kinsing | e357135bee468ba798b556dec8ceba0d38db2eaff80055ab6650e7c03c16805c

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Versa.wtf_robloxtxt.scr
Size

58KB
MD5

0b994f6931e0ae689adc17b8a6650629
SHA1

3ff8e1de8d839a71331fb1d2e6afa0ed29eea609
SHA256

e357135bee468ba798b556dec8ceba0d38db2eaff80055ab6650e7c03c16805c
SHA512

c89e84348a74d2886545e9ca6ffc451a4f2a5134f3e874b2eb9e78f1f2acefb2dec85cbf41bdbf3630d798a6cebf9aa69ad1b46b7ccf747e24462df3205fde4f
SSDEEP

384:Mi38dDnaxg679BwKCcbeuiyOgW+vvRiBDeoww4glQhgLU07kRI0VxdahYMMmncdb:/s9naW+95CcbKv5qvkBDxLc

Score

10^/10

kinsing loader spyware stealer

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeVersa.wtf_robloxtxt.scr

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	Versa.wtf_robloxtxt.scr

Executes dropped EXE 4 IoCs

Processes:

ddpxcloq.exexvmb2yup.exechromedriver.exemsedgedriver.exe

pid process

3676 ddpxcloq.exe
1988 xvmb2yup.exe
2512 chromedriver.exe
2444 msedgedriver.exe
Loads dropped DLL 1 IoCs

Processes:

Versa.wtf_robloxtxt.scr

pid process

2072 Versa.wtf_robloxtxt.scr
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

18 raw.githubusercontent.com
19 raw.githubusercontent.com
23 discord.com
24 discord.com
84 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

80 checkip.amazonaws.com

pid	process
3676	ddpxcloq.exe
1988	xvmb2yup.exe
2512	chromedriver.exe
2444	msedgedriver.exe

flow	ioc
18	raw.githubusercontent.com
19	raw.githubusercontent.com
23	discord.com
24	discord.com
84	discord.com

flow	ioc
80	checkip.amazonaws.com

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgedriver.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgedriver.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgedriver.exe

Drops file in Program Files directory 64 IoCs

Processes:

msedge.exemsedge.exechromedriver.exechrome.exechrome.exemsedgedriver.exe

description	ioc	process
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Crashpad\settings.dat	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\Session Storage\MANIFEST-000001	msedge.exe
File created	C:\Program Files\scoped_dir2444_25633448\Default\Preferences~RFe57e791.TMP	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Crashpad\throttle_store.dat	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\Site Characteristics Database\CURRENT	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\Top Sites-journal	msedge.exe
File created	C:\Program Files\scoped_dir2512_1428953839\First Run	chromedriver.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\Default\Site Characteristics Database\LOCK	chrome.exe
File created	C:\Program Files\scoped_dir2512_1428953839\Default\Code Cache\wasm\index-dir\temp-index	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\ShaderCache\data_3	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\Default\Network\Reporting and NEL	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\shared_proto_db\CURRENT	msedge.exe
File created	C:\Program Files\scoped_dir2512_1428953839\Default\Sync Data\LevelDB\000003.log	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\Default\Top Sites-journal	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\Default\GPUCache\data_3	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\Default\shared_proto_db\metadata\MANIFEST-000001	chrome.exe
File created	C:\Program Files\scoped_dir2512_1428953839\Default\Site Characteristics Database\000001.dbtmp	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\ShaderCache\GPUCache\index	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\shared_proto_db\metadata\CURRENT	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\shared_proto_db\LOCK	msedge.exe
File created	C:\Program Files\scoped_dir2444_25633448\Default\efee6223-edc5-4e71-bace-1cfe4f56cb65.tmp	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\Default\Extension Scripts\LOCK	chrome.exe
File created	C:\Program Files\scoped_dir2512_1428953839\DevToolsActivePort	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\Sync Data\LevelDB\MANIFEST-000001	msedge.exe
File created	C:\Program Files\scoped_dir2512_1428953839\Default\shared_proto_db\MANIFEST-000001	chrome.exe
File created	C:\Program Files\scoped_dir2512_1428953839\Default\Cache\Cache_Data\data_1	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\SmartScreen\local\download_cache	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\Local Storage\leveldb\MANIFEST-000001	msedge.exe
File created	C:\Program Files\scoped_dir2512_1428953839\Default\Local Storage\leveldb\000003.log	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\Default\Cache\Cache_Data\index	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\Default\Cache\Cache_Data\data_0	chrome.exe
File created	C:\Program Files\scoped_dir2444_25633448\Default\GPUCache\data_0	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\ShaderCache\GPUCache\data_1	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\Sync Data\LevelDB\LOCK	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\Session Storage\LOCK	msedge.exe
File created	C:\Program Files\scoped_dir2512_1428953839\Last Version	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\Default\Cache\Cache_Data\data_1	chrome.exe
File created	C:\Program Files\scoped_dir2444_25633448\Default\Preferences	msedgedriver.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\BrowserMetrics\BrowserMetrics-65B28F50-25C.pma	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\SmartScreen\local\warnStateCache	msedge.exe
File created	C:\Program Files\scoped_dir2444_25633448\DevToolsActivePort	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\GPUCache\data_2	msedge.exe
File created	C:\Program Files\scoped_dir2444_25633448\Default\Session Storage\000003.log	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\Default\commerce_subscription_db\LOCK	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\Default\Extension Scripts\CURRENT	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\Default\Top Sites	chrome.exe
File created	C:\Program Files\scoped_dir2444_25633448\Default\Sync Data\LevelDB\000003.log	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\Login Data-journal	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2512_1428953839\Default\35b85769-16ea-41e2-a235-03e61eccabc3.tmp	chrome.exe
File created	C:\Program Files\scoped_dir2512_1428953839\Default\DawnCache\data_2	chrome.exe
File created	C:\Program Files\scoped_dir2512_1428953839\Default\shared_proto_db\metadata\000003.log	chrome.exe
File created	C:\Program Files\scoped_dir2444_25633448\Default\shared_proto_db\MANIFEST-000001	msedge.exe
File created	C:\Program Files\scoped_dir2512_1428953839\Default\Local Storage\leveldb\MANIFEST-000001	chrome.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\Extension State\LOCK	msedge.exe
File created	C:\Program Files\scoped_dir2444_25633448\Crashpad\throttle_store.dat	msedge.exe
File created	C:\Program Files\scoped_dir2444_25633448\Last Version	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\Local Storage\leveldb\CURRENT	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\Code Cache\wasm\index-dir\the-real-index	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\shared_proto_db\metadata\MANIFEST-000001	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\Web Data	msedge.exe
File opened for modification	C:\Program Files\scoped_dir2444_25633448\Default\Top Sites	msedge.exe
File created	C:\Program Files\scoped_dir2444_25633448\Default\GPUCache\data_2	msedge.exe
File created	C:\Program Files\scoped_dir2512_1428953839\Default\Extension Scripts\000001.dbtmp	chrome.exe
File created	C:\Program Files\scoped_dir2512_1428953839\Default\GPUCache\data_1	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1568 schtasks.exe

pid	process
1568	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 11 IoCs

Processes:

reg.exeExplorer.EXEreg.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\consoleemily0931.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Versa.wtf_robloxtxt.scrddpxcloq.exetaskmgr.exexvmb2yup.exe

pid	process
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
3676	ddpxcloq.exe
3676	ddpxcloq.exe
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
4840	taskmgr.exe
4840	taskmgr.exe
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
2072	Versa.wtf_robloxtxt.scr
1988	xvmb2yup.exe
1988	xvmb2yup.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Explorer.EXEtaskmgr.exe

pid process

3440 Explorer.EXE
4840 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exemsedge.exe

pid process

508 chrome.exe
508 chrome.exe
604 msedge.exe
604 msedge.exe

pid	process
508	chrome.exe
508	chrome.exe
604	msedge.exe
604	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

Versa.wtf_robloxtxt.scrddpxcloq.exeExplorer.EXEtaskmgr.exexvmb2yup.exe

description	pid	process
Token: SeDebugPrivilege	2072	Versa.wtf_robloxtxt.scr
Token: SeDebugPrivilege	3676	ddpxcloq.exe
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeDebugPrivilege	4840	taskmgr.exe
Token: SeSystemProfilePrivilege	4840	taskmgr.exe
Token: SeCreateGlobalPrivilege	4840	taskmgr.exe
Token: SeDebugPrivilege	1988	xvmb2yup.exe
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Explorer.EXEtaskmgr.exechrome.exemsedge.exe

pid	process
3440	Explorer.EXE
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
3440	Explorer.EXE
3440	Explorer.EXE
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
508	chrome.exe
508	chrome.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
604	msedge.exe
3440	Explorer.EXE
604	msedge.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Explorer.EXEtaskmgr.exe

pid	process
3440	Explorer.EXE
3440	Explorer.EXE
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
3440	Explorer.EXE
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe
4840	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Versa.wtf_robloxtxt.scr

pid process

2072 Versa.wtf_robloxtxt.scr
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3440 Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Versa.wtf_robloxtxt.scrcmd.exeComputerDefaults.exewscript.execmd.exeddpxcloq.exeExplorer.EXExvmb2yup.exechromedriver.exechrome.exe

description	pid	process	target process
PID 2072 wrote to memory of 2460	2072	Versa.wtf_robloxtxt.scr	reg.exe
PID 2072 wrote to memory of 2460	2072	Versa.wtf_robloxtxt.scr	reg.exe
PID 2072 wrote to memory of 2460	2072	Versa.wtf_robloxtxt.scr	reg.exe
PID 2072 wrote to memory of 548	2072	Versa.wtf_robloxtxt.scr	reg.exe
PID 2072 wrote to memory of 548	2072	Versa.wtf_robloxtxt.scr	reg.exe
PID 2072 wrote to memory of 548	2072	Versa.wtf_robloxtxt.scr	reg.exe
PID 2072 wrote to memory of 4868	2072	Versa.wtf_robloxtxt.scr	cmd.exe
PID 2072 wrote to memory of 4868	2072	Versa.wtf_robloxtxt.scr	cmd.exe
PID 2072 wrote to memory of 4868	2072	Versa.wtf_robloxtxt.scr	cmd.exe
PID 4868 wrote to memory of 2864	4868	cmd.exe	ComputerDefaults.exe
PID 4868 wrote to memory of 2864	4868	cmd.exe	ComputerDefaults.exe
PID 4868 wrote to memory of 2864	4868	cmd.exe	ComputerDefaults.exe
PID 2864 wrote to memory of 1660	2864	ComputerDefaults.exe	wscript.exe
PID 2864 wrote to memory of 1660	2864	ComputerDefaults.exe	wscript.exe
PID 2864 wrote to memory of 1660	2864	ComputerDefaults.exe	wscript.exe
PID 1660 wrote to memory of 1884	1660	wscript.exe	cmd.exe
PID 1660 wrote to memory of 1884	1660	wscript.exe	cmd.exe
PID 1660 wrote to memory of 1884	1660	wscript.exe	cmd.exe
PID 2072 wrote to memory of 3164	2072	Versa.wtf_robloxtxt.scr	cmd.exe
PID 2072 wrote to memory of 3164	2072	Versa.wtf_robloxtxt.scr	cmd.exe
PID 2072 wrote to memory of 3164	2072	Versa.wtf_robloxtxt.scr	cmd.exe
PID 3164 wrote to memory of 1568	3164	cmd.exe	schtasks.exe
PID 3164 wrote to memory of 1568	3164	cmd.exe	schtasks.exe
PID 3164 wrote to memory of 1568	3164	cmd.exe	schtasks.exe
PID 2072 wrote to memory of 3676	2072	Versa.wtf_robloxtxt.scr	ddpxcloq.exe
PID 2072 wrote to memory of 3676	2072	Versa.wtf_robloxtxt.scr	ddpxcloq.exe
PID 3676 wrote to memory of 3440	3676	ddpxcloq.exe	Explorer.EXE
PID 3676 wrote to memory of 3440	3676	ddpxcloq.exe	Explorer.EXE
PID 3676 wrote to memory of 3440	3676	ddpxcloq.exe	Explorer.EXE
PID 3676 wrote to memory of 3440	3676	ddpxcloq.exe	Explorer.EXE
PID 3676 wrote to memory of 3440	3676	ddpxcloq.exe	Explorer.EXE
PID 3676 wrote to memory of 3440	3676	ddpxcloq.exe	Explorer.EXE
PID 3676 wrote to memory of 3440	3676	ddpxcloq.exe	Explorer.EXE
PID 3676 wrote to memory of 3440	3676	ddpxcloq.exe	Explorer.EXE
PID 3676 wrote to memory of 3440	3676	ddpxcloq.exe	Explorer.EXE
PID 3676 wrote to memory of 3440	3676	ddpxcloq.exe	Explorer.EXE
PID 3676 wrote to memory of 3440	3676	ddpxcloq.exe	Explorer.EXE
PID 3676 wrote to memory of 3440	3676	ddpxcloq.exe	Explorer.EXE
PID 3676 wrote to memory of 3440	3676	ddpxcloq.exe	Explorer.EXE
PID 3440 wrote to memory of 4840	3440	Explorer.EXE	taskmgr.exe
PID 3440 wrote to memory of 4840	3440	Explorer.EXE	taskmgr.exe
PID 2072 wrote to memory of 1988	2072	Versa.wtf_robloxtxt.scr	xvmb2yup.exe
PID 2072 wrote to memory of 1988	2072	Versa.wtf_robloxtxt.scr	xvmb2yup.exe
PID 1988 wrote to memory of 4840	1988	xvmb2yup.exe	taskmgr.exe
PID 1988 wrote to memory of 4840	1988	xvmb2yup.exe	taskmgr.exe
PID 1988 wrote to memory of 4840	1988	xvmb2yup.exe	taskmgr.exe
PID 1988 wrote to memory of 4840	1988	xvmb2yup.exe	taskmgr.exe
PID 1988 wrote to memory of 4840	1988	xvmb2yup.exe	taskmgr.exe
PID 1988 wrote to memory of 4840	1988	xvmb2yup.exe	taskmgr.exe
PID 1988 wrote to memory of 4840	1988	xvmb2yup.exe	taskmgr.exe
PID 1988 wrote to memory of 4840	1988	xvmb2yup.exe	taskmgr.exe
PID 1988 wrote to memory of 4840	1988	xvmb2yup.exe	taskmgr.exe
PID 1988 wrote to memory of 4840	1988	xvmb2yup.exe	taskmgr.exe
PID 1988 wrote to memory of 4840	1988	xvmb2yup.exe	taskmgr.exe
PID 1988 wrote to memory of 4840	1988	xvmb2yup.exe	taskmgr.exe
PID 1988 wrote to memory of 4840	1988	xvmb2yup.exe	taskmgr.exe
PID 2072 wrote to memory of 2512	2072	Versa.wtf_robloxtxt.scr	chromedriver.exe
PID 2072 wrote to memory of 2512	2072	Versa.wtf_robloxtxt.scr	chromedriver.exe
PID 2512 wrote to memory of 508	2512	chromedriver.exe	chrome.exe
PID 2512 wrote to memory of 508	2512	chromedriver.exe	chrome.exe
PID 508 wrote to memory of 3472	508	chrome.exe	chrome.exe
PID 508 wrote to memory of 3472	508	chrome.exe	chrome.exe
PID 508 wrote to memory of 1756	508	chrome.exe	chrome.exe
PID 508 wrote to memory of 1756	508	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Versa.wtf_robloxtxt.scr
"C:\Users\Admin\AppData\Local\Temp\Versa.wtf_robloxtxt.scr" /S
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\consoleemily0931.vbs
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
5⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
2⤵
- Modifies registry class
PID:548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\consoleemily0931.vbs" /f
2⤵
- Modifies registry class
PID:2460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN SpotifyUpdateService_KFlFibnYASKBpAEEzZQh040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\KFlFibnYASKBpAEEzZQh040MX.exe" /RL HIGHEST /IT
2⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN SpotifyUpdateService_KFlFibnYASKBpAEEzZQh040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\KFlFibnYASKBpAEEzZQh040MX.exe" /RL HIGHEST /IT
3⤵
- Creates scheduled task(s)
PID:1568

C:\Users\Admin\AppData\Local\Temp\ddpxcloq.exe
"C:\Users\Admin\AppData\Local\Temp\ddpxcloq.exe" explorer.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Users\Admin\AppData\Local\Temp\xvmb2yup.exe
"C:\Users\Admin\AppData\Local\Temp\xvmb2yup.exe" Taskmgr.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\chromedriver-win64\chromedriver.exe
"C:\Users\Admin\AppData\Local\Temp\chromedriver-win64\chromedriver.exe" --port=55628
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --disable-default-apps --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --log-level=0 --no-first-run --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir="C:\Program Files\scoped_dir2512_1428953839" --window-position=-32000,-32000 data:,
3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --enable-logging --log-level=0 --user-data-dir="C:\Program Files\scoped_dir2512_1428953839" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --enable-logging --log-level=0 --mojo-platform-channel-handle=1720 --field-trial-handle=1968,i,9781350852211486293,13155314223830646291,131072 /prefetch:2
4⤵
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-logging --log-level=0 --user-data-dir="C:\Program Files\scoped_dir2512_1428953839" --enable-logging --log-level=0 --mojo-platform-channel-handle=2148 --field-trial-handle=1968,i,9781350852211486293,13155314223830646291,131072 /prefetch:8
4⤵
- Drops file in Program Files directory
PID:1884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Program Files\scoped_dir2512_1428953839" --display-capture-permissions-policy-allowed --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2884 --field-trial-handle=1968,i,9781350852211486293,13155314223830646291,131072 /prefetch:1
4⤵
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Program Files\scoped_dir2512_1428953839" --display-capture-permissions-policy-allowed --first-renderer-process --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2876 --field-trial-handle=1968,i,9781350852211486293,13155314223830646291,131072 /prefetch:1
4⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --enable-logging --log-level=0 --user-data-dir="C:\Program Files\scoped_dir2512_1428953839" --enable-logging --log-level=0 --mojo-platform-channel-handle=2204 --field-trial-handle=1968,i,9781350852211486293,13155314223830646291,131072 /prefetch:8
4⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\msedgedriver.exe
"C:\Users\Admin\AppData\Local\Temp\msedgedriver.exe" --port=55798
2⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in Program Files directory
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --allow-pre-commit-input --disable-background-networking --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --disable-default-apps --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --log-level=0 --no-first-run --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir="C:\Program Files\scoped_dir2444_25633448" --window-position=-32000,-32000 data:,
3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13198525570195185954,11364071401023731380,131072 --enable-logging --log-level=0 --user-data-dir="C:\Program Files\scoped_dir2444_25633448" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --enable-logging --log-level=0 --mojo-platform-channel-handle=2140 /prefetch:2
4⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,13198525570195185954,11364071401023731380,131072 --lang=en-US --service-sandbox-type=none --enable-logging --log-level=0 --user-data-dir="C:\Program Files\scoped_dir2444_25633448" --enable-logging --log-level=0 --mojo-platform-channel-handle=2500 /prefetch:3
4⤵
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,13198525570195185954,11364071401023731380,131072 --lang=en-US --service-sandbox-type=utility --enable-logging --log-level=0 --user-data-dir="C:\Program Files\scoped_dir2444_25633448" --enable-logging --log-level=0 --mojo-platform-channel-handle=2872 /prefetch:8
4⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --field-trial-handle=2168,13198525570195185954,11364071401023731380,131072 --lang=en-US --user-data-dir="C:\Program Files\scoped_dir2444_25633448" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
4⤵
PID:3872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --field-trial-handle=2168,13198525570195185954,11364071401023731380,131072 --lang=en-US --user-data-dir="C:\Program Files\scoped_dir2444_25633448" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
4⤵
PID:60

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Program Files\scoped_dir2512_1428953839" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\scoped_dir2512_1428953839\Crashpad" "--metrics-dir=C:\Program Files\scoped_dir2512_1428953839" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe08ab9758,0x7ffe08ab9768,0x7ffe08ab9778
1⤵
PID:3472

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Program Files\scoped_dir2444_25633448" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\scoped_dir2444_25633448\Crashpad" "--metrics-dir=C:\Program Files\scoped_dir2444_25633448" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe086f46f8,0x7ffe086f4708,0x7ffe086f4718
1⤵
- Drops file in Program Files directory
PID:3056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\scoped_dir2444_25633448\Crashpad\settings.dat
Filesize
152B

MD5
00a5c767cb80ecb8d7fa37d866af534c

SHA1
45e8a8d8502ff8a8b6a81a7b03da4ee546d31b00

SHA256
054431b52074b38e1d1a97a9d0442a2ff7957ec554dcb58508b464f3db386c71

SHA512
03ddf8b0b8f7c99db3cc68e43c4b30ee5453995b104b46d9aeb2359cde4f9370fce5dbd71298005d66108a03852fe0a814118bbeb12ad126d86f932e8dbe30e9

Download Submit
C:\Program Files\scoped_dir2444_25633448\Crashpad\settings.dat
Filesize
152B

MD5
0608fbc5c1d231a83f2d6219efd0f416

SHA1
f45adbe1c6c7f4649588637573d20d69ab78c995

SHA256
fb7a92e028303874252433b270df565f49897ca5b281208704529df4ca9808bd

SHA512
7dd1caab423efc8c3a5c8f235f6d36a189da23539d36ed028743d0f23360c4423be8c5eb8d73d819d5519adb17b941c39a922f8583b62180c78bc67b320f6655

Download Submit
C:\Program Files\scoped_dir2444_25633448\Default\Microsoft Edge.lnk
Filesize
1KB

MD5
f85d316ea94d71ec58d3ef5fa1aa300d

SHA1
4e33d3458d037d1ee5348d6b8216acbb71e93893

SHA256
4b3adaf424176117b8f7ded599a7e5e916b97d319df890e59248d022b4a75eb4

SHA512
dcc02b4fd946242491d0afa3965a04716f00b732c703f888d8a9b0b26e7e4ba0620d606b72e3c876a7ac84096e8035b66bb80dd774279aa6009abbf17c463a4f

Download Submit
C:\Program Files\scoped_dir2444_25633448\Default\Preferences
Filesize
4KB

MD5
70de66f9403401192fad36265d78d97a

SHA1
cd8963bc9dfbc0109bdedb85fa54b7a1920c3a2b

SHA256
666e013ea5af804066a32b355de8bc7e3f1dbcc0761a29b42777cad8705bcf0a

SHA512
c0a913c95f076784302f6b4f8a21236fdc5d1cc27e1fa0e8d3a4187dfeb1a97f456e3a51159c1ce1e8e4d8f186eb3de565a42d6bf0e4a8cfc61ef798fe9a58b7

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Crashpad\settings.dat
Filesize
40B

MD5
e9f069f01ec74354d9494f1d2229ea5c

SHA1
16d8437f93494247985006d50b9dcdd7cf914630

SHA256
6aa18809f15fbe8818388d52e0f5301a8af2cad7cf6fc92add5758cbd6787e1b

SHA512
2b955cbade2ad6f4fc18f4345d6e5d3d009d14b284e87f4516d59e085cef0d18071fe118c68171f172294c792c4586329048d88bdd57dbb04c3c4c8a32f16f6d

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Affiliation Database
Filesize
32KB

MD5
69e3a8ecda716584cbd765e6a3ab429e

SHA1
f0897f3fa98f6e4863b84f007092ab843a645803

SHA256
e0c9f1494a417f356b611ec769b975a4552c4065b0bc2181954fcbb4b3dfa487

SHA512
bb78069c17196da2ce8546046d2c9d9f3796f39b9868b749ecada89445da7a03c9b54a00fcf34a23eb0514c871e026ac368795d2891bbf37e1dc5046c29beaaa

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Cache\Cache_Data\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Cache\Cache_Data\data_1
Filesize
248KB

MD5
57b58b6ba011a0cc06749ba41623906e

SHA1
016a95ac68cf8d3c3c7b5c981e7aaf055f43319a

SHA256
7e5b72ca779ae64991f87cab1a27213f9cf257d456dafe0d0f2191e87e6e11ae

SHA512
b88f951b845048359d9c5c6f1e2a76bcdab14de4f2c77edbe8bba053f3e99d3b87982db5f4c675dcce3ca5de4e93035a5906ab58ff0f697c374a2b2eca1d9b40

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Cache\Cache_Data\data_1
Filesize
236KB

MD5
308e8068116fcf63018ec0505c26ba78

SHA1
c1176ea09aa4f36b642a314bf6a1923cd02fff56

SHA256
3f9b8111337c7c2f72b9757c933ef36cbab3a8df2e2b4ac93fd0417b1ef835cf

SHA512
0b02237c2b0ec354873e1812642a8e80c41b149309c7f0df3e2887905db44877e8ab2e77afd299c5e93a77c11ca5b1165cda2b86a14a15f2ae7fca3fbf12fdf6

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Cache\Cache_Data\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Cache\Cache_Data\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Cache\Cache_Data\index
Filesize
167KB

MD5
8c398c9c0d2ebfb4e88910f4295ab81a

SHA1
f781620b4e1df34e9a42c8e6006c4d3f92dc3708

SHA256
80b89eb9dbaac5dfda2bcc5305460b4ada8682fe6f1ee383cc6a704114d4e5c6

SHA512
85e6e134750df29a88fb7e85752522566b1a71baa7096c14466a834f96e216f625d3bd2a488a24f451c114fe15d13efb409e69edaa13e2262094eb0987da8f37

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Code Cache\wasm\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Code Cache\wasm\index-dir\the-real-index
Filesize
48B

MD5
444c95eab14715cba92ffd00017fdf82

SHA1
f865cb549776e5977011b49d17c93379d7e89c9e

SHA256
4079b998017a44d431fff36e392167ba284d5a21e785b24e7167ebda5dec97f1

SHA512
dbaf1499ad4d5267b66b317d09498c2cb9e187577c1f18c3559df83903bc89da0c0c38fb7d79312c2c9c4b6aacfe9ce77ce52cecf3fb301139aecb955bb5e5d9

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\DawnCache\data_1
Filesize
189KB

MD5
f86c02ca8c92017a478c69661b49c8cd

SHA1
d64bad1b3f65abf95aa1f060921240113e488662

SHA256
2c5fc32630dfbc0d4c3be3203a1982f566d1c7f10fad2e9fbfd12a3a6842ac3b

SHA512
f6ab2e9372ae1b3910530eef1cc23f589054b12109f3269b56d1dee676f979efa8145065089d43ee91a46a8727c0619b7a834d88f2e7777019e3b57414309bdd

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\DawnCache\index
Filesize
256KB

MD5
1aa1fd0a9246880f7914f41a0c0d9455

SHA1
3175e243b555cb600a2fad0999a0693e98275d1b

SHA256
3241ee13505e86127bf3c689d83c458fa88c501c941f12d809c3a37b3735d3cb

SHA512
30613be75135c8be1236fb2b16b2c15dbd37a9233cb45c657edb2b0a707690c2af718ed656107b4c07650c3f30b1d2f1651038eefe8775f16647c9e8ebe3b01a

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Extension Scripts\000003.log
Filesize
38B

MD5
51a2cbb807f5085530dec18e45cb8569

SHA1
7ad88cd3de5844c7fc269c4500228a630016ab5b

SHA256
1c43a1bda1e458863c46dfae7fb43bfb3e27802169f37320399b1dd799a819ac

SHA512
b643a8fa75eda90c89ab98f79d4d022bb81f1f62f50ed4e5440f487f22d1163671ec3ae73c4742c11830214173ff2935c785018318f4a4cad413ae4eeef985df

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Extension Scripts\LOG
Filesize
261B

MD5
5b27226d938fe37237df5386bf8d39df

SHA1
15fe92f2be5ca291359ef0f6c80430b008b7f77e

SHA256
bb67739a9478e0a8598500c155427a5ab1fbecfda8185ea280119168251c2aa8

SHA512
ea0f11662213090fb46c4f2cd7c17ced5b685be72ae748d3fe27eedc697a73d5b5353223ca9b54ed62bb018fcf022c7cea009ef8b64d11789b51e87db484d119

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Extension Scripts\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Extension State\000003.log
Filesize
114B

MD5
891a884b9fa2bff4519f5f56d2a25d62

SHA1
b54a3c12ee78510cb269fb1d863047dd8f571dea

SHA256
e2610960c3757d1757f206c7b84378efa22d86dcf161a98096a5f0e56e1a367e

SHA512
cd50c3ee4dfb9c4ec051b20dd1e148a5015457ee0c1a29fff482e62291b32097b07a069db62951b32f209fd118fd77a46b8e8cc92da3eaae6110735d126a90ee

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Extension State\LOG
Filesize
257B

MD5
f367c50ac672fdd0b8fd65f036953d88

SHA1
c46b7d8f0b9123c2eb027d84df66ad02aafea7d8

SHA256
c605f10048d3709f6c9cd306b4605358a57f6c30c4c1564ca0031b81084ea0fd

SHA512
a9c3e5d7e21ff94610a682e5ddfd1fac81888c198e4404affdea55da38840933faf9d06c3cd348a5586776ebccc3cc718ac9dceac008bc5ce754ed02bcf776aa

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Favicons
Filesize
20KB

MD5
3eea0768ded221c9a6a17752a09c969b

SHA1
d17d8086ed76ec503f06ddd0ac03d915aec5cdc7

SHA256
6923fd51e36b8fe40d6d3dd132941c5a693b02f6ae4d4d22b32b5fedd0e7b512

SHA512
fb5c51adf5a5095a81532e3634f48f5aedb56b7724221f1bf1ccb626cab40f87a3b07a66158179e460f1d0e14eeb48f0283b5df6471dd7a6297af6e8f3efb1f9

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\GPUCache\data_1
Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\GPUCache\index
Filesize
180KB

MD5
a51f55c042db702f21b5cdf021d4bdbc

SHA1
a35202e1f2a1282b20d366269074de289b872391

SHA256
d2a0b5bcf588960b13c71264958559a7046cee3adba000cbce33227337fdb568

SHA512
cdab28d3da562d4c0d6458d4293e2d5b066711898d06e6dca4a230fb1d10a4b86a6a3a4d3199cb44ec0e30232f9b5320ebebac40aea7140d37450c49ab4d4c25

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\History
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\History-journal
Filesize
36KB

MD5
098e2c62cb9ae54df10b527f98f2d4b3

SHA1
efba213f153a0dc145f4f694bc5e8d084ad1a0ec

SHA256
653bb8b1765b1b42d2fbac5226330d2e801156919938b8c2329993b30a4fd0ac

SHA512
ca421b5587d39111eef9257c8e1aa896eab9d7afdfdd4df0672c2122443b5e30e8cafbc7e2e8a2651117c17090e22bf64ff9b1d1bd71088298161a0b0a254509

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Login Data For Account
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Preferences
Filesize
713B

MD5
e048a8596409adadfe3ff10db8e5efbb

SHA1
332d79dfb5c30c125c8b030caaf0b007b1b1af31

SHA256
e19cd56e347efca1cadfc1fd6875ef82b35631e5cb7f9b54aa4bb9ea71ff66b0

SHA512
1758879d426dcd224c06dfc32ba2930f453e52bf8b9a85c3149cab82ba4c19a6637d6a27ce605e8925c17352ba7eb93223fb7d1441cbfec8252569a08cb11f5e

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Site Characteristics Database\000003.log
Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\Site Characteristics Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\shared_proto_db\000003.log
Filesize
19B

MD5
0407b455f23e3655661ba46a574cfca4

SHA1
855cb7cc8eac30458b4207614d046cb09ee3a591

SHA256
ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7

SHA512
3020f7c87dc5201589fa43e03b1591ed8beb64523b37eb3736557f3ab7d654980fb42284115a69d91de44204cefab751b60466c0ef677608467de43d41bfb939

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\shared_proto_db\LOG
Filesize
257B

MD5
a5d25bce4446263bb4862373738ca9cc

SHA1
dcab5d665b95ce7e38d44429a1cd6a0c8858a42a

SHA256
b555fc915e2578882854a15d177d0bbae891cf25684fff0458393010a1071d15

SHA512
7b2675ab06f8086458a60b5d81787847c9ab56ceee4b9b687af7dee9c3cff90056c0d2dc49f9b14854c6523a78a6f09433600da336c4cdad6c7905e88434998a

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\shared_proto_db\metadata\000003.log
Filesize
184B

MD5
99719aea8af279d7105c631520316e5b

SHA1
6423469d1bcfdb6acc8b6de575bdbbc0b21f8762

SHA256
6a3c45244c1fe06a4d5e5c277efafaa2a344e6580700a6abf6c1b29e460e399c

SHA512
4f2285ccd4179f7d8368279bd4cf65357b8a13c79816cafb31742a05ea4e4a5a474458641d50fcaa1b0bcedffc11a858b9ad512b16e8765d98acecb592a7b997

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Default\shared_proto_db\metadata\LOG
Filesize
275B

MD5
b754b45041a096999a230491edc9c833

SHA1
7610c614159596a338f539913a2b247ba1083785

SHA256
68403325d39eb27146dd586ad3017e34244cab7f22bd394ae8878f84f502c2e4

SHA512
3a3de4eb17ab231ec41e71a7f98b412be211199b6a2edef53076e2154137d945e6bbb2d1af7a9b7ca03ddf4dbaa43442499a789ea37d376fcc5a7fd349e41d38

Download Submit
C:\Program Files\scoped_dir2512_1428953839\DevToolsActivePort
Filesize
60B

MD5
f3a5b070f7e98493aae4552232d40e6e

SHA1
89d256497537ac7a9d36c1d42cee8e71bc553fab

SHA256
983cf4b8210c7ddf8aaa95039fdbb94a3bd4fd19593f2bc07e06ca303543e20d

SHA512
2db023750416ca52a2af36005e0423ef43e997556b81718cc7cfdb461c659ff661a5e277e485a73a83a50b6d8563cee489ca09c5cd65b187fcc2eba4c399bbf6

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Local State
Filesize
78B

MD5
8b61e917846ffa930e0cb308c1f1a026

SHA1
3d9e507a7a41e36a1c25659ad72a448368134fad

SHA256
bfe95ecd1ff945712f2697925858b4a50834f6b96d90ab230b448317fc602aeb

SHA512
244ceef0649f72c7371c96667cc829bfbf6c853d173d89a3f206b3384ca95f48f5d5a4defec7897d84a876336942308a9d3357db3ff56cb80c6d9aa1ce5b5fe9

Download Submit
C:\Program Files\scoped_dir2512_1428953839\Local State
Filesize
902B

MD5
ca2d940cdcc4a7d8b50c72fc96795563

SHA1
ae009c882cabb95f5cb6eab25896a049db38b769

SHA256
fe2f5dd3dbd531b9327c81ae6fbba11d044261bcf67a2b6f2f1356091fd50a7c

SHA512
a851100189ab5708d189454a52ad61ac87b040646ce3310b1fddad459aebf4bc67e3092640ac53e8ab02c990af5829920f88cff218a04cf35df933277de0bd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\89146bac87434f5a907fe5c7b83c5996
Filesize
114KB

MD5
31e2156efc6142cd6ed9e20a55a5ba8b

SHA1
fe1f8362527e57c28e3c47173f8bf4d6b6da7bf2

SHA256
da8ddd1009dd2f81ced187150c408904d760dc998e3f77f6e3ca3810e8ded2b2

SHA512
1bfb0cacc9fbef726e6c034f268f4a4b467ba972301287c3d4565a1d77fd3d8d7e0675c59ff4878b2a7b978a281ae8da3b6818092a9e71358fa4e73007414568

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\14AB1F611E6F230882BCE5B215C3F3AB\32\sqlite.interop.dll
Filesize
1.4MB

MD5
6f2fdecc48e7d72ca1eb7f17a97e59ad

SHA1
fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056

SHA256
70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809

SHA512
fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chromedriver-win64\chromedriver.exe
Filesize
1.1MB

MD5
7b31c2c379238271e76a7185b67af381

SHA1
705df46c8ed0e88e4647884754fc060518b791c2

SHA256
b73ba63da13387faf8de37587f33a0fa9134790377902fa23ab370ba11382912

SHA512
690159bcf2ae6ac38bf6eb87df77a7523ba5c3af813f2b9b9acb8369ffe60df721455d2f8e49e17655bac24160aab71162c25f2873cd669150b56749f86e1522

Download Submit
C:\Users\Admin\AppData\Local\Temp\consoleemily0931.vbs
Filesize
171B

MD5
a34267102c21aff46aecc85598924544

SHA1
77268af47c6a4b9c6be7f7487b2c9b233d49d435

SHA256
eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44

SHA512
5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddpxcloq.exe
Filesize
124KB

MD5
e898826598a138f86f2aa80c0830707a

SHA1
1e912a5671f7786cc077f83146a0484e5a78729c

SHA256
df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a

SHA512
6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aCL803UZ45\LOG
Filesize
329B

MD5
5472fb7aab0e7c15e63ab5863cd6f769

SHA1
582ed75af46cfdd60c549ab10c09dbeabea199d8

SHA256
b529b2db33938a147458887e65faa9b00c44856567c3d0f7dad217537b1a0c45

SHA512
651627ab9e9fe0fa635305548e0682917f7e129073cc6f45726568406de780e4cff1411e4d213b0206808878614e8b57fd1bc6d3edd954f19c7ef03aae342ce8

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aCL803UZ45\LOG.old
Filesize
291B

MD5
be3a37bf1e19e266fd10afd12b740966

SHA1
27b2633ab40413f34578cb0777c61b41257b97a3

SHA256
ac4d570fac95fa94b403dd5a6c99f5608b6821dfb1f398cc611a225a974503d6

SHA512
8250413ddbbfd5ecda13c379f24c9148fb0393ff8bf6c3fcb9aa1d93364dd40d497c8f117c99bb6115d624ba9e069fddfdcc2c14ee2bb261b97a59ef3e5b889c

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aPYJ989XDC\LOG
Filesize
334B

MD5
b5d141003a5162bcc6f659a2ef843f52

SHA1
06514fde42bf7a8a3eea26efacb5d97f005883ce

SHA256
411c3d3e97437f79731bc55ad3eabcecb8bfc252c835dbf694edd40844b40dd3

SHA512
949a0e8f65e77500fe10956c859829124057c4ec7382ffaede2d712ed61f16219f8db82be72ebcad4708f5fd72aa675ef4213fc83f1cc513b3c73fd11d6db9fb

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aPYJ989XDC\LOG.old
Filesize
293B

MD5
3e84cb9de882912c6fe517571cac9386

SHA1
e6d9542b72c4a46ec09bd891fc8e7c791866ab9c

SHA256
e20515729da525d13f1db33166f06615ac83677d002bc1c954570812cd6a20f8

SHA512
7fea39de492bf22d20f5c7305bc809a0f9a7b8ef4af027be44a3c6a376f34eec42c78d1df744c63ffc180e4ddf37f18aa74a889ce7a037577dfa18f9133f3b89

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aTTJB5VYDN\92qyi9k9.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Filesize
48KB

MD5
31c3c068d5ab2ea81a0ad4feb0a033ea

SHA1
0da67772866dfd9e65e6d384c58455f8e37b8e51

SHA256
d075218a0eda76681143abc59aa74bec3788df5fc5385007565b2d7c9b1353fd

SHA512
4f3c5d0293aa387f1a225dda4063f84afce5b913e40a671c8d87332573248ecb6889ec2367f31ca91ecc4680800f3d4521f3c0d7ed3396d9d1fd2ee9ab8735a3

Download Submit
\??\c:\users\admin\appdata\local\temp\chromedriver-win64\chromedriver.exe
Filesize
355KB

MD5
6616612ee7f9ede60f2e4ecaab208c11

SHA1
b69ea813b800464b545f0a0eefaee16a2a577a6c

SHA256
e23e4dc3a0199341a8d8d149810ef9260f7f8c00ef7dc12199e328261400bdcf

SHA512
7e7d234165f4257f2f6e668afad291c24f7a22f1b2b9879fa054ba5417256387168b0e113361b5dbeee6d3660145d4b2a3932e806b8b811d168f031738ad1724

Download Submit
\??\pipe\crashpad_508_MVUDITTWJLGZQEZY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2072-76-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2072-506-0x000000000AE50000-0x000000000AEBA000-memory.dmp

Filesize
424KB

Download
memory/2072-6-0x0000000005C50000-0x00000000061F4000-memory.dmp

Filesize
5.6MB

Download
memory/2072-86-0x00000000083A0000-0x00000000086F4000-memory.dmp

Filesize
3.3MB

Download
memory/2072-511-0x000000000AF30000-0x000000000AF6C000-memory.dmp

Filesize
240KB

Download
memory/2072-528-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/2072-10-0x000000000E7E0000-0x000000000F88C000-memory.dmp

Filesize
16.7MB

Download
memory/2072-85-0x0000000007DE0000-0x0000000007E02000-memory.dmp

Filesize
136KB

Download
memory/2072-82-0x00000000073C0000-0x0000000007C98000-memory.dmp

Filesize
8.8MB

Download
memory/2072-75-0x00000000070B0000-0x00000000070BA000-memory.dmp

Filesize
40KB

Download
memory/2072-73-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/2072-72-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2072-526-0x000000000C710000-0x000000000C71A000-memory.dmp

Filesize
40KB

Download
memory/2072-512-0x000000000AEF0000-0x000000000AF11000-memory.dmp

Filesize
132KB

Download
memory/2072-507-0x000000000ADB0000-0x000000000ADFC000-memory.dmp

Filesize
304KB

Download
memory/2072-372-0x000000000ABC0000-0x000000000ABCA000-memory.dmp

Filesize
40KB

Download
memory/2072-505-0x000000000AE00000-0x000000000AE50000-memory.dmp

Filesize
320KB

Download
memory/2072-504-0x000000000ACC0000-0x000000000ACDE000-memory.dmp

Filesize
120KB

Download
memory/2072-503-0x000000000AD20000-0x000000000AD96000-memory.dmp

Filesize
472KB

Download
memory/2072-502-0x000000000ABF0000-0x000000000ACA2000-memory.dmp

Filesize
712KB

Download
memory/2072-0-0x0000000000230000-0x0000000000248000-memory.dmp

Filesize
96KB

Download
memory/2072-36-0x0000000006F40000-0x0000000006F52000-memory.dmp

Filesize
72KB

Download
memory/2072-374-0x000000000ABE0000-0x000000000ABE8000-memory.dmp

Filesize
32KB

Download
memory/2072-373-0x0000000008F70000-0x0000000008F7C000-memory.dmp

Filesize
48KB

Download
memory/2072-4-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/2072-371-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/2072-5-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/2072-3-0x00000000015E0000-0x00000000015EA000-memory.dmp

Filesize
40KB

Download
memory/2072-1-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2072-2-0x0000000005500000-0x000000000551A000-memory.dmp

Filesize
104KB

Download
memory/2072-368-0x0000000001410000-0x0000000001476000-memory.dmp

Filesize
408KB

Download
memory/2072-370-0x0000000001500000-0x000000000150A000-memory.dmp

Filesize
40KB

Download
memory/3440-30-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/3440-25-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/3440-26-0x0000000003EA0000-0x0000000003EA1000-memory.dmp

Filesize
4KB

Download
memory/3440-27-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/3440-235-0x0000000003EA0000-0x0000000003EA1000-memory.dmp

Filesize
4KB

Download
memory/3440-29-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/4840-53-0x000002C5CA7B0000-0x000002C5CA7B8000-memory.dmp

Filesize
32KB

Download
memory/4840-68-0x000002C5CD850000-0x000002C5CD851000-memory.dmp

Filesize
4KB

Download
memory/4840-55-0x000002C5CD850000-0x000002C5CD851000-memory.dmp

Filesize
4KB

Download
memory/4840-48-0x000002C5CA7B0000-0x000002C5CA7B8000-memory.dmp

Filesize
32KB

Download
memory/4840-52-0x000002C5CD850000-0x000002C5CD851000-memory.dmp

Filesize
4KB

Download
memory/4840-65-0x000002C5CD850000-0x000002C5CD851000-memory.dmp

Filesize
4KB

Download
memory/4840-67-0x000002C5CD850000-0x000002C5CD851000-memory.dmp

Filesize
4KB

Download
memory/4840-57-0x000002C5CD850000-0x000002C5CD851000-memory.dmp

Filesize
4KB

Download
memory/4840-69-0x000002C5CD850000-0x000002C5CD851000-memory.dmp

Filesize
4KB

Download
memory/4840-51-0x00007FFE24010000-0x00007FFE247A0000-memory.dmp

Filesize
7.6MB

Download
memory/4840-70-0x000002C5CD850000-0x000002C5CD851000-memory.dmp

Filesize
4KB

Download
memory/4840-50-0x00007FF7348E0000-0x00007FF734A10000-memory.dmp

Filesize
1.2MB

Download
memory/4840-71-0x000002C5CD850000-0x000002C5CD851000-memory.dmp

Filesize
4KB

Download
memory/4840-64-0x000002C5CD850000-0x000002C5CD851000-memory.dmp

Filesize
4KB

Download