amadey | 0e08c5e744329095ebb791b5d1eb4670e22534eb8b23b0080a7b4faa6ada7247

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe
Size

1.5MB
MD5

e51db332898f96c123006867309d8ff7
SHA1

5f0766969d31cdc281703bfe21e6f94e9625a039
SHA256

4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35
SHA512

3a54dbacec0c202fcbfc9bf963eec06ddd3d0a05158504a389d39c734942fc4e20177a1d4e1700262b8e1da1548d57ce75650f10b100175a560d2891e25b7c10
SSDEEP

49152:gM3XFzwFlHHkXZ2spmEitbxvbmLOBgqRQqWr:zHF8FVHkXZ/pMt9jmLFq2q

Score

10^/10

amadey dcrat mystic redline smokeloader grome backdoor evasion infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Mystic stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1808-52-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1808-49-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1808-48-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1808-47-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4772-63-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5Ff7UI5.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	5Ff7UI5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 16 IoCs

Processes:

Ne6rm96.exead1Pw71.exeQM8iU38.exeKe7PS41.exera0xn46.exe1Kh96ep8.exe2Lr5170.exe3Yj63sv.exe4YH070YN.exe5Ff7UI5.exeexplothe.exe6cl5ZY4.exe7VP9vi48.exeexplothe.exeexplothe.exeexplothe.exe

pid	process
2272	Ne6rm96.exe
1520	ad1Pw71.exe
5096	QM8iU38.exe
3468	Ke7PS41.exe
3040	ra0xn46.exe
3828	1Kh96ep8.exe
3688	2Lr5170.exe
116	3Yj63sv.exe
4552	4YH070YN.exe
944	5Ff7UI5.exe
4888	explothe.exe
4472	6cl5ZY4.exe
400	7VP9vi48.exe
6992	explothe.exe
2300	explothe.exe
4004	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ne6rm96.exead1Pw71.exeQM8iU38.exeKe7PS41.exera0xn46.exe4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ne6rm96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ad1Pw71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	QM8iU38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ke7PS41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	ra0xn46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1Kh96ep8.exe2Lr5170.exe4YH070YN.exe

description	pid	process	target process
PID 3828 set thread context of 4716	3828	1Kh96ep8.exe	AppLaunch.exe
PID 3688 set thread context of 1808	3688	2Lr5170.exe	AppLaunch.exe
PID 4552 set thread context of 4772	4552	4YH070YN.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

4632 1808 WerFault.exe

pid	pid_target	process
4632	1808	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3Yj63sv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Yj63sv.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Yj63sv.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Yj63sv.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4296 schtasks.exe

pid	process
4296	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3Yj63sv.exeAppLaunch.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
116	3Yj63sv.exe
116	3Yj63sv.exe
4716	AppLaunch.exe
4716	AppLaunch.exe
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
448	msedge.exe
448	msedge.exe
3508
3508
3548	msedge.exe
3548	msedge.exe
3508
3508
2856	msedge.exe
2856	msedge.exe
3508
3508
3508
3508
3892	msedge.exe
3892	msedge.exe
4764	msedge.exe
4764	msedge.exe
3508
3508
3508
3508
3508
3508

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3Yj63sv.exe

pid process

116 3Yj63sv.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exe

pid	process
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4716	AppLaunch.exe
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exeNe6rm96.exead1Pw71.exeQM8iU38.exeKe7PS41.exera0xn46.exe1Kh96ep8.exe2Lr5170.exe4YH070YN.exe5Ff7UI5.exeexplothe.exe

description	pid	process	target process
PID 4120 wrote to memory of 2272	4120	4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe	Ne6rm96.exe
PID 4120 wrote to memory of 2272	4120	4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe	Ne6rm96.exe
PID 4120 wrote to memory of 2272	4120	4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe	Ne6rm96.exe
PID 2272 wrote to memory of 1520	2272	Ne6rm96.exe	ad1Pw71.exe
PID 2272 wrote to memory of 1520	2272	Ne6rm96.exe	ad1Pw71.exe
PID 2272 wrote to memory of 1520	2272	Ne6rm96.exe	ad1Pw71.exe
PID 1520 wrote to memory of 5096	1520	ad1Pw71.exe	QM8iU38.exe
PID 1520 wrote to memory of 5096	1520	ad1Pw71.exe	QM8iU38.exe
PID 1520 wrote to memory of 5096	1520	ad1Pw71.exe	QM8iU38.exe
PID 5096 wrote to memory of 3468	5096	QM8iU38.exe	Ke7PS41.exe
PID 5096 wrote to memory of 3468	5096	QM8iU38.exe	Ke7PS41.exe
PID 5096 wrote to memory of 3468	5096	QM8iU38.exe	Ke7PS41.exe
PID 3468 wrote to memory of 3040	3468	Ke7PS41.exe	ra0xn46.exe
PID 3468 wrote to memory of 3040	3468	Ke7PS41.exe	ra0xn46.exe
PID 3468 wrote to memory of 3040	3468	Ke7PS41.exe	ra0xn46.exe
PID 3040 wrote to memory of 3828	3040	ra0xn46.exe	1Kh96ep8.exe
PID 3040 wrote to memory of 3828	3040	ra0xn46.exe	1Kh96ep8.exe
PID 3040 wrote to memory of 3828	3040	ra0xn46.exe	1Kh96ep8.exe
PID 3828 wrote to memory of 4716	3828	1Kh96ep8.exe	AppLaunch.exe
PID 3828 wrote to memory of 4716	3828	1Kh96ep8.exe	AppLaunch.exe
PID 3828 wrote to memory of 4716	3828	1Kh96ep8.exe	AppLaunch.exe
PID 3828 wrote to memory of 4716	3828	1Kh96ep8.exe	AppLaunch.exe
PID 3828 wrote to memory of 4716	3828	1Kh96ep8.exe	AppLaunch.exe
PID 3828 wrote to memory of 4716	3828	1Kh96ep8.exe	AppLaunch.exe
PID 3828 wrote to memory of 4716	3828	1Kh96ep8.exe	AppLaunch.exe
PID 3828 wrote to memory of 4716	3828	1Kh96ep8.exe	AppLaunch.exe
PID 3040 wrote to memory of 3688	3040	ra0xn46.exe	2Lr5170.exe
PID 3040 wrote to memory of 3688	3040	ra0xn46.exe	2Lr5170.exe
PID 3040 wrote to memory of 3688	3040	ra0xn46.exe	2Lr5170.exe
PID 3688 wrote to memory of 1808	3688	2Lr5170.exe	AppLaunch.exe
PID 3688 wrote to memory of 1808	3688	2Lr5170.exe	AppLaunch.exe
PID 3688 wrote to memory of 1808	3688	2Lr5170.exe	AppLaunch.exe
PID 3688 wrote to memory of 1808	3688	2Lr5170.exe	AppLaunch.exe
PID 3688 wrote to memory of 1808	3688	2Lr5170.exe	AppLaunch.exe
PID 3688 wrote to memory of 1808	3688	2Lr5170.exe	AppLaunch.exe
PID 3688 wrote to memory of 1808	3688	2Lr5170.exe	AppLaunch.exe
PID 3688 wrote to memory of 1808	3688	2Lr5170.exe	AppLaunch.exe
PID 3688 wrote to memory of 1808	3688	2Lr5170.exe	AppLaunch.exe
PID 3688 wrote to memory of 1808	3688	2Lr5170.exe	AppLaunch.exe
PID 3468 wrote to memory of 116	3468	Ke7PS41.exe	3Yj63sv.exe
PID 3468 wrote to memory of 116	3468	Ke7PS41.exe	3Yj63sv.exe
PID 3468 wrote to memory of 116	3468	Ke7PS41.exe	3Yj63sv.exe
PID 5096 wrote to memory of 4552	5096	QM8iU38.exe	4YH070YN.exe
PID 5096 wrote to memory of 4552	5096	QM8iU38.exe	4YH070YN.exe
PID 5096 wrote to memory of 4552	5096	QM8iU38.exe	4YH070YN.exe
PID 4552 wrote to memory of 4772	4552	4YH070YN.exe	AppLaunch.exe
PID 4552 wrote to memory of 4772	4552	4YH070YN.exe	AppLaunch.exe
PID 4552 wrote to memory of 4772	4552	4YH070YN.exe	AppLaunch.exe
PID 4552 wrote to memory of 4772	4552	4YH070YN.exe	AppLaunch.exe
PID 4552 wrote to memory of 4772	4552	4YH070YN.exe	AppLaunch.exe
PID 4552 wrote to memory of 4772	4552	4YH070YN.exe	AppLaunch.exe
PID 4552 wrote to memory of 4772	4552	4YH070YN.exe	AppLaunch.exe
PID 4552 wrote to memory of 4772	4552	4YH070YN.exe	AppLaunch.exe
PID 1520 wrote to memory of 944	1520	ad1Pw71.exe	5Ff7UI5.exe
PID 1520 wrote to memory of 944	1520	ad1Pw71.exe	5Ff7UI5.exe
PID 1520 wrote to memory of 944	1520	ad1Pw71.exe	5Ff7UI5.exe
PID 944 wrote to memory of 4888	944	5Ff7UI5.exe	explothe.exe
PID 944 wrote to memory of 4888	944	5Ff7UI5.exe	explothe.exe
PID 944 wrote to memory of 4888	944	5Ff7UI5.exe	explothe.exe
PID 2272 wrote to memory of 4472	2272	Ne6rm96.exe	msedge.exe
PID 2272 wrote to memory of 4472	2272	Ne6rm96.exe	msedge.exe
PID 2272 wrote to memory of 4472	2272	Ne6rm96.exe	msedge.exe
PID 4888 wrote to memory of 4296	4888	explothe.exe	schtasks.exe
PID 4888 wrote to memory of 4296	4888	explothe.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe
"C:\Users\Admin\AppData\Local\Temp\4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4120

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ne6rm96.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ne6rm96.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ad1Pw71.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ad1Pw71.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QM8iU38.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QM8iU38.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ke7PS41.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ke7PS41.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ra0xn46.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ra0xn46.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Kh96ep8.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Kh96ep8.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Lr5170.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Lr5170.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 540
9⤵
- Program crash
PID:4632

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Yj63sv.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Yj63sv.exe
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:116

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4YH070YN.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4YH070YN.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ff7UI5.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ff7UI5.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
6⤵
- Creates scheduled task(s)
PID:4296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1252

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
7⤵
PID:3496

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
7⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:392

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:4876

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe
3⤵
- Executes dropped EXE
PID:4472

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VP9vi48.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VP9vi48.exe
2⤵
- Executes dropped EXE
PID:400

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5D33.tmp\5D34.tmp\5D35.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VP9vi48.exe"
3⤵
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc963146f8,0x7ffc96314708,0x7ffc96314718
5⤵
PID:508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
5⤵
PID:832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
5⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
5⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
5⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
5⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
5⤵
PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
5⤵
PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
5⤵
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
5⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
5⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
5⤵
PID:6016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
5⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
5⤵
PID:6216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
5⤵
PID:6244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
5⤵
PID:6396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
5⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
5⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7680 /prefetch:8
5⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7680 /prefetch:8
5⤵
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
5⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
5⤵
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8240 /prefetch:1
5⤵
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
5⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8220 /prefetch:8
5⤵
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8948 /prefetch:1
5⤵
PID:6808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4798682645392303754,4844584138180171989,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7116 /prefetch:2
5⤵
PID:6600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
PID:2760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc963146f8,0x7ffc96314708,0x7ffc96314718
5⤵
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,741641878275692654,4636160114477219575,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
5⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,741641878275692654,4636160114477219575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc963146f8,0x7ffc96314708,0x7ffc96314718
5⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,18112226505841582737,3009725113110912044,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
5⤵
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,18112226505841582737,3009725113110912044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
4⤵
PID:952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc963146f8,0x7ffc96314708,0x7ffc96314718
5⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,7978782613534970007,9385358771694672051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
4⤵
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc963146f8,0x7ffc96314708,0x7ffc96314718
5⤵
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
4⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x168,0x16c,0x164,0x170,0x7ffc963146f8,0x7ffc96314708,0x7ffc96314718
5⤵
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
4⤵
PID:5852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffc963146f8,0x7ffc96314708,0x7ffc96314718
5⤵
PID:5864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
4⤵
PID:6008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc963146f8,0x7ffc96314708,0x7ffc96314718
5⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffc963146f8,0x7ffc96314708,0x7ffc96314718
5⤵
PID:6012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffc963146f8,0x7ffc96314708,0x7ffc96314718
5⤵
PID:6164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1808 -ip 1808
1⤵
PID:3488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:6992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
220KB

MD5
a2b8f50613120957b728fb63ba3754a7

SHA1
9ba7ba93ef671ce1c7bf227bf52857169622b73f

SHA256
671464fcd75cfaf5b761b3288f2e986cbc9c7376d701bc97161e5d6f07e394c9

SHA512
025446665b3ac1ed7e6497e94628986291ad5c0625bf7d349ea9f74bb9df85c7f2d771fe91520773ff155c95bd2e6cc461bd8f12f5ef54aa0ddc390d123398d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
34KB

MD5
1859aea7dc09d0a9a7aefb9fb25e1a35

SHA1
922d879559f041d25d3b7e07f2ba722346c793de

SHA256
b24b1d9ae581c072d4d5033a3ef0e58b920c42ac8ba161684206c59e0cc19f5d

SHA512
d30d213755b202d7c2a0565513be3d3f20bab599222e8231593370314e52b3ac11c88b65794877db7d3b21d14f3da277886738e5bae0387242cfda4b552a0ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
198KB

MD5
cda68ffa26095220a82ae0a7eaea5f57

SHA1
e892d887688790ddd8f0594607b539fc6baa9e40

SHA256
f9db7dd5930be2a5c8b4f545a361d51ed9c38e56bd3957650a3f8dbdf9c547fb

SHA512
84c8b0a4f78d8f3797dedf13e833280e6b968b7aeb2c5479211f1ff0b0ba8d3c12e8ab71a89ed128387818e05e335e8b9280a49f1dc775bd090a6114644aaf62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
c2ada075d0bfd7ae25c2af6c0df217c2

SHA1
c1c861b74eb54123ba522646604cf317a4c13dd2

SHA256
94cd1b9312ca6927265f1fcebd7e2ffad50e150b2421d71e5f69bf2a7939131a

SHA512
2c680008005a680bcfa52f38c6b0f6c00803fd5531d6e38fa7224d7ef3e0a2b3807b4b9ecf18f1ec5a09446b25b1bc5f8c2d6c193ce9839c46cdc35d6298a760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
9abf7481b959d2d17e2c502d30a31b64

SHA1
e7ea1600c2559d1aa333674882821cbe5cd0a1e3

SHA256
8e1d4c9783c001eb7d92af63b20f4ef3bbe6d33c0fa4f4436a2f6965cc9ab2c7

SHA512
173851a71ccf6dc3a899b5d65bc40ced6742572dbeaf8af561301528974c3cd7422c328c70407b44e4d7d6e695cd1aca9d7410a777346f529c02e3d654c6014b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
5bc273049229b02b5b6cd01028234b8f

SHA1
8564ebe16b9e677bb1e71154793239aa1e010aec

SHA256
a6713bae879415523a0a7b96f217c9afb7413a1b96b0524d7e873005833db838

SHA512
b32eec9119a365cd921a85dc03acfbe767e3fb136426413cd7fd1d4e7abc5bfc8794c789930f3bf4999de25d8398ddbcf0e3d242910cb4a27f6ffb8adede8f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
e8350253ed4f46e1c4453e132fecb918

SHA1
64bc6dd6492ba6e95236b153da6935add1feff31

SHA256
981b2b1a31e7a95e8b521e1aadadef20e295ea1e8d4e19794b6b9084306349a6

SHA512
4b89a0b1ef6c332bb07af172738006dfd1350bc7f213a9b0d7f25261b95065465716102905ddf1520b99d9b03abe573061a8dbb138133b6209221cdbe9dece7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ae586c9fa530bdebffedd3fe1e4758d0

SHA1
f3b9f6450f1bd7548824ca13f8c199660391c1da

SHA256
e873ade18790ef8680d0969465f59413a44019811af25ba99a9591c2be77cb19

SHA512
f6c870c4a8f23aeb8fafe568af8d73540c8a056a2b1c93c5dec9ca45499a4ba492eed24869e4d779a1c36013a3b85c0648e0c2a04887e29c5ed07e5882ab50ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
78ce0d092dd28f3c0adeb5a3ad5bd53e

SHA1
6d4b501827efc6ecb1df17596277537271933a3d

SHA256
fba1497f900b9cda37d54e786f55054411f424513cc1e83afe9a7402d6cc2cfc

SHA512
9ed99505979e9a0bbb5dead889df7651c9c03c7d09405937ae99ef39f2d2eade54ef0c596eec49e2b7e72fad3163b63841a16a87a07b1846156480a50b4af0a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
081ea718dcba2232f499cb35d550b020

SHA1
e5dd6a4d2b702008d1d0c2cc97e07eab881c1002

SHA256
092eb68cbd3872554219fa5a02669004c9d67a7bc40078cf5461b77a7dea0653

SHA512
43c93d400270119633fa6141b71c21a7cd3a41faa2d4d3ccfc81da5b84c1696604df571c580c4ea647c4692e4136eecf2ea7957dd18e13a69e54fda1acc39563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8978e0c9043961dbca832d6c05a4c488

SHA1
20f093b712dbe8b0a5f04bec88968bb6d91738f2

SHA256
1ff819be1d0d875809cabec141eb346dcbf1de989ef09af8d02a4d7bdfba379d

SHA512
cc96dc469e7b0daa43c775c0bd10b0db2425ee3fbdc4e9ec4505607ee9ccf7a10d3dda37a15ed2f4ee07d6c2bb00802088c95398977e492c54c6f35cec98bf85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
791cfc8b201d50865caa994992974151

SHA1
38c4f099c2643341b694f6bd065ccadfaed7733c

SHA256
d968e1d737e9c90088ed921f06d7593e909236a563c94d446c83922be8c1b8c3

SHA512
e3d63cd77c68fe1d831d0b872e3431c8301e53366463903de13694b25e60b502bec70558a60cf2bcb9c7f51547e0f704977ef3167633c81e40238160731cf95f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
b204ab1f656190b50ad654a219d7c202

SHA1
b92d8d0fb31dfc3387f66bec121df779ef92c245

SHA256
3635c5676b994dc8a7643c9bf7e96776104682a7c9a6139292577f37bea831c3

SHA512
e30341cc19eaa4af7181d31cb9fb7573eaffe650ff72d7e0ea3b3c02d7a1afd47db2e44a789a5f987d96a6c211dabb98397fa3ccb3cce6d03139641f5bef584b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
0b55e365c580d68ba0c501b8dd648a87

SHA1
4a143f7eebef16eeb96d7822dba87a916624f3d2

SHA256
6c746a864ff64a988899d8c429bb00fcd47244c167b14dffe028f89b33f108f2

SHA512
5d5fa1de591644b2af47b0641dfaa27d7130bd2eca5d27cb4d8b9bc08c4740e7c6110537a6b540e6b9be5433502f523d4213e3ba21367a0570cbf75fa4ab332a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
402186b4e51c91f72a4fa58cec8e8566

SHA1
b75c75f4c2e7a967009d89b05d8c0301e467148e

SHA256
19f73b485859c5848db459f5f4068c71d9383f7b26d9f86d5f75a2ace7638148

SHA512
18ed215bd65bad3f131abc308218f6721b8280eda1a1bc71dd1ff10ef8c48cc51f97975a2da47355592422f3a6367e42fb4ac008ef37f9554d36b0001eb86453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f433.TMP

Filesize
48B

MD5
cc0230212dcd226b311de0f676788384

SHA1
805cab71c835854493ae0ad5fd5a3fb87071c7e4

SHA256
aaad0752be89982c27558a5849c2492d9dd18f8c165f8844259e5baefbe5fffb

SHA512
7fd5f543ebfe70ac058d088926cf2a7b35537d03a3116c78b7398a39467a87640f3c941612d4e386f82adbf17841ebd1fbb4386e3e3b7ba3a10c31b09a6ccc50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
ed08537317b82ed2065eff7505f712fc

SHA1
dd4815fa85c4b3d4f46d3898d4eed963ef161123

SHA256
5ce96501a37e480636b93cb351cb6d48b1519c5af39a2eda2dbe84b9d48a4508

SHA512
c4e890754f307b8eca164dbb6b0ab09a55547881d4b7c3e64f2e523db473cd2565fe156074adb5f2c62227cd1d9f47ebc8d4b59391e8920fa4cb6b55fa3afc5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
a6783eed45bfe4295f9d8c48007b50f1

SHA1
d7b02bf764e1b76761c7920d18a9321d4e98a936

SHA256
1e89aa462f5c04fb0e032aee10e81026681603930f2e3d5997d3dee281989668

SHA512
54ed04509e2fbf6ffd9c65e88b04cbdc9ba1942178b49a640a0bc946add1b41d979aa5df3e790cd0313d4d0666b5d0b42cc4a6eb93f079a619505cc681e6de04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
fecd5c9dcf84331c669e25470db8a7f5

SHA1
00b03854c3042fac23da19b39907dfe11c5bd5d5

SHA256
1e8d61bd2ea185827bc1b61ea9e63467dc6759ea413dad5f2e91d9be462fbec7

SHA512
4ca1a911e59e1af0f9b9762a770fa95b308a0705b86b72b3249a91717a57d4e767be1768c17da6509a41016b6d18767e91a18ba3245e6df0aebd04b877d8ae08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
ee5f73adef07a9d8ad169cd4e1b09177

SHA1
ab6a98f8077ce1f238e5594d08f7945f117e9cb9

SHA256
c2e1d4fbfc646563ca54a7742af92988c047e5c84263f4d7f426652f9855f65c

SHA512
d76b92721ef69aa38d822af0f8bf53d499fb1387ec3ae67b7c70427123e75a908abfb9317fecf0e4595951456950fcd3fa1413cf0f231913c03231a17757c553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b42d.TMP

Filesize
3KB

MD5
0232af1aef184e1068bac1ce2b571f0c

SHA1
6fe0c0a95635d9cd7350c0b7427e56a8bcebb14b

SHA256
2bf3aca5f907a1ba68e2c6e3ed543875f3a73a0694cb8576fc4d368764d271a1

SHA512
c080386fc285868ae781fd02d580dadfe3443d72860c652b8aff2da0adf8f1585898478240ef40fe0c95ab85933c910187dbf34455fc5279b382193ef8aeb453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d7b928b7e8a654fb20d9e37000120386

SHA1
196d500a44b1a57cc3e8f574a2177fabca7134ab

SHA256
def7e095eed40a5ff330f1dfbc74e2dc885afb105186d93a02f9f3c9f59d1c68

SHA512
74d97ed37a93a8e7ec1a512f6cb5a99ff40fc31c2c494a1bc1eebfadc562747f8c4260f4b758e7af2de39745b818adbb078efef03715500207cb0603d2f7daeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
43af8d3417a73bafb99ed89b1acb4fb9

SHA1
043d39515c1bc178b05019ff5397abbbb7c6da6e

SHA256
05673455678f8c8d9877b6d444c399eb19c1cba43e7736db70a65291d29e1f6b

SHA512
a8057138fc465650d8c37c39f817705b3855baace5135f233aea4c961f5a66b38b70f663136f563889fdbf3a50c436b100415ce3248fb27faaaf32a452154e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d506653f907852bf9ba2a5ce83f52f86

SHA1
ad31a246d0aa997c9de566bcf4ad11110b22c8be

SHA256
2810c467890fa774ab56016c82a3d4f44a50c1c86d1fd070c3f706ecfce911aa

SHA512
4468431aadf193f1adde7075d54b1c13a89cd9b43d4dd2554c0c66af46d95aa2ef7fc735671237a61fe1e290eb9a1aeb513b4532156057248efc773f07a0756d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2e62a0449aa30cf686a30762fd2a76c5

SHA1
b3aea572bc7dbd434783e90f0ef12c22d2b648f9

SHA256
41acd90f055c863f59d65fc3d683bfb527e2f6492b37aa5d448d31b408c890da

SHA512
0f32332c41c4ff7470bbc26a0826ad5cef32a9d4136266e817b1172cc2ef237b4f3542de184f86dce0d0187b9df63e03a546dde93e7d8beb09c7a80a15060062

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D33.tmp\5D34.tmp\5D35.bat

Filesize
429B

MD5
0769624c4307afb42ff4d8602d7815ec

SHA1
786853c829f4967a61858c2cdf4891b669ac4df9

SHA256
7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f

SHA512
df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VP9vi48.exe

Filesize
89KB

MD5
3133993a538a99260b5c75dea467b6bd

SHA1
b692d4b36bbe655541d433b6df4c3f6eb3f1c653

SHA256
01dd907a4893609e560a3f454ca46940ca62e1773b7c88832131b13250df657b

SHA512
583abbb3c458e60badb918c822102b23a8f782ce29ae257fa38658801f76d3670f5e3b07ec3246c456ca73a2aa6b9e20610fd8f7921849bab9286ce83aba5539

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ne6rm96.exe

Filesize
1.4MB

MD5
bb050dbdad09b6bc2f9db25e1a3004c7

SHA1
d1f8a357ce5327c9d57240310e3212e64f3babdc

SHA256
c755956f09922488a6ec4cdff24394c9a62954fa9b811fa93d8122aa3b6671bc

SHA512
15c8bebd1f5153f07d82142f85d4de9662eddd405813100b8f1d00b1893686f94368fa6c64bda805920178511054bffbfcd09a3e0c8ba03d9d375b03615512aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe

Filesize
183KB

MD5
88acae707753281487dbc4527670d207

SHA1
7586b5f38a75d254955b41764a9f9a24f0f955b5

SHA256
8acb5f4f5b17179dd329d91b90d3195e179c2073a8262c79f525296163aabbb0

SHA512
77dfb4f601e8f637c5ab7e5cfc08e51a4a384d07f85d56cd87d82e8d4731e877fd841b0369232b5301d3cf8f9a8c001e787af072f798547a106c1175e0f69d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ad1Pw71.exe

Filesize
1.2MB

MD5
8e8e91a7197d3732146ad5c3dccff354

SHA1
c676eb26052a0fe2b614dd13db89153b1a859efe

SHA256
087a896f87f3804d36f472b9bd51df25519b800924be524ba493ca987c06fbaf

SHA512
d86710464152555147d7629ba22b1dfb4ad2f9829954d01877e7c635bb3f1fd102f568d00e66bf0ee10a7cadeb57b8361f3631f154d4d726cff8d293f6fbbe56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ff7UI5.exe

Filesize
220KB

MD5
3ecd38a31f182874dc4d87d671100149

SHA1
548bc5ba1eb0de483cb566b317ce8cc94796a178

SHA256
a6bd53b43ef7820cb928829288276a9dc67c2746b8e07f0e83413cfacd2edfea

SHA512
5d895fae9f16f19cc954aeb8325895d3e70c871982a20e42431a541fb598be8c2f018a36b9a24b7e718c0859621555e819ec98e4db465b9f2ddbef39dcc67a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QM8iU38.exe

Filesize
1.0MB

MD5
967017a45c0c287b2ba5ab6f10104124

SHA1
8f0c76f5bccfd14f23849956a71873ea478143c1

SHA256
1b1c8ff3f8b0603d134d080497fabae4b843603676a023b8051e7f204eecaac0

SHA512
c69913a5e85c18d1a4cf989037928cb149b9103b2d1b669141c6264933dac31486c90c0852437806269fdba8fea8dcae7d099ad3acc6fa42a28ae44d55bb1abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4YH070YN.exe

Filesize
1.1MB

MD5
cc4365a9c7ecf0318360c45254979e82

SHA1
d608476ab37b1d13ecfc184072ef3a7fe63b1647

SHA256
47fdad2537a470c75542cc2d083feb3e0f3ca88338bb2e5672a800a49eabd2fb

SHA512
69e18695ddcf7e036286d5ec4fe847bbc4162a98d3365ed452a2f7f852d2e10230c4664fa625218a8f56f361ed414940b849940fff2af03b57733c377359da85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ke7PS41.exe

Filesize
645KB

MD5
8d634245a812844ec5ae4bee28bcdde2

SHA1
f155caf7c67ace562f56763954532b5846e7c050

SHA256
21dea19875cdd46e800e3036ba9dfdc27a486d3af1d7382eeab09dba4816ad5b

SHA512
1425ce838574ef4fdaa5d505e259aff3dfb99c1200cea749b214c5375f6b7be6e5b8871a3fa22737cbad97a34671f617d315b2c915bf76859adf510f347acbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Yj63sv.exe

Filesize
30KB

MD5
01db0ac394d011fde2a7d7c88dba99ec

SHA1
33157ef71a8e7744a71e9ca1da1be6ac46c84178

SHA256
40288e39d9a0b282ada1fe11dd6ed3f0d8e00fe417356a5969511632f096daee

SHA512
74a5aceb4c653a7c1b5fb6d9a4f8512751531fea719c34bd37e1ab9cf49452d28a9096aa0e6dfbd8a912384fc54594c01c54ee794a3d8dc5f32dbef239f927af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ra0xn46.exe

Filesize
521KB

MD5
77a8ab496365178c46a095cb8cb28cd3

SHA1
bd6d15bf014edac87ed66e007b8def58250e40ad

SHA256
4c8ec900c71a459ba62dfa2c5c9041c3056ca6d1af16b60f4bb8b03db498f58b

SHA512
dc4e50a32358d7d5b19c2be0ba54d3ca0d0cfec36250f9042b1d2673b70071e6df2a05e55f387018bee786eb5c3e321825f137d1a642803e10a5bd7a52854f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Kh96ep8.exe

Filesize
878KB

MD5
3d6052b8fd7dd9c074d3a44a8aa029b3

SHA1
21e53e281b95d3fa17748dee13fec3e06382938e

SHA256
96e449db3e1b1c1ec4102ab96f33c2e4bc564109154cad6f129f47b1b240dfc5

SHA512
9020b107104c45e07545e5183c67b6f44e3a0a83a90bfa0f8c1b1cdb1b9b92aba16508a8095778b9a2f58ffdab5f7bd7067819a3fa34b9c44264f555b62e3254

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Lr5170.exe

Filesize
1.1MB

MD5
af1f39bf6ad69013f0bba4803f391d19

SHA1
f30be3f7bfdf1895a1761dc4d7e5fc6daa5b70bc

SHA256
d5b5a1e8b2730b04854fee843d893b2b35298cc559bc4feb7dbf4fcea2acbe5f

SHA512
3820617eb0018be7f4dca921570fefb8e33bc507b71a468e2ce41e1b6fb4a9036a368e23e17fcbcbc673787e66bac0064f62195dae30f1a5143f267492b6c080

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\pipe\LOCAL\crashpad_3548_BPERTQUFCFPGYKMO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/116-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/116-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1808-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-56-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/4716-223-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/4716-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4716-46-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/4772-91-0x0000000007530000-0x0000000007542000-memory.dmp

Filesize
72KB

Download
memory/4772-844-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/4772-69-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/4772-93-0x0000000007560000-0x00000000075AC000-memory.dmp

Filesize
304KB

Download
memory/4772-92-0x00000000075C0000-0x00000000075FC000-memory.dmp

Filesize
240KB

Download
memory/4772-843-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/4772-89-0x0000000007F10000-0x000000000801A000-memory.dmp

Filesize
1.0MB

Download
memory/4772-87-0x0000000008530000-0x0000000008B48000-memory.dmp

Filesize
6.1MB

Download
memory/4772-70-0x0000000007960000-0x0000000007F04000-memory.dmp

Filesize
5.6MB

Download
memory/4772-80-0x0000000004A90000-0x0000000004A9A000-memory.dmp

Filesize
40KB

Download
memory/4772-71-0x0000000007450000-0x00000000074E2000-memory.dmp

Filesize
584KB

Download
memory/4772-76-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/4772-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download