mystic | cca6e4355cfdbbd8cbbb95338cbd8fdd72b6bb105b6468e366b69eba4a761b98

Analysis

max time kernel
151s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8c4184e57c309b868bcd24bd67890a8549d93b8919ef57d00907bb0769ce7a2.exe
Size

878KB
MD5

d318c6337d7cad78817bd3b9b3f43bc5
SHA1

dbf134d1a4d1d712bd4d917bba0c2545fb5f901d
SHA256

b8c4184e57c309b868bcd24bd67890a8549d93b8919ef57d00907bb0769ce7a2
SHA512

4b3f8c606d1f33c823c3fa74f560208d951d4591a1fb894de6919eb809ce167fe0e5498eb89c3f3ef4c231580bad8ec5d7bc4bd2f1d0974bcd9571b4bac4a4b0
SSDEEP

12288:KMr0y90qyaqD7Ok06pNmgoVKDrk4qKdFagXt0ogWtTlY3tXrGlqFfmef2mglg+x2:GyCdce3DrkaTRgAitbGUR2maXIJp

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4812-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/4812-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/4812-37-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/4812-39-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4652-48-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	5wf6ml2.exe

Executes dropped EXE 8 IoCs

pid	Process
2628	LN1mO30.exe
3672	Ab6Sl08.exe
452	Yv8bp87.exe
3928	1El11lU6.exe
3608	2WV5607.exe
1584	3du32Ol.exe
1012	4Qi486Yp.exe
2760	5wf6ml2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b8c4184e57c309b868bcd24bd67890a8549d93b8919ef57d00907bb0769ce7a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	LN1mO30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ab6Sl08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Yv8bp87.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3928 set thread context of 3148	3928	1El11lU6.exe	91
PID 3608 set thread context of 4812	3608	2WV5607.exe	97
PID 1584 set thread context of 2496	1584	3du32Ol.exe	104
PID 1012 set thread context of 4652	1012	4Qi486Yp.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
5092	3928	WerFault.exe	89
980	3608	WerFault.exe	95
4840	4812	WerFault.exe	97
4324	1584	WerFault.exe	102
2384	1012	WerFault.exe	107

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3148	AppLaunch.exe
3148	AppLaunch.exe
1328	msedge.exe
1328	msedge.exe
3612	msedge.exe
3612	msedge.exe
776	msedge.exe
776	msedge.exe
4436	msedge.exe
4436	msedge.exe
464	identity_helper.exe
464	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3148	AppLaunch.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2628	3036	b8c4184e57c309b868bcd24bd67890a8549d93b8919ef57d00907bb0769ce7a2.exe	86
PID 3036 wrote to memory of 2628	3036	b8c4184e57c309b868bcd24bd67890a8549d93b8919ef57d00907bb0769ce7a2.exe	86
PID 3036 wrote to memory of 2628	3036	b8c4184e57c309b868bcd24bd67890a8549d93b8919ef57d00907bb0769ce7a2.exe	86
PID 2628 wrote to memory of 3672	2628	LN1mO30.exe	87
PID 2628 wrote to memory of 3672	2628	LN1mO30.exe	87
PID 2628 wrote to memory of 3672	2628	LN1mO30.exe	87
PID 3672 wrote to memory of 452	3672	Ab6Sl08.exe	88
PID 3672 wrote to memory of 452	3672	Ab6Sl08.exe	88
PID 3672 wrote to memory of 452	3672	Ab6Sl08.exe	88
PID 452 wrote to memory of 3928	452	Yv8bp87.exe	89
PID 452 wrote to memory of 3928	452	Yv8bp87.exe	89
PID 452 wrote to memory of 3928	452	Yv8bp87.exe	89
PID 3928 wrote to memory of 3148	3928	1El11lU6.exe	91
PID 3928 wrote to memory of 3148	3928	1El11lU6.exe	91
PID 3928 wrote to memory of 3148	3928	1El11lU6.exe	91
PID 3928 wrote to memory of 3148	3928	1El11lU6.exe	91
PID 3928 wrote to memory of 3148	3928	1El11lU6.exe	91
PID 3928 wrote to memory of 3148	3928	1El11lU6.exe	91
PID 3928 wrote to memory of 3148	3928	1El11lU6.exe	91
PID 3928 wrote to memory of 3148	3928	1El11lU6.exe	91
PID 452 wrote to memory of 3608	452	Yv8bp87.exe	95
PID 452 wrote to memory of 3608	452	Yv8bp87.exe	95
PID 452 wrote to memory of 3608	452	Yv8bp87.exe	95
PID 3608 wrote to memory of 4812	3608	2WV5607.exe	97
PID 3608 wrote to memory of 4812	3608	2WV5607.exe	97
PID 3608 wrote to memory of 4812	3608	2WV5607.exe	97
PID 3608 wrote to memory of 4812	3608	2WV5607.exe	97
PID 3608 wrote to memory of 4812	3608	2WV5607.exe	97
PID 3608 wrote to memory of 4812	3608	2WV5607.exe	97
PID 3608 wrote to memory of 4812	3608	2WV5607.exe	97
PID 3608 wrote to memory of 4812	3608	2WV5607.exe	97
PID 3608 wrote to memory of 4812	3608	2WV5607.exe	97
PID 3608 wrote to memory of 4812	3608	2WV5607.exe	97
PID 3672 wrote to memory of 1584	3672	Ab6Sl08.exe	102
PID 3672 wrote to memory of 1584	3672	Ab6Sl08.exe	102
PID 3672 wrote to memory of 1584	3672	Ab6Sl08.exe	102
PID 1584 wrote to memory of 2496	1584	3du32Ol.exe	104
PID 1584 wrote to memory of 2496	1584	3du32Ol.exe	104
PID 1584 wrote to memory of 2496	1584	3du32Ol.exe	104
PID 1584 wrote to memory of 2496	1584	3du32Ol.exe	104
PID 1584 wrote to memory of 2496	1584	3du32Ol.exe	104
PID 1584 wrote to memory of 2496	1584	3du32Ol.exe	104
PID 2628 wrote to memory of 1012	2628	LN1mO30.exe	107
PID 2628 wrote to memory of 1012	2628	LN1mO30.exe	107
PID 2628 wrote to memory of 1012	2628	LN1mO30.exe	107
PID 1012 wrote to memory of 4652	1012	4Qi486Yp.exe	112
PID 1012 wrote to memory of 4652	1012	4Qi486Yp.exe	112
PID 1012 wrote to memory of 4652	1012	4Qi486Yp.exe	112
PID 1012 wrote to memory of 4652	1012	4Qi486Yp.exe	112
PID 1012 wrote to memory of 4652	1012	4Qi486Yp.exe	112
PID 1012 wrote to memory of 4652	1012	4Qi486Yp.exe	112
PID 1012 wrote to memory of 4652	1012	4Qi486Yp.exe	112
PID 1012 wrote to memory of 4652	1012	4Qi486Yp.exe	112
PID 3036 wrote to memory of 2760	3036	b8c4184e57c309b868bcd24bd67890a8549d93b8919ef57d00907bb0769ce7a2.exe	115
PID 3036 wrote to memory of 2760	3036	b8c4184e57c309b868bcd24bd67890a8549d93b8919ef57d00907bb0769ce7a2.exe	115
PID 3036 wrote to memory of 2760	3036	b8c4184e57c309b868bcd24bd67890a8549d93b8919ef57d00907bb0769ce7a2.exe	115
PID 2760 wrote to memory of 740	2760	5wf6ml2.exe	117
PID 2760 wrote to memory of 740	2760	5wf6ml2.exe	117
PID 740 wrote to memory of 1712	740	cmd.exe	120
PID 740 wrote to memory of 1712	740	cmd.exe	120
PID 1712 wrote to memory of 3020	1712	msedge.exe	121
PID 1712 wrote to memory of 3020	1712	msedge.exe	121
PID 740 wrote to memory of 4436	740	cmd.exe	122
PID 740 wrote to memory of 4436	740	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\b8c4184e57c309b868bcd24bd67890a8549d93b8919ef57d00907bb0769ce7a2.exe
"C:\Users\Admin\AppData\Local\Temp\b8c4184e57c309b868bcd24bd67890a8549d93b8919ef57d00907bb0769ce7a2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN1mO30.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN1mO30.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ab6Sl08.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ab6Sl08.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yv8bp87.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yv8bp87.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1El11lU6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1El11lU6.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3928
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 552
        6⤵
        Program crash
        
        PID:5092
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2WV5607.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2WV5607.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 200
        7⤵
        Program crash
        
        PID:4840
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 136
        6⤵
        Program crash
        
        PID:980
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3du32Ol.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3du32Ol.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        
        PID:2496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 148
        5⤵
        Program crash
        
        PID:4324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Qi486Yp.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Qi486Yp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 136
      4⤵
      Program crash
      PID:2384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wf6ml2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wf6ml2.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4F73.tmp\4F74.tmp\4F75.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wf6ml2.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffa9a7946f8,0x7ffa9a794708,0x7ffa9a794718
        5⤵
        
        PID:3020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,854804348202707936,17348172392778306850,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
        5⤵
        
        PID:1780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,854804348202707936,17348172392778306850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x164,0x174,0x7ffa9a7946f8,0x7ffa9a794708,0x7ffa9a794718
        5⤵
        
        PID:2768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2
        5⤵
        
        PID:3844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
        5⤵
        
        PID:5052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        5⤵
        
        PID:4072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
        5⤵
        
        PID:844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
        5⤵
        
        PID:3328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
        5⤵
        
        PID:3148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
        5⤵
        
        PID:3048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6040 /prefetch:8
        5⤵
        
        PID:4136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
        5⤵
        
        PID:2212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
        5⤵
        
        PID:2024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
        5⤵
        
        PID:5048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
        5⤵
        
        PID:4868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18132978750901032733,11485918192067759567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
        5⤵
        
        PID:4608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:3000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa9a7946f8,0x7ffa9a794708,0x7ffa9a794718
        5⤵
        
        PID:4488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,11343987907294077160,7327550125316411953,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        5⤵
        
        PID:1456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,11343987907294077160,7327550125316411953,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3928 -ip 3928
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3608 -ip 3608
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4812 -ip 4812
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1584 -ip 1584
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1012 -ip 1012
1⤵
PID:4820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
70ae4bf8f75c69610c1d00131c1ec28c

SHA1
eab92c184a3b655377f375b1b25ef85fb06c7130

SHA256
9f46453862eb083e85697631455185c0ead19ec86c1ae3d15274c06c9a38731b

SHA512
29299dbc0114f01525bff67ec421a28056905e8f5d21f00502554f446883b6086f8b9a2c27a591f364077da17c21438910b8dbf163a59f6f80272eb7d5f05c68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b1931878d6b8b22142fd7fd614add5c

SHA1
0e20ec0bec5a9fe3b6666c3009626f0420415bc7

SHA256
d78e49cf9c940d8a407fca2338e30b754e4579c64e88932c46c3871f62c15904

SHA512
1e7a63ff7340719736560277601ff43f30937dbd4a1fbacbcb0d72fa708216692a4bb4ba658edf227b767975b430fc94e7c4f0b5dab29bef9483bfcfb38e1cf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
bdbef10225cb69f6c8bfeb8fe8a3288e

SHA1
2c65149aa05670fe908cfa8c629f57945feaa9f1

SHA256
61619cfec7d9f67796d412f61cf04bd29b67b3032873f6486d7f925e79652b1d

SHA512
eb5a09021dcbabac8e423f49d505e64292198bfc4fc4a83fe15e76d2a2423be7543c4700199f537d98eef73f55fc4c975cb7cf294c58a81c7a8e849fd79a1a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1dd69fb8dbb1e037d2d55d6f80b159fe

SHA1
506b5052ab4ae964f86b754769011250d6a418db

SHA256
2a9268a4f2f03f038a00ee607ad495471ca58a323207c1d39e7e2f4db42dca7d

SHA512
d481727395da54e5a61e35d03cd2bf68697bbab6a7e0978b79b800406043f21bba410ce68280663e45be48059b2fc93200e0be7dd0bebda73a449bec1ef0b16e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f2b32621eabfe316fd0808929aad2c17

SHA1
97480c2939da5d0e1886853e6da91e603f8cc145

SHA256
2603a32ae3761e77a36a00bc54400417c5389f675447f2c4af8c7c1a67121ea0

SHA512
eab255b82d2b035ed4609a7cbf04de4a6fa5120de3f9966e6bacf44a18a4b835fafbe7605dd5f66a6a93b7fbf5d20b06c73df9ccefdbdb97a7558023fa4abfb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea9dbeacfa18a1d2bb8dc716ecfe4003

SHA1
7319508332c613f12fff976bf6d44be4cd170b91

SHA256
d2603eb5a98e86a91c96b70ad62278f11919110917790d21b45a1917ff5e4c67

SHA512
4d4b0c6bc89e96cacbe8d76ed4ab50ff4028c3e0d31e96bd5223f99bac9c6b3b49c8ee944b055d790f797b9c23130e3bc0162b17ccc470bce7910a10b1899999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2b17c722ee599fdc7cc90a87acd9b4f7

SHA1
be55fd945bc3f818b24410747dea822a4b91f016

SHA256
f1c9693658ef093e5b74d625f250e1d069b0cd46cef2f61cac957f0148bc89b3

SHA512
28e43756d7d622028c18d3e581564a19b5137241d1dea390f32e2b1fab546c2929f1aa25beb832f6b6a5b8a9525c341e19cf3dc66bbb1d896780a83be456a601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
4c87fdec7240f1dee405f681ec8be567

SHA1
de93b9abd54bd4769f0c3bdc62808822a0753173

SHA256
2828e5b079baedb0ee2047f66394d5c8e0caef517ea058479a44ecebe63d50c7

SHA512
17af23224fa3e842cd29d3b9bda18c7e03b3ff9b8dfb0c53f504b1d8391d4c146bed26790ee8956d12a9bb4d365631e6fc00122f7d237d0ac5e3a01571c51a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a1f5ce3ecce9dd8b83595c27dfd0ccec

SHA1
dfdd5977e3c3a489a5497577ab0f227591471d12

SHA256
deffb231bea9444003df47dcc442a66fcd497d965cc8dfd38bd7adbac7a4f661

SHA512
2c6f1c42799328cef3e8cad2e3ca1da6f7758859b62da03cc42ce8d81fd7b9154efe7dc91e7a9f045579ee79adbe93e50f7a97fca9d169752723a01d25909c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
56f0ac64edf64f26319e3203413f8f14

SHA1
3437cd7f3ee7017ac1eb9bbbe9f83500a02f927c

SHA256
ac9e8eabc2b34774d9807e0de6e2bed360e9d0dd5320092d3998f052c18458ba

SHA512
252d905e040a61ab1cf55253037e86a65310ccfe15b3eea1447455ccd89289a5b74be63e4881b1a5e5fd7ddfe69ec5600ba592a15dfd103192f90cee799870ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f63ef264724f198bdf38a61fc22ef0a2

SHA1
11a3c014106b95afdb0203c9275279c59ad649a5

SHA256
ff26b6af298ed57195ee8e28788b3d1c076071051baa408d39f1673215e9c48f

SHA512
67a5a7996f014b5a49fb579eb69fcc0a9c9e8b49e4a71667515ebbcfd1b1dc084fb0040ddf2ec4a859d74dcade7e8f625e192f169d4d4b362f89280a8529ba5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58ef5c.TMP

Filesize
48B

MD5
64b4485cfae802615ca46c99ea50b3f0

SHA1
d1812eadd97ac7570f836c58653326215e37938f

SHA256
7803626424fb584c043b9dec2f484c45f0e9c7ef0b4aeeff228d0bb3a868a7e4

SHA512
46b8606d8916bd0ccc97de6d9bac5a1b81fcf3af0e4d8830abcb18a334de5a7473a3e658728f5b4ee2114a7de4c4338507dc1f70cd0153c7759e83f8f9eb7293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
03153f101af54d49a33b00b959a4da5b

SHA1
6be1bd41d9ac10174d9623caf39e9f6606ef064e

SHA256
d1e760d89357ba2f6ee468b9d6139fefff3582b6dd1288034db321d7e03fd7e0

SHA512
7cbb8ac5159ba6fa90cdd93de689cfa54943911ae674d4b72438f704c03394f895e9e3e0ee7d4df766b76b07240bf20ce4e1315f9a176366abae800ae05a0610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0f05e20bfda3d92e6ca16420ae832e33

SHA1
6c091836067ba415e1aa94ee8e41b1727b2656b3

SHA256
aa50c664d6a3c25a65b806aa22b2c2be3f9a6c1fe002c50464f1d4dc4f689e57

SHA512
93fc40982b72c1c8a28b7fd5510f7d9a3ddc9ad48b9abe242ff9cc8f6806222ed71292618629afc5e0a0a675b07ed51f1dd6cac7ffc8d694ddaa1a7e92a40e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592495.TMP

Filesize
1KB

MD5
0dda43edeb4c15e4c9c4647ee56a6e59

SHA1
4c2e57173b6e26e6f2a8038ed3f688b73efeb0e7

SHA256
31face3386c5673fb1faa51f1b76f0dc6448e3a6df65a21ed0036cb79f12d708

SHA512
d856a3645688dcc216127171af7137e5b241f96096f66b3f55b333e7eed967ca128ce69c90f8df77dd3dec87f54d1ebd684426c50d42a49226b4022c2744546a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
01ef70098cf976f1f6d68d8633cbb5db

SHA1
f99d9788dab9f3ba9c06bcc8171db633762a25aa

SHA256
e916c1b8d56b7849ccfc3daf3c93f06308c844c4608d28c9825afbdac0fb819e

SHA512
8195195eaddee4f15e94a4f97442297def3b9638016df00301e8fb818b888fdc628f57043c73b1e84ce1eeb95d976de95c202140f21221d1a3a269007ca8c155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7e93d36b7b52f8827f748b866a83abe3

SHA1
3e6f624d59c0db6000590898bd7ccfd07482ef9a

SHA256
8e37e050e56ef0557404af765e002d912895074768d34213ea658b9ee19018f5

SHA512
f65f35d2e683dcd0184989a5e5491411172e5fbe3a71bb7f685e1f7cfac4b68d92988ca39e3c2bbcf128c88376f177a5486928a5d24cd3edcdcb3f91e5499207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e3c8699e2243cc0b5887ed9af54a5205

SHA1
ee9b22cb8d22c44abf8a6b8ebab5104863787b49

SHA256
df5a1337d8c5e98189d8a0a7d8f6e3403a473064aca8f1018a8f045052dbd6eb

SHA512
26f2e35cd72fe8d93ab7c02e92ae80b04b904cce394eaaf3c04be53a4cf6b9ff6e2f8c97daf974f2f0619554bf06c7d09f6cbadb19cd75ebc8471f95bd7649a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
dd9e21b0eb4f65c605db4239b5a3ad27

SHA1
2e2c6c55b44161289dfd594d0362261dd84c7899

SHA256
3c29b5a1d540f6c7a1c0927b865654f1d1583719122e0eaabbaf81902407cfbd

SHA512
14282361107e5dcfdd44087a4366970ace256496f9cd5fe5849adc6b6cfc53285504281f4b228b71fb16e13818e120a2593bfd984951a6a71ee764fed5f34958

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F73.tmp\4F74.tmp\4F75.bat

Filesize
124B

MD5
dec89e5682445d71376896eac0d62d8b

SHA1
c5ae3197d3c2faf3dea137719c804ab215022ea6

SHA256
c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668

SHA512
b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wf6ml2.exe

Filesize
87KB

MD5
aeb3cc05408bc1863e88b910c15dcf0e

SHA1
e699a0b0c2496878f46dd50ab0988f0f1be22b70

SHA256
5e0964cf2a7ef3d02bada774d094ab3dfb204bc637229e52ba7f47e90227baa4

SHA512
e01ef54b8ee9141d3772ac6b11132df48371c52825f80270239f84cf58fac1bf2a5dcd0828fd441804e07fb8f7c2b5920643e4633dc21940d00687d8b25f3815

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN1mO30.exe

Filesize
738KB

MD5
508dc89f45a007c46c539428df63389c

SHA1
6b22e3ae825510fa830cd0468d5053a095483399

SHA256
b198ef3618efe14d9278ad4fb8d98686508f7dcda50117e5dabbaeab29668761

SHA512
c1a3eb505fb5e9cdb3e2c65008b2a87e093c3e55feaab594feb7b214ebc38cf34f493fefaeb059adf833845533afa59b08292ae5c737689558a4a02c2a8f2da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Qi486Yp.exe

Filesize
339KB

MD5
1d689050a4a4d60136a4bb2bfe102d89

SHA1
920a14f57c4b7697fb6a5bea6aea2a83213564aa

SHA256
946941295ccf4076e6f3044dd0d1b65de6b9596295e3090f0621a5cc7cd5fca0

SHA512
c01b76154c27bdb318453e56347379c7d0f0f05088a4c7b728713c484802ffe56a93eaeb840452b96a696c472e2bd7332a7c3215cd3c1a57b74ee22ed5d391aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ab6Sl08.exe

Filesize
503KB

MD5
2aeaa651fff4ad5e7990f3303ef24df8

SHA1
7490b85e7d3c879fb285edb80ea9ee14869e54d0

SHA256
0e409ae63423deedd3ce537023ba2a81aac92155f2d7be1678dcb1ab4eb98f5a

SHA512
e3c1f7a1b64730466060399e774b11a36c6b51de18a24d2215b548908c2144530e264c28233c17f97e98ce4716d8b5b6a7f353a8357e3bbcbc910e5f3ec3986d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3du32Ol.exe

Filesize
148KB

MD5
446d103cc7b2318768970d513e356721

SHA1
332d9ce9afeb305cbc7b989bea54b5353ac65adc

SHA256
c89666d5533c12a97644e548a6a1526d2aac5e1c4ddea12b9765462481de36d6

SHA512
f9883e7a368d35bf67f6fb2ca142902a2a553843e1a4c3f84b7a6499d0b4a8363c1aa7d0566be4631d9378858a8bdc6fecc99b16342fd3fac1d220c89fce89ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yv8bp87.exe

Filesize
317KB

MD5
ebdea3ce8d20b20b52938e5fab300ecd

SHA1
8f7ac02a68b00d3c7d21916b21666c740799b498

SHA256
f523fa279526e755907a7cd3fb100aae2030187e549b63a420efbca0978fc9c4

SHA512
70e756be719bb97a7eb8bae2c3c03220a2653ac3763bdb93ba52cbcca640e9e7594edd9f6a681f236b25c7498434c3746810186473f789cdc359334332bd2666

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1El11lU6.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2WV5607.exe

Filesize
298KB

MD5
4180e4c82519832a6a2cf437e39c7361

SHA1
db364adf65ea28cc19b3f0c78e4ffde46aacb1c6

SHA256
be15d05609ef73f9d85b1e1e31d960c5968e94aaae7d4fe8f71750b2519facd8

SHA512
b0a9ec383a94fd843a06ab6899818b2b6911dde0104044c144046f022520b9f7995104c253bbb53e873d9545e8308e09a23709b9a8df238db00a2e837c702ec2

Download Submit
memory/2496-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2496-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3148-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3148-29-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3148-34-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4652-50-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4652-61-0x0000000007D90000-0x0000000007E9A000-memory.dmp

Filesize
1.0MB

Download
memory/4652-58-0x00000000074D0000-0x00000000074DA000-memory.dmp

Filesize
40KB

Download
memory/4652-57-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/4652-56-0x0000000007320000-0x00000000073B2000-memory.dmp

Filesize
584KB

Download
memory/4652-54-0x00000000077E0000-0x0000000007D84000-memory.dmp

Filesize
5.6MB

Download
memory/4652-64-0x00000000075E0000-0x000000000762C000-memory.dmp

Filesize
304KB

Download
memory/4652-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4652-360-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/4652-60-0x00000000083B0000-0x00000000089C8000-memory.dmp

Filesize
6.1MB

Download
memory/4652-63-0x0000000007650000-0x000000000768C000-memory.dmp

Filesize
240KB

Download
memory/4652-182-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4652-62-0x00000000075B0000-0x00000000075C2000-memory.dmp

Filesize
72KB

Download
memory/4812-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4812-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4812-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4812-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download