amadey | ddffc9fc273359b6ea769b21f775ec4f99fd76e53f34e37988592b3428ba7f76

Analysis

max time kernel
5s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c.exe
Size

1.5MB
MD5

12382062c6abc23ebdf6aec25f383fa4
SHA1

9834dc9a4fd1f037c574c27a932c96d68409c882
SHA256

24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c
SHA512

6cd21a5803f7a90d3ea2b1c6a05def58e337773378c0aced7ac9d3538fa1f9a539b4c992bbe7655aa052abd88cde1bc8475a3a780187ac25edba89ba5806f55c
SSDEEP

49152:/I4a/fuUWyY2dhl3pmcmVFSD2TDi+SyEU/6QB4:wx/GUxmVoJvyR/6R

Score

10^/10

amadey mystic redline smokeloader grome backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral2/memory/3480-51-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral2/memory/3480-49-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral2/memory/3480-48-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral2/memory/3480-47-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral2/files/0x0006000000023203-83.dat	mystic_family
behavioral2/files/0x0006000000023203-82.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1980-63-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 8 IoCs

pid	Process
1956	Rw4YT03.exe
324	nf4rn60.exe
2544	FJ4OU94.exe
448	kK0yG24.exe
2308	qP5Qb44.exe
4544	1rs14bk1.exe
1944	2Ro9432.exe
4364	3Hm09Ej.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	kK0yG24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	qP5Qb44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rw4YT03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	nf4rn60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	FJ4OU94.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4544 set thread context of 4860	4544	1rs14bk1.exe	31
PID 1944 set thread context of 3480	1944	2Ro9432.exe	44

Program crash 1 IoCs

pid	pid_target	Process
1032	3480	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Hm09Ej.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Hm09Ej.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Hm09Ej.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4364	3Hm09Ej.exe
4364	3Hm09Ej.exe
4860	AppLaunch.exe
4860	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4860	AppLaunch.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 1956	1128	24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c.exe	27
PID 1128 wrote to memory of 1956	1128	24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c.exe	27
PID 1128 wrote to memory of 1956	1128	24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c.exe	27
PID 1956 wrote to memory of 324	1956	Rw4YT03.exe	37
PID 1956 wrote to memory of 324	1956	Rw4YT03.exe	37
PID 1956 wrote to memory of 324	1956	Rw4YT03.exe	37
PID 324 wrote to memory of 2544	324	nf4rn60.exe	36
PID 324 wrote to memory of 2544	324	nf4rn60.exe	36
PID 324 wrote to memory of 2544	324	nf4rn60.exe	36
PID 2544 wrote to memory of 448	2544	FJ4OU94.exe	30
PID 2544 wrote to memory of 448	2544	FJ4OU94.exe	30
PID 2544 wrote to memory of 448	2544	FJ4OU94.exe	30
PID 448 wrote to memory of 2308	448	kK0yG24.exe	35
PID 448 wrote to memory of 2308	448	kK0yG24.exe	35
PID 448 wrote to memory of 2308	448	kK0yG24.exe	35
PID 2308 wrote to memory of 4544	2308	qP5Qb44.exe	33
PID 2308 wrote to memory of 4544	2308	qP5Qb44.exe	33
PID 2308 wrote to memory of 4544	2308	qP5Qb44.exe	33
PID 4544 wrote to memory of 4860	4544	1rs14bk1.exe	31
PID 4544 wrote to memory of 4860	4544	1rs14bk1.exe	31
PID 4544 wrote to memory of 4860	4544	1rs14bk1.exe	31
PID 4544 wrote to memory of 4860	4544	1rs14bk1.exe	31
PID 4544 wrote to memory of 4860	4544	1rs14bk1.exe	31
PID 4544 wrote to memory of 4860	4544	1rs14bk1.exe	31
PID 4544 wrote to memory of 4860	4544	1rs14bk1.exe	31
PID 4544 wrote to memory of 4860	4544	1rs14bk1.exe	31
PID 2308 wrote to memory of 1944	2308	qP5Qb44.exe	32
PID 2308 wrote to memory of 1944	2308	qP5Qb44.exe	32
PID 2308 wrote to memory of 1944	2308	qP5Qb44.exe	32
PID 1944 wrote to memory of 3480	1944	2Ro9432.exe	44
PID 1944 wrote to memory of 3480	1944	2Ro9432.exe	44
PID 1944 wrote to memory of 3480	1944	2Ro9432.exe	44
PID 1944 wrote to memory of 3480	1944	2Ro9432.exe	44
PID 1944 wrote to memory of 3480	1944	2Ro9432.exe	44
PID 1944 wrote to memory of 3480	1944	2Ro9432.exe	44
PID 1944 wrote to memory of 3480	1944	2Ro9432.exe	44
PID 1944 wrote to memory of 3480	1944	2Ro9432.exe	44
PID 1944 wrote to memory of 3480	1944	2Ro9432.exe	44
PID 1944 wrote to memory of 3480	1944	2Ro9432.exe	44
PID 448 wrote to memory of 4364	448	kK0yG24.exe	42
PID 448 wrote to memory of 4364	448	kK0yG24.exe	42
PID 448 wrote to memory of 4364	448	kK0yG24.exe	42

C:\Users\Admin\AppData\Local\Temp\24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c.exe
"C:\Users\Admin\AppData\Local\Temp\24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rw4YT03.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rw4YT03.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nf4rn60.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nf4rn60.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NS8xD0.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NS8xD0.exe
      4⤵
      PID:1428
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        
        PID:2056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6dg6UC8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6dg6UC8.exe
    3⤵
    PID:4572
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ct2pQ14.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ct2pQ14.exe
  2⤵
  PID:2792
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\67F1.tmp\67F2.tmp\67F3.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ct2pQ14.exe"
    3⤵
    PID:2172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:3300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc3aec46f8,0x7ffc3aec4708,0x7ffc3aec4718
        5⤵
        
        PID:2180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
        5⤵
        
        PID:3484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
        5⤵
        
        PID:3264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
        5⤵
        
        PID:2872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
        5⤵
        
        PID:5452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
        5⤵
        
        PID:5780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4424 /prefetch:1
        5⤵
        
        PID:5976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
        5⤵
        
        PID:5804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
        5⤵
        
        PID:5252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
        5⤵
        
        PID:6232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
        5⤵
        
        PID:6496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
        5⤵
        
        PID:6536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
        5⤵
        
        PID:6688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
        5⤵
        
        PID:772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
        5⤵
        
        PID:2752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        5⤵
        
        PID:1636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
        5⤵
        
        PID:6224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
        5⤵
        
        PID:6796
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
        5⤵
        
        PID:7076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7660 /prefetch:8
        5⤵
        
        PID:6044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7660 /prefetch:8
        5⤵
        
        PID:6256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8004 /prefetch:1
        5⤵
        
        PID:5128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
        5⤵
        
        PID:6712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1
        5⤵
        
        PID:5956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
        5⤵
        
        PID:5812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7912 /prefetch:8
        5⤵
        
        PID:1640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
        5⤵
        
        PID:4532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
        5⤵
        
        PID:6648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
        5⤵
        
        PID:5312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15270248119085033824,10195225948364288601,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6080 /prefetch:2
        5⤵
        
        PID:7704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc3aec46f8,0x7ffc3aec4708,0x7ffc3aec4718
        5⤵
        
        PID:3980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,5672080935402933667,3281700741927978252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        5⤵
        
        PID:5376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,5672080935402933667,3281700741927978252,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        5⤵
        
        PID:5364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:3976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3206595173017319090,6487211616396131630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
        5⤵
        
        PID:3744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3206595173017319090,6487211616396131630,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        5⤵
        
        PID:2208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
      4⤵
      PID:4212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,8871782374794659364,18396165768572328150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
        5⤵
        
        PID:5772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
      4⤵
      PID:5996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc3aec46f8,0x7ffc3aec4708,0x7ffc3aec4718
        5⤵
        
        PID:6104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
      4⤵
      PID:5704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x140,0x174,0x7ffc3aec46f8,0x7ffc3aec4708,0x7ffc3aec4718
        5⤵
        
        PID:1508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
      4⤵
      PID:6028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:6380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x108,0x16c,0x7ffc3aec46f8,0x7ffc3aec4708,0x7ffc3aec4718
        5⤵
        
        PID:6436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:6524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
      4⤵
      PID:6356

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kK0yG24.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kK0yG24.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qP5Qb44.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qP5Qb44.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Hm09Ej.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Hm09Ej.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:4364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ro9432.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ro9432.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3480

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rs14bk1.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rs14bk1.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ4OU94.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ4OU94.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ew995pG.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ew995pG.exe
  2⤵
  PID:5084
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3480 -ip 3480
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 540
1⤵
- Program crash
PID:1032

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
1⤵
PID:4812

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
1⤵
PID:2452

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
1⤵
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc3aec46f8,0x7ffc3aec4708,0x7ffc3aec4718
1⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7ffc3aec46f8,0x7ffc3aec4708,0x7ffc3aec4718
1⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ffc3aec46f8,0x7ffc3aec4708,0x7ffc3aec4718
1⤵
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffc3aec46f8,0x7ffc3aec4708,0x7ffc3aec4718
1⤵
PID:6372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc3aec46f8,0x7ffc3aec4708,0x7ffc3aec4718
1⤵
PID:6564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:1144

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
1⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
1⤵
PID:4792

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
1⤵
- Creates scheduled task(s)
PID:3652

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6880

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:7280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
8KB

MD5
1d57330dfc2927ebee956464c4aebd27

SHA1
8bf8d9370bc4bf420e9f88d032e5916beec87c46

SHA256
de0a79e4711e3a5fabedb429d63d00810c637e6bb81fad85fc8905aa88c06a59

SHA512
2928781b786b7c4af8b84198f66be86bb4c3f1e3c8119ebc2bb7ab879f09d7712ac29699a91b0c831080bb133013d96e7767f47d52c82632130d0cf8a2331279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
70KB

MD5
6cfb29074ce2460310df97fd4d07912d

SHA1
729513c74c2e166ff4ed00e2676dadbcb949d5bd

SHA256
d4831fe6fdbdc868f0ddc9506522d4e2cb547ebe87b75683db93d208e2b893ad

SHA512
69fd2085256f4c82d44924e89f3805300bb8f67e42cbcf57bf7c211e571ca020d49c4d1d131b9a7415bd6810ce017866ed44def8a73b7b4b8167d5081b978043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
6ca81c5da7de2b814cabfaead50f42bb

SHA1
9fef9935a7b4117ab6fa86988deab3aef369d61a

SHA256
3003ae495f8d977ec57ea3a28dfb6fda4147d4e71fe0b7fc8d310a8c8542ce8a

SHA512
71aecbb918ef83f028d27573d8b1cbe383d49383095959e527a2b1a27016bbe31d73b7828ad3163084f40b56bb5f42d3bd6321086b7dc1242018aebf915a11ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
a8b8a2797f4bbaf45cbe040b3ef6e201

SHA1
4c2828fa8abdcb26b50bdc10299d77306575889c

SHA256
70cb12616266f0686058ddfda32c4a9d2435ed9aec1e9845db5d38332691918c

SHA512
f0f3c7dcadd2fa5c7aa97b86dfb9d109b435e159c32c44a44d2286f365def7f1a5e29830e21d85f73052a63efb8e39cb0515c7fe37533332ec37edd2f9721873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
2507df21955c92830326f7bd94b5ece2

SHA1
4b1e59d2ae746b4b50a2d7da83f95185b743d417

SHA256
aebff6f60ab460357f2a5acbf08ba2e852ee2a8ab5261a8cccf20fc6bd4715e1

SHA512
4014138d406a37a4ecf6a934db951933804cd6a028886948a990daca5f408c8b59faa1fdf10a85a284ede0659ee9437515f5d7f5bfad9e237ff1a59467f2b210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b9b10fc6ebf32e67349c0bbc3f69a5c6

SHA1
9fac1a5a73415702e2b7191dd809095468e328b4

SHA256
ffe1391fdc3a7e8868f9703f558b29a0b9469e42144f0ba4b6cf808d2a53f0ef

SHA512
d83acd2eafd1d412d41961cbe562a978d86adff92fbcd19b7de212649675693ee3dadef70bfc0a22809f30ddb71c00b086c8ec023041b6d722c0742306d389ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
17466dfe36a85f8b29cc3b4b1c08ee72

SHA1
1ee49df038eaff55d116f1aad5509ca7bc618f6e

SHA256
292095044e2add7e1e1d2b4280e20c0043c76926c5d8ce2730ec349e170d2ae0

SHA512
9982b275fff8923a0c3d8c069b79573e7497b473054e9fa1484216cd51464e9eeea35cfa59552428c18a8d5cc236b94ca5dc2b547a7814b026e16ec8d4618b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
99ca5d0dfc7b40e841d95b0ccecde73d

SHA1
fb89862a786eebc0b112cc3437cd31755e64a926

SHA256
65a4c830d951550df59f02e1fdb205188ea9561c5fd510ab88a566b50f1441d1

SHA512
e4c525bdb62b5ac308f799b93573fdc0f6f55412299933e8c047ffe7def2ab6caed99e9e1b1fdfe0bd6f08abb2c71ef49d1b06950e4659cacc96f0982a8cccdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
741085c80d99eb1d6b9c56dfd97c41b8

SHA1
e4f0a2e85b934f5c3723bcb62399c887c88c3e53

SHA256
0c3a9205b8b1ab5596587674d48c9c8d85f63ae4b8a37a786afc6d2091ca9ab8

SHA512
505f2cf58ef2abbfd7008275f9c40f8333fc354dd631be51b1c339032a33190349b03f0bcf38db579d009719264a250c4536070593a957865445a8587ecd3662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b3a71f0b26e62c5cc39deb47e6c590b

SHA1
e95aa5dcb7f99073c3af819fa7278a3d7aee0ddb

SHA256
543b99023a8c272009083b661eda2ad53081065439573cefb95c6a255200e017

SHA512
fe82d3f8608de058a2f0089ee3f31c6aba29327d4ba42a51317daa07052cc1805b96685b6b52fe95299873807590128e56b141082b129c8d8af5f7fc08d1fd2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
864c8de99b591e8914aa58bdbc5ed584

SHA1
16fe766723b1d599bf9454f81480d21432f7ac9b

SHA256
3c0ac8939b95a169115764986852c83642b1ec18f70c08d23caf366f891ecfe8

SHA512
94b312e54a4af1af2805f128677bffb1cea1fd7128e5c22f7ede41111342697363089ac5d2ba078e91d670f93bcddf15746c44ab4ca29d8e42fce8cda01b3d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
9KB

MD5
d132568e83d2faaf388046cd71b2246c

SHA1
bc50ab2942a1a9d3f817175def720771a209bf03

SHA256
0bf9e922cff1ee3ea73d8e9d57f8058a5e7485edc7a93dedf4bfcc43608e896b

SHA512
365e11738cd0530f4043973dc969cd11bd0017df1d55e9086cb35d0cb583e909d68225217de7b39d2718f695df8c66c31986af01d39b53de449da753318850f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
e802fc786e8eef63ad55bac7631f39d2

SHA1
c4fd5812ee1d685f007bfb6d6512aea8449f03b6

SHA256
4135778f92f75ecf97807321be66920d10265d831483f379ccf6a709825fe832

SHA512
46c1b9d33b073881af772783c92d17ac6f58cf14297d3e872081aacbcaf467ac2af7d7a8607e48e98afa833d3d25d9c0fa7b0308636ca377254480b991dcba5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
70c419c4d262e0df402c8af63d4d907a

SHA1
508e57121eb060327064d7440b385750dfa699b5

SHA256
f0496e8a7177c01009a9bc0d94ee1b12bd5fdd5cd4b78577f6bdff7538891003

SHA512
0578754a8ea76a4894708205001c37c6d8b968d3692a5a036f0c535996eda3555bc0d3c56e0345f128249fc0d507ccb8318a1f205fe36113240002c7b560bf3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
c2e1936bf00cbff09797682402e43524

SHA1
de5facc9736d1a588063b3ab242718fe2c3b9dcf

SHA256
c3a0775fc2f2dcf544638a68881acc4c29b602712307520d3ca4dbbf1bdc3f96

SHA512
9c696828c1ed2d54df4d7a52989bd82a09604c3018eb473a04b8843beda5c32f03ec5b56c1419f22cbbe7d46f9af8d3247e164edf108343d2d1f0d26f23b36ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\457c74c0-5dcb-4a21-a84b-a90ca383cce0\index-dir\the-real-index

Filesize
6KB

MD5
62c37c9b8c8aea4604f7221d433e8f67

SHA1
51add5f6660ef0e400da516b319394ac522a7bdf

SHA256
6c8c659c64ac8b8f39705faf962d76b6e52ec3787b6586c166f84d6ecf5c67b5

SHA512
e075461b0c26f491218e40bd02032d241c340087d649ea91dfb68a679d381032c0a09477f56674af214a3fef2124d6f31d43918cdaae9b957f3650da9831ebe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\457c74c0-5dcb-4a21-a84b-a90ca383cce0\index-dir\the-real-index~RFe587f8b.TMP

Filesize
48B

MD5
95bec759d8f3336539c31d8db61118e0

SHA1
70e9e26c14e3f3fdc17939d2efb930c485b973ed

SHA256
e3667373445450e8e80c3e6fdf2ded5cb56f41388b539e0dd7739ba5a723c0f5

SHA512
8b06f00b7045a9d98c9231c56e05b7286233c62e4796f66d77c25131a2f841342fc6150683328e5d6614a35ba97c4c4d6a15eef9267386eeac610ab7a14f00b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

Filesize
83B

MD5
3a02826a707e2bac609d5878a0bf0cb3

SHA1
804e377aba34f9887f9492653a60a8fa90810e45

SHA256
ccbe318e8bccf5f90b9e997df0fcfa064317b742a9a53b6a66bcb82360abaa7c

SHA512
a38ecb464ab5b95723ccf677e283d621dbdb866db935a51cde21608507f0260e2c89b480cb3b78b3d847ea1902f32e44cf8d777db74e53fbc1bcdd91af9929a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

Filesize
79B

MD5
de7e2be5b9d95c4eaeffb2725aaaf974

SHA1
e2d2ec9540f1cd9859f359c0f2c73804b66e60ec

SHA256
eee7ed3028a305147d756239cc0174b2f2bd1ed02e4ce10cc9d72015965fb311

SHA512
59648b0969a25e8a1d68a62f45afc0ddb18511b1b92b3a5e41720a1d08741c2f191424c1a9ba31770ff120015ede031d1553669f3ec045d8a84c6906a3566422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
4aa179090cde30047f6ee33ece31eee4

SHA1
3e47fbfd7e205f2f183a9e94b31a0748ba2578a7

SHA256
fd15bf43d4c033644fab647b070cb10734d52bffeb9e6018b9541f72921110b8

SHA512
a7afc862f5b07eb94f7d368c48838398e89078fe5e6f3306f38493632089bce1c449bbdde05e59309914ea20803dee7de7ec9bd276ed54e70d201c3eb9a4331e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
f1de49971d4e053df46cf12ba3fe1655

SHA1
654a7523d81450e9fc396b860cff628af1c84c3c

SHA256
2b9197edd5477c8a94ccbb370cedfb80861c6cf89f6bcc685b12bc1d8a7e7e80

SHA512
deee29377b8dbaf695a88263875a5a974dfbcd202e1f09a068db6f69e9bc6cea9bf85da0500f24c7145caef5869d7246810cdfba3995611f9076a3abd3f9b706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
2ea49fb8d9ebbd9e321cd15cbcde94f0

SHA1
a6afff6a338990202ed4a16bead0b2339d3f1edc

SHA256
05f186dc82081db1ee07e84949c57a29cf3d6fde6e20ecf6f4ea1d7396e4e6f1

SHA512
0902f2e32853b39c6c7b46393eabfa9ab4cb65ac720aceb3f50ea81cd2a1ade85e8b52137eed5e13555f99e7ed4206adc345b75f95527fc64a3346de5fb88f3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
17197758d691d5ac2b7646d4e5da94d2

SHA1
cc7ce303d414c998246db908982d7ac9cf42a913

SHA256
fa6d1e9c4223a47d75aaac284b4e4b76f72c28501a241806077e8425203e137a

SHA512
6a6550e61d18cb90bb20ab66c656c7ad0f80d4fe8dbe8864101788242ea8ea7daaf7a12cc8f1eb26b713fcf815e64fb991589428b417d7c23325186da979521a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
3bb2d41a771142d2bf26fee39609fad6

SHA1
5f8c956684302d24d6c2d1d926b1fb43ed8ab13a

SHA256
d59026313cce9673629debd1ba18c9997933201d1df2ee4d45f6322af5586b2b

SHA512
444f8a619653894a7ed0a97230fae371426e6c9ac0872eacaa604886fe1d7c1cedcd537babd959fe777d8ee55e9a96186f090733bbaf8f516275ad1817414cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c2b4.TMP

Filesize
2KB

MD5
ae57114a726df9218e1e774df3d9ccd6

SHA1
62a94ce7987c22374c52e680027049670eefbde9

SHA256
6da7472e341f1df7c64347ddc214ffef6dbbad2919287560e2c4b115428bbd27

SHA512
d1951d48b4b6c29bf30595d2f72ba91c5ad8be010a56e983c734199ed3c4b16ae91701b34a6c46140743fe41372c58355fc9eda2cba6692d9825250528935924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
de3a41ddca69a65be8d73da22c12eb39

SHA1
91a1c2abeaec2a2a6d0434e6fe51688780de461d

SHA256
2cc170aa9766462e10edc6b5cba0d3dfebdaf4d586e5e72d8d756e9b217f2eb4

SHA512
8be41e42de17aea7776f1735a014c85405e63949eb0bbeba274fc2e85275432155286cdca6bb278ff6fbdcdac7218a8f4b33f74020ecd9e6af7622f0d39d7aee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
16fff64f37b4cdad8ad88b5909877e1f

SHA1
1ca4d24818a98d8cbb92872005ed05db0214637a

SHA256
cc41cba96b0188302f41a8f718db0911f93f6a01fc509c2b935164fe20db2210

SHA512
22375f39a3bc8c1114f38ac441ff57cd9ac1c789f10079a38dc1a66802e74a31dbebaa3a798ac3b3b3393e1f58801a7fa64d0de4fb0c799fef77941e3c84bc57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
1930bac61cafbcfb3c30507826992a43

SHA1
1c38c630a5e3f32011d60029f0fda63302a5ba65

SHA256
626e9bf404da2d9c0eae902a35e7f3516221dd9c1c532cf5db75b807b36e9048

SHA512
10b5157a9ba4cb988a9e6fd43521e39288795c1eab5047d2c1214fbb6e7d02da455dd40b91b45bbbf2596319100d1a44d5e8acfe169eac2b54178b3ad2b189f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9b0522cf89847a9d9494b4ca25c79f10

SHA1
e7b05862e774c9333d9549aa59a9149cf1694470

SHA256
a9df4da35675f7ddc805b1e4dd8d222d421576a60885b7edd307f18169b5b55c

SHA512
346910562fd76b45392f1ade29d223ab0f570b53eeb973aa350ff0ad4b3d84604bb531b842fe95b869f44a40bfa4fc4a8fa98168d3384be022d480d313538657

Download Submit
C:\Users\Admin\AppData\Local\Temp\67F1.tmp\67F2.tmp\67F3.bat

Filesize
429B

MD5
0769624c4307afb42ff4d8602d7815ec

SHA1
786853c829f4967a61858c2cdf4891b669ac4df9

SHA256
7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f

SHA512
df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ct2pQ14.exe

Filesize
9KB

MD5
60ad82fc08d4e71d6fcd0bd5a75ed3c1

SHA1
460e30c4114b308f0594f004c0f3a5e0f45949fe

SHA256
9ea0eef1575b7ecc7b153cc6028d6749939338a0e3164591c1d899e0ed3cbf04

SHA512
a6cd25317eb8d0f7030d924596b961ddaf7d3b183f3942d82d8a45be79f19b5b14193596e93dc89fc4b88c71cd733ba20f8c42ec81b89d74cb56ba032f7328bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ct2pQ14.exe

Filesize
89KB

MD5
ee1300a5dd8b53671d572ab4fba80990

SHA1
8e43b74b5ce61359414ffe2bd19a427a668fb99d

SHA256
306246151c2aaa6c9136b1e5cbb778fe8fefa79b0b6f6052a9d93654455748f2

SHA512
e0d26d26ec10b76cf7c17c07ad6ea5339fd205035c540721f1e0d5244f4a08df734d2a656a1fde9b0184ace2919b8e84cb6acc64a95cb09a0de9ad66cb2118c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rw4YT03.exe

Filesize
119KB

MD5
fef0df92688a4d5b783449d2d349fa7d

SHA1
66e01d7e800cb9eb55463d68144ded76933de70e

SHA256
003ef49f93a63fed4f36544965c6a4f61bbf66eb8217ac4ddc0cc9039bfbd37b

SHA512
a94b56607dc0b4381d59c0f0d77c643d7b010b60b463fee47a4f141bd58cd1351925c2afc66bbfea7fa0e8721f4941999daf0245a5978c8e59984ec26e2a7a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rw4YT03.exe

Filesize
47KB

MD5
1ee4826a98fef665dfe5f6f9f46eb890

SHA1
342d4d7bab4ce6457a09fe2ea71c4c1885a1f030

SHA256
4e58fbbcb5fbb96541dde10a9e0be4f49e646f8779f8063ed84db182f6c8e522

SHA512
da23c3317b6a7812f9cd3ce15fc1bff004b623204f10a61e19ed239e63110ef9936368bfbaaed275bc8e99fb1749e3705cde20ce3273001f0600dd927ec497a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6dg6UC8.exe

Filesize
129KB

MD5
412956ec4eb568ef6d19ddbe88b9dab4

SHA1
4965c300008ba0d2a782c90f34ffc19a7940e825

SHA256
a36bc5744459c885ea5ba7ab9dfd04c755df1a38970e3f16a45e2d92071f94f9

SHA512
499ffb7eb6179eb821ec6b36472b65ffe6a78c6afa816bdd618312fc9a41bb05510d996da1f93256326dd215912f450c8c089a792279df5a0fc49e0db7947ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6dg6UC8.exe

Filesize
9KB

MD5
8c4120c219a1a59f707f17163f1cf72b

SHA1
88a6149a47197a237d000ec5cc211f7603f04b69

SHA256
9c150e62f06f150b8ebf8edd1b2d5f2ab5322f5fc10da824d01a07e048767b55

SHA512
8d402b5db200a7772276d717e2af62ab91fcace426ad5e85f2093845e65bdccf81a1ec09a55f1b12a7c51532473ccda7fb454785754b68a6ba8b3a8b64b1046f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nf4rn60.exe

Filesize
88KB

MD5
16caad84be05a178a70de0cdfe9cf091

SHA1
984f332e2f580166d939cb3f8949adc67d57a9c6

SHA256
cff6fe18da43d264a78169ba2960d8a1cd365b2630d1a95381a273825386ca13

SHA512
561ad42704df6163e9711240247df1d01aa10972eed6573155cc2428c610b7b5890069b800b25e6ad1a09373f90c602d15f6f7dd8b4cb983210be756d0100d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nf4rn60.exe

Filesize
17KB

MD5
67a3ebb264ec8aa1ac8ab37ba8d2e897

SHA1
ffdc5c41976c8cf395e26092eea48185c1554022

SHA256
b18bd550b0bac6d33b813a310682228f816dea09d32e5be75b43a4d6ad073c92

SHA512
c7c4744e11cddf15f1fc0fe75acf738b037ca62bbb3d52b5cefd5a7279add2083eef68d7564bbaa016d61f2c18f161fd708ebefe3f630f2f4853809edad32d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NS8xD0.exe

Filesize
11KB

MD5
31592c82f3fe5304a411e3783a885e3a

SHA1
3fa48a09c307f864d87a1500c14a14a39b736b56

SHA256
1b8ea98c098f3a858c088879b07e9d8fe0b138a7cf0176791539c1827c81095f

SHA512
6422a2c3d637e133571e9bbedae25c2f6bbb9d561c10bd0d73f92157d62fdb8aea5ae1b340d3569bc33be0d1d0a68e74c77edf5bcfb11eea65be3ded70722eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NS8xD0.exe

Filesize
7KB

MD5
f3a5b5ef4d40637a2b770f783538d717

SHA1
6367993a996e1a1ef16a08b3bf08529c6e9552c1

SHA256
c5670dfbe358cdb4712543674b6d78b28bcfde9a692065016d2a304920277277

SHA512
6055afe68c4ff0998df29b37ab405b4ee1b06c8ec2f0876b63605400e8fed5075d5414d10329519ab1739ecbfd01dfc25701094f822e677db353e870b31ead35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ4OU94.exe

Filesize
92KB

MD5
87a9e5b75bc75af48c9d32d777644558

SHA1
056159e70cfa9e28ee267c38c9b9567fc10f6ae2

SHA256
510ac8683c4dee8d5c9ce4a94a1acaed9b56ab8d84c01e32eea23101ef3c3d45

SHA512
163208039e739e1a0a479c0bd11619a5edc3f7e7e97580cf98965609c091f268e3765802ab0d1e312444e1d96c1a285ea9e8b2ed9295078a3331f61213a5a5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ4OU94.exe

Filesize
52KB

MD5
b9e3450a2e0ce6cc963d7c56cdc9d4e9

SHA1
3306ddb29a743f72a7a578dcbc5d46b50a0d482f

SHA256
4bf8cc06a4fb1d5102ad18d9456778e9b51b1bf7ebd25e048ef2bbdef157f05f

SHA512
12430a7ae3bddec29cf201d26e4f0db76f3aa8d314b9fe705394c760f67bca1d1bb9fd3c71de14f0b93f4ed5fb28f8ad325190aaa4906325052e1de4370518a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ew995pG.exe

Filesize
26KB

MD5
b076b7ecc57be0c027353ddde9e4c363

SHA1
4350fb26e888906f7d9493d47408f9d4df57bad2

SHA256
c6f6d9ef006d8ac805315d9f98a805fb5577ce0ba6f9080e5403e86289f731ee

SHA512
845fdafda47feb36a16c9e0e3eeae9b7c32b7ed7e824b548a47ae3d229cc2339b277fcc07ccb72e30406ba35c1dc1b0d1a72cc89c9e5fe332425fdd491a2ed2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ew995pG.exe

Filesize
1KB

MD5
06f01a571b941db1133c4f9b014f947d

SHA1
5b8c81a2d481a34c49aac9cc9839c3385a28c0e3

SHA256
c2f92bcad67276cc6ecdb367933607d7fa1a923c0832742ba945fec5c9ece7d8

SHA512
db4f701143b9c62ee47eae963c35c0bf0f14474a8fec61566ab9f25d58006a089cc39988e2696e24e76caaed04f27a7eacd4b14c57d7ba2d241c66d0f204e05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kK0yG24.exe

Filesize
63KB

MD5
faa56f1b7dae5e0296ddcdcbfdbe0c93

SHA1
13494039d7a27449522564efe9495191933fc52f

SHA256
2d8c3b805cc084b92922d9a4b2998ee3d0201fc6a60189967e562447e07b61d6

SHA512
62b59d0d1affca02c56edeee49546d6f5af95fb0048eef0677efa82d1d6914914631c88b2fc7ca0c017050feca03a160b0adb78b1c92daf4bbaa686cd6057f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kK0yG24.exe

Filesize
17KB

MD5
1bcd079d240dc8c1537c8cf8b0d45cbf

SHA1
d3401e77ead94ac2d10be6b66b10b36013afd527

SHA256
cf19ebb3fd2a96fc2adea033a0823819ed74a35c8ef7f3c4afce0d1a614a1f77

SHA512
5fe5934ec1180ec8614b9c0069e79c4a872e762d6ccfb3a6a507e8d0b1c4508fd503119da72173aa4a269fd987f10ae9091835e9c82bd027f2da7cfd56e846d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Hm09Ej.exe

Filesize
30KB

MD5
29a026f2a8fb2fd9926fd148daec38c5

SHA1
d2dbd72c0880bc77aea1674b0d9628fcf5484139

SHA256
424b5c218c2a54ebbb25395711bf85924aad37c675fe964859744b3e9abdc1cd

SHA512
4b48e3a0f7d8d2476933028ae2a532d8191a71f7b89347db446e47d02ac0cbd0eb462e6ebf71e7ca02d7626242c4868af097662c59fc8697a42c1faca4514189

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qP5Qb44.exe

Filesize
84KB

MD5
16eeffa7b19679a8f7951574709729c1

SHA1
2605f088240354a5231f32dbeab78ddb98d99c43

SHA256
8129309bfa83fd8a75446e8acc3611c314460539f110e7b478d5f7a7402d3f47

SHA512
40731d54677bbd1ef5d213c43ce8398c733d84188ce1742cdf5ec65d8d3537d47c7b976e86b8bb082aba84a2244dbebf54cc8c30993d2b4586341ed07b72275b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qP5Qb44.exe

Filesize
52KB

MD5
f36debca8e0c79b3935aa4c79de64d7f

SHA1
22a513f996ab80c35f805dfdd5657e2bf350c5c9

SHA256
7b47a7803b8899da62c26ea58ffd3dd7a06fbb8271a422487cbb92e4f63dd0cb

SHA512
71d4352601ab1081f9d97a69a8000f41b217e4f59065f60a7893b479ecaeeee422179524d97c78e68f1b22b0455b8505fc9ae30a95298c27162f5d44b21acaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rs14bk1.exe

Filesize
25KB

MD5
e14fe8c07ad5818ce15aff15bfbd8a3b

SHA1
065feef5b349fb128981bdc9f7c55969b54f2502

SHA256
bba10145e8b93ab11e0b3e5ae52c98a3c89f196c6b2396b252ed29b1feb397a5

SHA512
ef06a5bf8ec74a07c38e4ef46b2143bdcc13f01b6349cfad4a182c958192caaca024f8307d36b4117840d4f2796e49f78eecf56d7123678ec8e5a38c7013240e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rs14bk1.exe

Filesize
76KB

MD5
38dc9936a081542a0e60bf261029a592

SHA1
8bb8d6a6412c36246ed7277180d1c6ed759e384b

SHA256
8ebb056d95a7a50f14896d1330b37bf2f82a000c172c6123c9411a64303a1f6a

SHA512
8f1d0db5e3cfaea5fc9bb9bc4647e329b4e3d0ea09261b35ae9eb66e100a4551bccf2e628eee9b5930bb564ba9b69767d8fc5ca66544c42a7c2a3568c3543255

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ro9432.exe

Filesize
61KB

MD5
864176e2c61f906c8d173f1e4459ffbf

SHA1
f22031766ca0f2630a2e9c8b011ef7ed23dbfe61

SHA256
ffc4560fbd934fa280e19648d916c2444cca72f29b47b001b480ef1265797e10

SHA512
06d4961e62afc9ee8ce82d9a5561aa442dba24a4203376ab8af82c5606a96a3b194b282abd50da1580a60a53c9531a9aa358c334ea4ca7b945faa5c94f7addd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ro9432.exe

Filesize
141KB

MD5
11e51b5d07718cf8662c74e2f457a496

SHA1
86fed1f6d27df34700bbf6cf0727b6ce87d6b22f

SHA256
de45b9275500b2e3a01719d1897f420ea9d46cd789639a21300ab0199ab1a16e

SHA512
65da9b025dcccd0e491bab8c1e87da56bf698bb948efc0680b522ae2c0d7a6a9eb2b21901161fff14bc5975422f498216ae21337ed8992a255d6aaf48305f1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
6KB

MD5
46183b50cff0d19d561e4eb81bb5b1e9

SHA1
30988a9cee8a15a5db060f35b23e96af3ee6082e

SHA256
34c10c8d8db379881459d4c2e494ceae82b707826d808e4a2cf47da122e22e5e

SHA512
689a16231dc2f2eec4e8878a43629a18626a04bba06186203d03217e96a6be3e54bc8a2dc267ce78967fc49841ce6279fc88d87e30db31656673e51c31a04d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
35KB

MD5
652c6fb9277cee0dab822b67c649d0c3

SHA1
cdf1d1a64ed7c91807d2f735f79c2123d81c71f4

SHA256
883defe9eb402890c00daae5eb2800b76bae7500e21d8826a4776aa255509779

SHA512
a2b2934e2da52f1d00287b71f8651d4cd6a71db4cd97704f8eaa2c19b0e9e115b4ab829babb38453a15c52df0e261d80ffd90fe6f656f23cdd7d35c1e710660b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
220KB

MD5
91dd120c48de1c13c0adb40c898eeadd

SHA1
2f81abac3bc154c1b23ef9c64eaa26d283bf96d7

SHA256
2af9ac83822ebf1c70e13069485566a8c6de06b49fd8b1328d624e18f182baa6

SHA512
aa76db91b1b4d78191d15572de98fd1d6c062bc77c7a04f8c9ad5a2f3b953f991312a4ec6fb185dfe80360fb0d62faa42ab4fbaf3e8938c5dc9f75959c46ab92

Download Submit
memory/1980-91-0x0000000007AF0000-0x0000000007B02000-memory.dmp

Filesize
72KB

Download
memory/1980-92-0x0000000007B50000-0x0000000007B8C000-memory.dmp

Filesize
240KB

Download
memory/1980-88-0x0000000008910000-0x0000000008F28000-memory.dmp

Filesize
6.1MB

Download
memory/1980-93-0x0000000007B90000-0x0000000007BDC000-memory.dmp

Filesize
304KB

Download
memory/1980-70-0x00000000741A0000-0x0000000074950000-memory.dmp

Filesize
7.7MB

Download
memory/1980-69-0x0000000007D40000-0x00000000082E4000-memory.dmp

Filesize
5.6MB

Download
memory/1980-71-0x0000000007850000-0x00000000078E2000-memory.dmp

Filesize
584KB

Download
memory/1980-1056-0x00000000741A0000-0x0000000074950000-memory.dmp

Filesize
7.7MB

Download
memory/1980-90-0x0000000007C00000-0x0000000007D0A000-memory.dmp

Filesize
1.0MB

Download
memory/1980-1092-0x0000000007AE0000-0x0000000007AF0000-memory.dmp

Filesize
64KB

Download
memory/1980-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-76-0x0000000007AE0000-0x0000000007AF0000-memory.dmp

Filesize
64KB

Download
memory/1980-80-0x0000000007910000-0x000000000791A000-memory.dmp

Filesize
40KB

Download
memory/3480-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-56-0x0000000001FF0000-0x0000000002006000-memory.dmp

Filesize
88KB

Download
memory/4364-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4364-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4860-46-0x00000000741A0000-0x0000000074950000-memory.dmp

Filesize
7.7MB

Download
memory/4860-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4860-184-0x00000000741A0000-0x0000000074950000-memory.dmp

Filesize
7.7MB

Download