amadey | b3767abd0edf10f66b81b14d4b2410893837b8c25815d961c17b713ec10560ce

Analysis

max time kernel
184s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3.exe
Size

1.6MB
MD5

ade10cbc533c8399aa2996b16c3484ca
SHA1

f90a827c38ce6c1269a6ce7e83d2dab2b56a5cab
SHA256

ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3
SHA512

6c15ecfaf6080927b299a605f68d6725d49663eec6d9d57b35fa0d150b75bb3ca523bd4932f119f84966983a01a7ebb29f82d52724f5e66729f6f0247044335e
SSDEEP

24576:4yhAsIvxrRj9Wbijl2cDJNc09Y26NvILBCG/hFGYQImW3d5ewxHoOwJcf9k:/OV/nLjpLLq3W3iON1

Score

10^/10

amadey dcrat mystic redline smokeloader grome backdoor evasion infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Mystic stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2824-49-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2824-50-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2824-51-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2824-53-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6mI6ZJ1.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4752-65-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5YN9cF8.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	5YN9cF8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 13 IoCs

Processes:

Bb4sI60.exepA6pn03.exeCl9Ma70.exeHF3tF16.exeWi6vt90.exe1hx00uM4.exe2Gi2538.exe3ym33tv.exe4Ls158Jb.exe5YN9cF8.exeexplothe.exe6mI6ZJ1.exe7od4vo62.exe

pid	process
2744	Bb4sI60.exe
2620	pA6pn03.exe
3644	Cl9Ma70.exe
3788	HF3tF16.exe
4800	Wi6vt90.exe
2252	1hx00uM4.exe
3984	2Gi2538.exe
2288	3ym33tv.exe
2908	4Ls158Jb.exe
4900	5YN9cF8.exe
4816	explothe.exe
5036	6mI6ZJ1.exe
2060	7od4vo62.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HF3tF16.exeWi6vt90.exeded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3.exeBb4sI60.exepA6pn03.exeCl9Ma70.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	HF3tF16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	Wi6vt90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Bb4sI60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	pA6pn03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Cl9Ma70.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1hx00uM4.exe2Gi2538.exe4Ls158Jb.exe

description	pid	process	target process
PID 2252 set thread context of 2996	2252	1hx00uM4.exe	AppLaunch.exe
PID 3984 set thread context of 2824	3984	2Gi2538.exe	AppLaunch.exe
PID 2908 set thread context of 4752	2908	4Ls158Jb.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
488	2252	WerFault.exe	1hx00uM4.exe
1448	3984	WerFault.exe	2Gi2538.exe
3492	2824	WerFault.exe	AppLaunch.exe
2776	2908	WerFault.exe	4Ls158Jb.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3ym33tv.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3ym33tv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3ym33tv.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3ym33tv.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1532 schtasks.exe

pid	process
1532	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exe3ym33tv.exe

pid	process
2996	AppLaunch.exe
2996	AppLaunch.exe
2288	3ym33tv.exe
2288	3ym33tv.exe
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3ym33tv.exe

pid process

2288 3ym33tv.exe

pid	process
2288	3ym33tv.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	process
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2996	AppLaunch.exe
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3504

pid	process
3504

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3.exeBb4sI60.exepA6pn03.exeCl9Ma70.exeHF3tF16.exeWi6vt90.exe1hx00uM4.exe2Gi2538.exe4Ls158Jb.exe5YN9cF8.exe

description	pid	process	target process
PID 1376 wrote to memory of 2744	1376	ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3.exe	Bb4sI60.exe
PID 1376 wrote to memory of 2744	1376	ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3.exe	Bb4sI60.exe
PID 1376 wrote to memory of 2744	1376	ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3.exe	Bb4sI60.exe
PID 2744 wrote to memory of 2620	2744	Bb4sI60.exe	pA6pn03.exe
PID 2744 wrote to memory of 2620	2744	Bb4sI60.exe	pA6pn03.exe
PID 2744 wrote to memory of 2620	2744	Bb4sI60.exe	pA6pn03.exe
PID 2620 wrote to memory of 3644	2620	pA6pn03.exe	Cl9Ma70.exe
PID 2620 wrote to memory of 3644	2620	pA6pn03.exe	Cl9Ma70.exe
PID 2620 wrote to memory of 3644	2620	pA6pn03.exe	Cl9Ma70.exe
PID 3644 wrote to memory of 3788	3644	Cl9Ma70.exe	HF3tF16.exe
PID 3644 wrote to memory of 3788	3644	Cl9Ma70.exe	HF3tF16.exe
PID 3644 wrote to memory of 3788	3644	Cl9Ma70.exe	HF3tF16.exe
PID 3788 wrote to memory of 4800	3788	HF3tF16.exe	Wi6vt90.exe
PID 3788 wrote to memory of 4800	3788	HF3tF16.exe	Wi6vt90.exe
PID 3788 wrote to memory of 4800	3788	HF3tF16.exe	Wi6vt90.exe
PID 4800 wrote to memory of 2252	4800	Wi6vt90.exe	1hx00uM4.exe
PID 4800 wrote to memory of 2252	4800	Wi6vt90.exe	1hx00uM4.exe
PID 4800 wrote to memory of 2252	4800	Wi6vt90.exe	1hx00uM4.exe
PID 2252 wrote to memory of 2996	2252	1hx00uM4.exe	AppLaunch.exe
PID 2252 wrote to memory of 2996	2252	1hx00uM4.exe	AppLaunch.exe
PID 2252 wrote to memory of 2996	2252	1hx00uM4.exe	AppLaunch.exe
PID 2252 wrote to memory of 2996	2252	1hx00uM4.exe	AppLaunch.exe
PID 2252 wrote to memory of 2996	2252	1hx00uM4.exe	AppLaunch.exe
PID 2252 wrote to memory of 2996	2252	1hx00uM4.exe	AppLaunch.exe
PID 2252 wrote to memory of 2996	2252	1hx00uM4.exe	AppLaunch.exe
PID 2252 wrote to memory of 2996	2252	1hx00uM4.exe	AppLaunch.exe
PID 4800 wrote to memory of 3984	4800	Wi6vt90.exe	2Gi2538.exe
PID 4800 wrote to memory of 3984	4800	Wi6vt90.exe	2Gi2538.exe
PID 4800 wrote to memory of 3984	4800	Wi6vt90.exe	2Gi2538.exe
PID 3984 wrote to memory of 2824	3984	2Gi2538.exe	AppLaunch.exe
PID 3984 wrote to memory of 2824	3984	2Gi2538.exe	AppLaunch.exe
PID 3984 wrote to memory of 2824	3984	2Gi2538.exe	AppLaunch.exe
PID 3984 wrote to memory of 2824	3984	2Gi2538.exe	AppLaunch.exe
PID 3984 wrote to memory of 2824	3984	2Gi2538.exe	AppLaunch.exe
PID 3984 wrote to memory of 2824	3984	2Gi2538.exe	AppLaunch.exe
PID 3984 wrote to memory of 2824	3984	2Gi2538.exe	AppLaunch.exe
PID 3984 wrote to memory of 2824	3984	2Gi2538.exe	AppLaunch.exe
PID 3984 wrote to memory of 2824	3984	2Gi2538.exe	AppLaunch.exe
PID 3984 wrote to memory of 2824	3984	2Gi2538.exe	AppLaunch.exe
PID 3788 wrote to memory of 2288	3788	HF3tF16.exe	3ym33tv.exe
PID 3788 wrote to memory of 2288	3788	HF3tF16.exe	3ym33tv.exe
PID 3788 wrote to memory of 2288	3788	HF3tF16.exe	3ym33tv.exe
PID 3644 wrote to memory of 2908	3644	Cl9Ma70.exe	4Ls158Jb.exe
PID 3644 wrote to memory of 2908	3644	Cl9Ma70.exe	4Ls158Jb.exe
PID 3644 wrote to memory of 2908	3644	Cl9Ma70.exe	4Ls158Jb.exe
PID 2908 wrote to memory of 4752	2908	4Ls158Jb.exe	AppLaunch.exe
PID 2908 wrote to memory of 4752	2908	4Ls158Jb.exe	AppLaunch.exe
PID 2908 wrote to memory of 4752	2908	4Ls158Jb.exe	AppLaunch.exe
PID 2908 wrote to memory of 4752	2908	4Ls158Jb.exe	AppLaunch.exe
PID 2908 wrote to memory of 4752	2908	4Ls158Jb.exe	AppLaunch.exe
PID 2908 wrote to memory of 4752	2908	4Ls158Jb.exe	AppLaunch.exe
PID 2908 wrote to memory of 4752	2908	4Ls158Jb.exe	AppLaunch.exe
PID 2908 wrote to memory of 4752	2908	4Ls158Jb.exe	AppLaunch.exe
PID 2620 wrote to memory of 4900	2620	pA6pn03.exe	5YN9cF8.exe
PID 2620 wrote to memory of 4900	2620	pA6pn03.exe	5YN9cF8.exe
PID 2620 wrote to memory of 4900	2620	pA6pn03.exe	5YN9cF8.exe
PID 4900 wrote to memory of 4816	4900	5YN9cF8.exe	explothe.exe
PID 4900 wrote to memory of 4816	4900	5YN9cF8.exe	explothe.exe
PID 4900 wrote to memory of 4816	4900	5YN9cF8.exe	explothe.exe
PID 2744 wrote to memory of 5036	2744	Bb4sI60.exe	6mI6ZJ1.exe
PID 2744 wrote to memory of 5036	2744	Bb4sI60.exe	6mI6ZJ1.exe
PID 2744 wrote to memory of 5036	2744	Bb4sI60.exe	6mI6ZJ1.exe
PID 1376 wrote to memory of 2060	1376	ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3.exe	7od4vo62.exe
PID 1376 wrote to memory of 2060	1376	ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3.exe	7od4vo62.exe

C:\Users\Admin\AppData\Local\Temp\ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3.exe
"C:\Users\Admin\AppData\Local\Temp\ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bb4sI60.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bb4sI60.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pA6pn03.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pA6pn03.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cl9Ma70.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cl9Ma70.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3644
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HF3tF16.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HF3tF16.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3788
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Wi6vt90.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Wi6vt90.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hx00uM4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hx00uM4.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 584
        8⤵
        Program crash
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Gi2538.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Gi2538.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 540
        9⤵
        Program crash
        
        PID:3492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 584
        8⤵
        Program crash
        
        PID:1448
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3ym33tv.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3ym33tv.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Ls158Jb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Ls158Jb.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4752
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 584
        6⤵
        Program crash
        
        PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YN9cF8.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YN9cF8.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4816
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:1532
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:4148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6mI6ZJ1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6mI6ZJ1.exe
    3⤵
    - Executes dropped EXE
    PID:5036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7od4vo62.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7od4vo62.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\65D4.tmp\65D5.tmp\65D6.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7od4vo62.exe"
    3⤵
    PID:2816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff850946f8,0x7fff85094708,0x7fff85094718
        5⤵
        
        PID:1812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        5⤵
        
        PID:5720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        5⤵
        
        PID:5728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
        5⤵
        
        PID:5292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
        5⤵
        
        PID:4824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3400 /prefetch:8
        5⤵
        
        PID:5324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
        5⤵
        
        PID:6596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
        5⤵
        
        PID:6632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
        5⤵
        
        PID:6948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
        5⤵
        
        PID:7124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
        5⤵
        
        PID:5448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
        5⤵
        
        PID:5544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
        5⤵
        
        PID:6228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
        5⤵
        
        PID:5420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
        5⤵
        
        PID:4068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
        5⤵
        
        PID:2580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1
        5⤵
        
        PID:5928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8552 /prefetch:1
        5⤵
        
        PID:2688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8556 /prefetch:1
        5⤵
        
        PID:5052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
        5⤵
        
        PID:2200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14592294832498783308,15859067632587378226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9116 /prefetch:1
        5⤵
        
        PID:6400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:3752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff850946f8,0x7fff85094708,0x7fff85094718
        5⤵
        
        PID:2248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,8945377054002935101,7047924427841549044,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
        5⤵
        
        PID:5860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,8945377054002935101,7047924427841549044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
        5⤵
        
        PID:5868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:3152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x140,0x16c,0x7fff850946f8,0x7fff85094708,0x7fff85094718
        5⤵
        
        PID:3764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12857707637259133292,2953766305954807048,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        5⤵
        
        PID:5908
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,12857707637259133292,2953766305954807048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        5⤵
        
        PID:5940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
      4⤵
      PID:4408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff850946f8,0x7fff85094708,0x7fff85094718
        5⤵
        
        PID:2856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,15122620542482686392,2046239578577743753,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
        5⤵
        
        PID:5768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,15122620542482686392,2046239578577743753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
        5⤵
        
        PID:5852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
      4⤵
      PID:4428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff850946f8,0x7fff85094708,0x7fff85094718
        5⤵
        
        PID:5088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,3459397392713898954,2423470202404582149,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
        5⤵
        
        PID:5884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,3459397392713898954,2423470202404582149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
        5⤵
        
        PID:6136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
      4⤵
      PID:4520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff850946f8,0x7fff85094708,0x7fff85094718
        5⤵
        
        PID:2584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,12729196961511914130,2250168029918806711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
        5⤵
        
        PID:5948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,12729196961511914130,2250168029918806711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
        5⤵
        
        PID:5956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
      4⤵
      PID:4312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff850946f8,0x7fff85094708,0x7fff85094718
        5⤵
        
        PID:400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,13823589695837918127,514414373937935568,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        5⤵
        
        PID:5916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,13823589695837918127,514414373937935568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
        5⤵
        
        PID:5932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
      4⤵
      PID:632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff850946f8,0x7fff85094708,0x7fff85094718
        5⤵
        
        PID:4296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,2556704803303557650,13124502079251289409,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
        5⤵
        
        PID:5876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,2556704803303557650,13124502079251289409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        5⤵
        
        PID:5892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:1808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff850946f8,0x7fff85094708,0x7fff85094718
        5⤵
        
        PID:1444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13204687849623152077,6745069536091331857,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        5⤵
        
        PID:5900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13204687849623152077,6745069536091331857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
        5⤵
        
        PID:5924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:1136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff850946f8,0x7fff85094708,0x7fff85094718
        5⤵
        
        PID:1000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,2663344532579092268,18174477327408388438,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
        5⤵
        
        PID:5836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,2663344532579092268,18174477327408388438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        5⤵
        
        PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2252 -ip 2252
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3984 -ip 3984
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2824 -ip 2824
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2908 -ip 2908
1⤵
PID:4484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\924b3715-2760-4c97-871c-0aa5adee58fc.tmp

Filesize
8KB

MD5
f38930ba109e8497d6f83136c6a53212

SHA1
5cc7827632665c0398e731bfa3da7c897a83b621

SHA256
8a601475b8e55bcb2f86cc6d48c97e1e7b68347f169d188e1ef40e612fced415

SHA512
4e58e0760d72a47ab42017a8899e24e2f3a17e4061e5705aade3c5a6d726c7928e5981dc6b4e80fc51dbb4abead234718de69968d16b37262491127387298a9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36bb45cb1262fcfcab1e3e7960784eaa

SHA1
ab0e15841b027632c9e1b0a47d3dec42162fc637

SHA256
7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae

SHA512
02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bbbf3f242958118f7b9711e830ada501

SHA1
022351c4a0d6c0ebeedc2b36797347643b75b18d

SHA256
f9ba97df1bc463c62d7a50f5e2524d7aa8fa7311b3bb642ceefb7a396d788921

SHA512
2d8b7b9d39a12cedc7c8f24c0fa068d82ce788cd6cd203a9aeb2ccd3c40062e62d3d15430662b9696172a223668cdf841eabb4b7f71a96110efa66f142ede3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c9d1fe06-a3ed-42df-853a-4deaa38b5968.tmp

Filesize
8KB

MD5
ceb1ac0b2185bdffb4e94a9a32eb808d

SHA1
1b5b151d15d0bd53a8537e78ab8d1dd4e35d813d

SHA256
9dacbf6fde04dbf41b140ebb35d682d9b304ac954f73e513256bbb3242916cb4

SHA512
d576e782dc45b4c501242b10b6a7d3dc749899bf703c0383e11cd36c33ce04e5947ee84b094673c90decfa03a06387c99a98adec7eccc44510a87047bcc7facd

Download Submit
C:\Users\Admin\AppData\Local\Temp\65D4.tmp\65D5.tmp\65D6.bat

Filesize
1KB

MD5
df17aff26f059073bed6a5f8824e5c39

SHA1
f880f5cbe705ed78afe9cb3a7667b50dbc08443f

SHA256
079ad17541306c21039854f1c9a28a9e1b0f131a2fd509f2a6bb1852875a3ea0

SHA512
2c9cdd6846b45cbbfcfbe7dbfdaecd32a602c1feb3af1c0a1e894b1e55af5e1e8f095eb60c42bc6efafc37f3c26bc9e45259afbcde9e67bb75c93fb418a1af79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7od4vo62.exe

Filesize
91KB

MD5
f2eb32162552030618921a82538c0ff2

SHA1
6e4e4df261fdba95faff343c96cead516bc9194f

SHA256
c6664c938b76e9c7eb4247493fa1ff3b14c3e8ff2778725cde379e9a55e41738

SHA512
475d44e367d62d75570d09116e04fc32e84d918fcb1c201b076c02ce98855657d1e63abf059d2c92173dec8db52035236732d06883cd987fce5cbb725bf9977f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bb4sI60.exe

Filesize
1.4MB

MD5
743bf9cdca6ea5adfb9e475227c5f3d5

SHA1
250bbd060bb82b4066c92cd20df79619681587da

SHA256
2a97859cddc37384d5ef6a7b2f058c822ad9c02eb7e2984459a93d100e4cc099

SHA512
7054c7733a9c0193389a5332d4b19290e1642ef0f42bf5c7c0bfe3d74b41677dbd5cf16ca5478defe709bc7833385ebe67541b703299f63b80b38d0be923dcbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6mI6ZJ1.exe

Filesize
183KB

MD5
e12078d2f1c5c08ccc902919ee91bed4

SHA1
4e3c8a0db6668c91f8f5a2de47ff40c4469c784d

SHA256
4b1a61222139aa81ff95af81ed020f1868d2c8ab7957d9a1622f71b4efacc1b9

SHA512
9bfd1c93e132d8a863b51dee6fc4510ef6a622e290286525070aa84fb924c5da088272567175d1e5d6b4ead90fdc03320cd3c4b62963e567fd9e2627ebe54774

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pA6pn03.exe

Filesize
1.2MB

MD5
b5aa8faa391aa31c3d3776f32a62e2bf

SHA1
251bf6b707c1e9eb65269ddfd09634f87c26761b

SHA256
febf939eebc8155aea38ac261f8186a76490443b884aa8b03754342c5ac523f1

SHA512
fab9bb011cd55af7d2042745730edc570c14556b2728faf0c0d9eaaacba20fc54969dcdc934ffaec9a8d8c80d6ba12b1b0db5487c177619827963ab8e4f72511

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YN9cF8.exe

Filesize
220KB

MD5
3d8dec61c2301e71b89f4431164f5d79

SHA1
025f61e763a285b5bfcd1b3806504d834063f765

SHA256
423b28c786a6076a062e8bdbecc8d61154428067d6c3644b89169164849e3ef0

SHA512
591573633664fd4f3dac1c59dcccc0f6a7f9feaaed44922aa51db463ab612cdd9d8c989437a48d9e597c1f09d393322937a3d463d1fff0f5777c964a4bb2cef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cl9Ma70.exe

Filesize
1.0MB

MD5
796e4ec879d848657becd7134a06ab15

SHA1
f4f641ed59de0b6bb52d89e5a9e1967ebdbb5a5d

SHA256
53833bdb9ec4fb73752975fa7106bfe5e9caa9c22f21652268708c3555a0b936

SHA512
8973e2626769f1f9a831853f0444865a84ca7efa3d57ad8449b619fe5d97421027354f25253f8c1b62d6cbf29de4201f6e50489df73de34585a5d0450d19d312

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Ls158Jb.exe

Filesize
1.1MB

MD5
c474cb24af058ec68f12ecedb0bd6087

SHA1
ba1cdb7706fc2085052d82a3ed402aa443a164d7

SHA256
8cbcd459d3ec3e02afb56c45998ee13d21a8cd608872d3a4b34a4e50271691e6

SHA512
cd55dee64cdebd241f7c2346eb1a623c039efbcc2d692c779d7fbe7a6b398ac2650f3ce9a7b19d9f0e7ae1c297703161872fbef045c089b052ec97c09a6cccaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HF3tF16.exe

Filesize
650KB

MD5
f62eceb3fc4bfd927e27fa19e756940d

SHA1
189fe79fb7f49bb5caa45533469414d3c068dfcd

SHA256
b68a25e474556269133d2b5d9e2d87c734d17a3d8fcdc36509e35318f454d157

SHA512
c440f576674f8c0fbc161a71bacf18624c67e1f1606f203544a81eb4cd93a8ed5268637135ec157a38fb47bab97cd8a7f9a78c06c0872d0dcf50e12ad2a12127

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3ym33tv.exe

Filesize
30KB

MD5
30ec45fd1a7be1935df3aa3d1111e8b1

SHA1
3ccca92612e7499ec8a6e64bb0e3fb6ef8acca1c

SHA256
e684530f18f278535a6e18cd0333933a9655c27ed3a93a72092fa99be4b9580f

SHA512
a2e0f9bf141d747ed5d980a7f3b6b9af69a4662f5c615762805f60b1ee89078b7c14c536ea2b8514ae712b5b94620ddebdb934091a4db18075d8907cf9a3ffba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Wi6vt90.exe

Filesize
525KB

MD5
74681a07f8f98d658a6469447868388a

SHA1
d0777184718687027f99064967877cbf6ced8e6f

SHA256
7fad3d06e94f57d01beae8fe2c3a7fc4555a96916914e87bc3d2050d785d0232

SHA512
b51cf8637e2a79066978d37d4de1537998395597910afa3ede6845ed28036aa3094e045a1a5224155e906838723f0301e88843e7e7f94aff29d2870ef492513e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hx00uM4.exe

Filesize
890KB

MD5
e978c7e1a5be84e958419fdcecd0e1f0

SHA1
16990d1c40986a496472fe3221d9ceb981e25f4a

SHA256
e72e37b2e1966aa59d99102486d99e0cded9faded978cdb8e7b1e59e49c4cb14

SHA512
9fb36bc7791fa24cd8e87ab2fbe02079361f299a84866882b945fab775e44408d112543aced0735cb4aa6267fe8c325925a20ca643cd47b2bb3e07a2ba49484a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Gi2538.exe

Filesize
1.1MB

MD5
8a4f92e7bae66ff53f4af5d0b94d7f0b

SHA1
4a3e2802afd48fddcad3b3badc28261aac260ea7

SHA256
791eedb3d2a4b678426283d48a53a6b1d9a1e059d5ca71c942b4b854ea4f2cc5

SHA512
1d2140f8792e3ab56e1fbd956f4b2cc7a31efa698284644a858c43e373b2053840d76870a45eeac43cae5eca9bd6b9c2b1f5704e26b0b2c0732f0bec0fe96027

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\pipe\LOCAL\crashpad_4408_PSBEZHXPPCBKZAMT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2288-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2288-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2824-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-50-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-45-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/2996-43-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/2996-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3504-58-0x0000000002EB0000-0x0000000002EC6000-memory.dmp

Filesize
88KB

Download
memory/4752-68-0x00000000080A0000-0x0000000008644000-memory.dmp

Filesize
5.6MB

Download
memory/4752-93-0x0000000007D80000-0x0000000007D90000-memory.dmp

Filesize
64KB

Download
memory/4752-118-0x0000000008C70000-0x0000000009288000-memory.dmp

Filesize
6.1MB

Download
memory/4752-119-0x0000000008760000-0x000000000886A000-memory.dmp

Filesize
1.0MB

Download
memory/4752-120-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/4752-79-0x0000000002E60000-0x0000000002E6A000-memory.dmp

Filesize
40KB

Download
memory/4752-76-0x0000000007D80000-0x0000000007D90000-memory.dmp

Filesize
64KB

Download
memory/4752-207-0x0000000007D40000-0x0000000007D7C000-memory.dmp

Filesize
240KB

Download
memory/4752-269-0x0000000007F80000-0x0000000007FCC000-memory.dmp

Filesize
304KB

Download
memory/4752-73-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/4752-69-0x0000000007AF0000-0x0000000007B82000-memory.dmp

Filesize
584KB

Download
memory/4752-67-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/4752-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download