amadey | 30f777208be7e3b202c5d36f0db6d882c9b97bfad20fed47fd4c8dc7fcb3090c

Analysis

max time kernel
219s
max time network
229s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2023 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe
Size

1.5MB
MD5

e51db332898f96c123006867309d8ff7
SHA1

5f0766969d31cdc281703bfe21e6f94e9625a039
SHA256

4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35
SHA512

3a54dbacec0c202fcbfc9bf963eec06ddd3d0a05158504a389d39c734942fc4e20177a1d4e1700262b8e1da1548d57ce75650f10b100175a560d2891e25b7c10
SSDEEP

49152:gM3XFzwFlHHkXZ2spmEitbxvbmLOBgqRQqWr:zHF8FVHkXZ/pMt9jmLFq2q

Score

10^/10

amadey dcrat mystic redline smokeloader grome backdoor evasion infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Mystic stealer payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2364-47-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2364-48-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2364-49-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2364-51-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe	mystic_family
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4420-63-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explothe.exe5Ff7UI5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	5Ff7UI5.exe

Executes dropped EXE 14 IoCs

Processes:

Ne6rm96.exead1Pw71.exeQM8iU38.exeKe7PS41.exera0xn46.exe1Kh96ep8.exe2Lr5170.exe3Yj63sv.exe4YH070YN.exe5Ff7UI5.exeexplothe.exe6cl5ZY4.exe7VP9vi48.exeexplothe.exe

pid	process
2808	Ne6rm96.exe
4968	ad1Pw71.exe
2660	QM8iU38.exe
404	Ke7PS41.exe
2716	ra0xn46.exe
3520	1Kh96ep8.exe
2272	2Lr5170.exe
4824	3Yj63sv.exe
3780	4YH070YN.exe
212	5Ff7UI5.exe
2064	explothe.exe
1868	6cl5ZY4.exe
3960	7VP9vi48.exe
2232	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ad1Pw71.exeQM8iU38.exeKe7PS41.exera0xn46.exe4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exeNe6rm96.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ad1Pw71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	QM8iU38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ke7PS41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	ra0xn46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ne6rm96.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1Kh96ep8.exe2Lr5170.exe4YH070YN.exe

description	pid	process	target process
PID 3520 set thread context of 2172	3520	1Kh96ep8.exe	AppLaunch.exe
PID 2272 set thread context of 2364	2272	2Lr5170.exe	AppLaunch.exe
PID 3780 set thread context of 4420	3780	4YH070YN.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3620 2364 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
3620	2364	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3Yj63sv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Yj63sv.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Yj63sv.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Yj63sv.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1408 schtasks.exe

pid	process
1408	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exe3Yj63sv.exe

pid	process
2172	AppLaunch.exe
2172	AppLaunch.exe
4824	3Yj63sv.exe
4824	3Yj63sv.exe
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3324
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3Yj63sv.exe

pid process

4824 3Yj63sv.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3640 msedge.exe
3640 msedge.exe

pid	process
3324

pid	process
4824	3Yj63sv.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2172	AppLaunch.exe
Token: SeShutdownPrivilege	3324
Token: SeCreatePagefilePrivilege	3324
Token: SeShutdownPrivilege	3324
Token: SeCreatePagefilePrivilege	3324
Token: SeShutdownPrivilege	3324
Token: SeCreatePagefilePrivilege	3324
Token: SeShutdownPrivilege	3324
Token: SeCreatePagefilePrivilege	3324
Token: SeShutdownPrivilege	3324
Token: SeCreatePagefilePrivilege	3324
Token: SeShutdownPrivilege	3324
Token: SeCreatePagefilePrivilege	3324
Token: SeShutdownPrivilege	3324
Token: SeCreatePagefilePrivilege	3324

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exeNe6rm96.exead1Pw71.exeQM8iU38.exeKe7PS41.exera0xn46.exe1Kh96ep8.exe2Lr5170.exe4YH070YN.exe5Ff7UI5.exe

description	pid	process	target process
PID 2832 wrote to memory of 2808	2832	4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe	Ne6rm96.exe
PID 2832 wrote to memory of 2808	2832	4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe	Ne6rm96.exe
PID 2832 wrote to memory of 2808	2832	4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe	Ne6rm96.exe
PID 2808 wrote to memory of 4968	2808	Ne6rm96.exe	ad1Pw71.exe
PID 2808 wrote to memory of 4968	2808	Ne6rm96.exe	ad1Pw71.exe
PID 2808 wrote to memory of 4968	2808	Ne6rm96.exe	ad1Pw71.exe
PID 4968 wrote to memory of 2660	4968	ad1Pw71.exe	QM8iU38.exe
PID 4968 wrote to memory of 2660	4968	ad1Pw71.exe	QM8iU38.exe
PID 4968 wrote to memory of 2660	4968	ad1Pw71.exe	QM8iU38.exe
PID 2660 wrote to memory of 404	2660	QM8iU38.exe	Ke7PS41.exe
PID 2660 wrote to memory of 404	2660	QM8iU38.exe	Ke7PS41.exe
PID 2660 wrote to memory of 404	2660	QM8iU38.exe	Ke7PS41.exe
PID 404 wrote to memory of 2716	404	Ke7PS41.exe	ra0xn46.exe
PID 404 wrote to memory of 2716	404	Ke7PS41.exe	ra0xn46.exe
PID 404 wrote to memory of 2716	404	Ke7PS41.exe	ra0xn46.exe
PID 2716 wrote to memory of 3520	2716	ra0xn46.exe	1Kh96ep8.exe
PID 2716 wrote to memory of 3520	2716	ra0xn46.exe	1Kh96ep8.exe
PID 2716 wrote to memory of 3520	2716	ra0xn46.exe	1Kh96ep8.exe
PID 3520 wrote to memory of 316	3520	1Kh96ep8.exe	AppLaunch.exe
PID 3520 wrote to memory of 316	3520	1Kh96ep8.exe	AppLaunch.exe
PID 3520 wrote to memory of 316	3520	1Kh96ep8.exe	AppLaunch.exe
PID 3520 wrote to memory of 2172	3520	1Kh96ep8.exe	AppLaunch.exe
PID 3520 wrote to memory of 2172	3520	1Kh96ep8.exe	AppLaunch.exe
PID 3520 wrote to memory of 2172	3520	1Kh96ep8.exe	AppLaunch.exe
PID 3520 wrote to memory of 2172	3520	1Kh96ep8.exe	AppLaunch.exe
PID 3520 wrote to memory of 2172	3520	1Kh96ep8.exe	AppLaunch.exe
PID 3520 wrote to memory of 2172	3520	1Kh96ep8.exe	AppLaunch.exe
PID 3520 wrote to memory of 2172	3520	1Kh96ep8.exe	AppLaunch.exe
PID 3520 wrote to memory of 2172	3520	1Kh96ep8.exe	AppLaunch.exe
PID 2716 wrote to memory of 2272	2716	ra0xn46.exe	2Lr5170.exe
PID 2716 wrote to memory of 2272	2716	ra0xn46.exe	2Lr5170.exe
PID 2716 wrote to memory of 2272	2716	ra0xn46.exe	2Lr5170.exe
PID 2272 wrote to memory of 2364	2272	2Lr5170.exe	AppLaunch.exe
PID 2272 wrote to memory of 2364	2272	2Lr5170.exe	AppLaunch.exe
PID 2272 wrote to memory of 2364	2272	2Lr5170.exe	AppLaunch.exe
PID 2272 wrote to memory of 2364	2272	2Lr5170.exe	AppLaunch.exe
PID 2272 wrote to memory of 2364	2272	2Lr5170.exe	AppLaunch.exe
PID 2272 wrote to memory of 2364	2272	2Lr5170.exe	AppLaunch.exe
PID 2272 wrote to memory of 2364	2272	2Lr5170.exe	AppLaunch.exe
PID 2272 wrote to memory of 2364	2272	2Lr5170.exe	AppLaunch.exe
PID 2272 wrote to memory of 2364	2272	2Lr5170.exe	AppLaunch.exe
PID 2272 wrote to memory of 2364	2272	2Lr5170.exe	AppLaunch.exe
PID 404 wrote to memory of 4824	404	Ke7PS41.exe	3Yj63sv.exe
PID 404 wrote to memory of 4824	404	Ke7PS41.exe	3Yj63sv.exe
PID 404 wrote to memory of 4824	404	Ke7PS41.exe	3Yj63sv.exe
PID 2660 wrote to memory of 3780	2660	QM8iU38.exe	4YH070YN.exe
PID 2660 wrote to memory of 3780	2660	QM8iU38.exe	4YH070YN.exe
PID 2660 wrote to memory of 3780	2660	QM8iU38.exe	4YH070YN.exe
PID 3780 wrote to memory of 4420	3780	4YH070YN.exe	AppLaunch.exe
PID 3780 wrote to memory of 4420	3780	4YH070YN.exe	AppLaunch.exe
PID 3780 wrote to memory of 4420	3780	4YH070YN.exe	AppLaunch.exe
PID 3780 wrote to memory of 4420	3780	4YH070YN.exe	AppLaunch.exe
PID 3780 wrote to memory of 4420	3780	4YH070YN.exe	AppLaunch.exe
PID 3780 wrote to memory of 4420	3780	4YH070YN.exe	AppLaunch.exe
PID 3780 wrote to memory of 4420	3780	4YH070YN.exe	AppLaunch.exe
PID 3780 wrote to memory of 4420	3780	4YH070YN.exe	AppLaunch.exe
PID 4968 wrote to memory of 212	4968	ad1Pw71.exe	5Ff7UI5.exe
PID 4968 wrote to memory of 212	4968	ad1Pw71.exe	5Ff7UI5.exe
PID 4968 wrote to memory of 212	4968	ad1Pw71.exe	5Ff7UI5.exe
PID 212 wrote to memory of 2064	212	5Ff7UI5.exe	explothe.exe
PID 212 wrote to memory of 2064	212	5Ff7UI5.exe	explothe.exe
PID 212 wrote to memory of 2064	212	5Ff7UI5.exe	explothe.exe
PID 2808 wrote to memory of 1868	2808	Ne6rm96.exe	6cl5ZY4.exe
PID 2808 wrote to memory of 1868	2808	Ne6rm96.exe	6cl5ZY4.exe

C:\Users\Admin\AppData\Local\Temp\4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe
"C:\Users\Admin\AppData\Local\Temp\4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ne6rm96.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ne6rm96.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2808

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ad1Pw71.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ad1Pw71.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QM8iU38.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QM8iU38.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ke7PS41.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ke7PS41.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ra0xn46.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ra0xn46.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Kh96ep8.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Kh96ep8.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Lr5170.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Lr5170.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 540
9⤵
- Program crash
PID:3620

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Yj63sv.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Yj63sv.exe
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4824

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4YH070YN.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4YH070YN.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ff7UI5.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ff7UI5.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:2064

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
6⤵
- Creates scheduled task(s)
PID:1408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1400

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
7⤵
PID:5064

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
7⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2748

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:4428

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe
3⤵
- Executes dropped EXE
PID:1868

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VP9vi48.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VP9vi48.exe
2⤵
- Executes dropped EXE
PID:3960

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3BC2.tmp\3BC3.tmp\3BD4.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VP9vi48.exe"
3⤵
PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff8992746f8,0x7ff899274708,0x7ff899274718
5⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,5817195023452766145,10241699420128560889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
5⤵
PID:5444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,5817195023452766145,10241699420128560889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
5⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5817195023452766145,10241699420128560889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
5⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5817195023452766145,10241699420128560889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
5⤵
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5817195023452766145,10241699420128560889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
5⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
PID:772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ff8992746f8,0x7ff899274708,0x7ff899274718
5⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,6138540927972937748,14322497035050658779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
5⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6138540927972937748,14322497035050658779,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
5⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff8992746f8,0x7ff899274708,0x7ff899274718
5⤵
PID:3160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,10308806337033887455,6645577762283793577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
5⤵
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10308806337033887455,6645577762283793577,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
5⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
4⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8992746f8,0x7ff899274708,0x7ff899274718
5⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,3650263298125848578,8298107168536797045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
5⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3650263298125848578,8298107168536797045,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
5⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
4⤵
PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8992746f8,0x7ff899274708,0x7ff899274718
5⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
4⤵
PID:1456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8992746f8,0x7ff899274708,0x7ff899274718
5⤵
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,8160749663864881450,8051894092949925621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
5⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,8160749663864881450,8051894092949925621,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
5⤵
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
4⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8992746f8,0x7ff899274708,0x7ff899274718
5⤵
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,9432240275982874091,1821033017136171981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
5⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1468,9432240275982874091,1821033017136171981,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
5⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
4⤵
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8992746f8,0x7ff899274708,0x7ff899274718
5⤵
PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,133479718803431136,12465613263828550362,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
5⤵
PID:6352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,133479718803431136,12465613263828550362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
5⤵
PID:6652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:1812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8992746f8,0x7ff899274708,0x7ff899274718
5⤵
PID:788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,13071991184914522354,10258180179611437093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
5⤵
PID:6008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1468,13071991184914522354,10258180179611437093,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
5⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8992746f8,0x7ff899274708,0x7ff899274718
5⤵
PID:368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,123467737403796879,4898253284772814681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
5⤵
PID:6404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,123467737403796879,4898253284772814681,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
5⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2364 -ip 2364
1⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BC2.tmp\3BC3.tmp\3BD4.bat
Filesize
429B

MD5
0769624c4307afb42ff4d8602d7815ec

SHA1
786853c829f4967a61858c2cdf4891b669ac4df9

SHA256
7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f

SHA512
df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VP9vi48.exe
Filesize
89KB

MD5
3133993a538a99260b5c75dea467b6bd

SHA1
b692d4b36bbe655541d433b6df4c3f6eb3f1c653

SHA256
01dd907a4893609e560a3f454ca46940ca62e1773b7c88832131b13250df657b

SHA512
583abbb3c458e60badb918c822102b23a8f782ce29ae257fa38658801f76d3670f5e3b07ec3246c456ca73a2aa6b9e20610fd8f7921849bab9286ce83aba5539

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VP9vi48.exe
Filesize
89KB

MD5
3133993a538a99260b5c75dea467b6bd

SHA1
b692d4b36bbe655541d433b6df4c3f6eb3f1c653

SHA256
01dd907a4893609e560a3f454ca46940ca62e1773b7c88832131b13250df657b

SHA512
583abbb3c458e60badb918c822102b23a8f782ce29ae257fa38658801f76d3670f5e3b07ec3246c456ca73a2aa6b9e20610fd8f7921849bab9286ce83aba5539

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ne6rm96.exe
Filesize
1.4MB

MD5
bb050dbdad09b6bc2f9db25e1a3004c7

SHA1
d1f8a357ce5327c9d57240310e3212e64f3babdc

SHA256
c755956f09922488a6ec4cdff24394c9a62954fa9b811fa93d8122aa3b6671bc

SHA512
15c8bebd1f5153f07d82142f85d4de9662eddd405813100b8f1d00b1893686f94368fa6c64bda805920178511054bffbfcd09a3e0c8ba03d9d375b03615512aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ne6rm96.exe
Filesize
1.4MB

MD5
bb050dbdad09b6bc2f9db25e1a3004c7

SHA1
d1f8a357ce5327c9d57240310e3212e64f3babdc

SHA256
c755956f09922488a6ec4cdff24394c9a62954fa9b811fa93d8122aa3b6671bc

SHA512
15c8bebd1f5153f07d82142f85d4de9662eddd405813100b8f1d00b1893686f94368fa6c64bda805920178511054bffbfcd09a3e0c8ba03d9d375b03615512aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe
Filesize
183KB

MD5
88acae707753281487dbc4527670d207

SHA1
7586b5f38a75d254955b41764a9f9a24f0f955b5

SHA256
8acb5f4f5b17179dd329d91b90d3195e179c2073a8262c79f525296163aabbb0

SHA512
77dfb4f601e8f637c5ab7e5cfc08e51a4a384d07f85d56cd87d82e8d4731e877fd841b0369232b5301d3cf8f9a8c001e787af072f798547a106c1175e0f69d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe
Filesize
183KB

MD5
88acae707753281487dbc4527670d207

SHA1
7586b5f38a75d254955b41764a9f9a24f0f955b5

SHA256
8acb5f4f5b17179dd329d91b90d3195e179c2073a8262c79f525296163aabbb0

SHA512
77dfb4f601e8f637c5ab7e5cfc08e51a4a384d07f85d56cd87d82e8d4731e877fd841b0369232b5301d3cf8f9a8c001e787af072f798547a106c1175e0f69d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ad1Pw71.exe
Filesize
1.2MB

MD5
8e8e91a7197d3732146ad5c3dccff354

SHA1
c676eb26052a0fe2b614dd13db89153b1a859efe

SHA256
087a896f87f3804d36f472b9bd51df25519b800924be524ba493ca987c06fbaf

SHA512
d86710464152555147d7629ba22b1dfb4ad2f9829954d01877e7c635bb3f1fd102f568d00e66bf0ee10a7cadeb57b8361f3631f154d4d726cff8d293f6fbbe56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ad1Pw71.exe
Filesize
1.2MB

MD5
8e8e91a7197d3732146ad5c3dccff354

SHA1
c676eb26052a0fe2b614dd13db89153b1a859efe

SHA256
087a896f87f3804d36f472b9bd51df25519b800924be524ba493ca987c06fbaf

SHA512
d86710464152555147d7629ba22b1dfb4ad2f9829954d01877e7c635bb3f1fd102f568d00e66bf0ee10a7cadeb57b8361f3631f154d4d726cff8d293f6fbbe56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ff7UI5.exe
Filesize
220KB

MD5
3ecd38a31f182874dc4d87d671100149

SHA1
548bc5ba1eb0de483cb566b317ce8cc94796a178

SHA256
a6bd53b43ef7820cb928829288276a9dc67c2746b8e07f0e83413cfacd2edfea

SHA512
5d895fae9f16f19cc954aeb8325895d3e70c871982a20e42431a541fb598be8c2f018a36b9a24b7e718c0859621555e819ec98e4db465b9f2ddbef39dcc67a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ff7UI5.exe
Filesize
220KB

MD5
3ecd38a31f182874dc4d87d671100149

SHA1
548bc5ba1eb0de483cb566b317ce8cc94796a178

SHA256
a6bd53b43ef7820cb928829288276a9dc67c2746b8e07f0e83413cfacd2edfea

SHA512
5d895fae9f16f19cc954aeb8325895d3e70c871982a20e42431a541fb598be8c2f018a36b9a24b7e718c0859621555e819ec98e4db465b9f2ddbef39dcc67a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QM8iU38.exe
Filesize
1.0MB

MD5
967017a45c0c287b2ba5ab6f10104124

SHA1
8f0c76f5bccfd14f23849956a71873ea478143c1

SHA256
1b1c8ff3f8b0603d134d080497fabae4b843603676a023b8051e7f204eecaac0

SHA512
c69913a5e85c18d1a4cf989037928cb149b9103b2d1b669141c6264933dac31486c90c0852437806269fdba8fea8dcae7d099ad3acc6fa42a28ae44d55bb1abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QM8iU38.exe
Filesize
1.0MB

MD5
967017a45c0c287b2ba5ab6f10104124

SHA1
8f0c76f5bccfd14f23849956a71873ea478143c1

SHA256
1b1c8ff3f8b0603d134d080497fabae4b843603676a023b8051e7f204eecaac0

SHA512
c69913a5e85c18d1a4cf989037928cb149b9103b2d1b669141c6264933dac31486c90c0852437806269fdba8fea8dcae7d099ad3acc6fa42a28ae44d55bb1abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4YH070YN.exe
Filesize
1.1MB

MD5
cc4365a9c7ecf0318360c45254979e82

SHA1
d608476ab37b1d13ecfc184072ef3a7fe63b1647

SHA256
47fdad2537a470c75542cc2d083feb3e0f3ca88338bb2e5672a800a49eabd2fb

SHA512
69e18695ddcf7e036286d5ec4fe847bbc4162a98d3365ed452a2f7f852d2e10230c4664fa625218a8f56f361ed414940b849940fff2af03b57733c377359da85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4YH070YN.exe
Filesize
1.1MB

MD5
cc4365a9c7ecf0318360c45254979e82

SHA1
d608476ab37b1d13ecfc184072ef3a7fe63b1647

SHA256
47fdad2537a470c75542cc2d083feb3e0f3ca88338bb2e5672a800a49eabd2fb

SHA512
69e18695ddcf7e036286d5ec4fe847bbc4162a98d3365ed452a2f7f852d2e10230c4664fa625218a8f56f361ed414940b849940fff2af03b57733c377359da85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ke7PS41.exe
Filesize
645KB

MD5
8d634245a812844ec5ae4bee28bcdde2

SHA1
f155caf7c67ace562f56763954532b5846e7c050

SHA256
21dea19875cdd46e800e3036ba9dfdc27a486d3af1d7382eeab09dba4816ad5b

SHA512
1425ce838574ef4fdaa5d505e259aff3dfb99c1200cea749b214c5375f6b7be6e5b8871a3fa22737cbad97a34671f617d315b2c915bf76859adf510f347acbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ke7PS41.exe
Filesize
645KB

MD5
8d634245a812844ec5ae4bee28bcdde2

SHA1
f155caf7c67ace562f56763954532b5846e7c050

SHA256
21dea19875cdd46e800e3036ba9dfdc27a486d3af1d7382eeab09dba4816ad5b

SHA512
1425ce838574ef4fdaa5d505e259aff3dfb99c1200cea749b214c5375f6b7be6e5b8871a3fa22737cbad97a34671f617d315b2c915bf76859adf510f347acbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Yj63sv.exe
Filesize
30KB

MD5
01db0ac394d011fde2a7d7c88dba99ec

SHA1
33157ef71a8e7744a71e9ca1da1be6ac46c84178

SHA256
40288e39d9a0b282ada1fe11dd6ed3f0d8e00fe417356a5969511632f096daee

SHA512
74a5aceb4c653a7c1b5fb6d9a4f8512751531fea719c34bd37e1ab9cf49452d28a9096aa0e6dfbd8a912384fc54594c01c54ee794a3d8dc5f32dbef239f927af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Yj63sv.exe
Filesize
30KB

MD5
01db0ac394d011fde2a7d7c88dba99ec

SHA1
33157ef71a8e7744a71e9ca1da1be6ac46c84178

SHA256
40288e39d9a0b282ada1fe11dd6ed3f0d8e00fe417356a5969511632f096daee

SHA512
74a5aceb4c653a7c1b5fb6d9a4f8512751531fea719c34bd37e1ab9cf49452d28a9096aa0e6dfbd8a912384fc54594c01c54ee794a3d8dc5f32dbef239f927af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ra0xn46.exe
Filesize
521KB

MD5
77a8ab496365178c46a095cb8cb28cd3

SHA1
bd6d15bf014edac87ed66e007b8def58250e40ad

SHA256
4c8ec900c71a459ba62dfa2c5c9041c3056ca6d1af16b60f4bb8b03db498f58b

SHA512
dc4e50a32358d7d5b19c2be0ba54d3ca0d0cfec36250f9042b1d2673b70071e6df2a05e55f387018bee786eb5c3e321825f137d1a642803e10a5bd7a52854f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ra0xn46.exe
Filesize
521KB

MD5
77a8ab496365178c46a095cb8cb28cd3

SHA1
bd6d15bf014edac87ed66e007b8def58250e40ad

SHA256
4c8ec900c71a459ba62dfa2c5c9041c3056ca6d1af16b60f4bb8b03db498f58b

SHA512
dc4e50a32358d7d5b19c2be0ba54d3ca0d0cfec36250f9042b1d2673b70071e6df2a05e55f387018bee786eb5c3e321825f137d1a642803e10a5bd7a52854f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Kh96ep8.exe
Filesize
878KB

MD5
3d6052b8fd7dd9c074d3a44a8aa029b3

SHA1
21e53e281b95d3fa17748dee13fec3e06382938e

SHA256
96e449db3e1b1c1ec4102ab96f33c2e4bc564109154cad6f129f47b1b240dfc5

SHA512
9020b107104c45e07545e5183c67b6f44e3a0a83a90bfa0f8c1b1cdb1b9b92aba16508a8095778b9a2f58ffdab5f7bd7067819a3fa34b9c44264f555b62e3254

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Kh96ep8.exe
Filesize
878KB

MD5
3d6052b8fd7dd9c074d3a44a8aa029b3

SHA1
21e53e281b95d3fa17748dee13fec3e06382938e

SHA256
96e449db3e1b1c1ec4102ab96f33c2e4bc564109154cad6f129f47b1b240dfc5

SHA512
9020b107104c45e07545e5183c67b6f44e3a0a83a90bfa0f8c1b1cdb1b9b92aba16508a8095778b9a2f58ffdab5f7bd7067819a3fa34b9c44264f555b62e3254

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Lr5170.exe
Filesize
1.1MB

MD5
af1f39bf6ad69013f0bba4803f391d19

SHA1
f30be3f7bfdf1895a1761dc4d7e5fc6daa5b70bc

SHA256
d5b5a1e8b2730b04854fee843d893b2b35298cc559bc4feb7dbf4fcea2acbe5f

SHA512
3820617eb0018be7f4dca921570fefb8e33bc507b71a468e2ce41e1b6fb4a9036a368e23e17fcbcbc673787e66bac0064f62195dae30f1a5143f267492b6c080

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Lr5170.exe
Filesize
1.1MB

MD5
af1f39bf6ad69013f0bba4803f391d19

SHA1
f30be3f7bfdf1895a1761dc4d7e5fc6daa5b70bc

SHA256
d5b5a1e8b2730b04854fee843d893b2b35298cc559bc4feb7dbf4fcea2acbe5f

SHA512
3820617eb0018be7f4dca921570fefb8e33bc507b71a468e2ce41e1b6fb4a9036a368e23e17fcbcbc673787e66bac0064f62195dae30f1a5143f267492b6c080

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
3ecd38a31f182874dc4d87d671100149

SHA1
548bc5ba1eb0de483cb566b317ce8cc94796a178

SHA256
a6bd53b43ef7820cb928829288276a9dc67c2746b8e07f0e83413cfacd2edfea

SHA512
5d895fae9f16f19cc954aeb8325895d3e70c871982a20e42431a541fb598be8c2f018a36b9a24b7e718c0859621555e819ec98e4db465b9f2ddbef39dcc67a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
3ecd38a31f182874dc4d87d671100149

SHA1
548bc5ba1eb0de483cb566b317ce8cc94796a178

SHA256
a6bd53b43ef7820cb928829288276a9dc67c2746b8e07f0e83413cfacd2edfea

SHA512
5d895fae9f16f19cc954aeb8325895d3e70c871982a20e42431a541fb598be8c2f018a36b9a24b7e718c0859621555e819ec98e4db465b9f2ddbef39dcc67a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
3ecd38a31f182874dc4d87d671100149

SHA1
548bc5ba1eb0de483cb566b317ce8cc94796a178

SHA256
a6bd53b43ef7820cb928829288276a9dc67c2746b8e07f0e83413cfacd2edfea

SHA512
5d895fae9f16f19cc954aeb8325895d3e70c871982a20e42431a541fb598be8c2f018a36b9a24b7e718c0859621555e819ec98e4db465b9f2ddbef39dcc67a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
3ecd38a31f182874dc4d87d671100149

SHA1
548bc5ba1eb0de483cb566b317ce8cc94796a178

SHA256
a6bd53b43ef7820cb928829288276a9dc67c2746b8e07f0e83413cfacd2edfea

SHA512
5d895fae9f16f19cc954aeb8325895d3e70c871982a20e42431a541fb598be8c2f018a36b9a24b7e718c0859621555e819ec98e4db465b9f2ddbef39dcc67a85

Download Submit
\??\pipe\LOCAL\crashpad_1812_HDGMLESJKNAHNLXQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2108_YLITKLRUFCYHRVQJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3620_MFPDWRRDAUMGTLAT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_5008_WNQCKQGAGTQIPFSN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_772_XGLTATOXAUKTJTSC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2172-73-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2172-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2172-66-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2172-46-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2364-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-56-0x0000000002E70000-0x0000000002E86000-memory.dmp

Filesize
88KB

Download
memory/4420-81-0x00000000086B0000-0x0000000008CC8000-memory.dmp

Filesize
6.1MB

Download
memory/4420-75-0x0000000007920000-0x0000000007930000-memory.dmp

Filesize
64KB

Download
memory/4420-92-0x00000000079B0000-0x00000000079FC000-memory.dmp

Filesize
304KB

Download
memory/4420-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4420-68-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/4420-72-0x0000000007AE0000-0x0000000008084000-memory.dmp

Filesize
5.6MB

Download
memory/4420-74-0x0000000007710000-0x00000000077A2000-memory.dmp

Filesize
584KB

Download
memory/4420-91-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/4420-80-0x00000000076A0000-0x00000000076AA000-memory.dmp

Filesize
40KB

Download
memory/4420-93-0x0000000007920000-0x0000000007930000-memory.dmp

Filesize
64KB

Download
memory/4420-82-0x0000000008090000-0x000000000819A000-memory.dmp

Filesize
1.0MB

Download
memory/4420-86-0x0000000007900000-0x0000000007912000-memory.dmp

Filesize
72KB

Download
memory/4420-87-0x0000000007970000-0x00000000079AC000-memory.dmp

Filesize
240KB

Download
memory/4824-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4824-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download