649

SHA1
ad354b445fbcffaa8fee0024d6b7a6b0aff3540a

SHA256
d3656c2455709d6ac688d423b05e98a1269e8274d49787db78bec7c5bdc27b12

SHA512
54a6c0eedbddf84c3f776fb833a4757d4c01058bb593b22f8cac166e52a049ad84fcba9e423e1d418c4b780e10bec9338476f804dc8ad4233c4b5857b05bde8b

Download Submit
C:\ProgramData\WindowsVolume\File3.exe

Filesize
2.1MB

MD5
195b78d84c914c7691cd22f9f2f66e86

SHA1
7d93b4ef14e1a06f27d00fd03eed82531103d872

SHA256
244626a00b53706a89645f5b94049d6ea73bc2566e34b579d8e22955f02bf459

SHA512
dfb28aa74803e2bffee00224f395b51e6ed030f5a2c24feb109a4d10e9f6f99c94d43a9c6aeeb70774f9f07fcaa516a248c86572fb984f6c8dcbe6dbcafc255c

Download Submit
C:\ProgramData\WindowsVolume\OpenDisk.exe

Filesize
375KB

MD5
33fe1f9da3970f862da541a2547e8a57

SHA1
17f09e35174d44cdb8c38833f497d4f51368ac01

SHA256
7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06

SHA512
0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a

Download Submit
C:\ProgramData\WindowsVolume\config_set.reg

Filesize
12KB

MD5
560e095ba5d4fe2f486da25f428c4ecd

SHA1
daee776fa0b6691013520545f02a942c346e8e63

SHA256
bcbdccc5ae83261e46493ecd383c5942cf0d013161e5d5ebcde18818db46b0fe

SHA512
a3c508daadab65f1430697b6b24e6f2368553b0b5e7c73833508adeb05621b645887bc373c4d3a7bd29ebe61aa188d078c994c1a50b8870ee3847b70ba6da30a

Download Submit
C:\ProgramData\WindowsVolume\russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\ProgramData\WindowsVolume\sysdisk.exe

Filesize
6.0MB

MD5
d0d98989f5fe001826d2b09a5303d844

SHA1
7311c310fc25c6e74d88aeebe64556c6f24a1996

SHA256
b102ea797e42bc804d7d9387107c8de633f5e45b5af654ae42ec0fc553fd9110

SHA512
8ead40caa2bf07bfc14eb0a617ea259be3e5cd9d8d3796ca3c0a452d7d17f7a8750d176115c685ba6364057771c44b3715d2fe9a30bab5e72c99c6fe980cccec

Download Submit
C:\ProgramData\WindowsVolume\volumedisk.exe

Filesize
5.1MB

MD5
8969782b82398387c46fb9887bf9850d

SHA1
9f927e2acfb6282f24f7221ce5451055f930b47f

SHA256
32d376d67fde458455e83272e7cef91ad39917a3f568b045f8975ca0ade33051

SHA512
1790c2d4874584bb24f865dfd57f9f090142e4007b4ad659d1320b918879cc4dc9e05e68cf8ba8cb17a2b87aa232f70bcfd2597404a5c4a5c80497e4d4100c21

Download Submit
C:\ProgramData\WindowsVolume\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\ProgramData\WindowsVolume\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
01cc3a42395638ce669dd0d7aba1f929

SHA1
89aa0871fa8e25b55823dd0db9a028ef46dfbdd8

SHA256
d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee

SHA512
d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
7a29c9592b301c8a1e945c1935b260e7

SHA1
00928262c5a16dc1b45e3317356bef8c388f34cc

SHA256
9e4e819d0a3c90bffa7a883aceb6638f89c17cb17964412b98406f1be1b7ada6

SHA512
eaa59cef8f4e96a58be69102c0216d774092356d4088f7e790fe508c0b82b3fb2ba30c97850e1f6b8248cb38aa1bcab5f241a17db90757c400bb844cea724916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57dc75.TMP

Filesize
3KB

MD5
f9af10c6a8b5da0e7e3b3753bf52f8af

SHA1
f9f9dd3419cdc05a23733bb95b132f3d2bd59a61

SHA256
089a3963b34187cc45bc9f18dd579e887bea37452eb00b8d6c88440d483ccccd

SHA512
146c19a12f818683dec117ff0d371bc98ab0cd348b0604bc7675559bc65b2e07dd7c835d54a0b87c9bc53073e4b066276139954d256278ce20d1d02b97ae6eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2b6a379e61d7820bee761b7bab76b3e4

SHA1
d85c2212ddbc4a51488c58ab8dbfece0fbbfc7be

SHA256
9fbbc471c50e7f49f47ad72a10fd45e4edf27a2f424a24fc8412202f512a3a74

SHA512
ce77210c9f09ac335aafa39624a437ddfbcd15c1601741f81bd95c5f7f96543e8d124fe0785b2cbb1265f9fd000753bf809012ae8b82fd65bacc42495e57e3db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
88b20b6546546accac9ccafd981ed072

SHA1
c6c0bcc66328cb0ff03f9083ef0130f6a89edbdc

SHA256
b6ba6a96d37cc731060db8a3712d6f9718c629b0fa11121446bc4ec595bf80b7

SHA512
6e7bf1d5eb2c7607516f0c748863ee7e37a9dc8345c17f80e44a61445d68558fcb8f31e7c194935110fc2e11f0eff4f02fd4194ce71c1147a0efcc383ba97b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
298ace974cd4d75aab492255673758a7

SHA1
05c21f2fd29a20a8cc653bb05dff0369f9042013

SHA256
5369ea809f476cbce36b3ca9f73d7d30ab72538e68e5f5dcb0de23e334e5b0c7

SHA512
f1333c5f503b47c8fc43e0998b1a6ee9ab381603c56a73bb9b74c092e983b563b84e194c90608fa076092b8481f35ea832134baf54bf36f939bd4e4bf1034fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
5de039f688d1f481f30005cbc86c98e9

SHA1
42f982191236dce205827de8f2fd9eea2e8aabb8

SHA256
56e738aa64416a13a1e2289fd1c4eb15562728b2adcee089c5f26ed5b767862a

SHA512
e23650c35eaac29bea718ad9b3be9785ec2b53efe37eb4eb707ed500f38c406b4c386343bc377ee82221e9383e604b0f3029a1cca4506007714bd0258f238c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
d83d7072a9db76ce691274217240f83d

SHA1
2ff59cdd7beb72cec7bb1fa1ea4e0579463d074a

SHA256
0902315ada2a1e81dcedfc75c7a848c36d80c286622db6186676e9a69c2d0f3f

SHA512
765e2f70a6ee90629410e8725ed5f3f55ca9b8e7f4b30c860f21772501482ee695cf9b6b177cc203d88cf92b71bda62d13acd553c00ad56d8f14465fc1d6ebe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
baf3bc399585efe24b376d283aa7bf0f

SHA1
2d8d0250128a3d8814d8a95347510ea92a0973c8

SHA256
10c8cee120ed8a6ae76a9b8553f659029493b03777fb43227c2a8d743fe0ac6a

SHA512
7e539d7a4c410d212ca55b8974283a0de949be7a21a9fd4eb8f6db5c2912464357e6fccdb2e19e8713183d1e70b2a2515d5aae2b9fdde5b21a3c00e768de7558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
16d7bd50d18668c55ed0079b11345c30

SHA1
bcd0d39081e1d57e7313d75415cd883547f4fb04

SHA256
93c5aa4932d96333d287834ef4333ee259c46b026bdeea977119bcffa7f4412c

SHA512
60db188aa728feccd7abf19928f72f7e12874bb3f2e1c2ca400675025a3b4730af11ab4ec4677dcd8774942bb40425ecbbf4938dd2571451d01fbfff662d8b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
a6c67574d2b656466a73630942eb6945

SHA1
f1f62b024fbf0ea70acb42cbb8ee0ce0e15ac8c5

SHA256
a54e98ef44ba96a178b2868a7c4744626e23f4af23354a368a7a8f8bf3f7ce4a

SHA512
2ffb1fb542303b874556f9c4638c03a864415f2b1a1255d4428edca474ae5821c4a44eb2376de52db25483191097e458efaf8de5dfbc7afac6baf0583310e547

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
b500d9d044f9b2f3994a007083e65296

SHA1
31648bd7184cefb345469bc0cf78459116c47d46

SHA256
a8727fed05a4edf2aed160c50052f04d07b5ced98082b27d9ef59d7b9783d06e

SHA512
420aec1a36982f047aad35c715759d0d5fffdf4d944539aaa2cddf88c17bb113b42abe3fe0a9de7be32da7a82dd635190df846a35db1f76bd2fa56b20549c3d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
6da6e041e5b1e650ff8d20608528c395

SHA1
116ac13193a776a8bf14c2a6fd806dee1afebef7

SHA256
acbc1dcbad922724df0e0dd5270c4ff29bef2ac210ccff19bf2c80255261b69a

SHA512
003be876f1a9c09a9dda0c098144f672ddfd293a4f774c910e28acbb05f0b54a34a0e4e62bcd59ec53587ca5f83f447790af5fefa3f50de6627e7d33b6c3d9f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
4282ff23bbf48d327949cef51bd3cd53

SHA1
0e608a94f671a24442e410a7c877896a1d496073

SHA256
7e228c9f5b092b05b784cf27901e9e42d5e42d24e66b33c7f78114fdc5258fc5

SHA512
35051505adc95bb29d91a9f29358a06f7bec0fe162119463ea674440b908fa18ffbd8362e268f0c1823d66db23504d925ec5a8ed466ac54ee709aa3e8354c7b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
38a46f0bb3a294ff5a25647f00e1f9b6

SHA1
30329119b62bed866f52e53b896e200161641db6

SHA256
6852b20d7782dcf4b450d682b330234d2fa65186ee62e2fad59ccb4d4aa031a2

SHA512
4cbf983e43a16f084fbfd230940ca9d4f1282b37c499976c75d196dcacbe5961d3f0857ad63a33562eed667534ec6feff9a1e51edac2cf9d70290cf5d386a808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
6f2236dabe002bbe56163a3b48d6ec28

SHA1
bbc7e534e90c5002fc300e5c719702b520f30164

SHA256
aeced7b3291c57acf2dac8628805026807dc8894eb79ea4609bc36b25f82d771

SHA512
d6d811afa4a131749ae5de8523b0428c5d7cbb15b62e87ef08a7416c836c050abc67a82255cd080662352c0dd53c5f6c6413daadc29a0647d1950782f40c626a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SafetyTips\3057\safety_tips.pb

Filesize
163KB

MD5
bd6846ffa7f4cf897b5323e4a5dcd551

SHA1
a6596cdc8de199492791faa39ce6096cf39295cd

SHA256
854b7eb22303ec3c920966732bc29f58140a82e1101dffe2702252af0f185666

SHA512
aa19b278f7211ffaf16b14b59d509ce6b80708e2bb5af87d98848747de4cba13b6626135dd3ec7aabd51b4c2cfb46ed96800a520d2dae8af8105054b6cd40e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SafetyTips\3057\typosquatting_list.pb

Filesize
3KB

MD5
17c10dbe88d84b9309e6d151923ce116

SHA1
9ad2553c061ddcc07e6f66ce4f9e30290c056bdf

SHA256
3ad368c74c9bb5da4d4750866f16d361b0675a6b6dc4e06e2edd72488663450e

SHA512
ad8ed3797941c9cad21ae2af03b77ce06a23931d9c059fe880935e2b07c08f85fc628e39873fb352c07714b4e44328799b264f4adb3513975add4e6b67e4a63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.20.1\typosquatting_list.pb

Filesize
638KB

MD5
da8609745ded15c07f9b3b42a794f1bf

SHA1
6f51794da7f06ce1e79ea3e42a22f67d068525bc

SHA256
7dd01720dc53471b5cfb185a9b1e39be94a095c53e5dc8a295818e425ca265c6

SHA512
a04bd2845bd6df19cd59eb6d62be863ceffca5841f8c878c289364418a89e4b0f1efa4224f3fb0d10a010ce73a23a60e81e6d7437ec27da3541f085e22ac938b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
62669811fa4d7c0c18bbe07c1ed2ae6f

SHA1
73362e47d9bb203b94f9c3837c2335aa3cb58270

SHA256
dbe70899403a91cb6542cf5d046e81f3ef0ec940fb5c1d3aab9ad9b911e5267e

SHA512
4243fbcec87e7efa8cfb6fff7e242b15757eb3a0487b7b21e1597b8fef56699047be87a5e20cd04daa4fdb45dd29ed7ca17e9b2fd9e1a6d07c4d75bcaff77438

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Build.exe

Filesize
6.8MB

MD5
bf1f50e79e91f2014b2a4ead463cd704

SHA1
ca1e8962dd2d99bd7e19e65d7d697719dfcdf350

SHA256
ab7c6026d4265002ae623b0e2ebe40279e6609c70943fe3eab867c2a2c61fd2f

SHA512
0776cfeb8e5909703acc4a48439d2d90b9433341c336a8df10bf3d32af31ab66bff55c1fa4cdf0d7821c1942fdc18bf7709d03555efc63029567a75991bed918

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WORMIX~1.EXE

Filesize
2.9MB

MD5
36cb128085970809b44d1691dd79ce6b

SHA1
713bf4d7c2051c71bb5cb244ca05e85c9af6973a

SHA256
273a0b1560194f7eb3a765604f2758dd691ac09caa63cad021ce5ad58cc70413

SHA512
208ac202bfdce1dc54a78535472b4a76729884b20750a01d2cbf44ffafe0f035901a26dee80a5cc197adf9eba9f5a631aa0881782a6e06c79794d9ea89e2b18f

Download Submit
memory/220-336-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/760-354-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1032-279-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1988-281-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2204-364-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2204-412-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2204-407-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2204-454-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2204-581-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2204-504-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2436-366-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2460-338-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2528-278-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3792-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4156-307-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4436-280-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/5544-8-0x0000000000B53000-0x0000000000C6B000-memory.dmp

Filesize
1.1MB

Download
memory/5544-10-0x0000000000400000-0x0000000000C6B000-memory.dmp

Filesize
8.4MB

Download
memory/5544-7-0x0000000000400000-0x0000000000C6B000-memory.dmp

Filesize
8.4MB

Download
memory/5544-217-0x0000000000400000-0x0000000000C6B000-memory.dmp

Filesize
8.4MB

Download
memory/5544-6-0x0000000000400000-0x0000000000C6B000-memory.dmp

Filesize
8.4MB

Download
memory/5776-514-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5776-455-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5776-408-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5776-380-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5776-365-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/6084-347-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download