mystic | 270f93d55dc5666aae0c62c0ed23b6ce1f747ef57863d0adf577e20b2b180b48

Analysis

max time kernel
151s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04140a07f858242aea2e5060fd52668d03619185d20f6c8b2c6debfe4a5f7b6f.exe
Size

931KB
MD5

d534bccd65f4d7cb7e7a00809fec8732
SHA1

bd88bd428b8f9f5fb6ecb7e76b8323b94faa745d
SHA256

04140a07f858242aea2e5060fd52668d03619185d20f6c8b2c6debfe4a5f7b6f
SHA512

317581f76534d28b40095f49beb6a8fa42734da6cf939ecfd4363f24d94da782a08bcd64869adae11dec46003a5c3b46e23dc1c1c6708e621f250f13aa7c7e52
SSDEEP

24576:ryvJJkCTQHmXNqP2T1YrBicnyBaG6+IyM1fAIv7Eo:eYmdqP2irBicX+IL1ftv

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1564-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/1564-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/1564-37-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/1564-39-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3676-55-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	5fa9qh2.exe

Executes dropped EXE 8 IoCs

pid	Process
3516	jk1is72.exe
2160	Lb6PE59.exe
5112	ez6Jm58.exe
2816	1RY34cI5.exe
2264	2ZJ1417.exe
3600	3kR33Sp.exe
3948	4gV764uL.exe
3944	5fa9qh2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ez6Jm58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	04140a07f858242aea2e5060fd52668d03619185d20f6c8b2c6debfe4a5f7b6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jk1is72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Lb6PE59.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2816 set thread context of 400	2816	1RY34cI5.exe	92
PID 2264 set thread context of 1564	2264	2ZJ1417.exe	102
PID 3600 set thread context of 4380	3600	3kR33Sp.exe	107
PID 3948 set thread context of 3676	3948	4gV764uL.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1536	1564	WerFault.exe	102

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
400	AppLaunch.exe
400	AppLaunch.exe
4380	AppLaunch.exe
4380	AppLaunch.exe
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4380	AppLaunch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	AppLaunch.exe
Token: SeShutdownPrivilege	3364	Process not Found
Token: SeCreatePagefilePrivilege	3364	Process not Found
Token: SeShutdownPrivilege	3364	Process not Found
Token: SeCreatePagefilePrivilege	3364	Process not Found
Token: SeShutdownPrivilege	3364	Process not Found
Token: SeCreatePagefilePrivilege	3364	Process not Found
Token: SeShutdownPrivilege	3364	Process not Found
Token: SeCreatePagefilePrivilege	3364	Process not Found
Token: SeShutdownPrivilege	3364	Process not Found
Token: SeCreatePagefilePrivilege	3364	Process not Found
Token: SeShutdownPrivilege	3364	Process not Found
Token: SeCreatePagefilePrivilege	3364	Process not Found
Token: SeShutdownPrivilege	3364	Process not Found
Token: SeCreatePagefilePrivilege	3364	Process not Found
Token: SeShutdownPrivilege	3364	Process not Found
Token: SeCreatePagefilePrivilege	3364	Process not Found

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3364	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 3516	908	04140a07f858242aea2e5060fd52668d03619185d20f6c8b2c6debfe4a5f7b6f.exe	86
PID 908 wrote to memory of 3516	908	04140a07f858242aea2e5060fd52668d03619185d20f6c8b2c6debfe4a5f7b6f.exe	86
PID 908 wrote to memory of 3516	908	04140a07f858242aea2e5060fd52668d03619185d20f6c8b2c6debfe4a5f7b6f.exe	86
PID 3516 wrote to memory of 2160	3516	jk1is72.exe	88
PID 3516 wrote to memory of 2160	3516	jk1is72.exe	88
PID 3516 wrote to memory of 2160	3516	jk1is72.exe	88
PID 2160 wrote to memory of 5112	2160	Lb6PE59.exe	89
PID 2160 wrote to memory of 5112	2160	Lb6PE59.exe	89
PID 2160 wrote to memory of 5112	2160	Lb6PE59.exe	89
PID 5112 wrote to memory of 2816	5112	ez6Jm58.exe	90
PID 5112 wrote to memory of 2816	5112	ez6Jm58.exe	90
PID 5112 wrote to memory of 2816	5112	ez6Jm58.exe	90
PID 2816 wrote to memory of 400	2816	1RY34cI5.exe	92
PID 2816 wrote to memory of 400	2816	1RY34cI5.exe	92
PID 2816 wrote to memory of 400	2816	1RY34cI5.exe	92
PID 2816 wrote to memory of 400	2816	1RY34cI5.exe	92
PID 2816 wrote to memory of 400	2816	1RY34cI5.exe	92
PID 2816 wrote to memory of 400	2816	1RY34cI5.exe	92
PID 2816 wrote to memory of 400	2816	1RY34cI5.exe	92
PID 2816 wrote to memory of 400	2816	1RY34cI5.exe	92
PID 5112 wrote to memory of 2264	5112	ez6Jm58.exe	93
PID 5112 wrote to memory of 2264	5112	ez6Jm58.exe	93
PID 5112 wrote to memory of 2264	5112	ez6Jm58.exe	93
PID 2264 wrote to memory of 3620	2264	2ZJ1417.exe	101
PID 2264 wrote to memory of 3620	2264	2ZJ1417.exe	101
PID 2264 wrote to memory of 3620	2264	2ZJ1417.exe	101
PID 2264 wrote to memory of 1564	2264	2ZJ1417.exe	102
PID 2264 wrote to memory of 1564	2264	2ZJ1417.exe	102
PID 2264 wrote to memory of 1564	2264	2ZJ1417.exe	102
PID 2264 wrote to memory of 1564	2264	2ZJ1417.exe	102
PID 2264 wrote to memory of 1564	2264	2ZJ1417.exe	102
PID 2264 wrote to memory of 1564	2264	2ZJ1417.exe	102
PID 2264 wrote to memory of 1564	2264	2ZJ1417.exe	102
PID 2264 wrote to memory of 1564	2264	2ZJ1417.exe	102
PID 2264 wrote to memory of 1564	2264	2ZJ1417.exe	102
PID 2264 wrote to memory of 1564	2264	2ZJ1417.exe	102
PID 2160 wrote to memory of 3600	2160	Lb6PE59.exe	103
PID 2160 wrote to memory of 3600	2160	Lb6PE59.exe	103
PID 2160 wrote to memory of 3600	2160	Lb6PE59.exe	103
PID 3600 wrote to memory of 4380	3600	3kR33Sp.exe	107
PID 3600 wrote to memory of 4380	3600	3kR33Sp.exe	107
PID 3600 wrote to memory of 4380	3600	3kR33Sp.exe	107
PID 3600 wrote to memory of 4380	3600	3kR33Sp.exe	107
PID 3600 wrote to memory of 4380	3600	3kR33Sp.exe	107
PID 3600 wrote to memory of 4380	3600	3kR33Sp.exe	107
PID 3516 wrote to memory of 3948	3516	jk1is72.exe	108
PID 3516 wrote to memory of 3948	3516	jk1is72.exe	108
PID 3516 wrote to memory of 3948	3516	jk1is72.exe	108
PID 3948 wrote to memory of 1236	3948	4gV764uL.exe	111
PID 3948 wrote to memory of 1236	3948	4gV764uL.exe	111
PID 3948 wrote to memory of 1236	3948	4gV764uL.exe	111
PID 3948 wrote to memory of 3676	3948	4gV764uL.exe	112
PID 3948 wrote to memory of 3676	3948	4gV764uL.exe	112
PID 3948 wrote to memory of 3676	3948	4gV764uL.exe	112
PID 3948 wrote to memory of 3676	3948	4gV764uL.exe	112
PID 3948 wrote to memory of 3676	3948	4gV764uL.exe	112
PID 3948 wrote to memory of 3676	3948	4gV764uL.exe	112
PID 3948 wrote to memory of 3676	3948	4gV764uL.exe	112
PID 3948 wrote to memory of 3676	3948	4gV764uL.exe	112
PID 908 wrote to memory of 3944	908	04140a07f858242aea2e5060fd52668d03619185d20f6c8b2c6debfe4a5f7b6f.exe	113
PID 908 wrote to memory of 3944	908	04140a07f858242aea2e5060fd52668d03619185d20f6c8b2c6debfe4a5f7b6f.exe	113
PID 908 wrote to memory of 3944	908	04140a07f858242aea2e5060fd52668d03619185d20f6c8b2c6debfe4a5f7b6f.exe	113
PID 3944 wrote to memory of 3680	3944	5fa9qh2.exe	114
PID 3944 wrote to memory of 3680	3944	5fa9qh2.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\04140a07f858242aea2e5060fd52668d03619185d20f6c8b2c6debfe4a5f7b6f.exe
"C:\Users\Admin\AppData\Local\Temp\04140a07f858242aea2e5060fd52668d03619185d20f6c8b2c6debfe4a5f7b6f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:908
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk1is72.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk1is72.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lb6PE59.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lb6PE59.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ez6Jm58.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ez6Jm58.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RY34cI5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RY34cI5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ZJ1417.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ZJ1417.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2264
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3620
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 208
        7⤵
        Program crash
        
        PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3kR33Sp.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3kR33Sp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4380
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4gV764uL.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4gV764uL.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1236
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3676
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fa9qh2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fa9qh2.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2621.tmp\2622.tmp\2623.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fa9qh2.exe"
    3⤵
    PID:3680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:4996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffade9046f8,0x7ffade904708,0x7ffade904718
        5⤵
        
        PID:2288
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1655889843380283762,1686622951237920583,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        5⤵
        
        PID:3652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,1655889843380283762,1686622951237920583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        5⤵
        
        PID:4380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffade9046f8,0x7ffade904708,0x7ffade904718
        5⤵
        
        PID:552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        5⤵
        
        PID:2348
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        5⤵
        
        PID:2620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
        5⤵
        
        PID:1896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        5⤵
        
        PID:740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        5⤵
        
        PID:3120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
        5⤵
        
        PID:4704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
        5⤵
        
        PID:1036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
        5⤵
        
        PID:5584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
        5⤵
        
        PID:6116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
        5⤵
        
        PID:6124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
        5⤵
        
        PID:4272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
        5⤵
        
        PID:4256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
        5⤵
        
        PID:4844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
        5⤵
        
        PID:4528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,5788328399270332043,15070460938269561330,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5244 /prefetch:8
        5⤵
        
        PID:3620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:5088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7ffade9046f8,0x7ffade904708,0x7ffade904718
        5⤵
        
        PID:3980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,17259376393962661729,16478908885593870497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
        5⤵
        
        PID:2512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,17259376393962661729,16478908885593870497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        5⤵
        
        PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1564 -ip 1564
1⤵
PID:3008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fe4fe65341e9f7f42e5f25b232eedcfc

SHA1
8be2464aa52187cdb913ba0f62789ec5af922b09

SHA256
1bd924c87d18773689d4e0d07f2fce6f8f904598e70fe4894bd6ea4afa83abee

SHA512
d40a75f6ad30edc1aa2ba15157c076a2683120f3f908162fe3446fbeb64c7ea088c9c6cc38db56c425afa7d545b4b10c750ca8b83da1ffcc189beb2bbb762a2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b3047d636e415012901a29a8ac9aeb28

SHA1
47ce1cbfc0c94223e9fc24b99ec551162a2d20e0

SHA256
befe143e97268e30d6ba7943f111f9608842040c96ea3019ba04c050eee23943

SHA512
b5576975f95424ee20065b1cb67459b6fbb16350794f6a6c330fa4a9418065853097dd2b0652079d3d957e857d3b80f922c3b7fd31d5c654d51f965f515a0398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b684da03f438c8e70945a2fbf1429646

SHA1
a2cdcf7aa3404a11153e4815cca188a45e5ba468

SHA256
4cf1323ca9ddd1163ef56238e3f12cd23ace8d162eecc559b72cdf65a68a8243

SHA512
2adf1d1d061d101bf5aad8888effd325379cbdf1d0a8ab9bdaa090398088a65b4004b9a58eeeb3113487b11c079c6ecbac16f95fc7e3c2f8ca2aa352f243c8cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a9863f21540086400dfe1d0f4969677b

SHA1
bfb76d78c11834b431ffdd57dce60749ab6bac39

SHA256
3a0222b574fe4a059c5638f6f0c1f1a9f1c131f95dacdd605b0aa5252b845e62

SHA512
542b16780e3f9c5c1539b163c8536b8b270363f55596cac11eb5ec695826f6b8ac4cdb03591f589640e6e2498688d74e4eefadd8b3a31070ddf6579e267c6892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
24bd854eb51c79a0b66ff9b010933af5

SHA1
e80316b636524277f3347b0b92f31cfeb26a9637

SHA256
127677c62c4b231684f4994b86d0c93793e4e901cd09ca045bfe7e0d7887ae62

SHA512
5590e85e1d59d16a8f46a6be143e173d249badfddf18f13b3e9a09271750bc5d36a85ea875cd57bd23b40c5cb5bf1a22e65fe0fb036b1d916f80198d5da87d04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dc9baf60230f4774dd308d2086caa4da

SHA1
53ff9a6a15230ce82b045088284c0cfaa7c6697d

SHA256
0220866d91516a71c50280b46e61a7f7c7038d6601c7dd5caf5f3a4b2b153be4

SHA512
5736456beab9eb1d4930ab4eaf17dee0f66483fee57d1ecef545b2d7075ab5ac1ad4ca1cac77ca55592f5c5f985fec139865ce4a1f72c0d50131a3f8b07b6150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
1f0e39f0662fa7f8820d3abd83d37258

SHA1
ed673e9f52253af36fa4b68b7198e52a2c96b611

SHA256
710a503ae329555ceb354c485514350c3c3af7a8e4b37a51fccdef5bcd3741a6

SHA512
fcbce74313d56a262fb86f75c99b96922c34a8389f39a765fccaab5ef024a71e2367ae413e243a8079a97eee01cc319f2d10de9dfbccfa7de80ae5bb58955a6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
d19e675a9dc57e9189510f065c788b52

SHA1
21de3d2ce26b27080ed2093c524d3c413cc1a299

SHA256
6177fa96aaa28f6a1e6088de1cc1f3eeadeccaf7cb5f22c65b8bbf254a88666b

SHA512
a7733624ee1fae90769158a143d7cc1f8363a3db3601ae6062777efde4245f21a43d3eba626f09e3809efba5f9b10869dcee9d5a037a7f5e94a3f7ad3ac0e991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58c5db.TMP

Filesize
89B

MD5
6ee83daa4e60087087e888570342f848

SHA1
40c3b139ead9073e7310af88e65439093444d9db

SHA256
22081851241a521eaae16d1b6108a205dd2b9ca1b8d29a5482c0299a6bce1e2f

SHA512
b9c9be0966b18eb8dfba50dd2846938c6134ab986304ff73b26f283d9378e5bef36755683b70b4eb6079ca3a0a18e549b81399468b66750672fd9be748222e8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f4523ba5a565c8040e859c5dd6b6b2f0

SHA1
7eb311600abb0cdd9e33425604c00e405c9aa3f6

SHA256
905ab3d3cab0b423785013cd5c5c2acbcb3dfb3469aabaaedb30b9438264f5f4

SHA512
a4d88bd7c7f496cd9cb3606181453b40835cb4cca36e2d807addc4bdedbb35830aea3dbcfc42244d9310793fcfdbc47b81f2e3b44bd3aea2e9a8be732fb84122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe592011.TMP

Filesize
48B

MD5
ea51da28489e00824b1cf7263c386367

SHA1
86f9fa2ddc4a9465c78e0a84d59b179db7350e01

SHA256
c2ff5b2d5ff50196e75bb55fde4aacc1c63a343055d0007f3a6e8d32cef06195

SHA512
7a30d18778508127c2d670f8d03d056957f321b8bb8f819ab929c8ff0d0acff117bfc906e54f9b9a8f496068a2bc2c3d33da4a3a57a3428d7df5d7b974441592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
806bbff8ac370bc8b0ea12dd752bbbfb

SHA1
df13a32d3269c2b4901018f5f2e0c54924e609fb

SHA256
3383a83dd6cac50c91b0d5fe1c3811f16bd9788167c04f3b04211cf793ebe1c7

SHA512
ae387c1f46c4bd89ceb57600104e105d97ad7b463ea9fd1f058ae62ee67734ecba6daa39182dd69053ce0b12d085faf29c00d5c4b1610c83da6e4b1b4d3177c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d3f4e3fd874c7ba862098e79049a2904

SHA1
7869f97397bfe927f1025f5343fb4889b024e70a

SHA256
9a1c2e6b65946cc50da81c33548fa1dcc359598307f80fd02183c532d4a1e576

SHA512
7f6df12ee9f1df6268bbc7c77020557c19a95f5a73fb87208563053ef75b7bf60eec25068dc5ec2fc99a8f5fa098af965e4ee187b268e62a49e7e5fde713d182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fcc3bb7dcc38a9f94ad6808a0dc9866d

SHA1
4a578df87538fa75494efe65ccb242adae804714

SHA256
f70ffe47ff14cd474a2dbb079db97532bf46702fc67272941baf1a429e3f87c9

SHA512
b3499d92a6f2bb5b29300659190db5b8a06550c2acf155168c63c9bdd5c28b6229642bf1ea06b0edaeb4b006bf64618a398351e514721039614ea91d1fbad4c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6dc1dee5a36f2ef7dc9943584ac9e137

SHA1
db31aaa7830e38cf55ed817566c4cea7bd4af134

SHA256
68daf885b0bee4c1084da0b5a3ca96bd75d198f624378d34b57325ffb131d22d

SHA512
9beec938f8534709b0697f7d529cdea5ad0189dda1256297587529b7948170aac029ff8c43a0f2e0bb1a06d803deac642d7707cd7222deb184e1508ee03dec05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58eb84.TMP

Filesize
874B

MD5
bbd145b5a90ed0787eb257a6b194b6c5

SHA1
365ff898b7a9b4fdee8cd77ce165c8544118439a

SHA256
190d7fa4bdaf8eafb82de138f08db8abe537ed44fa1c19e297d2f447d1bd9410

SHA512
671fe258f1c4ba4bf9859b8db9d81e5a6443e4e91bf2a3bc8dcb18c15bfece96d34eb97f38214c4ae4471c93e869a684526dd86e03f43f1e870d9f630485f727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
137d6a1e67d8c468a07d51e644890ff6

SHA1
ce699492c86d88991d5358e6ab627a16f7ca615d

SHA256
10fa58247f0498f2505f30529d0577a2b6d346253da2058beb92eb070916dab2

SHA512
0b8c8181dc9e3e6c13aec93368425a8536b9f5edf6871fc4a88d01e73f099130e5db47165be6714066c0b31de2d4aad102e6c99005637760339c7ac22b889a64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c28ff850b97d3bd542a9be55ad3e9442

SHA1
2000459ceca101b3370b1ba1959ea66be2546466

SHA256
287ec0e5cdc57a85407e3367c83e4d3af28b32d14aa6b2d3eee365d0372b6f17

SHA512
217d83d7b2a6fae26a04108d53ce02f1585b57670a1e3cbb6b817f522c66b3ac6a3239b42a3cc0b20b4e689edcdf124bb044f47d5ca3fa9f59f3898f67fbe5fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
68d7b334ce944017a7c1e243adce7fd2

SHA1
e74744263883e140fb56714e80374a03d6d7a0f0

SHA256
d277462093ba05177bce8f4e4f01476d421bed112953178007f1eca1c332c130

SHA512
6281907b194ce9e73263be8afef329ab8bbb4b9bcb73bfd2ff54b6555b960c9b44a82873ad54b2771205950e42714800ed420b79117343f33e0f52dec9ec5d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2621.tmp\2622.tmp\2623.bat

Filesize
124B

MD5
dec89e5682445d71376896eac0d62d8b

SHA1
c5ae3197d3c2faf3dea137719c804ab215022ea6

SHA256
c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668

SHA512
b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fa9qh2.exe

Filesize
88KB

MD5
9ffd7f1e94dbf2c9668d10e98f013e5a

SHA1
2f3b6da51a39cda2232340ae74a23ae9930693ab

SHA256
c471b27ea27a33fdfce952ace6f87bf7fef061815ab542d6c23cc85c20579157

SHA512
2a26833d408837975cf45bc4c57229a3a3f34941c6daa7fd7e0f156c45b2bf82e26679a1988e4f90135c825d4b9fc2612e970dc329fa1452a7087526720ec101

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jk1is72.exe

Filesize
793KB

MD5
faa3c0366d9b0807823a4a8fd6852d0b

SHA1
9b3c006fd9cc3683db21683021cf6a02a0699d27

SHA256
31900606c83415ec9d77e89eeaa9ddea7a41b044fc6ee6f7ea6924016c52c437

SHA512
423c2153f5a9e2b7ab0f69e494449e77ad3da381bbf93758dc1879db299d1d0d4d85588eb647f8a77a1a6a12f72ecec97d9d3e20b18cb89966ebfe07fde1a650

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4gV764uL.exe

Filesize
353KB

MD5
35edff71b2b5021ae4064264d01f25a4

SHA1
33d4a4b67f3dde45c3327d877b242bb6c767041a

SHA256
1ef24be692d22d09c4e52b2c806d475454879f40adc851d1e919f7be8a3ccb72

SHA512
5236109251ed9bdf368375b38b16be4054e863d9f6f6fd56b7981db742ed17e02bf619c9232cc0c991f985de957916ad6de32a0228b5e11fcf9361eb0159a71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lb6PE59.exe

Filesize
547KB

MD5
444a145fd1b89c0094b0e2e46450f9f8

SHA1
8b77a0812ecd505fe9776db0e8c9df3fd3b7df7a

SHA256
89d482b0fb5c3cb6a614b54e46627ab83c1ce41c290c29dfc35e64727ae13484

SHA512
f6dae43f6907457ad18e83f0baed460be12544a565001f37c464577b22b4b7baf57dd88b2e27d3f95b0f3680bf8b3c406346947f13e0eba3646dd8599f5bab8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3kR33Sp.exe

Filesize
162KB

MD5
c878572ef44e3a783dc80695946df744

SHA1
24b1d793562d110df7a641344c7fc4e30899ce0b

SHA256
0f9d879ae42b745fa7e43dbb4bc10ded0c69697ccae4fe83b0454ff4276c67e3

SHA512
901db72ccd8ad7d5b807d36f3bc25372e2a3d8ceca4275cd59a6c61cddb791894dccedb9a42a0e18fee131decd4920442410d6b8777cec06058d48c8d1cd6070

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ez6Jm58.exe

Filesize
353KB

MD5
91d05918c39560937c6bf0bdf4c36fbb

SHA1
f9c15693bb7ab95f1852433f8e0e66bc971f2982

SHA256
27d3bb794f18d9f46dbf9ce66fef5f709c28a6a9ed2e50e926b56afeefd0cd03

SHA512
66097791ce661376f2c81be5f00b46c4519a4a6f54c71d2220938142f0757108cca2cdf9a13b84a7dc90bbc55a8cb299e2f2712c5c5056ed363d8edfe34330d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RY34cI5.exe

Filesize
154KB

MD5
098478afedb77e3ad162dcb60ba1079e

SHA1
aae5fd48aaf7d271c23130197dcfdd8791307d6f

SHA256
9ec13c3b726ec3ca9cf66364b6db9f252c3eaaf124b53d032564aec8e9ee8541

SHA512
145ab134ea391792a91c746b865ac48f2cafc8cec71664b6ca7b8cfc28fe508a953a095bb26f6a69d2066b8489ce02c7b0e82eae6ae5adc0e6b03435de86b14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ZJ1417.exe

Filesize
312KB

MD5
8aecab35e6dc29179150b76203ebfdc8

SHA1
4a834ca856af99863001e349556c73dc95bbc4dd

SHA256
b7c2a49c3abf99089b9012f68371a84068bff32d123d28a126f8f75a4a987b5c

SHA512
78a6d0f28e98a5249b943a0862ad9a3eb608d36f0deb0e054200127d98c385849b4ce46ce06990c2a899b807d811bce06af376b93bc1c7df54f22a1b822005a0

Download Submit
memory/400-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/400-32-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/400-34-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/1564-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1564-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1564-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1564-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3364-48-0x0000000002A40000-0x0000000002A56000-memory.dmp

Filesize
88KB

Download
memory/3676-68-0x0000000007C60000-0x0000000007D6A000-memory.dmp

Filesize
1.0MB

Download
memory/3676-227-0x0000000007A50000-0x0000000007A60000-memory.dmp

Filesize
64KB

Download
memory/3676-222-0x0000000073B90000-0x0000000074340000-memory.dmp

Filesize
7.7MB

Download
memory/3676-75-0x0000000007BD0000-0x0000000007C1C000-memory.dmp

Filesize
304KB

Download
memory/3676-70-0x0000000007B90000-0x0000000007BCC000-memory.dmp

Filesize
240KB

Download
memory/3676-69-0x0000000007A10000-0x0000000007A22000-memory.dmp

Filesize
72KB

Download
memory/3676-67-0x00000000089C0000-0x0000000008FD8000-memory.dmp

Filesize
6.1MB

Download
memory/3676-65-0x0000000007890000-0x000000000789A000-memory.dmp

Filesize
40KB

Download
memory/3676-64-0x0000000007A50000-0x0000000007A60000-memory.dmp

Filesize
64KB

Download
memory/3676-63-0x00000000078E0000-0x0000000007972000-memory.dmp

Filesize
584KB

Download
memory/3676-62-0x0000000007DF0000-0x0000000008394000-memory.dmp

Filesize
5.6MB

Download
memory/3676-61-0x0000000073B90000-0x0000000074340000-memory.dmp

Filesize
7.7MB

Download
memory/3676-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4380-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4380-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4380-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download