amadey | 66af6bcbc768a1e6b57b31bb0e5016e2c5414e61f60b73ef3e5ca74fdcce06b5

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe
Size

1.5MB
MD5

e51db332898f96c123006867309d8ff7
SHA1

5f0766969d31cdc281703bfe21e6f94e9625a039
SHA256

4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35
SHA512

3a54dbacec0c202fcbfc9bf963eec06ddd3d0a05158504a389d39c734942fc4e20177a1d4e1700262b8e1da1548d57ce75650f10b100175a560d2891e25b7c10
SSDEEP

49152:gM3XFzwFlHHkXZ2spmEitbxvbmLOBgqRQqWr:zHF8FVHkXZ/pMt9jmLFq2q

Score

10^/10

amadey dcrat mystic redline smokeloader grome backdoor paypal evasion infostealer persistence phishing rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Mystic stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3424-47-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3424-48-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3424-49-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3424-51-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4464-63-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5Ff7UI5.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	5Ff7UI5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 15 IoCs

Processes:

Ne6rm96.exead1Pw71.exeQM8iU38.exeKe7PS41.exera0xn46.exe1Kh96ep8.exe2Lr5170.exe3Yj63sv.exe4YH070YN.exe5Ff7UI5.exeexplothe.exe6cl5ZY4.exe7VP9vi48.exeexplothe.exeexplothe.exe

pid	process
3520	Ne6rm96.exe
1960	ad1Pw71.exe
4192	QM8iU38.exe
4976	Ke7PS41.exe
1992	ra0xn46.exe
1856	1Kh96ep8.exe
4252	2Lr5170.exe
3000	3Yj63sv.exe
4280	4YH070YN.exe
4856	5Ff7UI5.exe
4492	explothe.exe
4824	6cl5ZY4.exe
3964	7VP9vi48.exe
5452	explothe.exe
1468	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exeNe6rm96.exead1Pw71.exeQM8iU38.exeKe7PS41.exera0xn46.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ne6rm96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ad1Pw71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	QM8iU38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ke7PS41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	ra0xn46.exe

Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 3 IoCs

Processes:

1Kh96ep8.exe2Lr5170.exe4YH070YN.exe

description	pid	process	target process
PID 1856 set thread context of 1236	1856	1Kh96ep8.exe	AppLaunch.exe
PID 4252 set thread context of 3424	4252	2Lr5170.exe	AppLaunch.exe
PID 4280 set thread context of 4464	4280	4YH070YN.exe	AppLaunch.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

6872 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5000 3424 WerFault.exe AppLaunch.exe

pid	process
6872	sc.exe

pid	pid_target	process	target process
5000	3424	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3Yj63sv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Yj63sv.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Yj63sv.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Yj63sv.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1904 schtasks.exe

pid	process
1904	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3Yj63sv.exeAppLaunch.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
3000	3Yj63sv.exe
3000	3Yj63sv.exe
1236	AppLaunch.exe
1236	AppLaunch.exe
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
4856	msedge.exe
4856	msedge.exe
3472
3472
1844	msedge.exe
1844	msedge.exe
3472
3472
4028	msedge.exe
4028	msedge.exe
3472
3472
3472
3472
3472
5584	msedge.exe
5584	msedge.exe
3472

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3Yj63sv.exe

pid process

3000 3Yj63sv.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exe

pid	process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1236	AppLaunch.exe
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3472

pid	process
3472

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exeNe6rm96.exead1Pw71.exeQM8iU38.exeKe7PS41.exera0xn46.exe1Kh96ep8.exe2Lr5170.exe4YH070YN.exe

description	pid	process	target process
PID 5104 wrote to memory of 3520	5104	4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe	Ne6rm96.exe
PID 5104 wrote to memory of 3520	5104	4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe	Ne6rm96.exe
PID 5104 wrote to memory of 3520	5104	4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe	Ne6rm96.exe
PID 3520 wrote to memory of 1960	3520	Ne6rm96.exe	ad1Pw71.exe
PID 3520 wrote to memory of 1960	3520	Ne6rm96.exe	ad1Pw71.exe
PID 3520 wrote to memory of 1960	3520	Ne6rm96.exe	ad1Pw71.exe
PID 1960 wrote to memory of 4192	1960	ad1Pw71.exe	QM8iU38.exe
PID 1960 wrote to memory of 4192	1960	ad1Pw71.exe	QM8iU38.exe
PID 1960 wrote to memory of 4192	1960	ad1Pw71.exe	QM8iU38.exe
PID 4192 wrote to memory of 4976	4192	QM8iU38.exe	Ke7PS41.exe
PID 4192 wrote to memory of 4976	4192	QM8iU38.exe	Ke7PS41.exe
PID 4192 wrote to memory of 4976	4192	QM8iU38.exe	Ke7PS41.exe
PID 4976 wrote to memory of 1992	4976	Ke7PS41.exe	ra0xn46.exe
PID 4976 wrote to memory of 1992	4976	Ke7PS41.exe	ra0xn46.exe
PID 4976 wrote to memory of 1992	4976	Ke7PS41.exe	ra0xn46.exe
PID 1992 wrote to memory of 1856	1992	ra0xn46.exe	1Kh96ep8.exe
PID 1992 wrote to memory of 1856	1992	ra0xn46.exe	1Kh96ep8.exe
PID 1992 wrote to memory of 1856	1992	ra0xn46.exe	1Kh96ep8.exe
PID 1856 wrote to memory of 1480	1856	1Kh96ep8.exe	AppLaunch.exe
PID 1856 wrote to memory of 1480	1856	1Kh96ep8.exe	AppLaunch.exe
PID 1856 wrote to memory of 1480	1856	1Kh96ep8.exe	AppLaunch.exe
PID 1856 wrote to memory of 1236	1856	1Kh96ep8.exe	AppLaunch.exe
PID 1856 wrote to memory of 1236	1856	1Kh96ep8.exe	AppLaunch.exe
PID 1856 wrote to memory of 1236	1856	1Kh96ep8.exe	AppLaunch.exe
PID 1856 wrote to memory of 1236	1856	1Kh96ep8.exe	AppLaunch.exe
PID 1856 wrote to memory of 1236	1856	1Kh96ep8.exe	AppLaunch.exe
PID 1856 wrote to memory of 1236	1856	1Kh96ep8.exe	AppLaunch.exe
PID 1856 wrote to memory of 1236	1856	1Kh96ep8.exe	AppLaunch.exe
PID 1856 wrote to memory of 1236	1856	1Kh96ep8.exe	AppLaunch.exe
PID 1992 wrote to memory of 4252	1992	ra0xn46.exe	2Lr5170.exe
PID 1992 wrote to memory of 4252	1992	ra0xn46.exe	2Lr5170.exe
PID 1992 wrote to memory of 4252	1992	ra0xn46.exe	2Lr5170.exe
PID 4252 wrote to memory of 4092	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 4092	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 4092	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 4564	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 4564	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 4564	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 3424	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 3424	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 3424	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 3424	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 3424	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 3424	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 3424	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 3424	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 3424	4252	2Lr5170.exe	AppLaunch.exe
PID 4252 wrote to memory of 3424	4252	2Lr5170.exe	AppLaunch.exe
PID 4976 wrote to memory of 3000	4976	Ke7PS41.exe	3Yj63sv.exe
PID 4976 wrote to memory of 3000	4976	Ke7PS41.exe	3Yj63sv.exe
PID 4976 wrote to memory of 3000	4976	Ke7PS41.exe	3Yj63sv.exe
PID 4192 wrote to memory of 4280	4192	QM8iU38.exe	4YH070YN.exe
PID 4192 wrote to memory of 4280	4192	QM8iU38.exe	4YH070YN.exe
PID 4192 wrote to memory of 4280	4192	QM8iU38.exe	4YH070YN.exe
PID 4280 wrote to memory of 4464	4280	4YH070YN.exe	AppLaunch.exe
PID 4280 wrote to memory of 4464	4280	4YH070YN.exe	AppLaunch.exe
PID 4280 wrote to memory of 4464	4280	4YH070YN.exe	AppLaunch.exe
PID 4280 wrote to memory of 4464	4280	4YH070YN.exe	AppLaunch.exe
PID 4280 wrote to memory of 4464	4280	4YH070YN.exe	AppLaunch.exe
PID 4280 wrote to memory of 4464	4280	4YH070YN.exe	AppLaunch.exe
PID 4280 wrote to memory of 4464	4280	4YH070YN.exe	AppLaunch.exe
PID 4280 wrote to memory of 4464	4280	4YH070YN.exe	AppLaunch.exe
PID 1960 wrote to memory of 4856	1960	ad1Pw71.exe	5Ff7UI5.exe
PID 1960 wrote to memory of 4856	1960	ad1Pw71.exe	5Ff7UI5.exe

C:\Users\Admin\AppData\Local\Temp\4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe
"C:\Users\Admin\AppData\Local\Temp\4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ne6rm96.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ne6rm96.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ad1Pw71.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ad1Pw71.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QM8iU38.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QM8iU38.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ke7PS41.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ke7PS41.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4976
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ra0xn46.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ra0xn46.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Kh96ep8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Kh96ep8.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:1480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Lr5170.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Lr5170.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:4092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:4564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 540
        9⤵
        Program crash
        
        PID:5000
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Yj63sv.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Yj63sv.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3000
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4YH070YN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4YH070YN.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4280
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ff7UI5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ff7UI5.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4856
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4492
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:1904
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:4460
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe
    3⤵
    - Executes dropped EXE
    PID:4824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VP9vi48.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VP9vi48.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5CB6.tmp\5CB7.tmp\5CB8.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VP9vi48.exe"
    3⤵
    PID:3744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb51b446f8,0x7ffb51b44708,0x7ffb51b44718
        5⤵
        
        PID:4312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        5⤵
        
        PID:1960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
        5⤵
        
        PID:4740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        5⤵
        
        PID:4984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        5⤵
        
        PID:5128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
        5⤵
        
        PID:5336
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
        5⤵
        
        PID:5628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
        5⤵
        
        PID:5856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:1
        5⤵
        
        PID:5932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
        5⤵
        
        PID:4824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
        5⤵
        
        PID:5904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
        5⤵
        
        PID:6324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
        5⤵
        
        PID:6376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
        5⤵
        
        PID:6548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
        5⤵
        
        PID:6748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
        5⤵
        
        PID:7064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
        5⤵
        
        PID:6528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:1
        5⤵
        
        PID:5472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
        5⤵
        
        PID:6760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7688 /prefetch:1
        5⤵
        
        PID:6544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7960 /prefetch:8
        5⤵
        
        PID:6056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7960 /prefetch:8
        5⤵
        
        PID:6064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
        5⤵
        
        PID:6332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:1
        5⤵
        
        PID:3080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7664 /prefetch:8
        5⤵
        
        PID:5024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
        5⤵
        
        PID:552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,5264764448148802543,6239960569205261170,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3772 /prefetch:2
        5⤵
        
        PID:7056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:2304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb51b446f8,0x7ffb51b44708,0x7ffb51b44718
        5⤵
        
        PID:4816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9421121274679487451,17741416871167303589,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        5⤵
        
        PID:1428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,9421121274679487451,17741416871167303589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:2284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ffb51b446f8,0x7ffb51b44708,0x7ffb51b44718
        5⤵
        
        PID:1368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,10726227278766416191,7808285469894409127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
      4⤵
      PID:4092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb51b446f8,0x7ffb51b44708,0x7ffb51b44718
        5⤵
        
        PID:1648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,5637845794816546160,6176737887921729929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        5⤵
        
        PID:5684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
      4⤵
      PID:1360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb51b446f8,0x7ffb51b44708,0x7ffb51b44718
        5⤵
        
        PID:3804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6266067077678501302,13857992646962935758,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
        5⤵
        
        PID:5092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
      4⤵
      PID:2436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb51b446f8,0x7ffb51b44708,0x7ffb51b44718
        5⤵
        
        PID:5028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
      4⤵
      PID:5396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb51b446f8,0x7ffb51b44708,0x7ffb51b44718
        5⤵
        
        PID:5352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
      4⤵
      PID:6156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb51b446f8,0x7ffb51b44708,0x7ffb51b44718
        5⤵
        
        PID:6168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:6184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb51b446f8,0x7ffb51b44708,0x7ffb51b44718
        5⤵
        
        PID:6244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:6360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb51b446f8,0x7ffb51b44708,0x7ffb51b44718
        5⤵
        
        PID:6400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3424 -ip 3424
1⤵
PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1468

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:6872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f35bb0615bb9816f562b83304e456294

SHA1
1049e2bd3e1bbb4cea572467d7c4a96648659cb4

SHA256
05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

SHA512
db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1eb86108cb8f5a956fdf48efbd5d06fe

SHA1
7b2b299f753798e4891df2d9cbf30f94b39ef924

SHA256
1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

SHA512
e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
34KB

MD5
1859aea7dc09d0a9a7aefb9fb25e1a35

SHA1
922d879559f041d25d3b7e07f2ba722346c793de

SHA256
b24b1d9ae581c072d4d5033a3ef0e58b920c42ac8ba161684206c59e0cc19f5d

SHA512
d30d213755b202d7c2a0565513be3d3f20bab599222e8231593370314e52b3ac11c88b65794877db7d3b21d14f3da277886738e5bae0387242cfda4b552a0ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
220KB

MD5
a2b8f50613120957b728fb63ba3754a7

SHA1
9ba7ba93ef671ce1c7bf227bf52857169622b73f

SHA256
671464fcd75cfaf5b761b3288f2e986cbc9c7376d701bc97161e5d6f07e394c9

SHA512
025446665b3ac1ed7e6497e94628986291ad5c0625bf7d349ea9f74bb9df85c7f2d771fe91520773ff155c95bd2e6cc461bd8f12f5ef54aa0ddc390d123398d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
198KB

MD5
cda68ffa26095220a82ae0a7eaea5f57

SHA1
e892d887688790ddd8f0594607b539fc6baa9e40

SHA256
f9db7dd5930be2a5c8b4f545a361d51ed9c38e56bd3957650a3f8dbdf9c547fb

SHA512
84c8b0a4f78d8f3797dedf13e833280e6b968b7aeb2c5479211f1ff0b0ba8d3c12e8ab71a89ed128387818e05e335e8b9280a49f1dc775bd090a6114644aaf62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
cffdd8043f32336348bb48b2c616d733

SHA1
6aad19f5d65cb65e8ada22b4e95c986711f4f29b

SHA256
a625b29d1f60b22959b84b588a6638002f36a4bc75e2714fb33bc9a8e0d5ed33

SHA512
cfbe1d51d9d84756c2564963ec3a6a1a4bd7990265fc6cc8e75c53bac88f4f4de5f02e727acd198e2af3a587dacebee82b270249cc2696e3e066ccca82af05d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
bc7c772747d24cf7ceb6811efcde89b1

SHA1
fed7c60f9ee1300cdf72ba8b836b731ce16ba9ee

SHA256
cf08e4378ddd4d0a2b37abc53033be8934727b99383c3f03e48fbb5aff686f21

SHA512
40b445c2ba1ea7f7d379b266c5fad54381b226f7f4064b78cbcc3044ac2ebc1289654fdd1b25d16d1f1308a761bacd8a16bde48df48b02643f5e7933d09d9110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
5d98007cae9df32ae53f5bf1a74b273c

SHA1
f5ff53beb96defa7598f536b9b091817b63b0d2f

SHA256
26b9f15e6ca768396ace555360ec92c8f886721a7d6d3b58af658f119e047e9a

SHA512
f8ecc733e4e97ff12083b4f4743ae0f036183c5aec27889aa94e9985c931be4189349b867cae0ae41fc110b7e467ededb616bf40d02d43b30aef0b45c1af5133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
0e4adba98274cfc874f744a81e68ae48

SHA1
960e37e1a05a2ed22bd35c8c29ec4e5b0cb40f0f

SHA256
a78103b1ee6d10c08f8fa48b84dab694d171da0afaed62d4fd59e7e7ea589737

SHA512
e0cb85e6350873f61eaea4608a870bd9d1df352e292f5b8d8f54d214c557cf47eee1a5e6fe0b9f48ad14b64d767540afc964d8618de5102e6f4079f3c4222a7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
e4e876cd3bdd3b3d7068b498b6109b97

SHA1
186d7947fd54b322fd4249f91aa59a50462c796c

SHA256
3ee673e4f7ed0f4f74bc14076d335a3e020c40e010db4691376854499341a497

SHA512
df803cf742c4829f6259d3566feec3c0d06dc0402b33f7dbf604cd9878e72e85ae287d8a725a9d38fd682453ea0e08de626ddffc8f09da3c7fa0a14f350e7e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
266e83ef8b819cd9e032ebe046ffd63c

SHA1
2f3dc02af7dfb070cb64a8483b47009dcb232fd9

SHA256
26df785514c9303a0a94ce7350c0e51a5ec3e98b919fda54daa3b0971685310c

SHA512
3a6b20db30badff573e2bf4cfcd0875fa7f8e13fdb19a45b52c618c0a6a852cd7aca1c7a1b450dd513384207747bd41426974aa7a41fadce4327ed9b22b0e472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
ecd6944323f689ac155fff52256e5801

SHA1
dd75528a93e1fe485f45194c339a173aabd89d71

SHA256
9012c28420e4b0c97427de3f5033426ce35642573e635f2891a2937e7414666d

SHA512
a73d0c0bd4611a0c8e163e055271c4ec68dcd814850fde09895a824ab796c225dadcc1a5f6fc084e9b34cd827f5686c24e95f4c093bb512d50c6c6768a0f8cce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
14e9fae0eded524dfc10a90588cc48dc

SHA1
5a20a54c6085b2180f7cb058f69a2d9642b23e3f

SHA256
0260adbc68454eeee0f66114e5161ee69367fc2541194f43b03401b6421112f0

SHA512
9002c49a8edcc87df609724b022cc1aa8ece737bc045f7775e4e0273a8f771ae5ab9a3a71e3556e1a0154e21a26448677265c2809d1cdd93cc63a6ac55b08c78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
9bdaf79b308a5ee12d5a1f6527c2f5fa

SHA1
48c845434e78e8259325d4e1512cf6eb08e41121

SHA256
b3a70f66310aedb963c27ff2dfd5632098d70b18b0fae4f3596520874a0fcd13

SHA512
3bfec30a5195441b54d7ca3d0c2f1922b2a88148e452be2ae82fd60db27bdd867a01367a22fa3b43fdb5f8f36fdebbb72868aa53dfca1de36952df19e04e9389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
c820def7546be5c4f44052e2b3f910e3

SHA1
58b4c1f3e0adde7e142cf486d1fc290e785a8901

SHA256
78f1c46c1c32b8e5fed2d7e9b00f7d674f4a0083f3b9d8864d7dd11964c14bff

SHA512
c567e8a1ba2d8810bd06cb30921966a0211195d52551d5838d6e6c58817b9166caa3144df6d6ab29b5eb122736ee66c593705c33148d2010635947075f941e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
85d89ec7dea3f6265d25c29ca9ab9b52

SHA1
86b95fbb6bfcc48c07437021de7e9ffe39856d7c

SHA256
8c97dd9f7ae11144a7955535db9908987dca0486c505dc62593235254f5a45d4

SHA512
0108ead82b549ccdaf9ba28d1a109ec91199ef7fbe4b251cee702c94c2625255d471f1fb3ef2b2a75a7a3a3c823386122d61cff7be458764cafa8f7ca10c15ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d098c008b2a227715c62f69b2831e723

SHA1
f8cea073dcfdef5b7dba27af05acc276868e4a46

SHA256
3779363101c928a7cfc5f260ae763f82ce314d9035a63785209765e6313ff1d6

SHA512
25bf09a47be27cf51c48f7e7617ec76d2ead5a2ed93ed18afde705d91ce1a0481b761d2cd62e662b6e44d7dffe5d20e384017817106d68b7ab1a50b2c44e6667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f06b.TMP

Filesize
48B

MD5
3b9893ced0ab52a195a0837051cdb087

SHA1
c91aa10db42a51a00b2623975df8db92fd6a9c59

SHA256
3b55860a4bbfd0ef7a78d3dd40dae57468a169654b8c227c4f0c766df39d9d70

SHA512
8f6da6727a78dc029d0d9232eaf3bc97fb147748320ff845a9b704d2e53132101c99315ff28eb90fa6f7d0c99eaa393a77f96ecfbde898f5a0335b7495cae199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
3919bdcca273d334e957b95a2439f211

SHA1
76084bf01a2b8b424bb3df7a6178f95751446807

SHA256
a000d265a8e727c99d43247a21357c959e9f836f5ff290ea6ce328ef82a08edf

SHA512
d83cba98d4038649a0a5a9aea3ba888b8237867c7bdcfea40890127d5a50512ca071e7f9a8a020014632d9d0022944f65b175bd8ff91d09d5af1f9946c5cd460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
ec112a3b6d02ae23e6ea03535594f87f

SHA1
1d9042fca41806251397c07c8fbd034003276b84

SHA256
39af06bf747dacb82fd88e006df95b05406d7f93eee3877f0fdc74aa7be54258

SHA512
6243736ea7955545a7fc08ce43999e2c019d0150ed99f0029869c9a3d8a56b1e632247bedab566797e9c93208436dfa3c58db9131ad776d7e291a83d93376f50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
805e0356f76cfef345a3bf3c06cd6199

SHA1
429cd7cc201afb580bb6bb7c7eb2e30192eefa9f

SHA256
17f0f412969844c0e356c8ed2aee3a9bd569f295f0e8dff09c1bd08a73d3c365

SHA512
fa4c8f84b51ccf0b47f66083f28749af8088fcb5e3947d089507885f17aa77e252c7684b6cbdbfa88caaef8f750872372f60fbeeade838a950c67be9140f10df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
500d5848543d62670f41ade50e0ddb1e

SHA1
a4ef6316f0a72907f2dda5211a106982cbf0fcf6

SHA256
e47ce3d98f8a56400ba54943a3ce382bafb75e07383eccee50179c271a75f1e3

SHA512
214601afcaadff7faa915f0e68b69489e511329326cf769351195377c96339ee517c7ce91249d363e750c6b4f851a81d211c2947ed27143abe60e5dc316fc4cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b2e5.TMP

Filesize
3KB

MD5
563533b4f6593a936b0af292435c44d5

SHA1
273a71626a5958f2a9c1a3e8b5e773d1f5753327

SHA256
6882af7e39c7d728d02c2244415136ec3f0b2ff0b0413d5b34ded7bc74685f50

SHA512
b36db1aa8d369be24810157e97133455b48d6d03f65ba97a7adafb4a28116e216c132bf905aede38ff59c3ccfc707f4bd3ca94111d4e451560469eb532beae34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
3a180c878af721c697098893d11c1a2e

SHA1
1d0ee3e9223cf5cf1bef828beed3e700b920e623

SHA256
6ba2bf3cdf6ed733cb49f43bbfa9d0adf900f6479b3304cd159cf7b0123b5e74

SHA512
569015da77d82752bdb56c6fe535122736f599005de841768875cbd585e581bc0407764b0c253ae380ece58ec58ef4ce87b5c6c72a6f21268fc6acc9e2350b85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2892601243aa8b72c9735cd2edae29b6

SHA1
4ebab93eda3e07d6cc8cdd23a721bd91941897d5

SHA256
aaab80eb4e8bc2162cdc21b15b926b75c02798c9a95489e8211267620d8438f7

SHA512
b425f38797aa21e1419e882320ef795b71cecaad801b3b21139e66e4ba1022fedc7bc4ebb5a7ff34cebb9f6e8090ffccbd3efc6539452a012845f9e6448976c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
35b9724ea06b3160242d7b4c751a62e8

SHA1
bf2d827e134ac6074d439e267e53d0814c737878

SHA256
428d9d8e4bf6ff6ac333dc00f1d1f34d9a865d9d83883bf3544a4d8d52e613c4

SHA512
17a67c15cc345cc9f3a7671a1efadc1948d383055832085dae873edbbdebd7595c274ec00d2b097bdd0420625115beba3252c44106abcc2b8f4a1bdd742f3d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6a8436f625161da13ed927f11b168d09

SHA1
32babeee39b9316ba6088f90c07875a0eb6f3d53

SHA256
6fb69934d6bb76574d1c10fe78a5e640451af41fbdfb0423ffc0d73f6781c5ca

SHA512
e05cdf16e3651a702a1dfa47a3de6e1e1d9ea2396d69302254b15d61c5009f74ffde66aa433876f1e69984c04e4c7ed311e67c0c5584dc3c01da39c0195d44f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
22cd1f5a4c3af6e729eb27be63a98eee

SHA1
de3bdac0fbd5a56272bb6b65d886f78703e04c30

SHA256
9370930a254961801a714a95d3504c8250f2cd9150daa3029a4bc92e48b1a3ed

SHA512
71c52d0972eee70ed66832431ce9371c9379599b5ac0bb76bfcb632c0ee3c0753d3880a02ec907e87f99dc033a7694b65cba403ec9c294642bd80e77d034ca11

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CB6.tmp\5CB7.tmp\5CB8.bat

Filesize
429B

MD5
0769624c4307afb42ff4d8602d7815ec

SHA1
786853c829f4967a61858c2cdf4891b669ac4df9

SHA256
7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f

SHA512
df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VP9vi48.exe

Filesize
89KB

MD5
3133993a538a99260b5c75dea467b6bd

SHA1
b692d4b36bbe655541d433b6df4c3f6eb3f1c653

SHA256
01dd907a4893609e560a3f454ca46940ca62e1773b7c88832131b13250df657b

SHA512
583abbb3c458e60badb918c822102b23a8f782ce29ae257fa38658801f76d3670f5e3b07ec3246c456ca73a2aa6b9e20610fd8f7921849bab9286ce83aba5539

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ne6rm96.exe

Filesize
1.4MB

MD5
bb050dbdad09b6bc2f9db25e1a3004c7

SHA1
d1f8a357ce5327c9d57240310e3212e64f3babdc

SHA256
c755956f09922488a6ec4cdff24394c9a62954fa9b811fa93d8122aa3b6671bc

SHA512
15c8bebd1f5153f07d82142f85d4de9662eddd405813100b8f1d00b1893686f94368fa6c64bda805920178511054bffbfcd09a3e0c8ba03d9d375b03615512aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cl5ZY4.exe

Filesize
183KB

MD5
88acae707753281487dbc4527670d207

SHA1
7586b5f38a75d254955b41764a9f9a24f0f955b5

SHA256
8acb5f4f5b17179dd329d91b90d3195e179c2073a8262c79f525296163aabbb0

SHA512
77dfb4f601e8f637c5ab7e5cfc08e51a4a384d07f85d56cd87d82e8d4731e877fd841b0369232b5301d3cf8f9a8c001e787af072f798547a106c1175e0f69d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ad1Pw71.exe

Filesize
1.2MB

MD5
8e8e91a7197d3732146ad5c3dccff354

SHA1
c676eb26052a0fe2b614dd13db89153b1a859efe

SHA256
087a896f87f3804d36f472b9bd51df25519b800924be524ba493ca987c06fbaf

SHA512
d86710464152555147d7629ba22b1dfb4ad2f9829954d01877e7c635bb3f1fd102f568d00e66bf0ee10a7cadeb57b8361f3631f154d4d726cff8d293f6fbbe56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ff7UI5.exe

Filesize
220KB

MD5
3ecd38a31f182874dc4d87d671100149

SHA1
548bc5ba1eb0de483cb566b317ce8cc94796a178

SHA256
a6bd53b43ef7820cb928829288276a9dc67c2746b8e07f0e83413cfacd2edfea

SHA512
5d895fae9f16f19cc954aeb8325895d3e70c871982a20e42431a541fb598be8c2f018a36b9a24b7e718c0859621555e819ec98e4db465b9f2ddbef39dcc67a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QM8iU38.exe

Filesize
1.0MB

MD5
967017a45c0c287b2ba5ab6f10104124

SHA1
8f0c76f5bccfd14f23849956a71873ea478143c1

SHA256
1b1c8ff3f8b0603d134d080497fabae4b843603676a023b8051e7f204eecaac0

SHA512
c69913a5e85c18d1a4cf989037928cb149b9103b2d1b669141c6264933dac31486c90c0852437806269fdba8fea8dcae7d099ad3acc6fa42a28ae44d55bb1abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4YH070YN.exe

Filesize
1.1MB

MD5
cc4365a9c7ecf0318360c45254979e82

SHA1
d608476ab37b1d13ecfc184072ef3a7fe63b1647

SHA256
47fdad2537a470c75542cc2d083feb3e0f3ca88338bb2e5672a800a49eabd2fb

SHA512
69e18695ddcf7e036286d5ec4fe847bbc4162a98d3365ed452a2f7f852d2e10230c4664fa625218a8f56f361ed414940b849940fff2af03b57733c377359da85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ke7PS41.exe

Filesize
645KB

MD5
8d634245a812844ec5ae4bee28bcdde2

SHA1
f155caf7c67ace562f56763954532b5846e7c050

SHA256
21dea19875cdd46e800e3036ba9dfdc27a486d3af1d7382eeab09dba4816ad5b

SHA512
1425ce838574ef4fdaa5d505e259aff3dfb99c1200cea749b214c5375f6b7be6e5b8871a3fa22737cbad97a34671f617d315b2c915bf76859adf510f347acbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Yj63sv.exe

Filesize
30KB

MD5
01db0ac394d011fde2a7d7c88dba99ec

SHA1
33157ef71a8e7744a71e9ca1da1be6ac46c84178

SHA256
40288e39d9a0b282ada1fe11dd6ed3f0d8e00fe417356a5969511632f096daee

SHA512
74a5aceb4c653a7c1b5fb6d9a4f8512751531fea719c34bd37e1ab9cf49452d28a9096aa0e6dfbd8a912384fc54594c01c54ee794a3d8dc5f32dbef239f927af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ra0xn46.exe

Filesize
521KB

MD5
77a8ab496365178c46a095cb8cb28cd3

SHA1
bd6d15bf014edac87ed66e007b8def58250e40ad

SHA256
4c8ec900c71a459ba62dfa2c5c9041c3056ca6d1af16b60f4bb8b03db498f58b

SHA512
dc4e50a32358d7d5b19c2be0ba54d3ca0d0cfec36250f9042b1d2673b70071e6df2a05e55f387018bee786eb5c3e321825f137d1a642803e10a5bd7a52854f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Kh96ep8.exe

Filesize
878KB

MD5
3d6052b8fd7dd9c074d3a44a8aa029b3

SHA1
21e53e281b95d3fa17748dee13fec3e06382938e

SHA256
96e449db3e1b1c1ec4102ab96f33c2e4bc564109154cad6f129f47b1b240dfc5

SHA512
9020b107104c45e07545e5183c67b6f44e3a0a83a90bfa0f8c1b1cdb1b9b92aba16508a8095778b9a2f58ffdab5f7bd7067819a3fa34b9c44264f555b62e3254

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Lr5170.exe

Filesize
1.1MB

MD5
af1f39bf6ad69013f0bba4803f391d19

SHA1
f30be3f7bfdf1895a1761dc4d7e5fc6daa5b70bc

SHA256
d5b5a1e8b2730b04854fee843d893b2b35298cc559bc4feb7dbf4fcea2acbe5f

SHA512
3820617eb0018be7f4dca921570fefb8e33bc507b71a468e2ce41e1b6fb4a9036a368e23e17fcbcbc673787e66bac0064f62195dae30f1a5143f267492b6c080

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\pipe\LOCAL\crashpad_2304_GBOFZIBACBAGMJFQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1236-46-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/1236-286-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/1236-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3000-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3000-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3424-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3424-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3424-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3424-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-56-0x0000000001030000-0x0000000001046000-memory.dmp

Filesize
88KB

Download
memory/4464-91-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4464-883-0x0000000007CA0000-0x0000000007CB0000-memory.dmp

Filesize
64KB

Download
memory/4464-877-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/4464-93-0x0000000008700000-0x000000000874C000-memory.dmp

Filesize
304KB

Download
memory/4464-92-0x0000000007FD0000-0x000000000800C000-memory.dmp

Filesize
240KB

Download
memory/4464-90-0x00000000085F0000-0x00000000086FA000-memory.dmp

Filesize
1.0MB

Download
memory/4464-89-0x0000000008C10000-0x0000000009228000-memory.dmp

Filesize
6.1MB

Download
memory/4464-83-0x0000000007C50000-0x0000000007C5A000-memory.dmp

Filesize
40KB

Download
memory/4464-79-0x0000000007CA0000-0x0000000007CB0000-memory.dmp

Filesize
64KB

Download
memory/4464-72-0x0000000007B90000-0x0000000007C22000-memory.dmp

Filesize
584KB

Download
memory/4464-70-0x0000000008040000-0x00000000085E4000-memory.dmp

Filesize
5.6MB

Download
memory/4464-69-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/4464-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download