mystic | 83f9ac8f5c2c168f911f7c15829ee95c60cf3124533493e7d4af8fccd21808c1

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe
Size

876KB
MD5

066bb534adef3007b59a440df554a6c6
SHA1

2bd0c128ee738a1761ada12b9f097b8fa82a49ed
SHA256

3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf
SHA512

4174a8b175a1ba4aa8fd1d9b0bb51224cf6a9b6d6b00a0d08841716a203b540e02d3df6119d0ba6f99beb26a2704bbb7a61b04cefabe6a2d9efe618c2330a97c
SSDEEP

24576:AykgzpSUtBf1kZd2NqLeHdcOBla4TyouFzZRf3gD:HkWpV1kWHj84eTZR/g

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1928-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/1928-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/1928-37-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/1928-39-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3472-48-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

5Ln7gt9.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation 5Ln7gt9.exe
Executes dropped EXE 8 IoCs

Processes:

FI3gq62.exedb2FL06.exeTa8tZ82.exe1xy55nF7.exe2Ev9506.exe3yf84jj.exe4xl958hh.exe5Ln7gt9.exe

pid process

1948 FI3gq62.exe
1140 db2FL06.exe
220 Ta8tZ82.exe
4696 1xy55nF7.exe
5004 2Ev9506.exe
3976 3yf84jj.exe
3868 4xl958hh.exe
4516 5Ln7gt9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	5Ln7gt9.exe

pid	process
1948	FI3gq62.exe
1140	db2FL06.exe
220	Ta8tZ82.exe
4696	1xy55nF7.exe
5004	2Ev9506.exe
3976	3yf84jj.exe
3868	4xl958hh.exe
4516	5Ln7gt9.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exeFI3gq62.exedb2FL06.exeTa8tZ82.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	FI3gq62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	db2FL06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ta8tZ82.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1xy55nF7.exe2Ev9506.exe3yf84jj.exe4xl958hh.exe

description	pid	process	target process
PID 4696 set thread context of 4272	4696	1xy55nF7.exe	AppLaunch.exe
PID 5004 set thread context of 1928	5004	2Ev9506.exe	AppLaunch.exe
PID 3976 set thread context of 3660	3976	3yf84jj.exe	AppLaunch.exe
PID 3868 set thread context of 3472	3868	4xl958hh.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
412	4696	WerFault.exe	1xy55nF7.exe
852	5004	WerFault.exe	2Ev9506.exe
972	1928	WerFault.exe	AppLaunch.exe
1172	3976	WerFault.exe	3yf84jj.exe
5040	3868	WerFault.exe	4xl958hh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

AppLaunch.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
4272	AppLaunch.exe
4272	AppLaunch.exe
620	msedge.exe
620	msedge.exe
3764	msedge.exe
3764	msedge.exe
2656	msedge.exe
2656	msedge.exe
3324	msedge.exe
3324	msedge.exe
3952	identity_helper.exe
3952	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3324 msedge.exe
3324 msedge.exe
3324 msedge.exe
3324 msedge.exe
3324 msedge.exe
3324 msedge.exe
3324 msedge.exe
3324 msedge.exe
3324 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 4272 AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4272	AppLaunch.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exeFI3gq62.exedb2FL06.exeTa8tZ82.exe1xy55nF7.exe2Ev9506.exe3yf84jj.exe4xl958hh.exe5Ln7gt9.execmd.exemsedge.exe

description	pid	process	target process
PID 1968 wrote to memory of 1948	1968	3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe	FI3gq62.exe
PID 1968 wrote to memory of 1948	1968	3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe	FI3gq62.exe
PID 1968 wrote to memory of 1948	1968	3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe	FI3gq62.exe
PID 1948 wrote to memory of 1140	1948	FI3gq62.exe	db2FL06.exe
PID 1948 wrote to memory of 1140	1948	FI3gq62.exe	db2FL06.exe
PID 1948 wrote to memory of 1140	1948	FI3gq62.exe	db2FL06.exe
PID 1140 wrote to memory of 220	1140	db2FL06.exe	Ta8tZ82.exe
PID 1140 wrote to memory of 220	1140	db2FL06.exe	Ta8tZ82.exe
PID 1140 wrote to memory of 220	1140	db2FL06.exe	Ta8tZ82.exe
PID 220 wrote to memory of 4696	220	Ta8tZ82.exe	1xy55nF7.exe
PID 220 wrote to memory of 4696	220	Ta8tZ82.exe	1xy55nF7.exe
PID 220 wrote to memory of 4696	220	Ta8tZ82.exe	1xy55nF7.exe
PID 4696 wrote to memory of 4272	4696	1xy55nF7.exe	AppLaunch.exe
PID 4696 wrote to memory of 4272	4696	1xy55nF7.exe	AppLaunch.exe
PID 4696 wrote to memory of 4272	4696	1xy55nF7.exe	AppLaunch.exe
PID 4696 wrote to memory of 4272	4696	1xy55nF7.exe	AppLaunch.exe
PID 4696 wrote to memory of 4272	4696	1xy55nF7.exe	AppLaunch.exe
PID 4696 wrote to memory of 4272	4696	1xy55nF7.exe	AppLaunch.exe
PID 4696 wrote to memory of 4272	4696	1xy55nF7.exe	AppLaunch.exe
PID 4696 wrote to memory of 4272	4696	1xy55nF7.exe	AppLaunch.exe
PID 220 wrote to memory of 5004	220	Ta8tZ82.exe	2Ev9506.exe
PID 220 wrote to memory of 5004	220	Ta8tZ82.exe	2Ev9506.exe
PID 220 wrote to memory of 5004	220	Ta8tZ82.exe	2Ev9506.exe
PID 5004 wrote to memory of 1928	5004	2Ev9506.exe	AppLaunch.exe
PID 5004 wrote to memory of 1928	5004	2Ev9506.exe	AppLaunch.exe
PID 5004 wrote to memory of 1928	5004	2Ev9506.exe	AppLaunch.exe
PID 5004 wrote to memory of 1928	5004	2Ev9506.exe	AppLaunch.exe
PID 5004 wrote to memory of 1928	5004	2Ev9506.exe	AppLaunch.exe
PID 5004 wrote to memory of 1928	5004	2Ev9506.exe	AppLaunch.exe
PID 5004 wrote to memory of 1928	5004	2Ev9506.exe	AppLaunch.exe
PID 5004 wrote to memory of 1928	5004	2Ev9506.exe	AppLaunch.exe
PID 5004 wrote to memory of 1928	5004	2Ev9506.exe	AppLaunch.exe
PID 5004 wrote to memory of 1928	5004	2Ev9506.exe	AppLaunch.exe
PID 1140 wrote to memory of 3976	1140	db2FL06.exe	3yf84jj.exe
PID 1140 wrote to memory of 3976	1140	db2FL06.exe	3yf84jj.exe
PID 1140 wrote to memory of 3976	1140	db2FL06.exe	3yf84jj.exe
PID 3976 wrote to memory of 3660	3976	3yf84jj.exe	AppLaunch.exe
PID 3976 wrote to memory of 3660	3976	3yf84jj.exe	AppLaunch.exe
PID 3976 wrote to memory of 3660	3976	3yf84jj.exe	AppLaunch.exe
PID 3976 wrote to memory of 3660	3976	3yf84jj.exe	AppLaunch.exe
PID 3976 wrote to memory of 3660	3976	3yf84jj.exe	AppLaunch.exe
PID 3976 wrote to memory of 3660	3976	3yf84jj.exe	AppLaunch.exe
PID 1948 wrote to memory of 3868	1948	FI3gq62.exe	4xl958hh.exe
PID 1948 wrote to memory of 3868	1948	FI3gq62.exe	4xl958hh.exe
PID 1948 wrote to memory of 3868	1948	FI3gq62.exe	4xl958hh.exe
PID 3868 wrote to memory of 3472	3868	4xl958hh.exe	AppLaunch.exe
PID 3868 wrote to memory of 3472	3868	4xl958hh.exe	AppLaunch.exe
PID 3868 wrote to memory of 3472	3868	4xl958hh.exe	AppLaunch.exe
PID 3868 wrote to memory of 3472	3868	4xl958hh.exe	AppLaunch.exe
PID 3868 wrote to memory of 3472	3868	4xl958hh.exe	AppLaunch.exe
PID 3868 wrote to memory of 3472	3868	4xl958hh.exe	AppLaunch.exe
PID 3868 wrote to memory of 3472	3868	4xl958hh.exe	AppLaunch.exe
PID 3868 wrote to memory of 3472	3868	4xl958hh.exe	AppLaunch.exe
PID 1968 wrote to memory of 4516	1968	3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe	5Ln7gt9.exe
PID 1968 wrote to memory of 4516	1968	3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe	5Ln7gt9.exe
PID 1968 wrote to memory of 4516	1968	3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe	5Ln7gt9.exe
PID 4516 wrote to memory of 3220	4516	5Ln7gt9.exe	cmd.exe
PID 4516 wrote to memory of 3220	4516	5Ln7gt9.exe	cmd.exe
PID 3220 wrote to memory of 3324	3220	cmd.exe	msedge.exe
PID 3220 wrote to memory of 3324	3220	cmd.exe	msedge.exe
PID 3324 wrote to memory of 4532	3324	msedge.exe	msedge.exe
PID 3324 wrote to memory of 4532	3324	msedge.exe	msedge.exe
PID 3220 wrote to memory of 320	3220	cmd.exe	msedge.exe
PID 3220 wrote to memory of 320	3220	cmd.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe
"C:\Users\Admin\AppData\Local\Temp\3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FI3gq62.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FI3gq62.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\db2FL06.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\db2FL06.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ta8tZ82.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ta8tZ82.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1xy55nF7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1xy55nF7.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 556
6⤵
- Program crash
PID:412

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ev9506.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ev9506.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 540
7⤵
- Program crash
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 136
6⤵
- Program crash
PID:852

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3yf84jj.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3yf84jj.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Checks SCSI registry key(s)
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 156
5⤵
- Program crash
PID:1172

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xl958hh.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xl958hh.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 580
4⤵
- Program crash
PID:5040

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ln7gt9.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ln7gt9.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FFBD.tmp\FFBE.tmp\FFBF.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ln7gt9.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd578e46f8,0x7ffd578e4708,0x7ffd578e4718
5⤵
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
5⤵
PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
5⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
5⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
5⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
5⤵
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
5⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
5⤵
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
5⤵
PID:840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
5⤵
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
5⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 /prefetch:8
5⤵
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
5⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7479642309544669126,17917770306646580652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
5⤵
PID:552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd578e46f8,0x7ffd578e4708,0x7ffd578e4718
5⤵
PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,6419097620992755150,10370831533289737733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
5⤵
PID:668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,6419097620992755150,10370831533289737733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd578e46f8,0x7ffd578e4708,0x7ffd578e4718
5⤵
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13859048363353287643,1326813723612266161,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
5⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,13859048363353287643,1326813723612266161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4696 -ip 4696
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5004 -ip 5004
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1928 -ip 1928
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3976 -ip 3976
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3868 -ip 3868
1⤵
PID:3812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2579d07b98bbefadc929d80fb3dbd32a

SHA1
1ceb57c4b81f0f23500e118a4b9a225116a467de

SHA256
b8443c289ad36568a2bf794ac9ec1f259a9dd930c36680dafc8d0cb4de81feb6

SHA512
53522ad5e8e2a272d5b1bff9b9226b7d976d47413891c60d7efebd4365baff12b6891e3f79b20e14892ec7c654ad2d437941014290c428c6b1bd78a7b3e557de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8c91c8582b0c918416d14bd7eedd686e

SHA1
b2ff8149bc21144fdcec64111afda492965c6621

SHA256
1e839706b748c04adf8efa2790564ca1efd707fdf6451e71af6862e07123717e

SHA512
a93be868d9f08097bff39069378a0bfa0f5c78e74e9e8df820be9b0426cbfe84e03e9638b329b6142279ed140a120c4c4c21857f410fc4789a370445c3919dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\01cd17f1-b3a1-454a-a00e-dc12565002f5.tmp
Filesize
1KB

MD5
195cb3e2b9a08e4887c216f85cc42ad2

SHA1
d504399705bfd3675e3f8eb0b46bdea19f506080

SHA256
0e505abb652e4421cd9e8238e234ae6aa8f9c1ca02ba988a6668607921bf55ee

SHA512
1017727e8d7b7d453b9ea805f8bca44cf985c4f8f69226a5930fc517f426d4933d558fc5c6e83eac487d5e4aa33dfd7b3f6a65cf3d2895fe299e97d77bb2cb70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
158a0216b85234e010bb3b229c60dc99

SHA1
4f7c912c5c7223902e2bed585283cef6e5584b87

SHA256
fa3c226dff47807298ba6253fbab0b5e5404b502bb4d9661921cd5985a480c22

SHA512
bcbef694d47abd31f97580556c3aa89579cc0b70c9543b1de97947d651616321d5bd32d89bef4aa7353d92dc0722e74bafaef90ba399491210db4c6fad9ac8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
92da8228e5b3d00b9e020f2d1d9319eb

SHA1
6d8eb4784f63011805c297dbc0fb98e30db08288

SHA256
96d045ed775bff7945d14894fe1fa823521b882c1c89dd6fc8c147a18b4bc0b5

SHA512
8eb2ba0d9455b99b38b01ed64bea0fbf0362807ef58d2b37ea4bfdf3feb2dd0eecdacc15be557f3202cd54660d40d4ca4c0651e31e623a9f2607ad71fd0e229c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
94d8794d951b1e8e45371d44cf5038bf

SHA1
14055f4d9c0d03e1d6f670f411eac80560710733

SHA256
d62abd21a28515bf3334e1c9664111a18591e7c0f6d4ae92d1addb21021a80b5

SHA512
43ef776808b0529adfb5da1cc3e9ac7968aeaf175beb8e7701f4bd2410c964f491a631200a08aa1b61c72be99743095017d0f772f16685a37e1b64d24eb7e656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
5e1c9e123a271667296f75f95ee557bc

SHA1
d909dc449370fd331b7fd4d1368df88024aba2e7

SHA256
ab45ae5b6f5a0257065b3bf12a6631a6c96f88e30ee2b1a17085373b07674179

SHA512
a9b535fba4cb58859aa5f9ef0504f0e8cd7fb69eda2411cdc81e4460c8dc71a2a6c81f476438421249ed0a864fde7897035df230f14ef7724b07294f0a8e77cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c6133ddc42599fbdaf28943bbd201c98

SHA1
00606e9c84ca8c4bc65b25cf0e061954cef7eae5

SHA256
3ee3e4d2c9d922a6469499b4c502a1a1abbb205c81acf0d76b44b9b348e9a6e8

SHA512
c189ae9013b903946497d7201cbee8ee4637ebbba8421bb7675f216c9af679608f55ffb0b1c9ef0169c995182a8d102e171a8943e9e0a900d37eeb2ac5814bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
85079b20682da70e54fe216e7ddd6311

SHA1
672f6a234638cb8f318e195a586fa0f2f1d7e5da

SHA256
afdf2254c02e01f042f75484cd128e9ec5262278a2eddd0cd6404d58fe7412e5

SHA512
9de1774f21171de375d7870e4e921840b3663a3307f874db8a34ce8908c939ee33260ada74acc70fcb8bee445023244fd89e9f7f592318394baa802c2681f739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
22185416bf5095a65352aece6b8864e9

SHA1
4da344197a0eb816a1471fefbeb31d1703029bbd

SHA256
3527a72d42a5e53cd457a80d75f11549e5fd99f774e57edf5af4224ab1ff6e7a

SHA512
deee28f0874d3c99f6fe688c88ec689d77a25517360bbc152900f56b0fddbb42c9ca98aff7d675edbb76f3461adc37bbd1c86a958f68907d46bb6a215c48759e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
a97be2e0e8fd47be9b14efe838125f8e

SHA1
e06fa19877b9d46e231b9adc6424bd71f73bcbb7

SHA256
dfedcc8a69cab31b51b5d88e1122bf4a0dfb7e9ae41f66b2cc8500b7ffc35e09

SHA512
7bf6fa10019824a11f2d97242deeaa26d81463d0178df54c17ae30e98d39f9b599ec65073c6e0eeaba58f733a6d3fce2cc05d83f73bde18e0d67982dca322676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
8d6caadf9414dcc5d33e35053422fa84

SHA1
0f22d6eb2d68dd478b45b14b20b24ce14625a9a3

SHA256
1717992192318f021cdab6d245752ce5250e955d049e7307dcdf647e5b6582b0

SHA512
ab9e5b3263422cd9c5c2f31c839e6ec3eef5eb90155680df5133b8ce61638f6e46ecd243275c81ce161b5ff8ac9cf4e89cc44828ca4320bf28a3a3fc9d7d4ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
e3fbfc29a15fae3199ad7d2a2773a06a

SHA1
e29d0d81af99b3abbc238c7073459c459497a047

SHA256
548aad1a4e2eda5fdaf0723b499ff6293e1119a7d037f6113243c08ee28c8bef

SHA512
496e1e3a8813b733fc99c08682e52c1d8222c2b7d528cf2288f0770b6414181dffb4b8dca17f236b7866a2e4aba1300d4e9e1a4f1da3ae11a2ce14fd943540d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588911.TMP
Filesize
48B

MD5
6305f9b1dffb28213e718abc7d0bdcfd

SHA1
0f853592ac2b721090c2d540d2c802eb7773da54

SHA256
095457dad2e8181b69796543130149151b8fefdd2c4d586bf46f8a2024f264c3

SHA512
01cfebf28618043151b5eb8064acda3fff62b591a77bf4b44d0848c16db2975f5f8f5cc7cda955508102435eccd0a0ae06b66ce11487c3094e3240cd18e8358b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e17eb6c3be2e070880043d3f5778b376

SHA1
826d5e72b42a628f427d0aed865c0b35255561a7

SHA256
e68ac55a39f98f44fa14261b297175bc77db2bb965a86556808409cdbfce9f34

SHA512
4b0c8549b77d58b91c9d78efa019601f1627dab2114279bf1d0220663aa2defdfc1f92ad0a0f509c4227229451028132275540d995a3c55db88c6f8bb627805f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b0bc7cee3d24baba794cdf5a3bf373cb

SHA1
1840c69432065bd01af08ec170770f7b2c46479f

SHA256
3e60cd5104fec92ccf508975feac91cfb3e240925d10cbf12483ca267edbe9bc

SHA512
ad06546d6388c72af75a94510021ac56bf9e7f57b0dd41a6af2c1d1c5de53cc797ca79ce4c6e1fc2bc51e4276c11d8960a483dbed33fc9c75f8069c2d1d4e885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585d5d.TMP
Filesize
1KB

MD5
458579faedd63fabf72cae3ace51fede

SHA1
b3041ef543d387fc47e99fb6c62f55f67f1c166a

SHA256
25239f01f7e8d8b0069822c90a738e74ed3e5a1f4a2a83e282ee70b64e35573b

SHA512
dc6860830b5c0b96848751c15853657d94177db0b62bb7f4cd451922e6f1d813b216314f991f20c69a522437db52e600cfbd48e2c47150317ee0a7d46dcc85a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
40bb7eb2d11cddb5e41e73bf081fc583

SHA1
3943d71e6155cfde683363a77ab12abf80f041c7

SHA256
6ca80caefb7ba1cedb47b78fa7d3af54fba73dda90c0f293e9902ae5a9f876a3

SHA512
5b717bb80f4301a5ce1c588d08a17fb31d65ce3c69730040236a3bbbc37a5090051410a21eb54641bfa603cf694cc91f3ab9b6a5adabe6566caed0680aec855d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
26e2069b64a957e615fa1663d8728705

SHA1
c502d4f2465efe21e13c05d60f08eae1d0e45a10

SHA256
bdeb72ca867db57c0b8eed5f1e10398c16406f08014b4b5520abb3f534ae8f6f

SHA512
d7a4b855652558834d8b872f0c93b46842a8047d6cb1d8c14e59ed1fa4e6a818828d6ddea5ad3155dd9420b4a03996d45520588a63672f9bffaf825e4d3cfbcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
4721c3df851938dcaf732340faff6b72

SHA1
12f593096470a69fd127b9d8f81e136b36045636

SHA256
e033682aa962083134ba840f964a656ad53561ec8122a12021688b9093d3e377

SHA512
3a720fde85be93c272492f5303b17459bdd51fdc119beb3581284417e610114aae1a1f55b8575bed83423cdf48c0544f46993c6f917dfa4e68ded150710b4988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
709035745210581c861f19db20f903ab

SHA1
e08abb7a068d42e257604b7245ed52ff85e2e11b

SHA256
2ccade84e72a59ab4c207a3afd8f7bc5919ca46472dcae6fb58e7e2dff236b7e

SHA512
2599a8a4ff8e07c88cd3373fb3dd747cbb649deed15349a36a0684ec108596a1ff1c951abf71c2a0fb84857506739cb8dbff4004c54c48e3be44fd1b3181aa6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFBD.tmp\FFBE.tmp\FFBF.bat
Filesize
124B

MD5
dec89e5682445d71376896eac0d62d8b

SHA1
c5ae3197d3c2faf3dea137719c804ab215022ea6

SHA256
c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668

SHA512
b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ln7gt9.exe
Filesize
87KB

MD5
c7f3fd22f3865b6770fc7560515ad2b1

SHA1
124a75b572209da7f39959ad82ca4738917cf631

SHA256
34d9c803544fe8b7d82027b68237413e6137b0479d068bbb392cb1dded25b37f

SHA512
2cf27f86a6e47ec158a3c47b537c1727c033b5148d39b2ffef00168a46072e982c58425a7cc5d30ff65c9de6f9194002b848a72761d77aca7c06fd39a9c045b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FI3gq62.exe
Filesize
737KB

MD5
eb38e31f85aed830e5417be5e66c3332

SHA1
1109e1aed9f7e5f2dde0a01f4ad2c34e34124e61

SHA256
abed45fcf32b29e53a86caa1af2a3e4110a2a601365b5eb7f3b4860e5d1f134a

SHA512
d3a1229968298fce3ee9bd1d73a048771542a451ae1baf704584357da5b56e2f11191088bb2ace5801489041312f3183afde580d5ff2678a4df91cce7b9eb6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xl958hh.exe
Filesize
339KB

MD5
ceab6d7b32ee2f321c1b5a6ff5974bc1

SHA1
088471024b97d9e6a0745c04988f56d63ace564b

SHA256
7a32fc8a5ae6b56f78a2428df6502d88c69de9e54c26e4235f3a86814a55ae5b

SHA512
0a392fef62deae104c25491859c555f542a19ad4ecc621ae833515bb218562771487b48a051cb7fcc2e8e0f5d05cb6382de6fdff696098d52e47d4d5b65523b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\db2FL06.exe
Filesize
502KB

MD5
fc22e38ab629c20ddf2f3b9c7be5b033

SHA1
7aa8c002df5b16521884daccc13338e2c382d932

SHA256
386bc59396ea12ee20709565e4e2f8b51d6be38d84637668064882d78c1fb477

SHA512
38b0fe7f36ec58cf1b00d31ac03c15ee8c6ca7841502ca596c5c40ba96f1b2a938f883fbb4ffbacb27e336fa14cab55496735518afa3434e6bfe29d133ee0563

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3yf84jj.exe
Filesize
148KB

MD5
4eb3061e5a50c086c05cb65b56f62b0c

SHA1
32321fd1ab6ae4de709d8510e17e84fe901e9e96

SHA256
e4376ea14db956de0e3bf7fbb625dbe787f9f959b959f74efc27ae603b053f99

SHA512
49c3bbb69c0c4b80e8f0a56f9d1753b8856544d8e84e3b803f15640b5578d73b82276d1f529f74e2e8ca51b3e99ce87105d5b3d4eca49436abb6b25fe0770559

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ta8tZ82.exe
Filesize
317KB

MD5
6f3e9b8927e76edce253f4019f44015d

SHA1
5405db793ee440e1b2d31d39dd7f12e572f73acf

SHA256
741f2c012c1489a7563d9f332eb8cfadd7673983d59006d09dec5a86a49ef5ca

SHA512
c59244d024a37487ff592970e2339043c410b40f217d3d5d1f2d7ace159feda0daf2bc68ab4ccb51ec14f43e1e16e3b42dab7530c49e81d9f0f6ba29c5576738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1xy55nF7.exe
Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ev9506.exe
Filesize
298KB

MD5
2fa1d252aebab8694d7acac396e39a11

SHA1
8b546f55e262002d2feadc9e608145ecb8bb3b45

SHA256
0923a6fb53240bd2c207fb8f4994d0424d7554cf1ad6991d76807eee8d2185e7

SHA512
9551dc943ac781cebedf7c11e6671d234b66c1f907b87024307c00a88433c1ecec75e2afcc0d5b4bcd374cf9771c8a2daa2c11b9ab4bc08aa88ccb881bd96e51

Download Submit
\??\pipe\LOCAL\crashpad_3324_XCHCDWVPLPTJORLD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1928-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1928-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1928-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1928-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3472-62-0x00000000079E0000-0x0000000007A1C000-memory.dmp

Filesize
240KB

Download
memory/3472-63-0x0000000007A20000-0x0000000007A6C000-memory.dmp

Filesize
304KB

Download
memory/3472-61-0x0000000007960000-0x0000000007972000-memory.dmp

Filesize
72KB

Download
memory/3472-60-0x0000000008150000-0x000000000825A000-memory.dmp

Filesize
1.0MB

Download
memory/3472-59-0x0000000008770000-0x0000000008D88000-memory.dmp

Filesize
6.1MB

Download
memory/3472-54-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/3472-363-0x0000000074390000-0x0000000074B40000-memory.dmp

Filesize
7.7MB

Download
memory/3472-53-0x00000000077E0000-0x00000000077F0000-memory.dmp

Filesize
64KB

Download
memory/3472-52-0x00000000076D0000-0x0000000007762000-memory.dmp

Filesize
584KB

Download
memory/3472-373-0x00000000077E0000-0x00000000077F0000-memory.dmp

Filesize
64KB

Download
memory/3472-51-0x0000000007BA0000-0x0000000008144000-memory.dmp

Filesize
5.6MB

Download
memory/3472-50-0x0000000074390000-0x0000000074B40000-memory.dmp

Filesize
7.7MB

Download
memory/3472-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3660-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3660-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4272-34-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/4272-29-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/4272-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download