hxxps://system32[.]ink/s-500-rat-crack-lifetime/

Analysis

max time kernel
1050s
max time network
965s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://system32.ink/s-500-rat-crack-lifetime/

Score

7^/10

agilenet upx

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

ServerRegistrationManager.exeServerRegistrationManager.exe

pid process

1016 ServerRegistrationManager.exe
1068 ServerRegistrationManager.exe

pid	process
1016	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1016-453-0x000001DFD5CE0000-0x000001DFD5ED2000-memory.dmp	agile_net

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4616-449-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/4616-480-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 28 IoCs

Processes:

ServerRegistrationManager.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	ServerRegistrationManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ServerRegistrationManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	ServerRegistrationManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	ServerRegistrationManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	ServerRegistrationManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ServerRegistrationManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ServerRegistrationManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	ServerRegistrationManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ServerRegistrationManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	ServerRegistrationManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	ServerRegistrationManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ServerRegistrationManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ServerRegistrationManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ServerRegistrationManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	ServerRegistrationManager.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeServerRegistrationManager.exeServerRegistrationManager.exe

pid	process
4620	msedge.exe
4620	msedge.exe
4048	msedge.exe
4048	msedge.exe
992	identity_helper.exe
992	identity_helper.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
1052	msedge.exe
1052	msedge.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

6104 taskmgr.exe

pid	process
6104	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	6104	taskmgr.exe
Token: SeSystemProfilePrivilege	6104	taskmgr.exe
Token: SeCreateGlobalPrivilege	6104	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe
6104	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

S500RAT.exeServerRegistrationManager.exeServerRegistrationManager.exe

pid	process
4616	S500RAT.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1016	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe
1068	ServerRegistrationManager.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4048 wrote to memory of 3884	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3884	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4652	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4620	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 4620	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 3696	4048	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://system32.ink/s-500-rat-crack-lifetime/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa322e46f8,0x7ffa322e4708,0x7ffa322e4718
2⤵
PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
2⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
2⤵
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
2⤵
PID:2908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
2⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:8
2⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
2⤵
PID:5352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
2⤵
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
2⤵
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
2⤵
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
2⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
2⤵
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
2⤵
PID:6072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
2⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
2⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
2⤵
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5436 /prefetch:8
2⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
2⤵
PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4796 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,1677975986058081989,5657453749277281954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:404

C:\Users\Admin\Downloads\S500 RAT\S500 RAT\S500RAT.exe
"C:\Users\Admin\Downloads\S500 RAT\S500 RAT\S500RAT.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\553A.tmp\553B.tmp\553C.bat "C:\Users\Admin\Downloads\S500 RAT\S500 RAT\S500RAT.exe""
2⤵
PID:2212

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:4156

C:\Users\Admin\Downloads\S500 RAT\S500 RAT\ServerRegistrationManager.exe
ServerRegistrationManager.exe
3⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1016

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5468

C:\Users\Admin\Downloads\S500 RAT\S500 RAT\ServerRegistrationManager.exe
"C:\Users\Admin\Downloads\S500 RAT\S500 RAT\ServerRegistrationManager.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3904

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:6104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\61cf4c9a-bed8-4d24-80c9-f9e5789b98ad.tmp
Filesize
874B

MD5
9b9012a9bfd832cccaa472717b0812fc

SHA1
83c94c188fdaf1fda836796216711d2b64e228be

SHA256
ccb26bdb08795f48448e9fca83711b38294a170700ad98cb55547e8054a36af0

SHA512
0f32906fcc64698cc459ff4e9c530ad6414cef197dd60df343d68eadb28b221f6fd8cea11269403fad6f01eecb1d2fb41c72960d06b62ac0812f7ab32be04397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
28KB

MD5
403907d3b8e04ac29cf353a12b33e241

SHA1
bcfb04ace7ed3cbf4804908e1ecb7b36b0f187ce

SHA256
87fa278346c5200675c526133df28991b14d2c5f7ae38a995b79a3107a3037d2

SHA512
9a2e08251fb58dc568754ac3431c4a1e650709494e8784987f398913f989d4f80a173d48e220004dfaacb42bb898adc833067169270a5508ef722a2f294d7c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
18KB

MD5
725f015d431f3f372ffd5c7d6d17f258

SHA1
037cfb8d919072d74ef538dd12d6812477d307d7

SHA256
f2fee9dc05e8d761998139d0ea9b86f8677c0315b5ec32b62f9653b6ae60e68c

SHA512
b4723e96232070864c146437af4ffd0cc0f918a9d776259bf7861fefd9147c27398e6e0872a6eaa869db983852a1e801c29da99e54b5f8a43859d5d16882bcaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
20KB

MD5
41f6c7cdb5de4dc1eb2923c7cadaf35e

SHA1
51a3aeeab408104c91f65c80aaaa3ca21cd283c6

SHA256
7fb454672ea5282fc639c3ef0ed350dcf7b6756fe536d2ede2820029454da558

SHA512
011b729d5f429966e005938c93565b949c360dbb6bf6aae48c494efe3ceb990e7bd05a3db36f2b2c6acf442fb16fa9720b54e0e3cec04a27ca56cd945d43fcf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
19KB

MD5
48150fd783c011fe90cb62170afca5ac

SHA1
41e6b6f329915e0db88964a58a342bd639a1275d

SHA256
c05a197fd967c6036a22e823b92a13f7646cb03b3221816013226d8e5cb4a586

SHA512
bdee4263aae4b73cf735cebd81aa01146fc07a64ef0862bf2281579c0ca621e62da7b58c49bec4256522b6ca2242bdcfb7d66ab779c57add10225f4d9583b725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
Filesize
51KB

MD5
80830b0e69473b8a30c8d8328b2af72c

SHA1
6a1ace534d96a6aae10c57a81312ab1a3b97e275

SHA256
27b77a25a104b2d823e97d3588ea8e862dd01e4b9b2dad50340b76eedffef929

SHA512
17d98ff45e89f0d1a3fea61cb924e77499af569da93a32a1f738ef73e55dbbacb5ae9daac06539e14826114080a1b5f8c5e5d7649f02bcbad8f78e2de602ffd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
Filesize
139KB

MD5
d0ce38d595f8cc2b381630f9a226cdaa

SHA1
76d5acf13664a23dadf41068143277941e7adbd0

SHA256
1faa97e778bd30197e67bdd0214e373b64d001c10d7a3e749086c1b39201e22e

SHA512
db60126b37f548fc2e62864b7a2f8431d4587be1607c3ee84b621deda03e6962e132fdd661b6cfd1efcd6afe09cd94d38e5557b01910cace3ef1d84c8110d29a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
Filesize
16KB

MD5
aac684b7e4606c015695033d8d7a6838

SHA1
0e218321ac1e54bef03489aa9b1de67defa08fd6

SHA256
635243c5d45272455b54e1a84ed73286bc47953c805a06a82aa3f7c5d13baabc

SHA512
259f073c9a0eb8eba969628b2bbf5f8cae8059afeb9230ecfb5dcb15a998d8342aa1a20194b240851da8b27f6aa4532d936154db855fbf028d4c849211cb1fb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
Filesize
51KB

MD5
f0c575db288081cd1e864e980de6630d

SHA1
ffc05bf3842c350fb86b58beb391d1dc3af9fe63

SHA256
79fe0ab1d15c9cf57c4430b9b918bcf5f8ba19fc761381bff23e5ff816743375

SHA512
6df223d6bf7c2f9602a24f53b07b40a9a9b0c5130b2a55fbf288bbdc669e66a1ac702a255e0c8a2fd84a3776fa766f1b5c853614382947717a4fd25baed6b5ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017
Filesize
71KB

MD5
ecbf62b157ed4ff3f5a9ef5816a0bfaf

SHA1
42e03dd563afcdfa8c7d2ca57f67e0aed1e45e51

SHA256
e70c54b551f7dfb3c6d1bcd712daf2cc26afc547ddbc6322a83e41e4975d6b1f

SHA512
a151ca7fcc4bb3ec29721d5c1fd5c4340e2e12dc6ea25ea21ffdad625a389181912e98ac8857283b12d5f4d9ef63f1b5416f66c34c92d9ffeb8a4652dcbba6d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
e7728d940dd77e3c5b466130ba7bc3d3

SHA1
4a0e7688815863359c344a623613293b7973e20f

SHA256
6709e3632247595ea20415360e6f8feeba4b97ee2c0ca5c3355cab842d483b76

SHA512
e8e241d18fd9f966d8dc6b01bb1d9b143ab771c5900d0a69298798dc27e9d7a2469f0ce9323f584dd4042b3286e977b498aaf83695bb39885a8115845d85d3da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
f003f4124d4097b6df483f60a135bb37

SHA1
344f96ddc7408af2e44212827f95edef8a522caa

SHA256
875368fb4324a19095b7a0069f869e0c7e9e3ee4848d411d1a9a20cfa17e1b3e

SHA512
34e7e4036535bc2051188a79e8807f815c9975216fec78dec4977d763c586a6a58b81c9f4880656ad736618e8da8b47a530d4e93e2ea3ed2c40ab10be0afdbf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
29c9fb458366900814a81173134ef471

SHA1
5bc51e0a7ef1ff26957a206ab0660b60dd3c5503

SHA256
5e41eb2084033edbada6525bcbb39b7eedb06dae551a43aad0802e661f886a21

SHA512
be60ec9bc1b98d654bb0f342d431d876ff79c5e55a56d3a97e7b5665eb9284e97a4f6a8093ff7dc306a30ebfd81b1a2e78e69c1d2465da5d74dade2ec30f69e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
98944840bbc0d81c330d04febcf45140

SHA1
ed05d3af247e0af36a57e49c69b7f1b9e0f7ea6d

SHA256
d2058bdf78b9b491c6e7cd9166b74b356011acdcbbb03d6faf92aa2457421381

SHA512
7a84c67d65c216d8cc94e255c3b1db360bb0be84f399b50eb22cc8113a544bdded28cfa2ce36d38d5d02b2175a61e3e66ffb3d6283bc13f55aabec70e20fb0d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
7ca8f764c6b4e2b9e9863c01b9151f3c

SHA1
153010005ac767192667d56f2b966a43d69cffd3

SHA256
0d24ca6e98b65331a9ffb82ebfc9edff68f271060d066f833fa9727d068f3851

SHA512
825b631e356ec02c6cc461e7f806fd9d85a7c03fad6d7516a41b7327f196858850581caaca5349f567bd479fb6cc1532a4edd8f7123f8cc8fdeddf65eec5347b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
9ece1ae327f12ca12aba5c300a812110

SHA1
0704e523b4db1f7e0d1dac791afc151e3f8ea738

SHA256
28e46687a4d88a18b82e38a606f044523fdb8e71969c859d487a4d72b8fd5022

SHA512
c6ba9e7b443c573dcab54cbd503d271a4fa6f61f40c4a3282a13204fb5b90b64f33c58cebcab5caccf2102ae723c6be93dd4c9213086f06f80aca6edb2d9a73b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
6cf38a4dc67168520edc688f860d50b7

SHA1
6e0d25a46424f5dc98946c643c4b242bb03d7616

SHA256
877fb5a6652f0aaaa4f3f94f3378c27abb0a79854e916d2363f608114a14c29e

SHA512
1d9ba93e91f11e1365067141897d66e253a0806dc18a2fb6f2880f524239addcbeb9fc2fe80216630dd6f37d00dde57acde7e83aa2b2044babdd8d44e8fbf31e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
7f706b89c118d958e6140f4fa186795e

SHA1
553c429a37854f85a2a468ea2035860eafc051f9

SHA256
c9aab289b459eadd997c0dcdea1aea31b244723ae9b3dc27c49ede433488faa4

SHA512
79d8514012f03ed8dc60a214e3cdef71387f4f5418141d416c8455d41d14091c698e12a4698085c72da2b8fc8097c6b5423c0b8ea02144e86b16554a7c651bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
22ba38e2f386f0c801cbbde13fbd6a89

SHA1
bc6b4d187d22be36912ab4b5aac2545950ac906b

SHA256
eb08b513c2d2b163905a3ed073b15130b8666b84d2bc0081e8bb0a574dced2f1

SHA512
4d829bc3faf1029f8894180c5e51aabc92442047b2c7f5cb4faaf68fa6fcf3a75dc2d2f3b3aeb1527bfd4b278dba6a9e78ad5ffe47b9cc56a4d7692f48f6b2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
704B

MD5
acf61a5b8c2aac0a580bc8012b372ab7

SHA1
cc57e1c2324635d9c676dfef355df5b59835a8cb

SHA256
84be1fc5126890398cc13ff0138ccf5723e5b5d5456045afc9efed84444198f3

SHA512
eecf131898c1c7a4bc0ec9483afc5934f1cec898f9ec7f7142814d12f50129d6871bc1fc5b3c476c6705400ee28aaf65243dd74005d1cc357ef3153cc3f317e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a71d.TMP
Filesize
537B

MD5
d308d845110a8cae91bfd127fa087b3a

SHA1
77d776057ab50193cfe72d0bf38cb413cbf5529f

SHA256
927914bc855897312350fc8a4cc92e139506e2a5774ef40c864e39eea3e89912

SHA512
aa6ff919ad2d4238a98f45621ce8b78227dfaae42a7263006780272b19e103a59cc1bd2bf9dfd9887889e8c8e9c20baeb6b649ad0d9e126b18f6accb648a0969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c582c14b179640be06cf8737de83e237

SHA1
5aeff53457a0333424f79b1a7dd8106bc45ee645

SHA256
305619ec7bb5ccb3ee15e1ede750b03f608e0fea48cbcd0e2a81172449f63b5d

SHA512
5777f191dda3ff2c687b7ee33b69fbe44b35db3a52801c36ab2868babec01078bc24f135e6b65cf4fa74ecec71e5e30a5bf1a422f9063e9ace4488a98ce7d621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
c3e49a66b1bf47aca53a7221982fb492

SHA1
39cb6078c97872237fa6bbeeaea985013782f441

SHA256
d3ab03a6b74dd1783680b029c42c6b2d3a1dfdb7a84e51ef4c8caf173f262d45

SHA512
819397fab31fc2a70af12d0548c46c86a43daa17ee450dd9188a2ac022c1d9b0bbebe938d183681aa104951b3914baf4b7590aae403baf314019cf5e17630367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ee6ed2d15bbe947031e2f16985f46be0

SHA1
7addce5baa38926a4a28e73e485dfa237b2969f6

SHA256
a329ea304d811643a0755c9762c5271b264b33d822cb27138cd1ab4e19759894

SHA512
fa9c3d91c5f5e6397ec28ba167f2d3d75b111395e98664529ccf50497fe26ed6a414d2038bfa5728b130198af7f92f018e9378dffedbe14a85e366a5871ac9a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a6bee904f0a138fd918bad5f5e621e71

SHA1
e1f7a2b47f9fa8bc039f3abdedadf4be6ed2e5cf

SHA256
2b348b9b93da66d5875359b24111da84433b4ee7d71da119781100074168e683

SHA512
4b0c4ebb6a8b58509ab86604b05d92685959a5721cbf8d5ff63512527fd64490d22b814589fe45a2b84ba31d25f97d8cb9618e094b84502f33ecb6b7f0a1d060

Download Submit
C:\Users\Admin\AppData\Local\Temp\553A.tmp\553B.tmp\553C.bat
Filesize
1KB

MD5
fc4af7384f0b6f274dd3e745f0aceeaa

SHA1
31b310f869b15b84e52ef282cabaee974e5043cf

SHA256
f27a781bd4e8788990ceecac17ba4b9642e15f0d311e17d62c70db694c207a34

SHA512
dc7b542d89236105c8b8976e5af0e9e557eaa919adb2e8384b55b70c0b5bc6f00d2010538b9abaca90bb797d24fd509acdc1b3a6beea27f11405bf198349f57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6ef4c2b-9a55-40b4-957b-c3cb74191397\GunaDotNetRT64.dll
Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3906287020-2915474608-1755617787-1000\d533a5560301935f53c58c2fa4238f08_215f2dba-ef84-4dd1-b127-5f514a0c233b
Filesize
3KB

MD5
61dd981a0675ee3ce78f5bd138336b85

SHA1
4f31ae7325eb922e7e1e8538a4d5a024211d487d

SHA256
ad45b0c3e4b711b237f9b3a291142ca471cfe3a7e24adddaed95f76f1ccbe124

SHA512
8b5752dbbdead05151a80b8360d3da3bbc1b44542e3ec1559313e05c790ad7d3bcd133cc5adabb4cefc32918698c056eac7ea0f08b728ead54a9e5e0d328df6c

Download Submit
\??\pipe\LOCAL\crashpad_4048_CSEUJDRSWDFOKYSH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1016-474-0x000001DFD6F20000-0x000001DFD6F2C000-memory.dmp

Filesize
48KB

Download
memory/1016-479-0x000001DFDCA90000-0x000001DFDCACC000-memory.dmp

Filesize
240KB

Download
memory/1016-463-0x000001DFD6370000-0x000001DFD65B0000-memory.dmp

Filesize
2.2MB

Download
memory/1016-464-0x000001DFD6EF0000-0x000001DFD6F22000-memory.dmp

Filesize
200KB

Download
memory/1016-462-0x00007FFA1E9C0000-0x00007FFA1EB0E000-memory.dmp

Filesize
1.3MB

Download
memory/1016-475-0x000001DFDC820000-0x000001DFDC832000-memory.dmp

Filesize
72KB

Download
memory/1016-476-0x000001DFD6F30000-0x000001DFD6F3A000-memory.dmp

Filesize
40KB

Download
memory/1016-461-0x00007FFA235A0000-0x00007FFA235C7000-memory.dmp

Filesize
156KB

Download
memory/1016-452-0x000001DFBA2F0000-0x000001DFBB3B4000-memory.dmp

Filesize
16.8MB

Download
memory/1016-482-0x00007FFA235A0000-0x00007FFA235C7000-memory.dmp

Filesize
156KB

Download
memory/1016-453-0x000001DFD5CE0000-0x000001DFD5ED2000-memory.dmp

Filesize
1.9MB

Download
memory/1068-553-0x00007FFA235A0000-0x00007FFA235C7000-memory.dmp

Filesize
156KB

Download
memory/1068-547-0x00007FFA235A0000-0x00007FFA235C7000-memory.dmp

Filesize
156KB

Download
memory/1068-546-0x00007FFA1E9C0000-0x00007FFA1EB0E000-memory.dmp

Filesize
1.3MB

Download
memory/4616-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4616-480-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6104-555-0x0000025952CC0000-0x0000025952CC1000-memory.dmp

Filesize
4KB

Download
memory/6104-557-0x0000025952CC0000-0x0000025952CC1000-memory.dmp

Filesize
4KB

Download
memory/6104-556-0x0000025952CC0000-0x0000025952CC1000-memory.dmp

Filesize
4KB

Download
memory/6104-567-0x0000025952CC0000-0x0000025952CC1000-memory.dmp

Filesize
4KB

Download
memory/6104-566-0x0000025952CC0000-0x0000025952CC1000-memory.dmp

Filesize
4KB

Download
memory/6104-565-0x0000025952CC0000-0x0000025952CC1000-memory.dmp

Filesize
4KB

Download
memory/6104-564-0x0000025952CC0000-0x0000025952CC1000-memory.dmp

Filesize
4KB

Download
memory/6104-563-0x0000025952CC0000-0x0000025952CC1000-memory.dmp

Filesize
4KB

Download
memory/6104-562-0x0000025952CC0000-0x0000025952CC1000-memory.dmp

Filesize
4KB

Download
memory/6104-561-0x0000025952CC0000-0x0000025952CC1000-memory.dmp

Filesize
4KB

Download