amadey | 6f953e9e446695185aa2821e65a737d1fccc99d224656331e19f1b331cef5b25

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe
Size

1.5MB
MD5

f3cd6bba4c29ed1c18b64abeb4e7b5d6
SHA1

b021ab8bb5818ea679feca49aaeb134a735a8982
SHA256

d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4
SHA512

3881ad760075d5fc765154095b2cf33c6b873bf2a0bab26f3a5815f8ce74f98d5f38500684d5541b553eeeb7607ddad0dcabcc01d531645916d28784d8af5e40
SSDEEP

49152:b9oWtgy13P2xA/bJOByk2SfIfKsMfTtUIEw4Gr:5oupP2xADJOByoQfKsMr6j

Score

10^/10

amadey dcrat mystic redline smokeloader grome backdoor evasion infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Mystic stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1996-47-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1996-50-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1996-52-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1996-55-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6lk4BG5.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3960-63-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5fz3es5.exeexplothe.exe7rh1LM04.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	5fz3es5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	7rh1LM04.exe

Executes dropped EXE 15 IoCs

Processes:

RG2aA85.exeUr9dw34.execa6bB94.exehI7ot99.exeiF5dw77.exe1ip14dv4.exe2zS4859.exe3WE90JK.exe4TU265HS.exe5fz3es5.exeexplothe.exe6lk4BG5.exe7rh1LM04.exeexplothe.exeexplothe.exe

pid	process
4724	RG2aA85.exe
1988	Ur9dw34.exe
1204	ca6bB94.exe
4756	hI7ot99.exe
4576	iF5dw77.exe
4100	1ip14dv4.exe
2712	2zS4859.exe
548	3WE90JK.exe
3108	4TU265HS.exe
1520	5fz3es5.exe
4988	explothe.exe
624	6lk4BG5.exe
4276	7rh1LM04.exe
664	explothe.exe
3712	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exeRG2aA85.exeUr9dw34.execa6bB94.exehI7ot99.exeiF5dw77.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	RG2aA85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ur9dw34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ca6bB94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	hI7ot99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	iF5dw77.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1ip14dv4.exe2zS4859.exe4TU265HS.exe

description	pid	process	target process
PID 4100 set thread context of 2624	4100	1ip14dv4.exe	AppLaunch.exe
PID 2712 set thread context of 1996	2712	2zS4859.exe	AppLaunch.exe
PID 3108 set thread context of 3960	3108	4TU265HS.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4844 1996 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
4844	1996	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3WE90JK.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3WE90JK.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3WE90JK.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3WE90JK.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1932 schtasks.exe

pid	process
1932	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3WE90JK.exeAppLaunch.exemsedge.exe

pid	process
548	3WE90JK.exe
548	3WE90JK.exe
2624	AppLaunch.exe
2624	AppLaunch.exe
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
4404	msedge.exe
4404	msedge.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3WE90JK.exe

pid process

548 3WE90JK.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

2672 msedge.exe
2672 msedge.exe
2672 msedge.exe
2672 msedge.exe
2672 msedge.exe
2672 msedge.exe
2672 msedge.exe
2672 msedge.exe
2672 msedge.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2624	AppLaunch.exe
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe
2672	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exeRG2aA85.exeUr9dw34.execa6bB94.exehI7ot99.exeiF5dw77.exe1ip14dv4.exe2zS4859.exe4TU265HS.exe

description	pid	process	target process
PID 528 wrote to memory of 4724	528	d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe	RG2aA85.exe
PID 528 wrote to memory of 4724	528	d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe	RG2aA85.exe
PID 528 wrote to memory of 4724	528	d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe	RG2aA85.exe
PID 4724 wrote to memory of 1988	4724	RG2aA85.exe	Ur9dw34.exe
PID 4724 wrote to memory of 1988	4724	RG2aA85.exe	Ur9dw34.exe
PID 4724 wrote to memory of 1988	4724	RG2aA85.exe	Ur9dw34.exe
PID 1988 wrote to memory of 1204	1988	Ur9dw34.exe	ca6bB94.exe
PID 1988 wrote to memory of 1204	1988	Ur9dw34.exe	ca6bB94.exe
PID 1988 wrote to memory of 1204	1988	Ur9dw34.exe	ca6bB94.exe
PID 1204 wrote to memory of 4756	1204	ca6bB94.exe	hI7ot99.exe
PID 1204 wrote to memory of 4756	1204	ca6bB94.exe	hI7ot99.exe
PID 1204 wrote to memory of 4756	1204	ca6bB94.exe	hI7ot99.exe
PID 4756 wrote to memory of 4576	4756	hI7ot99.exe	iF5dw77.exe
PID 4756 wrote to memory of 4576	4756	hI7ot99.exe	iF5dw77.exe
PID 4756 wrote to memory of 4576	4756	hI7ot99.exe	iF5dw77.exe
PID 4576 wrote to memory of 4100	4576	iF5dw77.exe	1ip14dv4.exe
PID 4576 wrote to memory of 4100	4576	iF5dw77.exe	1ip14dv4.exe
PID 4576 wrote to memory of 4100	4576	iF5dw77.exe	1ip14dv4.exe
PID 4100 wrote to memory of 2708	4100	1ip14dv4.exe	AppLaunch.exe
PID 4100 wrote to memory of 2708	4100	1ip14dv4.exe	AppLaunch.exe
PID 4100 wrote to memory of 2708	4100	1ip14dv4.exe	AppLaunch.exe
PID 4100 wrote to memory of 2624	4100	1ip14dv4.exe	AppLaunch.exe
PID 4100 wrote to memory of 2624	4100	1ip14dv4.exe	AppLaunch.exe
PID 4100 wrote to memory of 2624	4100	1ip14dv4.exe	AppLaunch.exe
PID 4100 wrote to memory of 2624	4100	1ip14dv4.exe	AppLaunch.exe
PID 4100 wrote to memory of 2624	4100	1ip14dv4.exe	AppLaunch.exe
PID 4100 wrote to memory of 2624	4100	1ip14dv4.exe	AppLaunch.exe
PID 4100 wrote to memory of 2624	4100	1ip14dv4.exe	AppLaunch.exe
PID 4100 wrote to memory of 2624	4100	1ip14dv4.exe	AppLaunch.exe
PID 4576 wrote to memory of 2712	4576	iF5dw77.exe	2zS4859.exe
PID 4576 wrote to memory of 2712	4576	iF5dw77.exe	2zS4859.exe
PID 4576 wrote to memory of 2712	4576	iF5dw77.exe	2zS4859.exe
PID 2712 wrote to memory of 4240	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 4240	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 4240	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 5028	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 5028	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 5028	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 4524	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 4524	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 4524	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 1996	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 1996	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 1996	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 1996	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 1996	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 1996	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 1996	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 1996	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 1996	2712	2zS4859.exe	AppLaunch.exe
PID 2712 wrote to memory of 1996	2712	2zS4859.exe	AppLaunch.exe
PID 4756 wrote to memory of 548	4756	hI7ot99.exe	3WE90JK.exe
PID 4756 wrote to memory of 548	4756	hI7ot99.exe	3WE90JK.exe
PID 4756 wrote to memory of 548	4756	hI7ot99.exe	3WE90JK.exe
PID 1204 wrote to memory of 3108	1204	ca6bB94.exe	4TU265HS.exe
PID 1204 wrote to memory of 3108	1204	ca6bB94.exe	4TU265HS.exe
PID 1204 wrote to memory of 3108	1204	ca6bB94.exe	4TU265HS.exe
PID 3108 wrote to memory of 3960	3108	4TU265HS.exe	AppLaunch.exe
PID 3108 wrote to memory of 3960	3108	4TU265HS.exe	AppLaunch.exe
PID 3108 wrote to memory of 3960	3108	4TU265HS.exe	AppLaunch.exe
PID 3108 wrote to memory of 3960	3108	4TU265HS.exe	AppLaunch.exe
PID 3108 wrote to memory of 3960	3108	4TU265HS.exe	AppLaunch.exe
PID 3108 wrote to memory of 3960	3108	4TU265HS.exe	AppLaunch.exe
PID 3108 wrote to memory of 3960	3108	4TU265HS.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe
"C:\Users\Admin\AppData\Local\Temp\d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RG2aA85.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RG2aA85.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4724

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9dw34.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9dw34.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ca6bB94.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ca6bB94.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI7ot99.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI7ot99.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iF5dw77.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iF5dw77.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ip14dv4.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ip14dv4.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zS4859.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zS4859.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:4240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:4524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 540
9⤵
- Program crash
PID:4844

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3WE90JK.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3WE90JK.exe
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:548

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TU265HS.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TU265HS.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5fz3es5.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5fz3es5.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:1520

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4988

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
6⤵
- Creates scheduled task(s)
PID:1932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4120

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
7⤵
PID:4080

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
7⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1928

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:3924

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6lk4BG5.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6lk4BG5.exe
3⤵
- Executes dropped EXE
PID:624

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4276

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6F83.tmp\6F84.tmp\6F85.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exe"
3⤵
PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff532346f8,0x7fff53234708,0x7fff53234718
5⤵
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
5⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
5⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
5⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
5⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
5⤵
PID:2828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
5⤵
PID:1728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
5⤵
PID:1988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 /prefetch:8
5⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
5⤵
PID:5872

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
5⤵
PID:5888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
5⤵
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
5⤵
PID:5976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
5⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
5⤵
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6016 /prefetch:2
5⤵
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7fff532346f8,0x7fff53234708,0x7fff53234718
5⤵
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,2596495310556929070,4180572545390218700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
5⤵
PID:2984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,2596495310556929070,4180572545390218700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
5⤵
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff532346f8,0x7fff53234708,0x7fff53234718
5⤵
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,10714353411800794091,14164656694551069039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
5⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1996 -ip 1996
1⤵
PID:4432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:664

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0bd5c93de6441cd85df33f5858ead08c

SHA1
c9e9a6c225ae958d5725537fac596b4d89ccb621

SHA256
6e881c02306f0b1f4d926f77b32c57d4ba98db35a573562a017ae9e357fcb2d2

SHA512
19073981f96ba488d87665cfa7ffc126b1b577865f36a53233f15d2773eabe5200a2a64874a3b180913ef95efdece3954169bdcb4232ee793670b100109f6ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
e9fa7812c7dd1651e5d540eea482efbe

SHA1
d9032e1e5e760c1679af73b6149f620e936551f8

SHA256
023b7f97e3a6ddaf98a3769dd7626e41e0d31269a4b51ab8fc1a45b523e84b67

SHA512
7e37fe21236c60606bc38137754a90f52a04e06dada32a40560ffcd1d30a9e18cebacbf3e8651dd5e8ae99647b217377f88d08b3caecbf1ca8fb854121ac3b14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
341c60ca1f78a4e2a9fb8348bcde767b

SHA1
f341a2b4efb2171be43a66ee87ffebb53157b9c5

SHA256
d020791fb1632dd2aeb7106f55acd14d399222fa3dd236dcbc150809bb03ca92

SHA512
8cd953494442b8734f607bbb176411dde78256f35762442e6b9425de700073bcf405961f6b1e55659b3635feafee3c4c98eb298e6c055e6373a8f7d4f175f21e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
83215ccd85434ba5245ac5a55119b6f3

SHA1
d66e1dd4ff9b0f9a37547e0907d067f69f708a97

SHA256
462fb09b995e22b691bc6fb9ae8a2a1cfc0c41699523f541b40ea44a1d4c3322

SHA512
0ca0f20bc15ff2fd628b979bac6daa1fe5c37e6dc881c006804e88293e576192a8d201624e3f6b82388aea2a0d23c87a7bc4838934ffea1f648bffdbfcc9b368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f45f8f1fe145e941f3f329e6f0223a68

SHA1
72a375e2dbbc84db74b0d66f44ee7a969aaabe5d

SHA256
0b2ebc2e8e1b3aa467c75fb0edbe117e83e0a2310460c223ad8d190d2102a678

SHA512
8b7a842f3367992ea5a535300984ee46586e85a68a30b76e33ae3bc66ac3324aa497fe64dcd647585a812a9ac16d4f2adc833493e47eedee3378325ec261fbba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
bc4c31be6775082a1028d2d76e921829

SHA1
a7d7e61ee4cd546c1e6f6545d857e24ff7fb219b

SHA256
e30a68cf56a53b15dea8b7d267e0ad709826adc1cbfe750ca872d4ffe5da10c2

SHA512
10092124219e771239a67d0b426ba1286fe3209abb44c28dd184c4f9e0e2a91973a0c7bddefe36090978298c6a596a1155765673e2cd4af92692c5f3b292a059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
8d528dfc1196d0c0613259760cb6a2c9

SHA1
7234d206e6ae009f0af981e156d6b75e0699d5bc

SHA256
7e9a2be5e46b81c879adf8a13338a4848af082ab66e75f6b8b46a76013e405c1

SHA512
0a1a69b2eea5d8fa4d86e75887bb79b4ff01d6587489be651dc27594b1ffd27e84a1d44dcf8d6134cb890598c4b0c7a65d4d0b8f281093df9907788f1b9e80c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
50def5c8c862a506f0c65e6462206122

SHA1
540fafa2e7f47ea5e38d409e0bcc1f81f1a8ca6c

SHA256
d0b707dd30d8d6b8f402837a4833d90904cf5d788d149323ba9e029f615e2ccc

SHA512
02bc1ddfee5d00bdaaca55ea4c8954c1cbed3b4338ebfeeff658370132c05f98c6c5fd57239e2152600f70e9db7f6df4c00b020ecce4862e730777a60b58d406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
a92816243424cd90a77710f2bc147d3d

SHA1
72d21a63f19a0241f47b05c4a36899d754dfa880

SHA256
2e716577be02c31fe0f15cbf5ab2db0e05849440742d133fa884a4bd2cd1b9d1

SHA512
3c0160b183c593eb74a3732f0eefea60799fe3d999f5f2c659de5cafd2cc1d4bae0add531971fd02162d4c3c9e033e74f3269d49a408b367da20af6f40a2096c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
57b2b78ea4cf9479e16ffa861064ce8f

SHA1
f1aad23544e789bffda49e7e7be4f88a0986dae8

SHA256
f2a4b7791a9ec9c86d6bb5e895fff3382a126e46ab780d8c5053fbdb7d1a1441

SHA512
81d420d530f075cd200714dda6a01af9e03f0c1597ef560041bfb4843ce441f50dd81c659363f341651f0121178ddb8502f588f9ff0148e51bcca8653e1034c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e0bb.TMP
Filesize
48B

MD5
4eaa00c734829b1e58a2f88534949b42

SHA1
a4a4a9f917f8a1299ba6e1307f1e3816178ec83b

SHA256
1ccb8a8982ed3546ebd6362d6ec64dc963a33f7f11ca15959365a9c496364bb5

SHA512
d41c977ac2b673c248dd98d0a2e6c5fbb218ed364414e7f5a063080fdbb70f93e4a87daed74e29465481ce20276a5458ae5ad74123fa006836fdd96f2f28aaba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
5681f5ff615da80042c93f19cde54044

SHA1
3dac8c159b96788f2dd9b8bfc85418d2a6b1246b

SHA256
6a239eb981a7eeb85bdf8c951a0928287e557ed1d5662bfbfb08a27b79f217c7

SHA512
39731e2cc0b5d221e79501e4cf801680b68eef3da63e9879981b07ce86b6e3426a7d928792354c689cf3875f97769deb134b3cba3822d5bd4dcd2d4ce0688aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e9ce49ca7bf18efa229fb97d8e38a1fc

SHA1
de4cf37528ad6d98a2eb2aa7f887ad13194c1817

SHA256
f417efd025bece344538020d61597fe6510d22c4e931492206347e9cdb21e2df

SHA512
e7d4294e09dcd98e0b5c81283c1491f6d9863282eca9585b5eda3ccc7b58a661ca1be0ef8d66522c56099289af0d7dc41375cbbaa5ea04912f31070ad0e3b31e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d861a1fc97c4f2712ae509a0997c9989

SHA1
bf85b5407dc4cfbe061ebae9c86db9cc91a2a214

SHA256
b2b3b7bb08e35000c981a10c24ba63ecce78e3c5ae07c43d41f77ba530dd3577

SHA512
3c4d7da7975515fc243c20a9860b893d61ca8396f7febf6bdf4b9625abd6334adbaf3e50910e574325c22075362105c0ddd422362febbb54682ac2ec59f317a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
4f29609c660bd371f797fe549d3dd144

SHA1
7f5be78d92a37a5c6d436d24d80d11a4c58f7902

SHA256
02d14551ac2eb8907ac269c8a296f58b220dbea0898720358550fc77a0bf5b08

SHA512
5561167b95843b2f5608223f9dbb6a74e920d71a6257d1d0944715c2ede3006830c61caa3ea050ab4d4634a6b9118b767e718d2cd2ea080187a0cf4613fa502c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d8cc.TMP
Filesize
1KB

MD5
609407f9d8c3f2cb54abc420334e46c7

SHA1
ecb2f3a1722a8d3a92f88903ce91d700e8321845

SHA256
b5b7a081645b76ecb1bf77324504473674b75f79582eecd40e376ffd4c7ddef4

SHA512
91a002f36f644d8e0a263155e4b6384d919bc3574c37230d117f5a9382f82c3737a60366889929f0055bcd9a05bd4a959a252e46686c2d9c7b96abe40620009e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f96a88c3742db44eec2d9df7a9fd2f09

SHA1
d8bed1dc5a452d90c65db66fd4cdddf361abc3d7

SHA256
3f7ee6fca851bf61e4e2c3752bdf9576f90076d7844bde4da3f989057c6c85d0

SHA512
d63a8262a372b206412fd28dec872c4830340ac8bfcc97822bf1791dd1cb1b69150f4cb2d4de119eb27d5381fe9201d692689390e73363ed8f8cf99130492104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
977c5eee63a69f8564e115f980726a94

SHA1
94436e425b66b40bd216c1b602e07bbef8aac01d

SHA256
aa180c2e911e484dba1a7b8a9c29dfece4e9b3b3b14ef9b65d813fd391fe2e75

SHA512
43a77884998a70b924c31734fba54657fd83249fbb1497287434e0a2f51f6743cb7779b04bca50c037c385e7c9dfd1951570cc225b0e4430b6770730e68ddb22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
cd3b9f6d8bbac7bce9b1b5683469cabe

SHA1
8b78a1e39b37aec8ae8ad7a5b63a5e784baa499e

SHA256
70e1b265dfc0e0bf91ca79c29fa8ba8cba32e252066d5a6ca62ceba48ccbf89b

SHA512
ab0b0203064eac11ec5322e9a98a0c0203cf861ddcb1c9e538b4b215c1af6db046a8c4e20a747809f9797b70d4fb868e19dd0ed5dad0a8b1d940aa8c96e5b3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F83.tmp\6F84.tmp\6F85.bat
Filesize
632B

MD5
401dcacea4acfc09e8774cd0fcf16129

SHA1
ae03b7999297b5383785eddc4f6194fd4c80e149

SHA256
1d5c24e97e32d5e4aefe29c6a84df664e67a2db5da7a6d138e5084a60a7bb0e6

SHA512
7c423d05b9ea04a06614037c9e28f3da27fbb95daefd14450cabb35a6abf546b1a6585c1bcd07a66a3d02f967fa1774c9cb09b5520a53b2f90e0ed1cedae3dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exe
Filesize
87KB

MD5
92b82c490c282bf2b09268be9b629732

SHA1
14c07fab8aca1f8f41936f1217478a25beabe3a8

SHA256
1f4ee8b00682f5dd5bf0c95162897566ba5ca1c4443cb252c7559687f3b78273

SHA512
74f70859a2c9372eb079518a9ed2261180263542213d87ff9911926d282f87548e8f48ecd550e574992907e23597b6ca1bcd2438cc6796b49588a2a93720b27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RG2aA85.exe
Filesize
1.4MB

MD5
2e20a2d7c6194a7cbbdda4d9452bfa03

SHA1
bdf07ff1bc943028fa77f68edcee9af66605cd5f

SHA256
34146b4c86a617d559fb0012ff0f5afd04927a97143affa9419ea71e5411f061

SHA512
037de372946426dbbf019a01f171b39eb67544a620188a6b0735233f8e57dda0e23a9f4765df5bec28ad7a8c5de7dc9ed420f09b2784d809238286a1265ddeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6lk4BG5.exe
Filesize
182KB

MD5
2eae4f217dafb0e02f5d37c44ae2a652

SHA1
414b9875eff592c656038f38ddcb12e8064f744a

SHA256
9598973b13a014ad884b46c7494a0392a36270e62a365803f9eb1438b2c19f4e

SHA512
4aac7e26b26223cb201b5e5fb581c1e2eb32f8877a1eab582e181695e0503be4a4e545aa326dc112e7deafc1ef2db2c7c1ed1968339cc89b96f2f1110aa637ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9dw34.exe
Filesize
1.2MB

MD5
121aa508cbaf7060c64667863c8e9389

SHA1
fdeaba571f6e72d4fdb77631579f6d9bf5356f18

SHA256
95036dd4a2fc22e08a063ee05b13441b1a9df0d93ef4646c16574f7c460eac3e

SHA512
4ced304e8f2c4662a216a8fa2a36f42ebfbb6fe4f9d05d273f111943ee00a0941ab3878ec5d04cfac688ad4149bdacfb8cc729da9ba43cd3c16f13c64b5eb529

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5fz3es5.exe
Filesize
219KB

MD5
f65f417183727d8ef72b19a7ba3435c9

SHA1
1ba33b32beb0c119eed2ce54d16a92342577f37a

SHA256
32c97705475e244c65dff0254525ab7847555bf05082db2395f05db2e125bccf

SHA512
abe8a29652953dba6b86516890eb0253ef6bae0aed39b92010873ac25154246acd1dec5858036015430d8ca27fe91031b6ba031d0488cce396d1cdf539a7fd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ca6bB94.exe
Filesize
1.0MB

MD5
4703ba737b5cdb5519cfe63d74fb3dbc

SHA1
21096b4f846b4d7aec36fe953de2007d27d33db1

SHA256
a53869996516adfd7af5610a409584618d747d1386139e632eebd84df93ea612

SHA512
46a42fb2aa810d07cb4048cecc555f8bbb1d13cebf9d486011f5e8f53369fd72e522fce28aaf09a4581ea70e6044eac97cb1b4b2ab73d7a70bc2781815750e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TU265HS.exe
Filesize
1.1MB

MD5
a4865323ef36cd164e7a023f917433ff

SHA1
ca2e62e99540d345da483514c50edd4af13705e4

SHA256
6a42355d8aa58d2cc8c78092d4ff0da6ef3293674ae518e15c71d1ae10cd1c67

SHA512
575b0cd897c88af2e03897f67123e3ecdfe8c0eb6cbce87d603520a1d748f231792210671d950ed900858bb0f84e8a9770030d96f3ed69d7964e566a357eebba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI7ot99.exe
Filesize
647KB

MD5
160a38e156d9d16c2842f119ad0acb7b

SHA1
137cb4df3f0a3a711bb24841585f81bbfff781c1

SHA256
a4a88dd47fb2c0d47afc4cd467cd98b775329552d605d92a369e8a192600a5d8

SHA512
fbcbe0437f1c5a1b2f32a0ff716c3701fc577df48267fdb6c85925ba750cd006723f8716fea1a547edd9bb932bb00589013f9cf026475ca6798c271f278d6077

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3WE90JK.exe
Filesize
30KB

MD5
2f9257e7bc6fb693d58e213784b509f1

SHA1
dfb07e903b57d6b26c219f31c3c229e316425899

SHA256
36c7928fd1c4f637fb4ebb75c5e491ec990d608bcb07adf59644947e46e21150

SHA512
fc37f43d513b8a719a9fe276f5a084aeefd6ab6e3597d1279bdedc11805c9e1dce956d1818d7c9aa5143b71a7d0de2c6b4cca2ba09ed10de3165314320e87ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iF5dw77.exe
Filesize
522KB

MD5
dcadef184d3ca1c2568441d3b0b06b12

SHA1
c7ed42bcc082a3b1f5fb254185b603cf948022b7

SHA256
2e38b54b82570e519260902146b594aff77a694e956d49e6cf93ddb466163fad

SHA512
dcf3b732b916c1b518c01267cfc330988ad5f5f24646c4b43dbcf488a4c76e417eb9033728d1579eff70bbf63a4411729a0bebd4cf24c2360cd8d16c5efb883b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ip14dv4.exe
Filesize
893KB

MD5
0e56e59513a4b1d1eb512e8187ec7ab0

SHA1
992bf232b6fe1c8e363818191c267f7ce9a435e9

SHA256
bd2bfabee2939f8bca5de7472b0fc90b6ca02f0a1db275b0970b32a53159ea5d

SHA512
93c4e5da3877442774658a5f516447c8debe2490a969cafea145e67d0572ee0f8c7d3031c588a04d42aa1b769bf5661f31086986c4a0180393b08dd8f9c34241

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zS4859.exe
Filesize
1.1MB

MD5
92d270ad52299d83b23749f1307822b8

SHA1
bf40dba809684b1f4994e52c057c2579cf943b05

SHA256
36c4eed0f2893a3326ae8c2a20e85000356a95c67e0dafd7093b19619d6c8f0f

SHA512
1e296b8531aa153461c0de6e401276815efcfee0f66a031ce718d634b771476b25b38fbfdc006a17af27368ee7b06f60ea4a1de156eb21e693f7a24069438828

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\pipe\LOCAL\crashpad_2672_OIYAZFKHYZJDQLPL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/548-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/548-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-50-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2624-46-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/2624-165-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/3364-56-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/3960-88-0x00000000087D0000-0x0000000008DE8000-memory.dmp

Filesize
6.1MB

Download
memory/3960-414-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/3960-415-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/3960-71-0x0000000007730000-0x00000000077C2000-memory.dmp

Filesize
584KB

Download
memory/3960-70-0x0000000007C00000-0x00000000081A4000-memory.dmp

Filesize
5.6MB

Download
memory/3960-69-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/3960-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3960-82-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/3960-86-0x00000000078F0000-0x00000000078FA000-memory.dmp

Filesize
40KB

Download
memory/3960-89-0x0000000007AA0000-0x0000000007BAA000-memory.dmp

Filesize
1.0MB

Download
memory/3960-90-0x00000000079D0000-0x00000000079E2000-memory.dmp

Filesize
72KB

Download
memory/3960-92-0x0000000007A30000-0x0000000007A6C000-memory.dmp

Filesize
240KB

Download
memory/3960-93-0x0000000007BB0000-0x0000000007BFC000-memory.dmp

Filesize
304KB

Download