healer | 106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

max time kernel
621s
max time network
627s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2023 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe
Size

1.2MB
MD5

5b3b6822964b4151c6200ecd89722a86
SHA1

ce7a11dae532b2ade1c96619bbdc8a8325582049
SHA256

106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34
SHA512

2f0d99af35c326cf46810c7421325deb55ae7ca36a8edc2716a3d32d9e6769e0d374581a98912e22fceeb6973e972463ed8b2fa4d4399043c443fa100dfd17b0
SSDEEP

24576:5yY4YriuQJ5X4SuIcmuBLahxwUzN1YyqoVKucvTNLF9:sY4FuIahGxRMoobNLF

Score

10^/10

healer redline ronur dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

ronur

193.233.20.20:4134

Attributes

auth_value
f88f86755a528d4b25f6f3628c460965

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe	healer
behavioral1/memory/4012-35-0x0000000000C60000-0x0000000000C6A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

iwN36Rn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	iwN36Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	iwN36Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	iwN36Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	iwN36Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	iwN36Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	iwN36Rn.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4740-93-0x0000000002660000-0x00000000026A6000-memory.dmp	family_redline
behavioral1/memory/4740-99-0x0000000004BF0000-0x0000000004C34000-memory.dmp	family_redline
behavioral1/memory/4740-100-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-101-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-103-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-105-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-107-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-109-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-111-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-113-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-115-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-119-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-121-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-123-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-125-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-127-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-129-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-131-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-133-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-135-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-137-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-139-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-141-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-143-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-145-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-147-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-149-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-151-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-153-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-155-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-157-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-160-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-162-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-164-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4740-166-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

sbO31En07.exesmS09II74.exeslc39Ad82.exesko86jV13.exeiwN36Rn.exekLG98Ei.exe

pid process

3740 sbO31En07.exe
2820 smS09II74.exe
2360 slc39Ad82.exe
4720 sko86jV13.exe
4012 iwN36Rn.exe
4740 kLG98Ei.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

iwN36Rn.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" iwN36Rn.exe

pid	process
3740	sbO31En07.exe
2820	smS09II74.exe
2360	slc39Ad82.exe
4720	sko86jV13.exe
4012	iwN36Rn.exe
4740	kLG98Ei.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	iwN36Rn.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

slc39Ad82.exesko86jV13.exe106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exesbO31En07.exesmS09II74.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	slc39Ad82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	sko86jV13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sbO31En07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	smS09II74.exe

Drops file in System32 directory 12 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\WINDOWS\SYSTEM32\WINBIODATABASE\51F39552-1075-4199-B513-0C10EA185DB0.DAT	svchost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Clipup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1114462139-3090196418-29517368-1000\{A7701AE2-FA56-4EB4-BFFA-83A568CB3CF5}	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

iwN36Rn.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4012	iwN36Rn.exe
4012	iwN36Rn.exe
3956	msedge.exe
3956	msedge.exe
1616	msedge.exe
1616	msedge.exe
696	identity_helper.exe
696	identity_helper.exe
5272	msedge.exe
5272	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

iwN36Rn.exekLG98Ei.exesvchost.exe

description pid process

Token: SeDebugPrivilege 4012 iwN36Rn.exe
Token: SeDebugPrivilege 4740 kLG98Ei.exe
Token: SeShutdownPrivilege 5272 svchost.exe

description	pid	process
Token: SeDebugPrivilege	4012	iwN36Rn.exe
Token: SeDebugPrivilege	4740	kLG98Ei.exe
Token: SeShutdownPrivilege	5272	svchost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

SystemSettingsAdminFlows.exeCredentialUIBroker.exeCredentialUIBroker.exeCredentialUIBroker.exeCredentialUIBroker.exeCredentialUIBroker.exeCredentialUIBroker.exeCredentialUIBroker.exe

pid	process
5744	SystemSettingsAdminFlows.exe
2200	CredentialUIBroker.exe
2120	CredentialUIBroker.exe
4504	CredentialUIBroker.exe
6012	CredentialUIBroker.exe
2540	CredentialUIBroker.exe
5204	CredentialUIBroker.exe
2428	CredentialUIBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exesbO31En07.exesmS09II74.exeslc39Ad82.exesko86jV13.exemsedge.exe

description	pid	process	target process
PID 4624 wrote to memory of 3740	4624	106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe	sbO31En07.exe
PID 4624 wrote to memory of 3740	4624	106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe	sbO31En07.exe
PID 4624 wrote to memory of 3740	4624	106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe	sbO31En07.exe
PID 3740 wrote to memory of 2820	3740	sbO31En07.exe	smS09II74.exe
PID 3740 wrote to memory of 2820	3740	sbO31En07.exe	smS09II74.exe
PID 3740 wrote to memory of 2820	3740	sbO31En07.exe	smS09II74.exe
PID 2820 wrote to memory of 2360	2820	smS09II74.exe	slc39Ad82.exe
PID 2820 wrote to memory of 2360	2820	smS09II74.exe	slc39Ad82.exe
PID 2820 wrote to memory of 2360	2820	smS09II74.exe	slc39Ad82.exe
PID 2360 wrote to memory of 4720	2360	slc39Ad82.exe	sko86jV13.exe
PID 2360 wrote to memory of 4720	2360	slc39Ad82.exe	sko86jV13.exe
PID 2360 wrote to memory of 4720	2360	slc39Ad82.exe	sko86jV13.exe
PID 4720 wrote to memory of 4012	4720	sko86jV13.exe	iwN36Rn.exe
PID 4720 wrote to memory of 4012	4720	sko86jV13.exe	iwN36Rn.exe
PID 1616 wrote to memory of 4420	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 4420	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 1788	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 3956	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 3956	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 368	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 368	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 368	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 368	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 368	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 368	1616	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe
"C:\Users\Admin\AppData\Local\Temp\106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sbO31En07.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sbO31En07.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\smS09II74.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\smS09II74.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\slc39Ad82.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\slc39Ad82.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sko86jV13.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sko86jV13.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4720
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcc18d46f8,0x7ffcc18d4708,0x7ffcc18d4718
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4512 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9667998458443870193,9768507936734243622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:5524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" EnterProductKey
1⤵
- Suspicious use of SetWindowsHookEx
PID:5744
- C:\Windows\system32\Clipup.exe
  C:\Windows\system32\Clipup.exe -d -k VK7JG-NPHTM-C97JM-9MPGT-3V66T %PROGRAMDATA%\Microsoft\Windows\ClipSvc\Install
  2⤵
  PID:5880
- - C:\Windows\system32\Clipup.exe
    C:\Windows\system32\Clipup.exe -d -k VK7JG-NPHTM-C97JM-9MPGT-3V66T %PROGRAMDATA%\Microsoft\Windows\ClipSvc\Install -ppl C:\Users\Admin\AppData\Local\Temp\tem70A7.tmp
    3⤵
    - Checks SCSI registry key(s)
    PID:4528

C:\Windows\system32\slidetoshutdown.exe
"C:\Windows\system32\slidetoshutdown.exe"
1⤵
PID:1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:4868

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:4060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup -s WbioSrvc
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5272

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2120

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4504

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6012

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2540

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5204

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9ebd6170f27c17731cadac8075951e53

SHA1
fff0169c0398a8fe195e27e5964c21f8837bab93

SHA256
604b0407ed65aabf8e62fb525b0eabc33945c7a30fb05236a3f98a0b23f6c41e

SHA512
f498cd5d19c686ce85528a3847874c373caab08f24bf1f261d0bbf32928bb3fe789b398dec6e40afefc938f43e1a6b0037b4d0133b8555920d716f3d25455d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
396B

MD5
022e2ea4f3ad8922c2cf2a9aa95cc7fc

SHA1
ad8bdeadd8dc7931b8e4702ae6525f5c52f53960

SHA256
efd7c8585c0741c6d63ff4e5ee7d40e327ab22792945be4c3815414ce878c912

SHA512
b4610ea6ae58a7838d8cb290746061954f4bd6ed0765f9579ac58892af5ee41857ccb3851718d09847a5114022a2a7187c10d90d9baa16e1eb825a9ccd8bb3cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4a68eaa8ad09021e2427736619f66bd7

SHA1
d849275314290758634d3d4017dc0cde6c8ecef1

SHA256
601ce19ba4aecb3e63c271fcefdbee53edccb3948ac527c6637d52c2948587d6

SHA512
75d46401bf33a39cfeee3c9f162250b5bcd941fc33df7b99ace9178e4daee37fadc8468175686a244d2c28828866761f59c1b301259897e1b1a4ef54e0d41ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e0d273760c491e3a274dd26eb5aa51b4

SHA1
edf3ab324e1a27359720f2c3e2db801933590547

SHA256
5b87d70e366573e82637a0b32a54c3f04d1682f903a3965277747e502ab4c4cf

SHA512
774689634567c79dc6ef71df2cf48fb35a3d917de5ad7d092ffc69737fb2d97e76ac26610ac3278d590a4595dfe56b6f979cf83ce1e1390445c4fc4055bd2cc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fe9bd5601f8629e69512fab882bbb1eb

SHA1
520cde75a8d099cad63db3c9709ba4df67659f1a

SHA256
c27eb59469d4bd07f9d0172ba09e40e59dc57f4bb7b6c23c4db9fd4da1f353c6

SHA512
940d584ff7c7e2b3bc4649d0e9ee3289929d5080ce3cdd794ab683797e6cba7125944ebadc170c0cf722599e7c73a9c5e97512437c0bce25ea0f211c8faa91a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a31d59ca4a80ada37cffc60aa6c81068

SHA1
490c52e6330c05fa205a4af27d22ab6ad00dacd4

SHA256
6245cc0eea2f4f0d3a08ff57efba5e512fce0e471770677b53ed7871409820fa

SHA512
4fbe88924aa8fe6b81d432c7df7d1cbf59fab9551cf8ec4b983cd57c0452686cb0f2cb875c0f5dccc9f08c3e0e633b01e38978f56feffbd769b10c67b3619f8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0b8abe9b2d273da395ec7c5c0f376f32

SHA1
d7b266fb7310cc71ab5fdb0ef68f5788e702f2ec

SHA256
3751deeb9ad3db03e6b42dedcac68c1c9c7926a2beeaaa0820397b6ddb734a99

SHA512
3dd503ddf2585038aa2fedc53d20bb9576f4619c3dc18089d7aba2c12dc0288447b2a481327c291456d7958488ba2e2d4028af4ca2d30e92807c8b1cdcffc404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
17f1bc829d50b72a543c659eeb74cfbb

SHA1
7e3d98bb4817be689caf0525d4f05cf47c337149

SHA256
27ea2f2a7bd819ffefcd3e97bca9e52b6e1534fb7d25a212e400bef275edb5cc

SHA512
5d1045cd857a9ffe7ffe29ab322a2bdac63d9edc1738d6e99e039d8fc9e9463ff508539715d7bb63de5ca0871e016814bed8aef8bfd8b1ad343e23fca7b29512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
512a665a7e9d639511d1952e7a129e45

SHA1
f150e16e38838c65c2163e3b10eb28b4878569ee

SHA256
0d8c247f790dd2a617ddf065074bb4f1322aae6026923b2e8bde97778f78d1de

SHA512
940870b527df4cdcd99eb5cb1bcc28b1fef352d0908195104d1244d971263791db27ba50b844a3c6a02c9dc1430bd63d33af1e43a1ae098e8b7b66cbdbe72e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9d615dc64d2b731dc63b970a31d107b0

SHA1
ed646c4ac9f0da1d6ff7d4ac3c3e0f06dcea8e92

SHA256
10bc431bd3ca8018715b5278b7a391b688b98ef52cf8c4023e6904290a89a200

SHA512
b6d78324d2834a60978eed2554ab33a4e9f9871bf9e23bf40a8ee20a3ed3ad90f85b3ebde53e9828fb17c7c406ea9b1237569b669a72980dcc5b1eb896e6874a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sbO31En07.exe

Filesize
1010KB

MD5
f8d3a0a73fbee1e94dcd0fedf9a31c4e

SHA1
71ef31102516e25e3b3aa347b5c697a85d237b16

SHA256
ad974386b5f8a42a0ff8d77d4f6e1919f2bfbe3f4008320acb1bc327e6f4947c

SHA512
81337186639f964ed048b288be37575ffaa989d9d6c6a91a27db8d6bfe5c4fb42f11d63ab32008e485f921bcb774304a6f96cb4e17778dcc38f1e4b072deca28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sbO31En07.exe

Filesize
1010KB

MD5
f8d3a0a73fbee1e94dcd0fedf9a31c4e

SHA1
71ef31102516e25e3b3aa347b5c697a85d237b16

SHA256
ad974386b5f8a42a0ff8d77d4f6e1919f2bfbe3f4008320acb1bc327e6f4947c

SHA512
81337186639f964ed048b288be37575ffaa989d9d6c6a91a27db8d6bfe5c4fb42f11d63ab32008e485f921bcb774304a6f96cb4e17778dcc38f1e4b072deca28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\smS09II74.exe

Filesize
869KB

MD5
5739bc2cafd62977daa950a317be8d14

SHA1
f7f582e1863642c4d5a8341e2005c06c0f3d9e74

SHA256
b3cad94dc96473ea46e9af91de2a2126ee2345d47a2d1a926182db447de2ecc9

SHA512
f55320fdf0383e3c7f8a9841c3444b58f9551d879d89ad1ee44388e9621b4b5f0f7e504915012e3acf24b3aa45a3d0f1e692ddee89a38d3987f95fe97d5bae8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\smS09II74.exe

Filesize
869KB

MD5
5739bc2cafd62977daa950a317be8d14

SHA1
f7f582e1863642c4d5a8341e2005c06c0f3d9e74

SHA256
b3cad94dc96473ea46e9af91de2a2126ee2345d47a2d1a926182db447de2ecc9

SHA512
f55320fdf0383e3c7f8a9841c3444b58f9551d879d89ad1ee44388e9621b4b5f0f7e504915012e3acf24b3aa45a3d0f1e692ddee89a38d3987f95fe97d5bae8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\slc39Ad82.exe

Filesize
651KB

MD5
e12e7b53183d3b1c6cd53ef42aa815f8

SHA1
9dedb739590a02e37c82e54cc8eb3e0ce57248ee

SHA256
63ac9bdbd61a661f5bc96825ad4408df1312b18f455472b63c66f6e5efb05e63

SHA512
5e4a61453476d524cf3b96743e2f5163c01f3ae1d8f05653d9ed3ffd0614b43afa013554e6c0b0294763e80beca5081fc088ad6e595a2af67115a62f4cce410c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\slc39Ad82.exe

Filesize
651KB

MD5
e12e7b53183d3b1c6cd53ef42aa815f8

SHA1
9dedb739590a02e37c82e54cc8eb3e0ce57248ee

SHA256
63ac9bdbd61a661f5bc96825ad4408df1312b18f455472b63c66f6e5efb05e63

SHA512
5e4a61453476d524cf3b96743e2f5163c01f3ae1d8f05653d9ed3ffd0614b43afa013554e6c0b0294763e80beca5081fc088ad6e595a2af67115a62f4cce410c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sko86jV13.exe

Filesize
383KB

MD5
7c29db2ac66b846cc00ca802838c116b

SHA1
23f9d79f7cf7d5fb41111bf4896645d3989b4f11

SHA256
e4519665ce98d8426aceadad26a6bbe92b455f59f6261a8240dcba5b40e6a51b

SHA512
a46c3d3a3e7ff2ae24cf67eed51367cd5b422cc793911d59de19d2ba0c763c29f569b9876ef41ad74ec3e9977ab280100c09755abdc6908e269bce4a1b761cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sko86jV13.exe

Filesize
383KB

MD5
7c29db2ac66b846cc00ca802838c116b

SHA1
23f9d79f7cf7d5fb41111bf4896645d3989b4f11

SHA256
e4519665ce98d8426aceadad26a6bbe92b455f59f6261a8240dcba5b40e6a51b

SHA512
a46c3d3a3e7ff2ae24cf67eed51367cd5b422cc793911d59de19d2ba0c763c29f569b9876ef41ad74ec3e9977ab280100c09755abdc6908e269bce4a1b761cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe

Filesize
275KB

MD5
ef9dd5707f37f0e2f802b3d7856e7bbc

SHA1
e9cbeca90f2edece7174b0fcffe65f311b5b3689

SHA256
de4cdd6ab46f28034be20c1a3231035ac3dc1aafbb443e0ccaaadd3ccdf0fadf

SHA512
24d042eb4715e4a9ed98609fe264bbd1aded094c2efa410e59a3bd800fc36561242c1433e8573de9581bea6e38b9f269dcd6b2eba20e4548e5cdd893c9334b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe

Filesize
275KB

MD5
ef9dd5707f37f0e2f802b3d7856e7bbc

SHA1
e9cbeca90f2edece7174b0fcffe65f311b5b3689

SHA256
de4cdd6ab46f28034be20c1a3231035ac3dc1aafbb443e0ccaaadd3ccdf0fadf

SHA512
24d042eb4715e4a9ed98609fe264bbd1aded094c2efa410e59a3bd800fc36561242c1433e8573de9581bea6e38b9f269dcd6b2eba20e4548e5cdd893c9334b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe

Filesize
275KB

MD5
ef9dd5707f37f0e2f802b3d7856e7bbc

SHA1
e9cbeca90f2edece7174b0fcffe65f311b5b3689

SHA256
de4cdd6ab46f28034be20c1a3231035ac3dc1aafbb443e0ccaaadd3ccdf0fadf

SHA512
24d042eb4715e4a9ed98609fe264bbd1aded094c2efa410e59a3bd800fc36561242c1433e8573de9581bea6e38b9f269dcd6b2eba20e4548e5cdd893c9334b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem70A7.tmp

Filesize
206B

MD5
b13af738aa8be55154b2752979d76827

SHA1
64a5f927720af02a367c105c65c1f5da639b7a93

SHA256
663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b

SHA512
cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4

Download Submit
\??\pipe\LOCAL\crashpad_1616_HWGGCHSYXMTIHCKN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4012-35-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/4012-78-0x00007FFCC4D50000-0x00007FFCC5811000-memory.dmp

Filesize
10.8MB

Download
memory/4012-36-0x00007FFCC4D50000-0x00007FFCC5811000-memory.dmp

Filesize
10.8MB

Download
memory/4528-1235-0x000001A225460000-0x000001A225470000-memory.dmp

Filesize
64KB

Download
memory/4528-1231-0x000001A225460000-0x000001A225470000-memory.dmp

Filesize
64KB

Download
memory/4528-1229-0x000001A225450000-0x000001A225460000-memory.dmp

Filesize
64KB

Download
memory/4528-1228-0x000001A225450000-0x000001A225460000-memory.dmp

Filesize
64KB

Download
memory/4528-1237-0x000001A225460000-0x000001A225470000-memory.dmp

Filesize
64KB

Download
memory/4528-1239-0x000001A225460000-0x000001A225470000-memory.dmp

Filesize
64KB

Download
memory/4528-1241-0x000001A225460000-0x000001A225470000-memory.dmp

Filesize
64KB

Download
memory/4528-1244-0x000001A2255F0000-0x000001A225600000-memory.dmp

Filesize
64KB

Download
memory/4528-1250-0x000001A225450000-0x000001A225460000-memory.dmp

Filesize
64KB

Download
memory/4740-145-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-109-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-125-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-127-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-129-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-131-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-133-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-135-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-137-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-139-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-141-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-143-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-121-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-147-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-149-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-151-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-153-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-155-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-157-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-160-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-162-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-164-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-166-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-119-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-115-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-113-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-111-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-1036-0x00000000051F0000-0x0000000005808000-memory.dmp

Filesize
6.1MB

Download
memory/4740-1037-0x0000000005860000-0x000000000596A000-memory.dmp

Filesize
1.0MB

Download
memory/4740-1038-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4740-1039-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/4740-1040-0x00000000059C0000-0x00000000059FC000-memory.dmp

Filesize
240KB

Download
memory/4740-1041-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/4740-123-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-1180-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/4740-1181-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4740-1182-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/4740-1183-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4740-1194-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4740-107-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-105-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-1209-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4740-90-0x00000000007B0000-0x00000000007FB000-memory.dmp

Filesize
300KB

Download
memory/4740-89-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/4740-92-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4740-93-0x0000000002660000-0x00000000026A6000-memory.dmp

Filesize
280KB

Download
memory/4740-94-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4740-95-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/4740-96-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4740-103-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-101-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-100-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4740-99-0x0000000004BF0000-0x0000000004C34000-memory.dmp

Filesize
272KB

Download
memory/4740-98-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4740-97-0x0000000004C40000-0x00000000051E4000-memory.dmp

Filesize
5.6MB

Download
memory/5744-1221-0x000001800A1C0000-0x000001800A1D0000-memory.dmp

Filesize
64KB

Download
memory/5744-1219-0x000001800A1C0000-0x000001800A1D0000-memory.dmp

Filesize
64KB

Download
memory/5744-1254-0x000001800A1C0000-0x000001800A1D0000-memory.dmp

Filesize
64KB

Download
memory/5744-1257-0x000001800A1C0000-0x000001800A1D0000-memory.dmp

Filesize
64KB

Download
memory/5744-1218-0x000001800A1C0000-0x000001800A1D0000-memory.dmp

Filesize
64KB

Download
memory/5744-1213-0x000001800A1C0000-0x000001800A1D0000-memory.dmp

Filesize
64KB

Download
memory/5744-1212-0x000001800A1C0000-0x000001800A1D0000-memory.dmp

Filesize
64KB

Download
memory/5880-1225-0x000001A994EF0000-0x000001A994F00000-memory.dmp

Filesize
64KB

Download
memory/5880-1224-0x000001A994EF0000-0x000001A994F00000-memory.dmp

Filesize
64KB

Download
memory/5880-1253-0x000001A994EF0000-0x000001A994F00000-memory.dmp

Filesize
64KB

Download