dcrat | cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2023 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445.exe
Size

149KB
MD5

932c74304b16cf546adfc4c1e7b8908a
SHA1

083698ced09892795e485afcd3182d44734b1c69
SHA256

cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445
SHA512

d2e113596ffe3138b3b7c62e7ba579860a711e876800bc67da88f8c23cb168f6983eb6bfc9962a9fc1e56dfc354f20788709089f44fc5876ac62456704504771
SSDEEP

3072:xFspHvXz3KRBFDE2jyStDq6FmoHhCxLVcxf5SbCcJwiN:4JvXbKR82GKDq6DHhCpCj2C8wi

Score

10^/10

dcrat smokeloader agilenet backdoor microsoft evasion infostealer persistence phishing rat themida trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4816-133-0x00000000008F0000-0x00000000008F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/4372-271-0x0000000000400000-0x000000000052A000-memory.dmp	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

6708.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6708.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6708.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6708.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6708.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6708.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

A1C2.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation A1C2.exe
Executes dropped EXE 8 IoCs

Processes:

496D.exe6708.exe70FC.exe95EA.exeA1C2.exeA7DE.exeA1C2.exeA1C2.exe

pid process

2264 496D.exe
4728 6708.exe
5060 70FC.exe
4412 95EA.exe
4560 A1C2.exe
2592 A7DE.exe
1752 A1C2.exe
4372 A1C2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	A1C2.exe

pid	process
2264	496D.exe
4728	6708.exe
5060	70FC.exe
4412	95EA.exe
4560	A1C2.exe
2592	A7DE.exe
1752	A1C2.exe
4372	A1C2.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/4728-193-0x0000000000700000-0x0000000000F34000-memory.dmp	agile_net

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6708.exe	themida
C:\Users\Admin\AppData\Local\Temp\6708.exe	themida
behavioral1/memory/4728-193-0x0000000000700000-0x0000000000F34000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

6708.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6708.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Detected potential entity reuse from brand microsoft.
phishing microsoft

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6708.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

70FC.exeA1C2.exe

description	pid	process	target process
PID 5060 set thread context of 2748	5060	70FC.exe	AppLaunch.exe
PID 4560 set thread context of 4372	4560	A1C2.exe	A1C2.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0400bb7b-a6b6-4cb7-b0e7-be134670b37d.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230217220348.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

95EA.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityModeType = "843415633"	95EA.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445.exe

pid	process
4816	cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445.exe
4816	cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445.exe
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1076

pid	process
1076

Suspicious behavior: MapViewOfSection 47 IoCs

Processes:

cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445.exeexplorer.exe

pid	process
4816	cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445.exe
1076
1076
1076
1076
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
1076
1076
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
1076
1076
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
1076
1076
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
1076
1076
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
1076
1076
1076
1076
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
1076
1076
5040	explorer.exe
5040	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4316 msedge.exe
4316 msedge.exe
4316 msedge.exe
4316 msedge.exe
4316 msedge.exe
4316 msedge.exe
4316 msedge.exe

pid	process
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeAppLaunch.exe

description	pid	process
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2748	AppLaunch.exe
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

msedge.exe

pid process

4316 msedge.exe
1076
1076
1076
4316 msedge.exe
1076
1076
1076
1076
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

95EA.exe

pid process

4412 95EA.exe
4412 95EA.exe

pid	process
4316	msedge.exe
1076
1076
1076
4316	msedge.exe
1076
1076
1076
1076

pid	process
4412	95EA.exe
4412	95EA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6708.exemsedge.exe

description	pid	process	target process
PID 1076 wrote to memory of 2264	1076		496D.exe
PID 1076 wrote to memory of 2264	1076		496D.exe
PID 1076 wrote to memory of 4728	1076		6708.exe
PID 1076 wrote to memory of 4728	1076		6708.exe
PID 1076 wrote to memory of 4728	1076		6708.exe
PID 1076 wrote to memory of 5060	1076		70FC.exe
PID 1076 wrote to memory of 5060	1076		70FC.exe
PID 1076 wrote to memory of 5060	1076		70FC.exe
PID 4728 wrote to memory of 4316	4728	6708.exe	msedge.exe
PID 4728 wrote to memory of 4316	4728	6708.exe	msedge.exe
PID 4316 wrote to memory of 3724	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 3724	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 1652	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 2296	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 2296	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 4876	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 4876	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 4876	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 4876	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 4876	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 4876	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 4876	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 4876	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 4876	4316	msedge.exe	msedge.exe
PID 4316 wrote to memory of 4876	4316	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445.exe
"C:\Users\Admin\AppData\Local\Temp\cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4816

C:\Users\Admin\AppData\Local\Temp\496D.exe
C:\Users\Admin\AppData\Local\Temp\496D.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\AppData\Local\Temp\6708.exe
C:\Users\Admin\AppData\Local\Temp\6708.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=6708.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc2e5346f8,0x7ffc2e534708,0x7ffc2e534718
    3⤵
    PID:3724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    3⤵
    PID:1652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    3⤵
    PID:2296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
    3⤵
    PID:4876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:1856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:4380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 /prefetch:8
    3⤵
    PID:2952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
    3⤵
    PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
    3⤵
    PID:2524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
    3⤵
    PID:1744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
    3⤵
    PID:3464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
    3⤵
    PID:1504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6184 /prefetch:8
    3⤵
    PID:4640
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
    3⤵
    PID:4392
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:3932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x244,0x248,0x24c,0x204,0x250,0x7ff765285460,0x7ff765285470,0x7ff765285480
      4⤵
      PID:1136
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
    3⤵
    PID:2460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5236 /prefetch:8
    3⤵
    PID:3684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,9080053979110224715,11938054483484069714,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:8
    3⤵
    PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=6708.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2e5346f8,0x7ffc2e534708,0x7ffc2e534718
    3⤵
    PID:368

C:\Users\Admin\AppData\Local\Temp\70FC.exe
C:\Users\Admin\AppData\Local\Temp\70FC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\95EA.exe
C:\Users\Admin\AppData\Local\Temp\95EA.exe
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Users\Admin\AppData\Local\Temp\A1C2.exe
C:\Users\Admin\AppData\Local\Temp\A1C2.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\A1C2.exe
  C:\Users\Admin\AppData\Local\Temp\A1C2.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\A1C2.exe
  C:\Users\Admin\AppData\Local\Temp\A1C2.exe
  2⤵
  - Executes dropped EXE
  PID:4372

C:\Users\Admin\AppData\Local\Temp\A7DE.exe
C:\Users\Admin\AppData\Local\Temp\A7DE.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:804

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5040

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1868

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1276

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1252

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2008

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1588

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4220

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\A1C2.exe.log

Filesize
1KB

MD5
9e39b702ddcbdc603ad47b9d318dce62

SHA1
31709fbc20df043f4699fc3b288ce9bccd666b94

SHA256
b91057818a6617ee8e0c725d144403d30226b04d8181fed08cf0e5d634ee6388

SHA512
bab6b606b18f68e775d5a4fc2033adb1f228f66fe7103fe49a58dc7349227769df14d53b665615c7a9fb0cf2bbf679d5aa1ff2e97b0200d0a3603f8aebb9f533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
248831967cd174eeb5bb5eba173da6a5

SHA1
81c9c24d106aeb26f4ae1dcd0866ec7ed6d81d99

SHA256
3752c2ea4a6ba3d1a5b7545246c430a37cc79c8fdd60c82b4d0200ce083cf9c3

SHA512
07cd5594939f896098976a4fec9dd1005fa031637697187f9a038b65ecb46d9d9d5fab3e51f7eade64c369e8a885c0c8e9b76efc71e3ed3c4e613c623b09425d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
d35878ee080a16994a0c9d9fba0215c9

SHA1
0cb101c0ea3510005605e9c057b1d85fec1d1bb2

SHA256
a20eb87c18c6c4250521b574660a8ac009ce166891f85e3e8db8e5a9f6fa3f61

SHA512
f3a24b693ca975f7d893ffe6557f5f38f6fadb3209205cbd52cda1aaed4d84d529a2bd14e5cf22224f8434189df860ce28fa92628b4f146364c3dc458c572128

Download Submit
C:\Users\Admin\AppData\Local\Temp\496D.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\496D.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\6708.exe

Filesize
3.0MB

MD5
4df973fc60804e9bc6a8051582351ee5

SHA1
4ddc2e8ef17773fe4b7a29ea8634ff92861cd647

SHA256
bd036b1298af5791d217f59dcedb65fd719f942f7da224bdf6cea433d45c34b1

SHA512
86633629198870b36a5d9b28178140a4892f75581ac0f2bac77cb744bbdf0c7e2453656a31db4a4a9418d532212f3ed31a7061a0b84aa4bcc37da0f0d907048e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6708.exe

Filesize
3.0MB

MD5
4df973fc60804e9bc6a8051582351ee5

SHA1
4ddc2e8ef17773fe4b7a29ea8634ff92861cd647

SHA256
bd036b1298af5791d217f59dcedb65fd719f942f7da224bdf6cea433d45c34b1

SHA512
86633629198870b36a5d9b28178140a4892f75581ac0f2bac77cb744bbdf0c7e2453656a31db4a4a9418d532212f3ed31a7061a0b84aa4bcc37da0f0d907048e

Download Submit
C:\Users\Admin\AppData\Local\Temp\70FC.exe

Filesize
344KB

MD5
0907dc351caecbe56e4ae22c041efd17

SHA1
019335863db510b409415c574764c7728a5831ec

SHA256
9aef4e5ba4269eeaf266e914e7d48b9ed3e947da9345ec7a9d9e860d6798ea3d

SHA512
61518ad3b9c29ff7d53ab755ca0a4ee66a1e522cf0cd30d7baceb2597dab0c4896597207a0eaf5acfef5b0b5a08b52e9267ebd24ec5f6d15349ac97dcacdcee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\70FC.exe

Filesize
344KB

MD5
0907dc351caecbe56e4ae22c041efd17

SHA1
019335863db510b409415c574764c7728a5831ec

SHA256
9aef4e5ba4269eeaf266e914e7d48b9ed3e947da9345ec7a9d9e860d6798ea3d

SHA512
61518ad3b9c29ff7d53ab755ca0a4ee66a1e522cf0cd30d7baceb2597dab0c4896597207a0eaf5acfef5b0b5a08b52e9267ebd24ec5f6d15349ac97dcacdcee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\95EA.exe

Filesize
6.4MB

MD5
3e9adb4d8dbec6eddee3065caf5911f6

SHA1
31c7111c8044afdf5c6ddb1e55244acfd06229d3

SHA256
215426d36754e9d391ae8ccabb74de1489fb8c18a127fec02a5be4e45462a7a5

SHA512
b62f413092028a3bdbc4ee7f6a085e881f51ed68c28d2950d1665cb4ecb1170f173a6003660b3c0d6629cc85f6f4b0e28dedd42c839ebbb29343b46a4f474ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\95EA.exe

Filesize
6.4MB

MD5
3e9adb4d8dbec6eddee3065caf5911f6

SHA1
31c7111c8044afdf5c6ddb1e55244acfd06229d3

SHA256
215426d36754e9d391ae8ccabb74de1489fb8c18a127fec02a5be4e45462a7a5

SHA512
b62f413092028a3bdbc4ee7f6a085e881f51ed68c28d2950d1665cb4ecb1170f173a6003660b3c0d6629cc85f6f4b0e28dedd42c839ebbb29343b46a4f474ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1C2.exe

Filesize
1.5MB

MD5
c8c05c344c028625e22fbf3f9b00a9a7

SHA1
ab3b124bb475a411307a7b699e0f6cd1ad549051

SHA256
5be19294bec8749e2473edb88ced8d8d6844d79dc2d7181002f37d3b740fb747

SHA512
c771810a128d77e978a034d69a1bd27309812e9f17c30d5bd407c43293500a60d09c386c98be16f20b582c5457c6b03ee6e1758cf661ecc81e03726a7192aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1C2.exe

Filesize
1.5MB

MD5
c8c05c344c028625e22fbf3f9b00a9a7

SHA1
ab3b124bb475a411307a7b699e0f6cd1ad549051

SHA256
5be19294bec8749e2473edb88ced8d8d6844d79dc2d7181002f37d3b740fb747

SHA512
c771810a128d77e978a034d69a1bd27309812e9f17c30d5bd407c43293500a60d09c386c98be16f20b582c5457c6b03ee6e1758cf661ecc81e03726a7192aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1C2.exe

Filesize
1.5MB

MD5
c8c05c344c028625e22fbf3f9b00a9a7

SHA1
ab3b124bb475a411307a7b699e0f6cd1ad549051

SHA256
5be19294bec8749e2473edb88ced8d8d6844d79dc2d7181002f37d3b740fb747

SHA512
c771810a128d77e978a034d69a1bd27309812e9f17c30d5bd407c43293500a60d09c386c98be16f20b582c5457c6b03ee6e1758cf661ecc81e03726a7192aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1C2.exe

Filesize
1.5MB

MD5
c8c05c344c028625e22fbf3f9b00a9a7

SHA1
ab3b124bb475a411307a7b699e0f6cd1ad549051

SHA256
5be19294bec8749e2473edb88ced8d8d6844d79dc2d7181002f37d3b740fb747

SHA512
c771810a128d77e978a034d69a1bd27309812e9f17c30d5bd407c43293500a60d09c386c98be16f20b582c5457c6b03ee6e1758cf661ecc81e03726a7192aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7DE.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7DE.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
02f75331d1b058841af534caa2fafd97

SHA1
d06228bccac47209bae6c3694dbec49858876b4e

SHA256
a70620c6d6dbfe87641fadea491944371291bb5109d252f62d045c3ef44d18b5

SHA512
87753da91d64948c11379b5b7a6d10c3e21089ed7d8738d4034704d7bc8da9846446b2b20814a475131559b64e2e645e8e5e5cdfbd1ae9dd58f57169f3a28ee2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
83cc1d07cba3899709cadc3dd77e389c

SHA1
56747ecb0b01960d52b585e82518b74bd76341a4

SHA256
7046b3d8aff1baafbbbb0f083901760e0bf789238ef7c39547d6d318f094fea0

SHA512
a85f3d8dc5583dd119d22129c52e930924be8ba34757c01a6676e2ccc60bf23ec54118d7ae9d783e9dab712d6613f67f9d0ef9aa1ce51a3ee21330a2b654c5ff

Download Submit
\??\pipe\LOCAL\crashpad_4316_PVMAKXRVDXLTWOZP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/368-190-0x0000000000000000-mapping.dmp

Download
memory/804-203-0x0000000000000000-mapping.dmp

Download
memory/804-206-0x0000000000BC0000-0x0000000000BCB000-memory.dmp

Filesize
44KB

Download
memory/804-259-0x0000000000BD0000-0x0000000000BD7000-memory.dmp

Filesize
28KB

Download
memory/804-205-0x0000000000BD0000-0x0000000000BD7000-memory.dmp

Filesize
28KB

Download
memory/952-277-0x0000000000000000-mapping.dmp

Download
memory/1136-255-0x0000000000000000-mapping.dmp

Download
memory/1252-242-0x00000000011A0000-0x00000000011C2000-memory.dmp

Filesize
136KB

Download
memory/1252-264-0x00000000011A0000-0x00000000011C2000-memory.dmp

Filesize
136KB

Download
memory/1252-236-0x0000000000000000-mapping.dmp

Download
memory/1252-243-0x0000000001170000-0x0000000001197000-memory.dmp

Filesize
156KB

Download
memory/1276-238-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/1276-235-0x00000000008D0000-0x00000000008D6000-memory.dmp

Filesize
24KB

Download
memory/1276-263-0x00000000008D0000-0x00000000008D6000-memory.dmp

Filesize
24KB

Download
memory/1276-222-0x0000000000000000-mapping.dmp

Download
memory/1504-233-0x0000000000000000-mapping.dmp

Download
memory/1588-244-0x0000000000000000-mapping.dmp

Download
memory/1588-266-0x0000000001480000-0x0000000001486000-memory.dmp

Filesize
24KB

Download
memory/1588-249-0x0000000001470000-0x000000000147B000-memory.dmp

Filesize
44KB

Download
memory/1588-247-0x0000000001480000-0x0000000001486000-memory.dmp

Filesize
24KB

Download
memory/1652-218-0x0000025B97AB0000-0x0000025B97ABF000-memory.dmp

Filesize
60KB

Download
memory/1652-153-0x0000000000000000-mapping.dmp

Download
memory/1744-201-0x0000000000000000-mapping.dmp

Download
memory/1752-268-0x0000000000000000-mapping.dmp

Download
memory/1856-159-0x0000000000000000-mapping.dmp

Download
memory/1868-215-0x0000000000000000-mapping.dmp

Download
memory/1868-261-0x0000000001480000-0x0000000001485000-memory.dmp

Filesize
20KB

Download
memory/1868-219-0x0000000001480000-0x0000000001485000-memory.dmp

Filesize
20KB

Download
memory/1868-220-0x0000000001470000-0x0000000001479000-memory.dmp

Filesize
36KB

Download
memory/2000-209-0x0000000005360000-0x00000000053C6000-memory.dmp

Filesize
408KB

Download
memory/2000-207-0x0000000005570000-0x0000000005B98000-memory.dmp

Filesize
6.2MB

Download
memory/2000-239-0x00000000078A0000-0x0000000007F1A000-memory.dmp

Filesize
6.5MB

Download
memory/2000-240-0x0000000006560000-0x000000000657A000-memory.dmp

Filesize
104KB

Download
memory/2000-202-0x0000000000000000-mapping.dmp

Download
memory/2000-214-0x0000000006070000-0x000000000608E000-memory.dmp

Filesize
120KB

Download
memory/2000-204-0x0000000002A80000-0x0000000002AB6000-memory.dmp

Filesize
216KB

Download
memory/2008-246-0x0000000001470000-0x0000000001479000-memory.dmp

Filesize
36KB

Download
memory/2008-245-0x0000000001480000-0x0000000001485000-memory.dmp

Filesize
20KB

Download
memory/2008-241-0x0000000000000000-mapping.dmp

Download
memory/2008-265-0x0000000001480000-0x0000000001485000-memory.dmp

Filesize
20KB

Download
memory/2264-139-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/2264-140-0x00007FFC2D960000-0x00007FFC2E421000-memory.dmp

Filesize
10.8MB

Download
memory/2264-136-0x0000000000000000-mapping.dmp

Download
memory/2296-154-0x0000000000000000-mapping.dmp

Download
memory/2296-262-0x0000024DD7090000-0x0000024DD709F000-memory.dmp

Filesize
60KB

Download
memory/2296-221-0x0000024DD7090000-0x0000024DD709F000-memory.dmp

Filesize
60KB

Download
memory/2460-257-0x0000000000000000-mapping.dmp

Download
memory/2524-199-0x0000000000000000-mapping.dmp

Download
memory/2592-191-0x0000000000000000-mapping.dmp

Download
memory/2592-197-0x00007FFC2AE50000-0x00007FFC2B911000-memory.dmp

Filesize
10.8MB

Download
memory/2748-217-0x0000000005880000-0x000000000589E000-memory.dmp

Filesize
120KB

Download
memory/2748-162-0x0000000000000000-mapping.dmp

Download
memory/2748-163-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/2748-188-0x0000000004D30000-0x0000000004D96000-memory.dmp

Filesize
408KB

Download
memory/2748-223-0x00000000063B0000-0x0000000006572000-memory.dmp

Filesize
1.8MB

Download
memory/2748-224-0x0000000006AB0000-0x0000000006FDC000-memory.dmp

Filesize
5.2MB

Download
memory/2748-181-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2748-180-0x0000000004A60000-0x0000000004B6A000-memory.dmp

Filesize
1.0MB

Download
memory/2748-179-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/2748-230-0x0000000005CE0000-0x0000000005D30000-memory.dmp

Filesize
320KB

Download
memory/2748-216-0x0000000005B10000-0x0000000005B86000-memory.dmp

Filesize
472KB

Download
memory/2748-178-0x0000000004F30000-0x0000000005548000-memory.dmp

Filesize
6.1MB

Download
memory/2952-172-0x0000000000000000-mapping.dmp

Download
memory/3464-229-0x0000000000000000-mapping.dmp

Download
memory/3644-256-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/3644-251-0x0000000000000000-mapping.dmp

Download
memory/3644-253-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/3684-275-0x0000000000000000-mapping.dmp

Download
memory/3688-174-0x0000000000000000-mapping.dmp

Download
memory/3724-213-0x000002BA213C0000-0x000002BA213CF000-memory.dmp

Filesize
60KB

Download
memory/3724-151-0x0000000000000000-mapping.dmp

Download
memory/3932-254-0x0000000000000000-mapping.dmp

Download
memory/4220-267-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/4220-248-0x0000000000000000-mapping.dmp

Download
memory/4220-250-0x0000000000190000-0x000000000019D000-memory.dmp

Filesize
52KB

Download
memory/4220-252-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/4316-150-0x0000000000000000-mapping.dmp

Download
memory/4316-212-0x00000241CA5B0000-0x00000241CA5BF000-memory.dmp

Filesize
60KB

Download
memory/4372-271-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/4372-270-0x0000000000000000-mapping.dmp

Download
memory/4380-161-0x0000000000000000-mapping.dmp

Download
memory/4412-175-0x0000000000000000-mapping.dmp

Download
memory/4560-186-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/4560-182-0x0000000000000000-mapping.dmp

Download
memory/4560-187-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/4560-196-0x00000000056C0000-0x00000000056E2000-memory.dmp

Filesize
136KB

Download
memory/4560-185-0x0000000000790000-0x0000000000920000-memory.dmp

Filesize
1.6MB

Download
memory/4592-189-0x0000000000000000-mapping.dmp

Download
memory/4640-237-0x0000000000000000-mapping.dmp

Download
memory/4728-193-0x0000000000700000-0x0000000000F34000-memory.dmp

Filesize
8.2MB

Download
memory/4728-168-0x0000000000700000-0x0000000000F34000-memory.dmp

Filesize
8.2MB

Download
memory/4728-144-0x0000000000700000-0x0000000000F34000-memory.dmp

Filesize
8.2MB

Download
memory/4728-141-0x0000000000000000-mapping.dmp

Download
memory/4816-133-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/4816-134-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/4816-135-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/4816-132-0x0000000000961000-0x0000000000973000-memory.dmp

Filesize
72KB

Download
memory/4876-232-0x000001EF01910000-0x000001EF0191F000-memory.dmp

Filesize
60KB

Download
memory/4876-157-0x0000000000000000-mapping.dmp

Download
memory/5040-210-0x0000000000B20000-0x0000000000B29000-memory.dmp

Filesize
36KB

Download
memory/5040-260-0x0000000000B20000-0x0000000000B29000-memory.dmp

Filesize
36KB

Download
memory/5040-211-0x0000000000B10000-0x0000000000B1F000-memory.dmp

Filesize
60KB

Download
memory/5040-208-0x0000000000000000-mapping.dmp

Download
memory/5060-147-0x0000000000000000-mapping.dmp

Download