crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
195s
max time network
191s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
27/03/2025, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

crimsonrat modiloader defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b3cc-2014.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe

Modiloader family
modiloader

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002b31a-2087.dat	modiloader_stage1

Downloads MZ/PE file 4 IoCs

flow	pid	Process
91	1444	msedge.exe
91	1444	msedge.exe
91	1444	msedge.exe
91	1444	msedge.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5604	attrib.exe
5620	attrib.exe

Executes dropped EXE 7 IoCs

pid	Process
5216	CrimsonRAT.exe
2764	dlrarhsiva.exe
1424	NetWire.exe
412	NetWire.exe
6972	Remcos.exe
6156	Userdata.exe
5780	Blackkomet.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Userdata.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Remcos.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
91	raw.githubusercontent.com
219	drive.google.com
45	drive.google.com
89	raw.githubusercontent.com
90	raw.githubusercontent.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe:Zone.Identifier:$DATA	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata	Remcos.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 6156 set thread context of 6204	6156	Userdata.exe	154

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_1984217215\keys.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_189463441\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_890304218\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_439278916\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_439278916\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_854024333\nav_config.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_189463441\office_endpoints_list.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_890304218\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_1984217215\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_1984217215\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_1259966991\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_854024333\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_189463441\smart_switch_list.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_189463441\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_890304218\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_1984217215\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_1984217215\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_1259966991\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_1259966991\protocols.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_854024333\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_890304218\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_890304218\manifest.json	msedge.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Remcos.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Userdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blackkomet.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7152	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875098328595586"	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1136229799-3442283115-138161576-1000\{4F590E8B-66C7-4740-B27D-0E37903997BD}	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
7052	reg.exe
6284	reg.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BabylonToolbar.txt:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Remcos.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3476	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
7152	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1240	msedge.exe
1240	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5780	Blackkomet.exe
Token: SeSecurityPrivilege	5780	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	5780	Blackkomet.exe
Token: SeLoadDriverPrivilege	5780	Blackkomet.exe
Token: SeSystemProfilePrivilege	5780	Blackkomet.exe
Token: SeSystemtimePrivilege	5780	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	5780	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	5780	Blackkomet.exe
Token: SeCreatePagefilePrivilege	5780	Blackkomet.exe
Token: SeBackupPrivilege	5780	Blackkomet.exe
Token: SeRestorePrivilege	5780	Blackkomet.exe
Token: SeShutdownPrivilege	5780	Blackkomet.exe
Token: SeDebugPrivilege	5780	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	5780	Blackkomet.exe
Token: SeChangeNotifyPrivilege	5780	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	5780	Blackkomet.exe
Token: SeUndockPrivilege	5780	Blackkomet.exe
Token: SeManageVolumePrivilege	5780	Blackkomet.exe
Token: SeImpersonatePrivilege	5780	Blackkomet.exe
Token: SeCreateGlobalPrivilege	5780	Blackkomet.exe
Token: 33	5780	Blackkomet.exe
Token: 34	5780	Blackkomet.exe
Token: 35	5780	Blackkomet.exe
Token: 36	5780	Blackkomet.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 532	4240	msedge.exe	80
PID 4240 wrote to memory of 532	4240	msedge.exe	80
PID 4240 wrote to memory of 1444	4240	msedge.exe	81
PID 4240 wrote to memory of 1444	4240	msedge.exe	81
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 3060	4240	msedge.exe	82
PID 4240 wrote to memory of 2936	4240	msedge.exe	84
PID 4240 wrote to memory of 2936	4240	msedge.exe	84
PID 4240 wrote to memory of 2936	4240	msedge.exe	84
PID 4240 wrote to memory of 2936	4240	msedge.exe	84
PID 4240 wrote to memory of 2936	4240	msedge.exe	84
PID 4240 wrote to memory of 2936	4240	msedge.exe	84
PID 4240 wrote to memory of 2936	4240	msedge.exe	84
PID 4240 wrote to memory of 2936	4240	msedge.exe	84
PID 4240 wrote to memory of 2936	4240	msedge.exe	84

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5604	attrib.exe
5620	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x220,0x244,0x248,0x218,0x264,0x7ffad0ccf208,0x7ffad0ccf214,0x7ffad0ccf220
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1740,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2152,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2392,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=2996 /prefetch:13
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3420,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3428,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4028,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4064,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=3404 /prefetch:9
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4184,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4232,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:9
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4112,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:14
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5344,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:14
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5168,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:14
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5192,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:14
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5884,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:14
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5884,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:14
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5748,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:14
  2⤵
  PID:1968
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1144
    3⤵
    PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6260,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6156 /prefetch:14
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6120,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6128 /prefetch:14
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6620,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6608 /prefetch:14
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6148,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:14
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6712,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6724 /prefetch:14
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6876,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:14
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7048,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6884 /prefetch:14
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6884,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6340 /prefetch:14
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4296,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=4340 /prefetch:14
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4308,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:14
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4648,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:14
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5360,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:14
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=5244,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4260,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=5220 /prefetch:14
  2⤵
  - NTFS ADS
  PID:2364
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\BabylonToolbar.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=4600,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=4220 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=6776,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6460,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:14
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6692,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:14
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5944,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=5916 /prefetch:14
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2068,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=5508 /prefetch:14
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5524,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=7532 /prefetch:14
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4120,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6152 /prefetch:14
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4132,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6820 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=3648,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7032,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1924
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:5216
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4656,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:14
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=7608,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=7204 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7080,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=7060 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6864,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:14
  2⤵
  PID:5552
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1424
- - C:\Users\Admin\Downloads\NetWire.exe
    "C:\Users\Admin\Downloads\NetWire.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6408,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:14
  2⤵
  PID:6512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=5604,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=7532 /prefetch:1
  2⤵
  PID:6680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2716,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:6700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5568,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:14
  2⤵
  PID:6752
- C:\Users\Admin\Downloads\Remcos.exe
  "C:\Users\Admin\Downloads\Remcos.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:6972
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6996
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:7052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7104
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:7152
  - - C:\Windows\SysWOW64\Userdata\Userdata.exe
      "C:\Windows\SysWOW64\Userdata\Userdata.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:6156
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6192
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6284
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4172,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:14
  2⤵
  PID:6304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=3960,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7640,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=7612 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7644,i,13609729444601098390,10140522483244803596,262144 --variations-seed-version --mojo-platform-channel-handle=7524 /prefetch:14
  2⤵
  PID:4680
- C:\Users\Admin\Downloads\Blackkomet.exe
  "C:\Users\Admin\Downloads\Blackkomet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:5780
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5604
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Downloads" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004B8
1⤵
PID:6344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json

Filesize
3KB

MD5
6bbb18bb210b0af189f5d76a65f7ad80

SHA1
87b804075e78af64293611a637504273fadfe718

SHA256
01594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c

SHA512
4788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
046b1cdbd636e82e7711ea1fde31d7e3

SHA1
f5fa4183cb259a99b4148ee957a5f76e80a77ada

SHA256
40328502d95af4c1db45d98abe8c4e9214d80a8df7f0b8f19f81edd5e121f90a

SHA512
460ba5792f0df64289ff4057d04615973a7844b2fd2c14df554600c141d720fcf13d9e9c8449ac57e50fa074a81887437918970881b4d48f7a7ee3521bac8eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
cbc9fc2d9ad2df85283109b48c8e6db0

SHA1
721ea0dfafd882d6354f8b0a35560425a60a8819

SHA256
7c21b286b304b2b42ab3502158aef04892b60c63007b8ed7172dad86a4bcebbe

SHA512
09594b5f33704cf367960376e5abc8cbfa7baead59c3f199ffd365a9a9c2159b45f6596d597ebdd033db5436c000faac3c5b2fb39e97fc17b102d03831265609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000085

Filesize
100KB

MD5
80b5b90c4f3c45f46d57b5e1bce1e629

SHA1
367e3928b8c501a0827fd1b56083824932e9dfce

SHA256
f8f5766093e3c09b37b085fe81a7d8307c69b34710794143efe460ae62bafb2b

SHA512
395fe714443f48f04896aaabb79d852a79e6ae948fbdf1678505be724c0efd172043b36feb8716d9882585a47d23746f2dfb1cfbb18149ab9e71310ba0b055e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000086

Filesize
58KB

MD5
60bc14a814d66cf3a9921c21be306c18

SHA1
76ac35ced7e862d93446ddcb8fc0e873bc3e2d23

SHA256
0d893305ea3ff6c666ab99e86b7469f6d371de214f74efaa9190783e12a6b8c5

SHA512
3eeb791e36ed184930af6518a2998c49996c4cc76ecb7192d1786ffb48db1f5babb9ad6e3b7930be2ac335c7d2bceba23b608d019c0b4b63f57ff54c37e685d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000087

Filesize
355KB

MD5
be012a2d92f00e57693bbaf5365a56da

SHA1
a4a423fbe35b6d5af402ed443974d69708a77577

SHA256
38b0217024ef06e52e4fc097791de28fcb9b6e37833d10178e95fcd8b0aeef8d

SHA512
a1ae998d97100ce2301e06e99fd715cf463d00855fdd900fa3f2c7a5390e2fa9105a4e62e5cbb0a6f1812de5fb88c343c4f8caed039c8fc0e2c36feb5c2ac0a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
190c221230f308328651f263f1b71c1c

SHA1
97ffa2c007bc590867e27b8286d73e8dc2eef634

SHA256
e179aa21f7580fb7008937e9d2877e549c635b688de567b42ea58b8a5f102737

SHA512
608971f673d17d401bf2b66185faa083d1c873ba31a7a48c4d444227c131af064ccee973594a1291ca40527d1274d35507ab7a704bacc16e144b9e98999ac83e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
098ccad882fd1d211c1a8a824c67f0d7

SHA1
9c3f44136ea6e3bd3ed22a0458d54388d8c9a1bd

SHA256
d781d8c29d832006994ca793ee7620d7c4930f621870dee2b013aa346b481f93

SHA512
bb1ebbccdd9c6d243c9e1402d1d8d47b8547e9044999905cfcaf3e20299d6c9ce3757ca59715de73d38f511b59200a48b766a0f45d7000583dd1919df0c9141a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe584c17.TMP

Filesize
3KB

MD5
6b47c7098ba079bf24af33f433369bb6

SHA1
70f92775a7b8dca3806f9ef5af45a5724d8a5e6f

SHA256
e273ea05c83bb56474dd2b4bb3f5c03540929d16cd7f8df6157c1f590215e328

SHA512
5f3295c49afc83380b4e8353e120f15909efc1abf7645b3ba6ce17a2a08e23271c5ecb1bbcf8d57e5d402b2a08fb95b8b24e258895d47089275fcc553d50cdb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
f88145a7363dd961b33c83f35ed5e73b

SHA1
ff322b357878c219fb6b61c3e27d590f094ba0dd

SHA256
4d4fc9df7be5a856cdd68aeba7637dca17d8372e46598f5a74f70eb4e645880c

SHA512
85ca413b24f1a61590c0b4afa98530814bddce9fa8fc028ec00bbba2c668bb87964291bd3501cd7ba74730d7070e1585ab36782c21a91abd8f5dcbcfb3bc1840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
23780505877ff87535b10e8827d0a208

SHA1
b297aa981c8b64e9c41e730d2ce71d1c6da7033b

SHA256
f9a7d1adbfc7bf8ffdd1e63070f0f236ec15f379fb1633ae9e5e615e327305b1

SHA512
569a9a9b89ebdd83edd764509799cfdacb004c41ff3c6f79f844f179aa82a3a134f851dbe3562766e4095f3fded396bd44ba9df1556b618bbb542bc8decd9e02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
62409bb9cfc74029f767e61474d4fdc5

SHA1
5882bcdbe137fb7e3c35e0d3aeda11c90817687b

SHA256
b7c270dadf814498f0a4039efa1f1c779f5ead2b2adaa734b9252efb94d728cb

SHA512
93da46b52e78cf9d460297d8ba2bf76e3e10a3cb9733a50a978c09329df488ac494d706d9c4e6a8883cc730711746aaf26a2eb067dcca9abf097a67f94bbce85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
9fc7316e966b484be06e4c5ca66929e0

SHA1
fd00e211b3cf83baaf18339651e7ecfa2de6dd3e

SHA256
6ce0400389e7368a74352380b0704cbdc7a160b0cab245b22f1ed1e27d098881

SHA512
02668ec0a759b93f3487ee1a2198f60642352589ed8c7227cf3200087d0b2cb83604473575b939278d0f9a7c65f4417d1c0ab63e9a1fae385fc63b5e82090cfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
7ee062c730173b380e8a8c504bf60632

SHA1
9c8686df3ed3f7647dc757ebe2512bf455a4a276

SHA256
54434826fcc235ec77d91d03512cf5160ca9a4240f867e45b108c11695d58c3b

SHA512
7be795686ba4ea31af11b7035fd8da6a3a8e7a44f215528f930bb76c23c9e00d8eb36c596a5ce08a5109e7c38a263c6f1d35fd8f9ac9a4f2c4708a796c3864fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
ab572e4a83f01cdfb489c2b594b05c4f

SHA1
976cb6694446282723e1c04ee71d067131a0c60c

SHA256
649cddf9932b14c1f9fe5ea9aeda0b11a1b86cf3d24d6a8763f9be0a05dd4eaa

SHA512
454d6daccc3412bc49e4d72df8a8f3ad8b6085c4657d450176373e1103c48ec4a5eeb62431dd79b3c20f7b3d9422963b2914017f88dd8b03f438ec1ed87239e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
38622f38883f44c032ce887a25a20da3

SHA1
0236fe37c965b53c4e2e29afa61ee633ba26b1d0

SHA256
53d1c290d8a48f7c8d47beb3da5e3077fff755dffe7ee6271021179318115717

SHA512
8a1c0e7f301a4a9cabfeabd05d4d4fab3e50d6402f9afe7b60cdc97baca0c08e95a5c503eabda91f85917ad6a3037ee1280f0a7e53a14e5597a24c013fc1b70f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
167c85e382f5b4ae322094ec09df1876

SHA1
714212ab9970b0cef87f1f3245f09447e18803f1

SHA256
8137cb20c70ec4ee6954b16f64df6f47ac6f1cdc2552e6e17463e75f0940caa0

SHA512
7e7e9c4af4877619bf5f84a09115dd326572068511a03ec683ed280ac6a3e429ffb63708fc2acd8e3c3d81d1d83d41560c581f2d0bb38902250e0250081cc351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8d8084f4-f3f0-4ae2-867f-9bdc75f2710b\index-dir\the-real-index

Filesize
2KB

MD5
726f5b83c479d18ab69690e60333de2e

SHA1
c44247c785ea4f985a73a56245772b2291d2d6cf

SHA256
22ee4f0fc5dbcf397225ce97be2a0abbd627361537836285ccd0c7555930449f

SHA512
eed8588b5d9e770ed55a0fa880a6168fb11fd4e725dab029a10e705b51a37ec3c13d60977be8c9eb9f1d011bef62971131e8f82ea272150578da14c2aedc8a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8d8084f4-f3f0-4ae2-867f-9bdc75f2710b\index-dir\the-real-index

Filesize
648B

MD5
6df20a22c901ef4f66a73e3d1e644c9f

SHA1
8a938e107fdcdad3656795e85ab4fd482e5a79a9

SHA256
1d3999d5f50c2f317b916cb01a962866f0a10e5fff4f7db907d8d65fee8380da

SHA512
6715d7ae4a073164d5f48d64101f1bda316166b8c947481880958c8a28573179fde436007d2adf4c4b8d987a2bb220f9daec7229da8990b875000466c7eaea13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8d8084f4-f3f0-4ae2-867f-9bdc75f2710b\index-dir\the-real-index~RFe58a69b.TMP

Filesize
648B

MD5
9129b039895258330a369ea64ac6871c

SHA1
be13ac191dc0e935e4e71b82249717314c0fbb3b

SHA256
cf8dc86166b7b5aa9c840649d90dede0aeb2eecacbc04cb21e3307824558cea3

SHA512
d768ad31136c10f096598864a26f107fd2ac83f8d8d857020320a5abf285a263d3c07c34451535a4b0212ef4c6777ed1c7ec9068b67000220f99deb8177b67b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9dfd6465-7c0f-4139-9ac0-1c7dcd3710fc\index-dir\the-real-index

Filesize
72B

MD5
f6d66e2d85114dc8d1ac7ce3125da786

SHA1
38a93b82db42e9842ee80de476e4d9a217fe8262

SHA256
92c40b4b436b276a56c37cf5a8c76e726703deaee83daa2c97e5d8a553a69800

SHA512
c4c10f76fba8f783ac80b22960ec6c33adfd8987ed8fb8abb811b5a26c1392aea1dc33ece32dcc12589838aa57762571349cbd7270e3a3f95bbedffcd2e00cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9dfd6465-7c0f-4139-9ac0-1c7dcd3710fc\index-dir\the-real-index

Filesize
72B

MD5
058c7a55c56674c4cdc60d4af274d864

SHA1
2ea94be75f7fee2f6f0fd094eb49d91a1fc0cede

SHA256
a452ce7678e3fb462af1b4ad413bcac2442dd255fbe76d86c2926a98fee98eaf

SHA512
f7aca6acb754afcbd2753b237097959bca56413b407d41aba3bfa2a5814e8ad3351d41a602a04d02185b50b86ac94050f28350e8f291bdde2d8f039054bb0a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
c2562aad692f9960551ace1ff72d2fe0

SHA1
a80bf13b304af064da9b9e0951e72531db696f0c

SHA256
0b878938bfaca6387a6a5f0fa30b6c2dfdb3636890db8c9d802a7c6de993fba0

SHA512
056e8fe34b6c6e3239d23da185a4562d727e03fd96e4222c99bf2ccde6e95ecdcd69d06319f450e8686e042c9bcbf7e456956e4fbe4c58a2d7e593a96eaf6540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
0fe095f81439a9b9d67d0083d94d8f93

SHA1
1798c66e35bab21a343ba1aa526573ce23200e43

SHA256
019c268486f5c1252bcdd11d283d56484e56664016693ce263a68d0762e8e379

SHA512
c86856261f71a2a314fc68bfcbd49d04ab0a7b7a01fdc21642c30cd7730c365f58e2ed6e9b3481fdf2812d6882a2fa737e9068a5558123e3c9dd3833fbc0da61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58faf5.TMP

Filesize
48B

MD5
e467b5601d72adda500551570be6824a

SHA1
ae40c800baf5aa4e253f7df546298b323ba68aca

SHA256
73555084f88adf0e0c65b05902668c480d2cbab8a63b6115ed446e970a93e83b

SHA512
880f965307a046621060941f58c4f4b28f1460105247e04916d069b2a691bcfd036a83d834a29f8f17df9d15e4feb0ebab3ce1337188e70e436fc69c555d1994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\favorites_diagnostic.log

Filesize
1021B

MD5
3a75e90ac736062ca21faf84b2442c20

SHA1
c924920e4a114db9811ed7d7d16e0850a87bf5b1

SHA256
5ed322c76f4e00625dbc07bd2a2406120d45a270a4fb5c3671c46e78961c5710

SHA512
d9ad9e260b6675927d7dd669196b80aaec3d1302ccd467f257b12f98bbaed8daede7bdb43508e85144b538e5514438b31e357eaecb09b41d870571de0116771f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\favorites_diagnostic.log

Filesize
1KB

MD5
e90adcc84af35558520e8abb856d94fb

SHA1
c93e3c43723184deb656cf9948d9bbecdc9b4b3e

SHA256
7a066ceb485a8080a922a4fb6507af4ab2736e516d7ee4047c594f47681683c4

SHA512
803bf65234cd543b746b44080eca6fc7e00eadca11234eb893a80f7769156eeead5acc9f2462b5218723ef97ecf1df0e3d03077f4ed78ef696a36e136559a9a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\966b2a15-b3ed-4990-a2a2-63f56c90384e.tmp

Filesize
23KB

MD5
0cbc5d8de99344f95c616995e41792b4

SHA1
5704cfc9aea50e7e5fdcc7707f4d18654befb657

SHA256
f5c3414011f84c21cc51d9712b5a5993ea3be73725904cea18d4ac7470afcfd1

SHA512
cb0c13f92d14221c81bf9d90f50449e96c61e0f4c0a69e0f8dfcd85fb3448a166ee1f33db4efc7e50ecc2b0b013b05e753a7cec1089866abc306f411d55d5366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
876B

MD5
74d8aed5154ac7510b45089233c01f48

SHA1
01962f702061d4e7ee510420f4b922f57923b62b

SHA256
ff30d1987438fa119d55e45304e63d37d1f8c4319f3a7a2b2d745c6e7d008836

SHA512
9b667fc58af84f373790adfe2077363d1f7056e38414f65252edf449450642d347f1a91e883b85a6361b33c449938a9ad907b551c16a897782f8d4b3cdf22f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe58d934.TMP

Filesize
467B

MD5
36e4988ced4837afc7cc102c39663a4d

SHA1
1c9e5bb000a0e16204906fb9a63af90118e71585

SHA256
6f983e444c961967e05a5f8415977515842e5f2273868374bb3f7fa7926fd969

SHA512
8b11c9b173f90072ff1c3aac20d0bc245bdee16c5948a0fceadc95ab65c382b7e3f5284f6b045d5cc4fad5b8f507f00a0365508ccbb933e947f2f54a8ce3fa11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
21KB

MD5
97ffbea42e9a0795865f12dedaa14292

SHA1
82b1a9a09d849ca8e55914ceb05677991729de10

SHA256
84db83a7515ea99283ea322d6ae8a7e806287e7e98771a53a5d0e3ff362ecd16

SHA512
884e56e3e7419a5ce22725d8b39b6d9424c882185762fe6ebb3a5c67d65e87b846ecce8a26491019acd3ba79641f489a32e20e2c7b99576315352cca1f5a13a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe58db38.TMP

Filesize
3KB

MD5
c7569efb2fa9fe93c0ea2f0896f54036

SHA1
e231c700b778b624f6065b035e5803fdd8b4db4b

SHA256
2422f055fd21adce7a027c3eaab1bbc474345a26cb1b9762b3d7572ebde67d3f

SHA512
c394da9a75cca87f6e20cb2abbc2e087d3e374b613bbc960f255ebfc8f01d4349fc8a487ec56ff8141f47566cf021dc33196e42b6295ce5399ff78e5ce4b066f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json

Filesize
3KB

MD5
94406cdd51b55c0f006cfea05745effb

SHA1
a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9

SHA256
8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e

SHA512
d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
ef1af61998175f78806567af1265cc52

SHA1
d1c9784621b435ceb186ea07540629527b6ebe90

SHA256
6e5a8abbe33b1af169b6cf47b99d0c2ce84e7a96f22a4ac40dafea0a7c82b952

SHA512
51f279ca752d3c0cabbdf283fccbee8d97d42d3d177123b3fbf7fc3ec305ef83c9794f12729d03e93816e18a07d35f7dd386986bf73c4d977b3f406c84df1b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
edf9154f33a0720634480f5b408de63c

SHA1
434d402ba74e2f4f7ac680cc1d08faccc948a810

SHA256
b8ae4c17fa05754f4bd98694241d1e02342437be895345f0ec2e005d0d74d21d

SHA512
df39045713cd218e0bbf6122e0e05a98c264c4a389859a3d7faea5734e7dc840cb864761db2b46521d0c37cc1adb6d96f8a8488367bd25b687049f2683b338ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
d1681592266f39c9544a3d07e3125261

SHA1
4c9e7569dba81da5f5af29f3be3314c1f710014b

SHA256
c3be84617e2953e8649ede9e7a3446e55df2475fa1c79e023fe39ad689b33edb

SHA512
dcf5be6b83d3a6a7e38349bc14d941e7df502a45648e585e3670a4bd7eb1636048d0d354a3a60f74fcbb6ff349669e5c6908da17702303e8f736f177c4b27dbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
560fc9f191e5145c3465611d34999d28

SHA1
fcea25b2f15df5ee93899bc99e15bc9daf379276

SHA256
e5160e08fa4d6c4af91f094357b7829476a13f7718fa38175ad334005003c359

SHA512
4c41de0455490b97b6a3d0d981b714c78b7f1f45bc61499dd1d791ceff6af3b41a598f83f3c0b2d813708c0a220c5ba0db6450642e5ad28573b5f0d7819c8d02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
194d7718600a88fc94e787452cdd1a5f

SHA1
5d1d94142d6b8278e1b715008ea9122a2303fa22

SHA256
5783525ea2c140bfa6a76ff80f54e6249c48370988ccb8904d4380b6c46aeb6a

SHA512
19363d07ef675a9814615eb4da00b8b8af82fdd19cbaa311da86f6fc074aaf861c41be92f17445e0bcdd9c7a1178d4a0c1ea8008a6281148317c77a17d1e6678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
b7b125d547a3df94a70901863e2c9281

SHA1
09a21376424771f2c97a70535a0234aa9391ac39

SHA256
c1d42bd423ef94ede6462264d5e558d06e80e5de2a7548d40377ae6c690dd085

SHA512
a4c5853052e94d2be3cadd7b873e29b152f3ca499f9f73246d2a3f1b99c6bb4023c56af01759cf8e553fe5ed63ee9cfd25b647ea64e83a08d0e361eb5642716c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
5fc7099c15939c32a78e8100d84511eb

SHA1
69a793a67e857baaedec17a971e7d54f316a52b6

SHA256
0dad7da3c63540557a1f2e1c25664aefdb05669b5c5962d9d69e4fb1096438a6

SHA512
b539c6196be807d4f6ffc96f263e2e5b9f06bc0c874200f4c4543becd53ea0b01b54c5a034aa844b616ae7ae55a2cb2eb48f72532b33b9562d09f99f61cf8224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
c61bf25a4a96feaaa4f2d8ca18e9617d

SHA1
a6b049746c0483c812050a3c392977c074e5ed5b

SHA256
a68e84d69b1bbfb830f7aa2e218431ed9a09694b042e3625694c46c8e1292b3f

SHA512
107dd9d9a234ef4d14e6eaadc6e6988e8336b476a5e0bd6196b254076317f6a973afbe18e9ab9bd5bd46e19090eca6939671984d7c4cd8d32bed7cc687720a9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
48067dcb89308f632ba9d79dac016181

SHA1
7d867cadc600a7f5321c7340dc8bd55627a62049

SHA256
cb4bf9072ca7ad1a96f4c0dfc194ac719a2317218f9a3566824142fbaff9226f

SHA512
85c58f648bcd19b391dda9ef256b098ce9919f834db827d874b426f88a280ab3b2b56fdc6a0ee21cb605f678397e796a37b256459030b3bc14705a2078d856d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
2d02f8817508d2bba06b8f77be2c9ccc

SHA1
5e0fcb2df5cbbafe553436fae70a0fcf52846dfd

SHA256
bffa3bf3a93b27542ef93443f741d7e7789f676e61f22e741799d804c901816e

SHA512
7096198f231bad74415d7f83dd082f3ce211d7d7f4c9a600b9d89140a121fdb9c61bdf77c439aaf0f7a1617f9b899301ab3ce0f6187d88649630c2bdee1f54b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
39533a3c8aa309df2bfbb2ef8accccea

SHA1
fd4a5898fd8604f093a1d63aa5beb8f3d21a4bde

SHA256
59b0fcfa39bdaefbbab0fe20a77e23fd34425a32af49a396d532c377b334ab1c

SHA512
7a02521f5ffc5a477b29d475b30bef130e11b6ef9f907883c6b1efab93f55b013919d59511d3035134bec31d01f82bc5e394fcd37a3c0c976ec567d4a7e507c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
3d285d9dcd877bc0e3aba0405899ed23

SHA1
64f0d1991d2a2ebb596b01887a3809877418bfb7

SHA256
6f143595dcea11140dbdeb0419bd6db8dab487c48ee1c89ec08d1966ff15833e

SHA512
57dfb599442dfd02e59aa7d9936c39d6ac1515f923e16e5a27b10aae6291725e1c250b0901f11510e9a0281bf9dbca44bbf2a2bdc64bbea4f154a32361b7e492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe58b774.TMP

Filesize
392B

MD5
9f4b35dd8accf868c0ba5090aa7aa715

SHA1
26914c6e9217f3fa1619811f0a6e751ee8c5810e

SHA256
361d185fce15df4dc185b5691f9145d5ac1c9db4ee5cf3b85b6bc1a85356ae5f

SHA512
09dc123d193a60fb7cb4d20291416bf8e916b711717db23f0bfcb9a8ea5162c20db5af0089c190d4bc8fa579106ac0f0d91eb2314eece65cfad6359a8180bdb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json

Filesize
2KB

MD5
499d9e568b96e759959dc69635470211

SHA1
2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6

SHA256
98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d

SHA512
3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a330fbe-9c39-40fa-8ab5-e9063531be6d.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba4af035-8a32-4f46-8665-8fd28bf892ce.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
135B

MD5
90022f82afe48963cc42547209f18f96

SHA1
e60698c77e7df4cccc493f2cfa6d76f7553d71e2

SHA256
046509f2b672f0f5da1b5441649873c736d81853701b67094bb319b025afb2cc

SHA512
6743f17da515c61ba1ab3df53077929d6f480f84978bcf8ae61880015221f245fde6e3a2ffe3dc937f80b37e8774dcc61838ee4ed461658b3a44f02cc0469208

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4240_1937734363\571505ee-abec-46e2-891a-c2ff961f769a.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
c937cff173f74aea0813054023e8cd88

SHA1
848ee70c059c25c89d452809f22aa17fc95c3f31

SHA256
3b36c9348c3a898e06818fe651ac7dc7ac676fc7dc6b44e30c2860c0c725e726

SHA512
9de967cdb5f8c5eaa8c5904a7b737d0500857a6baabb5e6e6bf97f13a3e1ac3e06bf41c37f542c11f834d6dfe95345d69fa91a211e2169e7cd45190c671bf89b

Download Submit
C:\Users\Admin\Downloads\BabylonToolbar.txt

Filesize
57B

MD5
2ab0eb54f6e9388131e13a53d2c2af6c

SHA1
f64663b25c9141b54fe4fad4ee39e148f6d7f50a

SHA256
d24eee3b220c71fced3227906b0feed755d2e2b39958dd8cd378123dde692426

SHA512
6b5048eeff122ae33194f3f6089418e3492118288038007d62cdd30a384c79874c0728a2098a29d8ce1a9f2b4ba5f9683b3f440f85196d50dc8bc1275a909260

Download Submit
C:\Users\Admin\Downloads\BabylonToolbar.txt:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Blackkomet.exe

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\NetWire.exe

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Remcos.exe

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_1259966991\manifest.json

Filesize
134B

MD5
58d3ca1189df439d0538a75912496bcf

SHA1
99af5b6a006a6929cc08744d1b54e3623fec2f36

SHA256
a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437

SHA512
afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_189463441\manifest.json

Filesize
160B

MD5
a24a1941bbb8d90784f5ef76712002f5

SHA1
5c2b6323c7ed8913b5d0d65a4d21062c96df24eb

SHA256
2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747

SHA512
fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_1984217215\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_1984217215\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_439278916\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_854024333\manifest.json

Filesize
160B

MD5
c3911ceb35539db42e5654bdd60ac956

SHA1
71be0751e5fc583b119730dbceb2c723f2389f6c

SHA256
31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d

SHA512
d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4240_890304218\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
memory/412-2116-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/412-2115-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1424-2114-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/2764-2024-0x0000020470250000-0x0000020470B64000-memory.dmp

Filesize
9.1MB

Download
memory/5216-1991-0x0000021195870000-0x000002119588E000-memory.dmp

Filesize
120KB

Download