mystic | 89cf09b0fd8a605cb966adaf3bb1cf0669e7e33a3cf8b3e8a97b9339f86983be

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eed45d9e5d96aeb74fe1cc69021711612a369fda742046e59c00a9515de1e242.exe
Size

876KB
MD5

d18693c847c0a687ad43dbf77e7bbd86
SHA1

c9eee6ebcf13d30e314750739f3f6bea14c6d08c
SHA256

eed45d9e5d96aeb74fe1cc69021711612a369fda742046e59c00a9515de1e242
SHA512

a590ac6e6eb4dc231ae1196426f1d93586d564b63227f4dae47bac60c797ff2b7ac3f32f2f15c11eca8a141790fdb55321c2032a31341538c39643d04f2fd288
SSDEEP

24576:3yEp8OtG2I1+mTXyvcEiOMc+jx0D8R/tEG:CEpC1+mrT/OT+jxXR/a

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3764-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/3764-39-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/3764-37-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/3764-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2076-52-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	5Gc6nD2.exe

Executes dropped EXE 8 IoCs

pid	Process
1664	Iy0US46.exe
3980	df4Ls45.exe
2288	hz4CM94.exe
2688	1nn07Pg6.exe
1736	2OB0917.exe
4692	3rt10dH.exe
1136	4hE267lB.exe
1832	5Gc6nD2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eed45d9e5d96aeb74fe1cc69021711612a369fda742046e59c00a9515de1e242.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Iy0US46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	df4Ls45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hz4CM94.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 640	2688	1nn07Pg6.exe	93
PID 1736 set thread context of 3764	1736	2OB0917.exe	103
PID 4692 set thread context of 2528	4692	3rt10dH.exe	111
PID 1136 set thread context of 2076	1136	4hE267lB.exe	116

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2788	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2916	2688	WerFault.exe	90
4996	1736	WerFault.exe	97
3896	3764	WerFault.exe	103
3452	4692	WerFault.exe	108
4840	1136	WerFault.exe	114

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
640	AppLaunch.exe
640	AppLaunch.exe
2528	AppLaunch.exe
2528	AppLaunch.exe
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2528	AppLaunch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	AppLaunch.exe
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3376	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 1664	4984	eed45d9e5d96aeb74fe1cc69021711612a369fda742046e59c00a9515de1e242.exe	86
PID 4984 wrote to memory of 1664	4984	eed45d9e5d96aeb74fe1cc69021711612a369fda742046e59c00a9515de1e242.exe	86
PID 4984 wrote to memory of 1664	4984	eed45d9e5d96aeb74fe1cc69021711612a369fda742046e59c00a9515de1e242.exe	86
PID 1664 wrote to memory of 3980	1664	Iy0US46.exe	87
PID 1664 wrote to memory of 3980	1664	Iy0US46.exe	87
PID 1664 wrote to memory of 3980	1664	Iy0US46.exe	87
PID 3980 wrote to memory of 2288	3980	df4Ls45.exe	89
PID 3980 wrote to memory of 2288	3980	df4Ls45.exe	89
PID 3980 wrote to memory of 2288	3980	df4Ls45.exe	89
PID 2288 wrote to memory of 2688	2288	hz4CM94.exe	90
PID 2288 wrote to memory of 2688	2288	hz4CM94.exe	90
PID 2288 wrote to memory of 2688	2288	hz4CM94.exe	90
PID 2688 wrote to memory of 640	2688	1nn07Pg6.exe	93
PID 2688 wrote to memory of 640	2688	1nn07Pg6.exe	93
PID 2688 wrote to memory of 640	2688	1nn07Pg6.exe	93
PID 2688 wrote to memory of 640	2688	1nn07Pg6.exe	93
PID 2688 wrote to memory of 640	2688	1nn07Pg6.exe	93
PID 2688 wrote to memory of 640	2688	1nn07Pg6.exe	93
PID 2688 wrote to memory of 640	2688	1nn07Pg6.exe	93
PID 2688 wrote to memory of 640	2688	1nn07Pg6.exe	93
PID 2288 wrote to memory of 1736	2288	hz4CM94.exe	97
PID 2288 wrote to memory of 1736	2288	hz4CM94.exe	97
PID 2288 wrote to memory of 1736	2288	hz4CM94.exe	97
PID 1736 wrote to memory of 3764	1736	2OB0917.exe	103
PID 1736 wrote to memory of 3764	1736	2OB0917.exe	103
PID 1736 wrote to memory of 3764	1736	2OB0917.exe	103
PID 1736 wrote to memory of 3764	1736	2OB0917.exe	103
PID 1736 wrote to memory of 3764	1736	2OB0917.exe	103
PID 1736 wrote to memory of 3764	1736	2OB0917.exe	103
PID 1736 wrote to memory of 3764	1736	2OB0917.exe	103
PID 1736 wrote to memory of 3764	1736	2OB0917.exe	103
PID 1736 wrote to memory of 3764	1736	2OB0917.exe	103
PID 1736 wrote to memory of 3764	1736	2OB0917.exe	103
PID 3980 wrote to memory of 4692	3980	df4Ls45.exe	108
PID 3980 wrote to memory of 4692	3980	df4Ls45.exe	108
PID 3980 wrote to memory of 4692	3980	df4Ls45.exe	108
PID 4692 wrote to memory of 4828	4692	3rt10dH.exe	110
PID 4692 wrote to memory of 4828	4692	3rt10dH.exe	110
PID 4692 wrote to memory of 4828	4692	3rt10dH.exe	110
PID 4692 wrote to memory of 2528	4692	3rt10dH.exe	111
PID 4692 wrote to memory of 2528	4692	3rt10dH.exe	111
PID 4692 wrote to memory of 2528	4692	3rt10dH.exe	111
PID 4692 wrote to memory of 2528	4692	3rt10dH.exe	111
PID 4692 wrote to memory of 2528	4692	3rt10dH.exe	111
PID 4692 wrote to memory of 2528	4692	3rt10dH.exe	111
PID 1664 wrote to memory of 1136	1664	Iy0US46.exe	114
PID 1664 wrote to memory of 1136	1664	Iy0US46.exe	114
PID 1664 wrote to memory of 1136	1664	Iy0US46.exe	114
PID 1136 wrote to memory of 2076	1136	4hE267lB.exe	116
PID 1136 wrote to memory of 2076	1136	4hE267lB.exe	116
PID 1136 wrote to memory of 2076	1136	4hE267lB.exe	116
PID 1136 wrote to memory of 2076	1136	4hE267lB.exe	116
PID 1136 wrote to memory of 2076	1136	4hE267lB.exe	116
PID 1136 wrote to memory of 2076	1136	4hE267lB.exe	116
PID 1136 wrote to memory of 2076	1136	4hE267lB.exe	116
PID 1136 wrote to memory of 2076	1136	4hE267lB.exe	116
PID 4984 wrote to memory of 1832	4984	eed45d9e5d96aeb74fe1cc69021711612a369fda742046e59c00a9515de1e242.exe	119
PID 4984 wrote to memory of 1832	4984	eed45d9e5d96aeb74fe1cc69021711612a369fda742046e59c00a9515de1e242.exe	119
PID 4984 wrote to memory of 1832	4984	eed45d9e5d96aeb74fe1cc69021711612a369fda742046e59c00a9515de1e242.exe	119
PID 1832 wrote to memory of 4412	1832	5Gc6nD2.exe	120
PID 1832 wrote to memory of 4412	1832	5Gc6nD2.exe	120
PID 4412 wrote to memory of 2968	4412	cmd.exe	123
PID 4412 wrote to memory of 2968	4412	cmd.exe	123
PID 4412 wrote to memory of 3944	4412	cmd.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eed45d9e5d96aeb74fe1cc69021711612a369fda742046e59c00a9515de1e242.exe
"C:\Users\Admin\AppData\Local\Temp\eed45d9e5d96aeb74fe1cc69021711612a369fda742046e59c00a9515de1e242.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iy0US46.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iy0US46.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\df4Ls45.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\df4Ls45.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hz4CM94.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hz4CM94.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nn07Pg6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nn07Pg6.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 556
        6⤵
        Program crash
        
        PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2OB0917.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2OB0917.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 540
        7⤵
        Program crash
        
        PID:3896
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 572
        6⤵
        Program crash
        
        PID:4996
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rt10dH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rt10dH.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4828
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 592
        5⤵
        Program crash
        
        PID:3452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4hE267lB.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4hE267lB.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 136
      4⤵
      Program crash
      PID:4840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc6nD2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc6nD2.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B2E5.tmp\B2E6.tmp\B2E7.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc6nD2.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:2968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd398446f8,0x7ffd39844708,0x7ffd39844718
        5⤵
        
        PID:4800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5706352487239639200,17105973046638973273,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        5⤵
        
        PID:2604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5706352487239639200,17105973046638973273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        5⤵
        
        PID:336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd398446f8,0x7ffd39844708,0x7ffd39844718
        5⤵
        
        PID:2088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        5⤵
        
        PID:4132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
        5⤵
        
        PID:1736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
        5⤵
        
        PID:1020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:4732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:5100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
        5⤵
        
        PID:4660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
        5⤵
        
        PID:880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
        5⤵
        
        PID:468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4248 /prefetch:8
        5⤵
        
        PID:2556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
        5⤵
        
        PID:2624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
        5⤵
        
        PID:5104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
        5⤵
        
        PID:2344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
        5⤵
        
        PID:1404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
        5⤵
        
        PID:1240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
        5⤵
        
        PID:4492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12291000252422567857,14240938245430983939,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5200 /prefetch:2
        5⤵
        
        PID:4760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:4920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd398446f8,0x7ffd39844708,0x7ffd39844718
        5⤵
        
        PID:4696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,2022131875353626175,4690223284166604781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3
        5⤵
        
        PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2688 -ip 2688
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1736 -ip 1736
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3764 -ip 3764
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4692 -ip 4692
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1136 -ip 1136
1⤵
PID:2924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2020

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f383501087fa973fb8161b03a4b98cd2

SHA1
ee9a3f1e5470e793b24ca30085ac9e53bd9b7c4d

SHA256
fa8e20e8675d0180396153cac387b4a1c355984e51ced3cdce77ceeeb086421b

SHA512
69788e20d84b08cf559aeed49389e47ad5f3920bf47f039209a75be6561f9caa095e3416a65c1e76c94ebbce88e5ed293fb6ed2cde0036a4c0689139dfc719e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4da365d97c6f81fefbfc72f4eff09dd5

SHA1
dc61d60710df48a7dd8db3881ff5e95d889376ac

SHA256
c0e35f911e42c222dca0975557be2edef79975ddad62594ea7363206e49afb16

SHA512
bf512bc040e6a1c23345024a8a19d2d23ac807505db1a56c9a58a7775a8fdc22e8d5db5ce3f18fbde55b5bbf5b840225d6459c924432544c3f1a2fb30f7bfb70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
76ab6cf4f19b6b93c6075c763b9e7fa4

SHA1
9aabd3aef2335affb3785fbfa9d1ddde59c2ce9d

SHA256
8c2faf0144ddb8c0b2ffff15968e146fcb5f76c7988f3a32c50d2f016ff61758

SHA512
dd87e5ed6a773fd85b53a848a1fb077c9965daa122760df67dc08687579a89f8a41e701e4e7fedadecb68b7b9a2a2da1e7fcfd5e7208f553b7cf6a6eb0518a86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c444d97b5fb60f12dc7ebfa7e6045825

SHA1
7603ff6752cecb658966d9aaabd31649916fedad

SHA256
ab3fda8196a8b85ca75091f5902027db695218176d93ce5cd37dcb667a952e51

SHA512
b86b0b6c48d31473c382c5235a2df5bf196db5e9ae771043e624ec1cfbb111f38233e308bb34f64dceca55287131a9d25d37d05da708f94d16d9714c38575c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
be1cafba98a8741992474f5e3aa14ee4

SHA1
f44c8557daab080dab407d97eee87bac593a29bf

SHA256
b5f05275a68b0c4f74118dc02be45afaddf2b4b715596c6550ac842f97a587b2

SHA512
07712030f26ce3eda12ac2d861564a5b830dad38a96c1510f9f1802f9a9ffd1010337e2eb3e2bb6111e21c79f8b0975ec8bdb780be618906ee00cdf323b908c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a6ee3cdf814579de11e0d6f025dc4b7e

SHA1
524a169bee8077bed8ba10d19f704725346469d6

SHA256
6bc5c0ef9c52ed98c48a85743b00537b1814ce57044535de253175aea270878c

SHA512
5a1c2d8341946c39332bd4d979102099c6288c299543229369af259b27e28b0fdac3ae78094922e6e0f6a7ceec607d018e64765e561a21ef42eda6b6b28066dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
1742f6ca3728cba10c74c650f864998e

SHA1
a52ff1dfad11f7fa939c7dce0cec4e2859a6be43

SHA256
872850e06ee14907331a72bbfe2738620f1f8fe9d35e69d66f70e5d1008b56e4

SHA512
4f8bb6230609113d27f28ac96c4506656fd748b1bc1a0964275c5b73500a1f6b1b1ddaacc4f55fba8c9c71aaf9ff01486b33e195877e896eccc4296918959ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
858bf39e7bf2633bd58c04489d957fd2

SHA1
7d7a6d07c1c80e6fd52dbce17178e20676fad17e

SHA256
76efb2ee8f26e30037fb0efae1687d12ce28b73fa31ce6908d9fc00a806e464d

SHA512
6ea6269783e4ea99577510924366f65906284a63dad7ba38d9aa97a15ec7cfc7b4616fbdb25253ff48cb34545f266eb3c0abc3d8d70bd1ae9a18a1f41220e750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581b53.TMP

Filesize
48B

MD5
a57b2ab152d46068bc0a7670d650e6fe

SHA1
770eb8f2c85beb3eec8d5ecfd43d4c1af97f0dc3

SHA256
ce0c3f468d3697fc1ee5384fdcba48322920431dd59a0903d18e3ae348a247d0

SHA512
95b6e383731a37f2b8a23a9c992b757796e826d5e914d4e8c05a98800897551f71284384d373fa0c187131baddf9f75318b46f7b11dabeb44a8a046b4eda2079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
48465460f8a5eacb33c4a11325faf3d5

SHA1
ce81e8cdaff5c091a29f40c9bc4b5f9e528c269f

SHA256
3eaccbd46fd4af9de8d39d174fb174c94be13773d8d8310e5bb11d2756ea9499

SHA512
c4c6fa0f394ea09f03699bb125f093918f6f76f75f05922dc2e48e03fc7e69dfa146a9f42e4b1bbb9d859e1e819b1653c0b40ec711bd88ea2e56e0f0023438e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2d4aca2fb906255fc1010bf53a9118eb

SHA1
0d14ca67cab99c4019ecda4a8e9f61c733210a8f

SHA256
171286a2b477b8d8f1b73cf63d7e268f199a9cf907611032a1746daa9b4be0ba

SHA512
803aef6df70a0014a30b68460be30d7b13151b26c15b212d12fc3cb38a2982e416eccfc8a9c99d39bf7d3456aedd649c4412974fa43b713dc67621e798c79e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
39833f89354ae0e196348afc0d6981c2

SHA1
1560ae35862ee1d8e8abf76e939eb562d3f0d18e

SHA256
737f93f3fac55ff0350f9c9bf6f8cc67a1af6c55eb2fdb6de7101d4c11edbca8

SHA512
76f594fc318b5570c6ea5af641c150ae3ff9a359f56857448e653c73d38cfa51a0a48a9fc5e2c30a5e0bfbdbd982f1e1271787e2c20ce982240ba9af7214ba33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581836.TMP

Filesize
1KB

MD5
8fff13ff678d03d6099d90d4d116783f

SHA1
6a13d8a28c9ada682afc24cb3999d9d1faa95ba3

SHA256
bdc9f920ed5dbf7a7a1d10092c9aaa5ec7116da44815a68b187b15a3cc7c5b5f

SHA512
1718c10ec588dd1e36cb81b31c36ea84e83b3f56c489a550d4f187892e92fe051c0f6f767da5366b0ff8a0081285fc3f5816019c3680a4c203ac4e665d0cbfda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
3d2335b0703502f243ec83dc2d03583e

SHA1
c08873abd9990d5164602141f0fc9a6238ae26ea

SHA256
078f1fa2adbd41a8f71fb3a8f64efa3a4045a2f2d5bb7f1460617b0567380749

SHA512
2a662f076f14d3cf9b11b724826a425f286c176e5daa05a34691ddb55e6e7191407332e3837b230a0e43cdfcfbdf4bca2b64907e85dbc1f4f425ed04dc4a308c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c4c63ee28cac69af34ac77fca2a96091

SHA1
8d55c9eb94255450073d3d5e674819c64ea8fd59

SHA256
f436444ae4ec1189d85eda9adcfdad2ce4388045aa89b427a47b55c0d9b960da

SHA512
985d354f52154ff814332b923b2889aa61b6d78e01cbe58870a4b2f3f81e90dfc3bed9d99b7c0e7b35f457b82a3c6154746cf03cfaf53c236796703aca6aed78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4cc2cab2abd61147a0287877946ccbb1

SHA1
fb1399a2a5ff3663b3f1606a367859ad117d1d68

SHA256
35e19b02761f01761941399d250c317680f1c6b8d19b7e0f8ea349b6ac6a7b90

SHA512
140dff6bc133ca336756deed3517aeede0547aba8162d90eca145dd5d646f62f607d385e0195cad22c0ce627a0dfe8554b8581230817288d58822c6b23ceda5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2E5.tmp\B2E6.tmp\B2E7.bat

Filesize
124B

MD5
dec89e5682445d71376896eac0d62d8b

SHA1
c5ae3197d3c2faf3dea137719c804ab215022ea6

SHA256
c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668

SHA512
b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Gc6nD2.exe

Filesize
87KB

MD5
841376cb5f7af6bed41294de3fde0730

SHA1
a25aea5192905446e2189d7c2a95ee7d9b0cdd72

SHA256
8acc9b97eb5dbfc0133ffe409f57699329c2c20a0342430770897c34310cc838

SHA512
298f9ff0b71987c26dabcee00e9c43b664e3f42927d6e7acdc54bbc9639f7b916660f58a7b1821a9f763a089a21ada9f0bbefa137bac90074397aa89c8c1ff05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iy0US46.exe

Filesize
738KB

MD5
ad0bd02752f87dfd33607929d1b2558a

SHA1
4f7f5098dbe4658e7fb5dc85b29705d18f0bcf7f

SHA256
5ff91ae6a9740fd11411a520a2c797eec68e04e087501b5962daaddf4d0bce10

SHA512
021d47d5636f7b24063583a645f47378b8bed2a75e75b2de4924e8cccb5f25ffeb2ea7106eb1e535615c41b36312f468e9219349e40c74ccd74736ff89aa2a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4hE267lB.exe

Filesize
339KB

MD5
2408c64a47c99b5f6ab93fb7518b5ad0

SHA1
16cc5133859c865b4e21e421ded218032052d863

SHA256
2b273a8e61ac8ffadda7779ceaae1ea7aeb35ef576dc6f9e17dc397f68b534f7

SHA512
c2943d8d53cdc87b8f6af556821a09ced0a58b21dec401924bd962d35c1cdab589ce99e03a99b6e5422b236e70b14893d023bf63d83dd0f6849ef6ce8dfbb024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\df4Ls45.exe

Filesize
502KB

MD5
7da62989f10087f1b55e5193eb47b757

SHA1
81b01d57875813c53ec8b8a0b3fc80705d51e92d

SHA256
de52ff6c5d04987636214e86dde8ecf21944b91748df64fbf134ac613a3b7fa9

SHA512
e20c25718814726ec8d3853e1a7a49e45cf1781cb89e94757dbf6253c2ee205e1be303fa452ab23958da53795d3fc0464272cbca3c5388e9d1de018f1e42cfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rt10dH.exe

Filesize
148KB

MD5
95dc1a3bbda4741683d400839d86cfe0

SHA1
d7e514373ae8f00e84a299bdcbbf65da6725820e

SHA256
a9ba88eba6e30e888144b4893cdbc0034caaefca9a74afab9a7b7249ea52e358

SHA512
55e7249c142a7bb2760eefd7375a8a748742f047952697edf9ca860de3ddc384d3c83129c793f6da3ba13bfdab1cd9ab7843b3147467b9d78328d4b8033e28e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hz4CM94.exe

Filesize
317KB

MD5
89c72f2ba8d1e8a1452f8892efc8fca1

SHA1
a1c6c15be5d746ba4a2ec641658fa83a31c0f8ab

SHA256
42423a58105a3ee266721ea3499ea7f301c21a6a767787f8eb96e1897a7bc7b8

SHA512
23d6b7b7ee3b12024e5fbd0626c1d266d49f6f5506f2f3980b1d5b3d031c0abad096fd105ca740f5b138e1d290bc3378ca3ffcadb9f13fca9178425d8a40d0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1nn07Pg6.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2OB0917.exe

Filesize
298KB

MD5
1bf4eac726c42f2b0cdae339d939a3fe

SHA1
93f84ad35165f0dab27031b6efdd798f0ea22294

SHA256
a1bf2975070a6c9392bc4faf536fef809d80f17e76cb092c9a24a79f5a3a006d

SHA512
4fb116df88d5484210aa87d7626b9ab19517aaa04a0f97d6b3331fd715723b966cc40fc10ff94d525bfaa0f84022000ccf03fe4d48f3661d4f9992606f1c0f9a

Download Submit
memory/640-29-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/640-34-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/640-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2076-63-0x0000000008A80000-0x0000000009098000-memory.dmp

Filesize
6.1MB

Download
memory/2076-359-0x0000000074120000-0x00000000748D0000-memory.dmp

Filesize
7.7MB

Download
memory/2076-64-0x0000000007D50000-0x0000000007E5A000-memory.dmp

Filesize
1.0MB

Download
memory/2076-65-0x0000000007B80000-0x0000000007B92000-memory.dmp

Filesize
72KB

Download
memory/2076-67-0x0000000007C40000-0x0000000007C8C000-memory.dmp

Filesize
304KB

Download
memory/2076-66-0x0000000007BE0000-0x0000000007C1C000-memory.dmp

Filesize
240KB

Download
memory/2076-58-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

Filesize
40KB

Download
memory/2076-56-0x00000000079A0000-0x0000000007A32000-memory.dmp

Filesize
584KB

Download
memory/2076-55-0x0000000007EB0000-0x0000000008454000-memory.dmp

Filesize
5.6MB

Download
memory/2076-52-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2076-54-0x0000000074120000-0x00000000748D0000-memory.dmp

Filesize
7.7MB

Download
memory/2076-57-0x0000000007C30000-0x0000000007C40000-memory.dmp

Filesize
64KB

Download
memory/2076-360-0x0000000007C30000-0x0000000007C40000-memory.dmp

Filesize
64KB

Download
memory/2528-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2528-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2528-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3376-48-0x0000000002FB0000-0x0000000002FC6000-memory.dmp

Filesize
88KB

Download
memory/3764-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3764-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3764-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3764-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download