dcrat | 66118f9e36f34b03dd9e57de222e2572d488761866351c66ada09b455e017681

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe
Size

1.4MB
MD5

0bc27a2491501ac1f8d8010d8af1071a
SHA1

0e8cc9986c76a986593044e44c2489d675518295
SHA256

ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5
SHA512

e97d2d29eb673ef93db84ec41429917830d4d16d4fef919c3258daac1365b2e7ab75fefa2100ee9586a55cb70f0f85e72e6fe07211b45932d04db1761d3efc7d
SSDEEP

24576:5ye7KjbVGqBXh1pu9+rCDFZTSOO58v2yODPbNbOlcSGO6EC3gf/7qYP2mChCu4hP:szZh+am9eyWPhmtDC3eFP2quI

Score

10^/10

dcrat mystic redline smokeloader grome backdoor evasion infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2FN2831.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4496-51-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5Qb5Lp1.exeexplothe.exe6Qc9be5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	5Qb5Lp1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	6Qc9be5.exe

Executes dropped EXE 14 IoCs

Processes:

ue6rA29.exeGt2Af11.exeZA4hP56.exemF1MZ63.exe1pg75EY7.exe2FN2831.exe3oQ78Qa.exe4Ri687QR.exe5Qb5Lp1.exeexplothe.exe6Qc9be5.exeexplothe.exeexplothe.exeexplothe.exe

pid	process
4920	ue6rA29.exe
888	Gt2Af11.exe
1376	ZA4hP56.exe
2776	mF1MZ63.exe
1528	1pg75EY7.exe
2252	2FN2831.exe
1804	3oQ78Qa.exe
4284	4Ri687QR.exe
1516	5Qb5Lp1.exe
1628	explothe.exe
1908	6Qc9be5.exe
5600	explothe.exe
4400	explothe.exe
5888	explothe.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exeue6rA29.exeGt2Af11.exeZA4hP56.exemF1MZ63.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ue6rA29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Gt2Af11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ZA4hP56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	mF1MZ63.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1pg75EY7.exe4Ri687QR.exe

description	pid	process	target process
PID 1528 set thread context of 5088	1528	1pg75EY7.exe	AppLaunch.exe
PID 4284 set thread context of 4496	4284	4Ri687QR.exe	AppLaunch.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5708 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5708	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3oQ78Qa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3oQ78Qa.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3oQ78Qa.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3oQ78Qa.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5092 schtasks.exe

pid	process
5092	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3oQ78Qa.exeAppLaunch.exemsedge.exemsedge.exemsedge.exe

pid	process
1804	3oQ78Qa.exe
1804	3oQ78Qa.exe
5088	AppLaunch.exe
5088	AppLaunch.exe
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
2360	msedge.exe
2360	msedge.exe
4616	msedge.exe
4616	msedge.exe
3448
3448
2244	msedge.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3oQ78Qa.exe

pid process

1804 3oQ78Qa.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

2244 msedge.exe
2244 msedge.exe
2244 msedge.exe
2244 msedge.exe
2244 msedge.exe
2244 msedge.exe
2244 msedge.exe
2244 msedge.exe
2244 msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	5088	AppLaunch.exe
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3448

pid	process
3448

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exeue6rA29.exeGt2Af11.exeZA4hP56.exemF1MZ63.exe1pg75EY7.exe4Ri687QR.exe5Qb5Lp1.exeexplothe.exe6Qc9be5.execmd.exe

description	pid	process	target process
PID 3884 wrote to memory of 4920	3884	ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe	ue6rA29.exe
PID 3884 wrote to memory of 4920	3884	ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe	ue6rA29.exe
PID 3884 wrote to memory of 4920	3884	ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe	ue6rA29.exe
PID 4920 wrote to memory of 888	4920	ue6rA29.exe	Gt2Af11.exe
PID 4920 wrote to memory of 888	4920	ue6rA29.exe	Gt2Af11.exe
PID 4920 wrote to memory of 888	4920	ue6rA29.exe	Gt2Af11.exe
PID 888 wrote to memory of 1376	888	Gt2Af11.exe	ZA4hP56.exe
PID 888 wrote to memory of 1376	888	Gt2Af11.exe	ZA4hP56.exe
PID 888 wrote to memory of 1376	888	Gt2Af11.exe	ZA4hP56.exe
PID 1376 wrote to memory of 2776	1376	ZA4hP56.exe	mF1MZ63.exe
PID 1376 wrote to memory of 2776	1376	ZA4hP56.exe	mF1MZ63.exe
PID 1376 wrote to memory of 2776	1376	ZA4hP56.exe	mF1MZ63.exe
PID 2776 wrote to memory of 1528	2776	mF1MZ63.exe	1pg75EY7.exe
PID 2776 wrote to memory of 1528	2776	mF1MZ63.exe	1pg75EY7.exe
PID 2776 wrote to memory of 1528	2776	mF1MZ63.exe	1pg75EY7.exe
PID 1528 wrote to memory of 5088	1528	1pg75EY7.exe	AppLaunch.exe
PID 1528 wrote to memory of 5088	1528	1pg75EY7.exe	AppLaunch.exe
PID 1528 wrote to memory of 5088	1528	1pg75EY7.exe	AppLaunch.exe
PID 1528 wrote to memory of 5088	1528	1pg75EY7.exe	AppLaunch.exe
PID 1528 wrote to memory of 5088	1528	1pg75EY7.exe	AppLaunch.exe
PID 1528 wrote to memory of 5088	1528	1pg75EY7.exe	AppLaunch.exe
PID 1528 wrote to memory of 5088	1528	1pg75EY7.exe	AppLaunch.exe
PID 1528 wrote to memory of 5088	1528	1pg75EY7.exe	AppLaunch.exe
PID 2776 wrote to memory of 2252	2776	mF1MZ63.exe	2FN2831.exe
PID 2776 wrote to memory of 2252	2776	mF1MZ63.exe	2FN2831.exe
PID 2776 wrote to memory of 2252	2776	mF1MZ63.exe	2FN2831.exe
PID 1376 wrote to memory of 1804	1376	ZA4hP56.exe	3oQ78Qa.exe
PID 1376 wrote to memory of 1804	1376	ZA4hP56.exe	3oQ78Qa.exe
PID 1376 wrote to memory of 1804	1376	ZA4hP56.exe	3oQ78Qa.exe
PID 888 wrote to memory of 4284	888	Gt2Af11.exe	4Ri687QR.exe
PID 888 wrote to memory of 4284	888	Gt2Af11.exe	4Ri687QR.exe
PID 888 wrote to memory of 4284	888	Gt2Af11.exe	4Ri687QR.exe
PID 4284 wrote to memory of 4496	4284	4Ri687QR.exe	AppLaunch.exe
PID 4284 wrote to memory of 4496	4284	4Ri687QR.exe	AppLaunch.exe
PID 4284 wrote to memory of 4496	4284	4Ri687QR.exe	AppLaunch.exe
PID 4284 wrote to memory of 4496	4284	4Ri687QR.exe	AppLaunch.exe
PID 4284 wrote to memory of 4496	4284	4Ri687QR.exe	AppLaunch.exe
PID 4284 wrote to memory of 4496	4284	4Ri687QR.exe	AppLaunch.exe
PID 4284 wrote to memory of 4496	4284	4Ri687QR.exe	AppLaunch.exe
PID 4284 wrote to memory of 4496	4284	4Ri687QR.exe	AppLaunch.exe
PID 4920 wrote to memory of 1516	4920	ue6rA29.exe	5Qb5Lp1.exe
PID 4920 wrote to memory of 1516	4920	ue6rA29.exe	5Qb5Lp1.exe
PID 4920 wrote to memory of 1516	4920	ue6rA29.exe	5Qb5Lp1.exe
PID 1516 wrote to memory of 1628	1516	5Qb5Lp1.exe	explothe.exe
PID 1516 wrote to memory of 1628	1516	5Qb5Lp1.exe	explothe.exe
PID 1516 wrote to memory of 1628	1516	5Qb5Lp1.exe	explothe.exe
PID 3884 wrote to memory of 1908	3884	ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe	6Qc9be5.exe
PID 3884 wrote to memory of 1908	3884	ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe	6Qc9be5.exe
PID 3884 wrote to memory of 1908	3884	ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe	6Qc9be5.exe
PID 1628 wrote to memory of 5092	1628	explothe.exe	schtasks.exe
PID 1628 wrote to memory of 5092	1628	explothe.exe	schtasks.exe
PID 1628 wrote to memory of 5092	1628	explothe.exe	schtasks.exe
PID 1628 wrote to memory of 4724	1628	explothe.exe	cmd.exe
PID 1628 wrote to memory of 4724	1628	explothe.exe	cmd.exe
PID 1628 wrote to memory of 4724	1628	explothe.exe	cmd.exe
PID 1908 wrote to memory of 404	1908	6Qc9be5.exe	cmd.exe
PID 1908 wrote to memory of 404	1908	6Qc9be5.exe	cmd.exe
PID 4724 wrote to memory of 3912	4724	cmd.exe	cmd.exe
PID 4724 wrote to memory of 3912	4724	cmd.exe	cmd.exe
PID 4724 wrote to memory of 3912	4724	cmd.exe	cmd.exe
PID 4724 wrote to memory of 3920	4724	cmd.exe	cacls.exe
PID 4724 wrote to memory of 3920	4724	cmd.exe	cacls.exe
PID 4724 wrote to memory of 3920	4724	cmd.exe	cacls.exe
PID 4724 wrote to memory of 3536	4724	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe
"C:\Users\Admin\AppData\Local\Temp\ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ue6rA29.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ue6rA29.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gt2Af11.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gt2Af11.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZA4hP56.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZA4hP56.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mF1MZ63.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mF1MZ63.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pg75EY7.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pg75EY7.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2FN2831.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2FN2831.exe
6⤵
- Executes dropped EXE
PID:2252

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3oQ78Qa.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3oQ78Qa.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1804

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ri687QR.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ri687QR.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Qb5Lp1.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Qb5Lp1.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
5⤵
- Creates scheduled task(s)
PID:5092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3912

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
6⤵
PID:3920

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
6⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2104

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
6⤵
PID:4360

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
6⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Qc9be5.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Qc9be5.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6939.tmp\693A.tmp\693B.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Qc9be5.exe"
3⤵
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff631246f8,0x7fff63124708,0x7fff63124718
5⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16358514498052917647,10148476090250097227,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
5⤵
PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,16358514498052917647,10148476090250097227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff631246f8,0x7fff63124708,0x7fff63124718
5⤵
PID:1780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
5⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
5⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
5⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
5⤵
PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
5⤵
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
5⤵
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
5⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 /prefetch:8
5⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
5⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
5⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
5⤵
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
5⤵
PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
5⤵
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
5⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 /prefetch:2
5⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff631246f8,0x7fff63124708,0x7fff63124718
5⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,739497807603802566,11775804353189723274,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
5⤵
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,739497807603802566,11775804353189723274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
5⤵
PID:2416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5216

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5600

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:5708

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4a02b53d-edad-45df-abc0-5185a014267f.tmp
Filesize
1KB

MD5
f0ad033579801f19db1491adab17fa62

SHA1
a35230902b76ae8e96174bd1a3c72d2bd90b8ce9

SHA256
fa126b8a55de49ef66258ad8b2ba1af4d65c9e176e4bf681e114a0617c4c797a

SHA512
bffd73a2fb9222d01067172497eff0fbe4296d95b9b46eea859762da000c99dc91757449981fb5dce68e88407d5278ace6455133a7c984e2b80dde84dab112ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4e4480e7-039a-49da-99f9-049064d645aa.tmp
Filesize
7KB

MD5
a189f62f777d7287bdf29789cae9c40e

SHA1
e17667d60e59536f804e7c4098518c18c648988a

SHA256
34fa2d84fc64067704930e4656c4eed65c7ab205e8d79ab6fc1e94ae8aa16cc1

SHA512
16863f85f1264e6c978dd73d6a5a4bb7af2db249c24732c7ea512168fad9f5ba4f25961f64405c206f7f4ebe3bb15fb6539b2188825de590ed01b572d8c42485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
fdb484921dc87a5993b0f626e6db2dd7

SHA1
c140a5afc74d59925699ef3bcbd6b79d3218cbe2

SHA256
a5191fbf254ce08f00154a1211cfa21e42f770d516761d2c1157feb5bd9be3bc

SHA512
df3bdcb9fefcb471ecb482c599ffe1c35727d7b6370c8905b63f5bb25662788ad1079d8ac8fe0bd0f565b2d4a8b5cd8a7649286564d54252656b4a49d88194f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
9dd3a32cbf9fbb7db183972632af7850

SHA1
75773dbd92d03455d48a41a1d39db22c9f534173

SHA256
3628a86b72f6ca84e68239c761b3443013ac67c6fd1e9650311f96d8b1bb1cf6

SHA512
34bd10743241f94ebd6dad1533f0e734e556ec2b12dc0b0b4a8f1377148ef576f950662d67fccc760b7bf7162c160410fa8379aa5106ea3d0a484b23c05fdd9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
64c3b8b18b6040c14019ba2e9f294ce3

SHA1
feca933c8baa8ef1551d609e38a0c70bd91edf04

SHA256
e629ed4c94e2e52ff367584fbe006a869972493420fd84b0e1b7744af389dd70

SHA512
79a9ce550080452c4a57fe70cb04686892717dad45f2b6b3d9b488338c31cba7979396199431ec94ae4b62621334e897dfd08efc0d5fd2714b02b1f4c86e83d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
bad15138762b07cd6e7be362ca33ae78

SHA1
e5c5fbc18fdb9e8b7289d994c1f35a813f7e6627

SHA256
d5219e3552f9fa230150af72cec1c00c17cc025bc8bedeb1b5a36e326bdadf57

SHA512
9176a854f3977f14261e1c48affa9fa48f0df7e20db76172627b79383e4338917d6a8d1d3ee2598a860e894bfc8b8b9b81bf8cc42a10f61c7b013293d0554d04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
b916c10ebc9d9c5f19096c5127979403

SHA1
3de1af73d14c5a8759413089bd10f80ffd77b112

SHA256
a0e0fbdfac6fcfef4711bbf731c60bb79521765716130f820881409d8d0fe825

SHA512
2f997288b2f8ac5cd7da5f668c212baf623abc2f955aa71ec17c5135b5aea91deacbc033cb5f79dbaf454ebeb8d2bab232878c9a751b4dca5a5fabceb2a9edcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
e4f1726dfd947fa76a8c6a535fb8bbd3

SHA1
d1897dcfb0546c8b4169eef9724e6e2a38dee3a4

SHA256
46ecfccd9517bd7dbbcc267b4b449762dd283f33475d5ad5fc596ae3f6bae0c9

SHA512
f474902b8b10e9a21e8549f65eac094bc802057c6d8cb17e4070360470f0f4b78b4592b7f30274890ea1ec68e496dfca8f824f897b1860936c0e9d487c31b012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
0ccfa9471c2ad5ef3045701fab651396

SHA1
6f8f2599444806bb496e8261c599613165f4815a

SHA256
efa839dddb1a2a51fbd1a79bc57867c3fbd8c7c0c3fdd93f4bc91a05f1f1fd83

SHA512
628f29c94603fbcbac554696c3a56b971fa114528bf8d298af5a73152b45776cc5986825d295e6e8266c90a7069ba198265c25870db995cc5acb71f2ec6da98c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
c9c3033c09444d95bf9b846a50e252e1

SHA1
f417bc615206209a1d529a765b0fa03b39f95eac

SHA256
79a63f06fe16c5464b3438b06e32f5c7d4419ce659384deda81611eece586fb9

SHA512
e9c0eb9e1b321720adad2e937184d9b59d7811128ff60fb4970a436d5325301da73fb44adb1a76b456c5cd99c84096b6d57e82c9c642d490ef5de0516495821d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d12b.TMP
Filesize
48B

MD5
5551a7cb03056c90a6f852f8c0f1c7d5

SHA1
47aeb839e1b4767de1221d8d7598633304ceae9b

SHA256
c486874eb9bf9b3a3c260ff5f3f0ff457d78fed8a1bbd409a336348dbf768861

SHA512
f2b2fe5528945acbf4fe21dda47eca8d8dd41e997b314a9d797fc1f649280611a948327e567ab4884e74deb855fe5655d363fa68732c437843358add8ccf8523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b08e4a4a3fced077c8ccc35e4b86d27a

SHA1
c2fbd0d7afff62c0be7bd464b03bf79fa9658d7a

SHA256
e61a0cd151611df50b746bc0cbec7e722fd08da662f2d9df30b02a7aa4de7523

SHA512
e64b3a7be55e22530b03205dbca11303b0b5caa44ed3790aab52ac1168c3b7463b5d830bdea1a7cb392fd800df17658003c2cae240f4226e872c50988072e7a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
63d9f6d0f71da9f49dc81e9e16fed6b2

SHA1
c065942cee752eac60d0b097f40737d5e26957b0

SHA256
8d69a0573c2027b4361e6b95cdcf7e22b46cc4bc8cd68de37be9e7c7bcae7e67

SHA512
b14b53fc4e22f9d5759415c0936951a1a31fe8b8bc5d66feb3d5d2b5f99bce6a747f7e91416e6bf8391d6b53f456b59931c8f08ab7afc37de9d44b4ca2896fab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c92c.TMP
Filesize
1KB

MD5
ef58b3c8ef373e10f9ee904c0395bf86

SHA1
03f74ef387397aabf342d9f0eb6a9561e383b280

SHA256
9e312886c7d684599edb97b9ecc5df79f90064e81ac569059304e685f09489c2

SHA512
c8b4feceea989c2db994b1f9a8ef4ac25682cb880f8703414d57f9c62e9f1f92090326eba1ac2de3680b06a646e9fc067a8abfedfe0defd5b04e1ef26e8d70b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
0e912ccc39ccb43b40d2ef9b978380dc

SHA1
42a11032505f099931cb06e5d3f3b5a2824c2a8f

SHA256
7e2936c53ee934ef16d8dd24b686ebb72af9b2ca3d8d0d729078b6fb0cb97d3e

SHA512
f8c4a10b62ee0cbfc6d6ecbc2ad63683db9b233bcf5363585be1e849c78478d131cb2dcc28895d7b1ed0200b13b24441be5bcea00689e54fe97ae2c82270a1c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
9c0eb54d8d4b3b125398ebb8826dc3e1

SHA1
ae3421b53abb3703d482b603f1aff67acbd26971

SHA256
7634700c2ba106f272a7f6ba7e49d7d980b2b8c863fd8ef140b031c4029316c6

SHA512
b44aedf96370ce0163cf91709241c242867291f3bc19716492a9f129357829201ac26750fb55c6fa3c4c18b6f01b24e0c961a40a7de290ee2f188810a9f7abb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
98194fc608087ce6dcda353882ca8007

SHA1
420813098d7b28aa2c8f959a336741872e8272c3

SHA256
d70edac4f08cf16e79eead31194db093d016e7845d65f3ce4bc2259fd784e1c3

SHA512
5c189915f1d40f9526dc55e69554c42ffc2094aad001be66e9e8e6c4113aab1cc725f39bc350779df18c21478147a20c34fa3bcdaf5b542a1b4ddf8f73563d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6939.tmp\693A.tmp\693B.bat
Filesize
568B

MD5
bcbb9cb105a5466367c5f6ceb38e614a

SHA1
be7f3382e1a4a78428c8285e961c65cefb98affb

SHA256
878c05348c1269420ec01dd070212589b5118eba58a4592f89fc36b2a5860d8d

SHA512
efed12dc71ded17bde4a2f7849ef77d80db75d29c52351f6338f4a9ab5d8b42ba7b9fdca7eb472866819749587f79eb3c6b73e0398f4813b51f300d9a65b0fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Qc9be5.exe
Filesize
87KB

MD5
4d758d7dd4253618b3750dbc02e9ba8f

SHA1
d25c25ed9d0d72199f81690c145a6586136b7a16

SHA256
b4402966b9ecd41ac74a5e6e9632bccc9790d47fadb30e303054be0ed75b05ac

SHA512
76c72f9f4122d5430f6858485573930aea32709570a5b223abf9d1251bbeeff691dbd76e4b32a302c869793598537e57dc8a25a9fb4ce94a6ae0365a73c46bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ue6rA29.exe
Filesize
1.3MB

MD5
07d5a4981604d6c3bcd5a9f7b1f6f4ef

SHA1
a12e9e83a98483bab36e881c5512012c5e848af8

SHA256
7b994d3b12efb064f84f8784324d612c913b1d52446556fd2f564c4e4fed4227

SHA512
ad191363781985d579fe4853281bbc3fa6f950eb88d342818307a5631fce8b9e270f38f0b87d6444eede56d5d59381cabaa6529f4252b6b2285d90a4a37ea275

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gt2Af11.exe
Filesize
1.1MB

MD5
ed173328d1931f2916a4ed40cdcae723

SHA1
3c3b26c1a9bc4d35778f509d11356926de59ccad

SHA256
b2b2eadfca132eeca8517d05f6128823281b2ff9f10b59ad902209bf986ddd00

SHA512
03b0ea1f56b60ef777ce030e2d1a6079ba7ac1e97dd4eadc90305cf30a3e2e700e9de73286521557ce56b7a87440135d16a3777a485fb0fd4132ed3c0eb5e483

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ri687QR.exe
Filesize
1.1MB

MD5
028acd6b8d59c554ff41f837cbc3886c

SHA1
db3e10489bfbe192006373f7d004a6d21fe59787

SHA256
a7da8994326d83f8ee2902b8b96608ed588cafa99a9fd6f53bfdc72d0c9b7ada

SHA512
c13f3a6cc1919feb2bd129fc8c983be9a5f794177a14dfd63d34fa0add0e5c491b85ead7487bf417e827fba04a6fbc01154c69bb5ff453b4c725376d35c6b599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZA4hP56.exe
Filesize
698KB

MD5
294702aad4a50e2904aabc229bf63222

SHA1
06496ad15d675ed3a2909cdfc3a2fdfa4e7ef955

SHA256
572e5bb001ea13fe9116f22e5ef156f8441285e4daf89889a2c9aea50f82e231

SHA512
15063c6fd56b0020f2f9928caf911ac43428ed00d5577d2fbdcd99bf7d1f4a1b69d5752d44169b2ac564a513b04b87ef10340a765d7214f68ecd990d38b64a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3oQ78Qa.exe
Filesize
30KB

MD5
a2a8503fa5b0909fc7061ab2526dcf79

SHA1
6de70590fbce34fcecd14fa489eebe32ddc54705

SHA256
c22853b040f35efa42761bbfad1455d3f552c61ceddfab30f180f2b0d50268fb

SHA512
b9b8db133956f578e13cb77ffd8d881a86e957048c452aaade2f501a22ba7b821323d1d62e7656d4856c8d9dff497ad9076373c29e2d3eed5545e0451750c6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mF1MZ63.exe
Filesize
574KB

MD5
8ac38c2fe934b7249b579786a31f6416

SHA1
2f75c2d2a83b9a13ade2321c2f5c0f55964fe42c

SHA256
9e404bc764a48d9ea36b18e7e1786890a3f111ad76d50160ffee3fd8b7a80abd

SHA512
04d4f2800a807599e11363c02c7988da34f567c1815cd4a2cd5f4503f8e525a2bca4fcddc64bb4a3610b83e3dec42d56a2a55e844f8178bc35fb523783446b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pg75EY7.exe
Filesize
1.6MB

MD5
29e9546e7fe835b413a5d65599213b53

SHA1
64d6d2eca4e197a390702a08b074c5ef6da2fa32

SHA256
d65b10dc2c1598935786fd0d562aaee9c9fc6b7d6f950da6de13db6686cab814

SHA512
e556877abd79052f3d3bc6175971001531f363745d396aa96302218cf11b4fc94980f946aae758ff14d8cc8af4d9dcb26503142e2d1cded2d21ab37ddc009658

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2FN2831.exe
Filesize
180KB

MD5
c48daf2acb868a7a781de9b5aa6af69c

SHA1
04a9e5ac7d3b2a326b64b5cdabdfd4c75f07742d

SHA256
c74ac1603c2417b67ff88a4011d5f4ea9e972ca80d554237c845269bc68d562a

SHA512
1690f6f0d3228467f8fc9ff5a2a843a103acf4cd68df058df8794b1e11e3a9d01175434821edd0f79626f885f4f808cf08c743c4ea6ab21525790bd8fd8f0ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
ff32549725de81479d2849fddcaba456

SHA1
e6fd7d684fa167c632f3a666d3213267a0e3eb5a

SHA256
d66bba14a81476dd4cdc0e8a11abe4832c7df1ada84f44a952e2b391f34eb9bd

SHA512
2878b38f535640331ba28633b0cf8c27b54406314da7fb4b1b8683aef20b52c86f510df1bcad4d7b11a7fd91967de74323a3a539055f90f54e742257c04727bf

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\pipe\LOCAL\crashpad_2244_QNUBKGVFEQIGORMI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1804-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1804-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3448-44-0x0000000003260000-0x0000000003276000-memory.dmp

Filesize
88KB

Download
memory/4496-57-0x0000000073DB0000-0x0000000074560000-memory.dmp

Filesize
7.7MB

Download
memory/4496-370-0x0000000007630000-0x0000000007640000-memory.dmp

Filesize
64KB

Download
memory/4496-73-0x0000000008710000-0x0000000008D28000-memory.dmp

Filesize
6.1MB

Download
memory/4496-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4496-360-0x0000000073DB0000-0x0000000074560000-memory.dmp

Filesize
7.7MB

Download
memory/4496-74-0x00000000079A0000-0x0000000007AAA000-memory.dmp

Filesize
1.0MB

Download
memory/4496-78-0x0000000007AB0000-0x0000000007AFC000-memory.dmp

Filesize
304KB

Download
memory/4496-59-0x0000000007670000-0x0000000007702000-memory.dmp

Filesize
584KB

Download
memory/4496-75-0x00000000078D0000-0x00000000078E2000-memory.dmp

Filesize
72KB

Download
memory/4496-77-0x0000000007930000-0x000000000796C000-memory.dmp

Filesize
240KB

Download
memory/4496-58-0x0000000007B40000-0x00000000080E4000-memory.dmp

Filesize
5.6MB

Download
memory/4496-68-0x0000000007800000-0x000000000780A000-memory.dmp

Filesize
40KB

Download
memory/4496-64-0x0000000007630000-0x0000000007640000-memory.dmp

Filesize
64KB

Download
memory/5088-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5088-42-0x0000000073DB0000-0x0000000074560000-memory.dmp

Filesize
7.7MB

Download
memory/5088-226-0x0000000073DB0000-0x0000000074560000-memory.dmp

Filesize
7.7MB

Download