redline | e1376d29bc25574d0779428815cb7c4dd52d04d7e55005d2b031f66eaaa12c84

Analysis

max time kernel
177s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rovwer.exe
Size

38.4MB
MD5

7f6bde7964c323190a8e5a54ddfe1646
SHA1

358f7bb03e0d743bf7a900276017c1aa7debcea5
SHA256

e1376d29bc25574d0779428815cb7c4dd52d04d7e55005d2b031f66eaaa12c84
SHA512

2e91e71cdef9e78d1c43cff06fa0120b1dfb61ec0a9e17fb9202fb1072738757aabcf05b5169425d06888f04b3a78dcca84d8fd0400a844e3bc47234261a00fb
SSDEEP

12288:UkxChSElpRh/Alk2ReyATGdBoSNgFKTkjmhFPry83I3LBemU41REa:UkxChSEfQk6eOozFKXFPL3I3LBvUWRL

Score

10^/10

redline crypt_cryptex microsoft infostealer persistence phishing spyware

Malware Config

Extracted

Family

redline

Botnet

Crypt_Cryptex

194.36.177.60:81

Attributes

auth_value
695fd213fb1982a368936f037db38e54

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2560-170-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
4624	rovwer.exe
1496	rovwer.exe
4648	rovwer.exe
1596	vvv.exe
5400	rovwer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rovwer.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vvv.exe = "C:\\Users\\Admin\\1000008002\\vvv.exe"	rovwer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3320	rovwer.exe
4624	rovwer.exe
1496	rovwer.exe
5400	rovwer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4624 set thread context of 4648	4624	rovwer.exe	113
PID 1596 set thread context of 2560	1596	vvv.exe	117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4132	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3320	rovwer.exe
3320	rovwer.exe
4624	rovwer.exe
4624	rovwer.exe
880	chrome.exe
880	chrome.exe
4828	chrome.exe
4828	chrome.exe
1496	rovwer.exe
1496	rovwer.exe
2288	chrome.exe
2288	chrome.exe
3372	chrome.exe
3372	chrome.exe
5220	msedge.exe
5220	msedge.exe
5236	msedge.exe
5236	msedge.exe
1696	msedge.exe
1696	msedge.exe
5728	chrome.exe
5728	chrome.exe
2560	vbc.exe
2560	vbc.exe
2560	vbc.exe
5448	chrome.exe
5448	chrome.exe
5400	rovwer.exe
5400	rovwer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
1696	msedge.exe
1696	msedge.exe
1696	msedge.exe
1696	msedge.exe
1696	msedge.exe
4828	chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	vbc.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
2560	vbc.exe
1696	msedge.exe
1696	msedge.exe
1696	msedge.exe
4828	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 4624	3320	rovwer.exe	80
PID 3320 wrote to memory of 4624	3320	rovwer.exe	80
PID 3320 wrote to memory of 4624	3320	rovwer.exe	80
PID 4624 wrote to memory of 4132	4624	rovwer.exe	81
PID 4624 wrote to memory of 4132	4624	rovwer.exe	81
PID 4624 wrote to memory of 4132	4624	rovwer.exe	81
PID 4828 wrote to memory of 2072	4828	chrome.exe	94
PID 4828 wrote to memory of 2072	4828	chrome.exe	94
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 2260	4828	chrome.exe	98
PID 4828 wrote to memory of 880	4828	chrome.exe	99
PID 4828 wrote to memory of 880	4828	chrome.exe	99
PID 4828 wrote to memory of 4628	4828	chrome.exe	100
PID 4828 wrote to memory of 4628	4828	chrome.exe	100
PID 4828 wrote to memory of 4628	4828	chrome.exe	100
PID 4828 wrote to memory of 4628	4828	chrome.exe	100
PID 4828 wrote to memory of 4628	4828	chrome.exe	100
PID 4828 wrote to memory of 4628	4828	chrome.exe	100
PID 4828 wrote to memory of 4628	4828	chrome.exe	100
PID 4828 wrote to memory of 4628	4828	chrome.exe	100
PID 4828 wrote to memory of 4628	4828	chrome.exe	100
PID 4828 wrote to memory of 4628	4828	chrome.exe	100
PID 4828 wrote to memory of 4628	4828	chrome.exe	100
PID 4828 wrote to memory of 4628	4828	chrome.exe	100
PID 4828 wrote to memory of 4628	4828	chrome.exe	100
PID 4828 wrote to memory of 4628	4828	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\rovwer.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4132
- - C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe
    "C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe"
    3⤵
    - Executes dropped EXE
    PID:4648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=rovwer.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:1696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdd9f46f8,0x7fffdd9f4708,0x7fffdd9f4718
        5⤵
        
        PID:2212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1463957868634462339,13678125486796234129,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        5⤵
        
        PID:5180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1463957868634462339,13678125486796234129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1463957868634462339,13678125486796234129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
        5⤵
        
        PID:5508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1463957868634462339,13678125486796234129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        5⤵
        
        PID:5612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1463957868634462339,13678125486796234129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        5⤵
        
        PID:5628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1463957868634462339,13678125486796234129,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
        5⤵
        
        PID:5836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,1463957868634462339,13678125486796234129,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5188 /prefetch:8
        5⤵
        
        PID:6000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1463957868634462339,13678125486796234129,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
        5⤵
        
        PID:5200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1463957868634462339,13678125486796234129,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
        5⤵
        
        PID:3648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,1463957868634462339,13678125486796234129,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6124 /prefetch:8
        5⤵
        
        PID:8
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=rovwer.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:4972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffdd9f46f8,0x7fffdd9f4708,0x7fffdd9f4718
        5⤵
        
        PID:1308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7093840541640013587,412204083143379555,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
        5⤵
        
        PID:5192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,7093840541640013587,412204083143379555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5236
- - C:\Users\Admin\1000008002\vvv.exe
    "C:\Users\Admin\1000008002\vvv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1596
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdd354f50,0x7fffdd354f60,0x7fffdd354f70
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1604 /prefetch:2
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4484 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1420
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x22c,0x230,0x234,0x208,0x1e0,0x7ff737dfa890,0x7ff737dfa8a0,0x7ff737dfa8b0
    3⤵
    PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:5844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  PID:5320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13161476655613131528,8050813968395053038,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:4392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5456

C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000008002\vvv.exe

Filesize
241KB

MD5
aca124c45a891c1ef397d8f417321b18

SHA1
df65ba744946b458692d3b9e8a7c751f5ce4905d

SHA256
f8d62ab41ce1346a6b65b18bab3b87d35143ccdcf680628738c22817987efd70

SHA512
979ddbe803c338022650aec8c1c9f90dbb0285e1c1cafcd0c2061bbb4e9ea73b01ecae8ee24da109d943d8a935a26281b595d5aa08e8b47133b12f1094f458d8

Download Submit
C:\Users\Admin\1000008002\vvv.exe

Filesize
241KB

MD5
aca124c45a891c1ef397d8f417321b18

SHA1
df65ba744946b458692d3b9e8a7c751f5ce4905d

SHA256
f8d62ab41ce1346a6b65b18bab3b87d35143ccdcf680628738c22817987efd70

SHA512
979ddbe803c338022650aec8c1c9f90dbb0285e1c1cafcd0c2061bbb4e9ea73b01ecae8ee24da109d943d8a935a26281b595d5aa08e8b47133b12f1094f458d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
e2383467d4bc34cd454c36a9213eb657

SHA1
4e8e06a934c3513c64f3093d53678d59275d42fb

SHA256
24372e69dd31ea106f1ba479dcaec5eddcad54d1d2848b5117461ae5d30d5c7e

SHA512
a2604596d187959723ff4755c9db5a58644f5d296220c7172f7b0484eb83c22d45ac1d8c5f110472debbbcb68f799b58a247ebba46f8a9c0e274512eed1851ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
416B

MD5
098678cf797deffb1f8895872678f06a

SHA1
a456f5a4720a089df27882b33cf10b6f6ff1f833

SHA256
3014bb8390edcb80e93053542007fb1df7ed7e26c6be0e2929c2dab4935151d4

SHA512
d6acf5be85aa988ba8fc9290e82a0383fd2da9aface4ccf9f037873bf4dfaacc6ae19bf1ca7ac044ccc8a1691fe321a412f76a93c59a7892305737557607b318

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
93KB

MD5
7fef97d652f74e42a48e43391d087fbe

SHA1
66de1b5a12ceed7d0c198eedffbc1112d86cdbc5

SHA256
f7a820ef0c9d3c9c0636f4497e878a180075e91b534570d6832234f44f66a4f2

SHA512
73abe04461e2de2e9428f7b35962e0a4bb4180c20795194ba9ca50ba464e6ff6e1a60a4c066c26eb5ef048645df6207b0df7660844ef1f911fd16b425ebe9cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
30e375798049100677ea16b7c578a4ee

SHA1
bcab7401a5f34ac0e6f795ece8d3ed12944ae99f

SHA256
ea5c90cfc97f429a2f9e0b1e9b16778b5b19bd8e83a896a30002de70af84e1ce

SHA512
f8ae930e26ecfe06dc30d4f39858b0eec6b4a81a8139883712505b5c6b58504d463d986ef58c7151a247fe157c6013b570b9d39e1d4a860061e37e0419900582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
fff149cff1defe5fe646da19199bf5e4

SHA1
e8e35aded9c761539f1043a1dd94f1b4d2b697aa

SHA256
0f5626ed1b2d4eb36159380a02eb12360cd7f6a23e8bf7d22a68db64e3c360fb

SHA512
803609c56bb24646fff8fb87cef2fd6358f691c801caa08cec421675a322e6b9d11456a5039ad772cae61704722802239294b1dc7d182bd91ca5797336f0e6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe

Filesize
38.4MB

MD5
7f6bde7964c323190a8e5a54ddfe1646

SHA1
358f7bb03e0d743bf7a900276017c1aa7debcea5

SHA256
e1376d29bc25574d0779428815cb7c4dd52d04d7e55005d2b031f66eaaa12c84

SHA512
2e91e71cdef9e78d1c43cff06fa0120b1dfb61ec0a9e17fb9202fb1072738757aabcf05b5169425d06888f04b3a78dcca84d8fd0400a844e3bc47234261a00fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe

Filesize
38.4MB

MD5
7f6bde7964c323190a8e5a54ddfe1646

SHA1
358f7bb03e0d743bf7a900276017c1aa7debcea5

SHA256
e1376d29bc25574d0779428815cb7c4dd52d04d7e55005d2b031f66eaaa12c84

SHA512
2e91e71cdef9e78d1c43cff06fa0120b1dfb61ec0a9e17fb9202fb1072738757aabcf05b5169425d06888f04b3a78dcca84d8fd0400a844e3bc47234261a00fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe

Filesize
38.4MB

MD5
7f6bde7964c323190a8e5a54ddfe1646

SHA1
358f7bb03e0d743bf7a900276017c1aa7debcea5

SHA256
e1376d29bc25574d0779428815cb7c4dd52d04d7e55005d2b031f66eaaa12c84

SHA512
2e91e71cdef9e78d1c43cff06fa0120b1dfb61ec0a9e17fb9202fb1072738757aabcf05b5169425d06888f04b3a78dcca84d8fd0400a844e3bc47234261a00fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe

Filesize
38.4MB

MD5
7f6bde7964c323190a8e5a54ddfe1646

SHA1
358f7bb03e0d743bf7a900276017c1aa7debcea5

SHA256
e1376d29bc25574d0779428815cb7c4dd52d04d7e55005d2b031f66eaaa12c84

SHA512
2e91e71cdef9e78d1c43cff06fa0120b1dfb61ec0a9e17fb9202fb1072738757aabcf05b5169425d06888f04b3a78dcca84d8fd0400a844e3bc47234261a00fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c8d97a9c8\rovwer.exe

Filesize
38.4MB

MD5
7f6bde7964c323190a8e5a54ddfe1646

SHA1
358f7bb03e0d743bf7a900276017c1aa7debcea5

SHA256
e1376d29bc25574d0779428815cb7c4dd52d04d7e55005d2b031f66eaaa12c84

SHA512
2e91e71cdef9e78d1c43cff06fa0120b1dfb61ec0a9e17fb9202fb1072738757aabcf05b5169425d06888f04b3a78dcca84d8fd0400a844e3bc47234261a00fb

Download Submit
memory/1496-155-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download
memory/1496-156-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download
memory/1496-157-0x0000000076390000-0x00000000765A5000-memory.dmp

Filesize
2.1MB

Download
memory/1496-159-0x0000000000B50000-0x0000000000B96000-memory.dmp

Filesize
280KB

Download
memory/1496-158-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download
memory/1496-154-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download
memory/2560-181-0x0000000008170000-0x00000000081C0000-memory.dmp

Filesize
320KB

Download
memory/2560-177-0x0000000008590000-0x0000000008B34000-memory.dmp

Filesize
5.6MB

Download
memory/2560-211-0x00000000098C0000-0x0000000009A82000-memory.dmp

Filesize
1.8MB

Download
memory/2560-212-0x0000000009FC0000-0x000000000A4EC000-memory.dmp

Filesize
5.2MB

Download
memory/2560-170-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2560-171-0x0000000005920000-0x0000000005F38000-memory.dmp

Filesize
6.1MB

Download
memory/2560-172-0x00000000072C0000-0x00000000073CA000-memory.dmp

Filesize
1.0MB

Download
memory/2560-173-0x00000000071F0000-0x0000000007202000-memory.dmp

Filesize
72KB

Download
memory/2560-174-0x0000000007250000-0x000000000728C000-memory.dmp

Filesize
240KB

Download
memory/2560-180-0x00000000080F0000-0x0000000008166000-memory.dmp

Filesize
472KB

Download
memory/2560-179-0x0000000008080000-0x00000000080E6000-memory.dmp

Filesize
408KB

Download
memory/2560-178-0x0000000007FE0000-0x0000000008072000-memory.dmp

Filesize
584KB

Download
memory/3320-134-0x0000000000D20000-0x0000000000DF7000-memory.dmp

Filesize
860KB

Download
memory/3320-142-0x0000000001460000-0x00000000014A6000-memory.dmp

Filesize
280KB

Download
memory/3320-136-0x0000000000D20000-0x0000000000DF7000-memory.dmp

Filesize
860KB

Download
memory/3320-133-0x0000000000D20000-0x0000000000DF7000-memory.dmp

Filesize
860KB

Download
memory/3320-132-0x0000000000D20000-0x0000000000DF7000-memory.dmp

Filesize
860KB

Download
memory/3320-135-0x0000000076390000-0x00000000765A5000-memory.dmp

Filesize
2.1MB

Download
memory/3320-137-0x0000000001460000-0x00000000014A6000-memory.dmp

Filesize
280KB

Download
memory/3320-141-0x0000000000D20000-0x0000000000DF7000-memory.dmp

Filesize
860KB

Download
memory/4624-149-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download
memory/4624-150-0x0000000000660000-0x00000000006A6000-memory.dmp

Filesize
280KB

Download
memory/4624-144-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download
memory/4624-143-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download
memory/4624-151-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download
memory/4624-148-0x0000000000660000-0x00000000006A6000-memory.dmp

Filesize
280KB

Download
memory/4624-146-0x0000000076390000-0x00000000765A5000-memory.dmp

Filesize
2.1MB

Download
memory/4624-145-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download
memory/4648-163-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download
memory/4648-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5400-223-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download
memory/5400-222-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download
memory/5400-221-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download
memory/5400-224-0x0000000076390000-0x00000000765A5000-memory.dmp

Filesize
2.1MB

Download
memory/5400-226-0x00000000029A0000-0x00000000029E6000-memory.dmp

Filesize
280KB

Download
memory/5400-225-0x0000000000C00000-0x0000000000CD7000-memory.dmp

Filesize
860KB

Download