Analysis

  • max time kernel
    460s
  • max time network
    462s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 12:26

General

  • Target

    https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbTZSYWJBaUdLd2FlTTZTOGpObkhZSjJPTjFBd3xBQ3Jtc0trVFQyRHdwa3EtTTl2VmxjbW5JZFlwaGotOXgtZ1ViaDFTakZiR0RHZlk4eHNyaUluVi1LVUNkOHI5SEx5YjNiRVhIMGlhRmlneXdKSGtSSUYwb1dBcW82WTl5M2NhRVBjUmlpVHFDWDJXNXcwV05wMA&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fw4w7jgg3vk6qb%2FCheat%2Blauncher&v=rKLwAhQYsQ0
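The submitted target is not the lure itself but a YouTube description-link redirect; the real destination sits in the `q=` query parameter. The following is an added example (not part of the sandbox report) that unwraps such redirect wrappers by parsing alone, with no network access, and flags a destination on a file-hosting service. The YouTube entry and the submitted URL are taken from the report; the other redirector entries and the `FILE_HOSTS` list are assumptions for illustration.

```python
"""Unwrap a YouTube description-link redirect and classify the real destination.

Added example, not part of the sandbox report. Only the submitted URL and the
YouTube /redirect?q= convention come from the report; the other redirectors
and the file-hosting list are assumptions for illustration.
"""
from urllib.parse import urlsplit, parse_qs

# Submitted target, copied from the report's "General / Target" entry.
SUBMITTED_URL = (
    "https://www.youtube.com/redirect?event=video_description"
    "&redir_token=QUFFLUhqbTZSYWJBaUdLd2FlTTZTOGpObkhZSjJPTjFBd3xBQ3Jtc0tr"
    "VFQyRHdwa3EtTTl2VmxjbW5JZFlwaGotOXgtZ1ViaDFTakZiR0RHZlk4eHNyaUluVi1L"
    "VUNkOHI5SEx5YjNiRVhIMGlhRmlneXdKSGtSSUYwb1dBcW82WTl5M2NhRVBjUmlpVHFD"
    "WDJXNXcwV05wMA"
    "&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fw4w7jgg3vk6qb%2FCheat%2Blauncher"
    "&v=rKLwAhQYsQ0"
)

# host -> (redirect path, query parameter carrying the destination).
# Only the YouTube entries are taken from the report; the rest are assumed.
REDIRECTORS = {
    "www.youtube.com": ("/redirect", "q"),
    "youtube.com": ("/redirect", "q"),
    "l.facebook.com": ("/l.php", "u"),
    "www.google.com": ("/url", "q"),
}

# File-hosting services commonly used to stage lures (assumed list).
FILE_HOSTS = {"www.mediafire.com", "mediafire.com", "mega.nz",
              "anonfiles.com", "www.dropbox.com"}


def unwrap_redirect(url: str, max_hops: int = 5) -> str:
    """Peel nested redirect wrappers purely by URL parsing (no requests made)."""
    for _ in range(max_hops):
        parts = urlsplit(url)
        rule = REDIRECTORS.get(parts.netloc.lower())
        if rule is None or parts.path != rule[0]:
            return url
        target = parse_qs(parts.query).get(rule[1])
        if not target:
            return url
        # parse_qs percent-decodes: %2B becomes '+', a literal '+' becomes ' '.
        url = target[0]
    return url


def classify(url: str) -> dict:
    """Final destination, its host, and whether it is a known file host."""
    final = unwrap_redirect(url)
    host = urlsplit(final).netloc.lower()
    return {
        "final_url": final,
        "host": host,
        "wrapped": final != url,
        "file_host": host in FILE_HOSTS,
    }


if __name__ == "__main__":
    print(classify(SUBMITTED_URL))
```

For the submitted URL this yields `https://www.mediafire.com/folder/w4w7jgg3vk6qb/Cheat+launcher`, which is the indicator worth blocking and hunting for; the YouTube wrapper and its `redir_token` are per-video noise.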

Malware Config

Extracted

  • Family
    lumma
  • C2
    https://museumtespaceorsp.shop/api
    https://buttockdecarderwiso.shop/api
    https://averageaattractiionsl.shop/api
    https://femininiespywageg.shop/api
    https://employhabragaomlsp.shop/api
    https://stalfbaclcalorieeis.shop/api
    https://civilianurinedtsraov.shop/api
    https://roomabolishsnifftwk.shop/api
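The eight C2 URLs above are the most directly actionable output of the report. As an added example (not part of the report or the sandbox's own tooling), the block below turns that list into a host set and runs it over constructed proxy access-log lines to find clients that reached any of the extracted C2s. The log format and the sample lines are constructed here; the host list is copied verbatim from the Malware Config section.

```python
"""Match proxy access-log lines against the Lumma C2 hosts extracted above.

Added example, not part of the report. The eight URLs are copied from the
'Malware Config' section; the log format and the sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

LUMMA_C2 = {
    "https://museumtespaceorsp.shop/api",
    "https://buttockdecarderwiso.shop/api",
    "https://averageaattractiionsl.shop/api",
    "https://femininiespywageg.shop/api",
    "https://employhabragaomlsp.shop/api",
    "https://stalfbaclcalorieeis.shop/api",
    "https://civilianurinedtsraov.shop/api",
    "https://roomabolishsnifftwk.shop/api",
}
C2_HOSTS = {urlsplit(u).netloc.lower() for u in LUMMA_C2}

# Constructed sample log: "<epoch> <client> <method> <url> <status>" per line.
SAMPLE_LOG = """\
1716121600.101 10.0.0.15 GET https://www.youtube.com/redirect?event=video_description 302
1716121603.552 10.0.0.15 GET https://www.mediafire.com/folder/w4w7jgg3vk6qb/Cheat+launcher 200
1716121690.004 10.0.0.15 POST https://museumtespaceorsp.shop/api 200
1716121691.310 10.0.0.15 POST https://buttockdecarderwiso.shop/api 200
1716121700.220 10.0.0.42 GET https://shop.example.com/api 200
1716121705.900 10.0.0.15 POST https://roomabolishsnifftwk.shop/api 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).netloc.lower()
    return rec


def find_c2_hits(log_text: str) -> list:
    """All records whose destination host is one of the extracted C2 hosts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in C2_HOSTS:
            hits.append(rec)
    return hits


def infected_clients(log_text: str) -> dict:
    """Map client -> set of C2 hosts it reached. The config carries several
    hosts, so a client that reaches more than one is strong corroboration."""
    by_client = {}
    for h in find_c2_hits(log_text):
        by_client.setdefault(h["client"], set()).add(h["host"])
    return by_client


if __name__ == "__main__":
    for client, hosts in infected_clients(SAMPLE_LOG).items():
        print(client, sorted(hosts))
```

Matching is on the exact host rather than on the `.shop` TLD or the `/api` path, so the rule stays precise; the sample includes an unrelated `shop.example.com/api` line to show it is not matched.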

Signatures

  • Lumma Stealer
    An infostealer written in C++ first seen in August 2022.
  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (8 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Suspicious use of SetThreadContext (3 IoCs)
  • Drops file in Program Files directory (42 IoCs)
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (35 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
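"Suspicious use of SetThreadContext" alongside "Suspicious use of WriteProcessMemory" and "Executes dropped EXE" is the combination a sandbox raises when a loader starts a child process and replaces its code before it runs. The block below is an added example (not the sandbox's rule set and not taken from the report) of how a detection engineer would turn those individual API flags into an ordered check over an API-call trace: create-suspended, then remote memory writes, then SetThreadContext, then ResumeThread, all from the same caller against the same child. The trace record format, the sample trace and the exact stage ordering are this example's assumptions.

```python
"""Flag the suspended-process hijack sequence behind the SetThreadContext and
WriteProcessMemory signatures.

Added example, not part of the report or of any sandbox rule set. The report
lists the two API flags only; the ordering check and the trace format here are
assumptions chosen to illustrate how the flags combine into one detection.
"""
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # CreateProcess dwCreationFlags bit


@dataclass
class ApiCall:
    pid: int           # calling process
    api: str           # API name as a sandbox hook would record it
    target_pid: int    # process the call acts on (0 if none)
    flags: int = 0     # creation flags for CreateProcess*, else 0


# Constructed trace: one loader hollowing a child, plus an unrelated process
# that writes to a child it created normally (outside this rule's scope).
TRACE = [
    ApiCall(4100, "CreateProcessW", 4200, CREATE_SUSPENDED),
    ApiCall(4100, "NtUnmapViewOfSection", 4200),
    ApiCall(4100, "VirtualAllocEx", 4200),
    ApiCall(4100, "WriteProcessMemory", 4200),
    ApiCall(4100, "WriteProcessMemory", 4200),
    ApiCall(4100, "SetThreadContext", 4200),
    ApiCall(4100, "ResumeThread", 4200),
    ApiCall(5000, "CreateProcessW", 5100, 0),
    ApiCall(5000, "WriteProcessMemory", 5100),
    ApiCall(5000, "ResumeThread", 5100),
]

# Calls that must follow a CREATE_SUSPENDED child creation, in this order.
# Extra calls in between (unmap, alloc, repeated writes) are ignored.
FOLLOW_UP = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def detect_hollowing(trace) -> list:
    """Return (caller_pid, child_pid) pairs that complete the full sequence."""
    awaiting = {}   # (caller, child) -> index of the next expected FOLLOW_UP call
    findings = []
    for c in trace:
        key = (c.pid, c.target_pid)
        if c.api in ("CreateProcessW", "CreateProcessA"):
            if c.flags & CREATE_SUSPENDED:
                awaiting[key] = 0
            else:
                awaiting.pop(key, None)
            continue
        if key not in awaiting:
            continue
        idx = awaiting[key]
        if c.api == FOLLOW_UP[idx]:
            idx += 1
            if idx == len(FOLLOW_UP):
                findings.append(key)
                del awaiting[key]
            else:
                awaiting[key] = idx
    return findings


if __name__ == "__main__":
    for caller, child in detect_hollowing(TRACE):
        print(f"hollowing: pid {caller} hijacked child pid {child}")
```

Keying on (caller, child) rather than on the API names alone is what keeps the rule from firing on debuggers or on a parent that merely resumes a suspended child. The rule deliberately does not cover SetThreadContext against an already-running process (thread hijacking without a new child), which needs a separate check.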

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbTZSYWJBaUdLd2FlTTZTOGpObkhZSjJPTjFBd3xBQ3Jtc0trVFQyRHdwa3EtTTl2VmxjbW5JZFlwaGotOXgtZ1ViaDFTakZiR0RHZlk4eHNyaUluVi1LVUNkOHI5SEx5YjNiRVhIMGlhRmlneXdKSGtSSUYwb1dBcW82WTl5M2NhRVBjUmlpVHFDWDJXNXcwV05wMA&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fw4w7jgg3vk6qb%2FCheat%2Blauncher&v=rKLwAhQYsQ0
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6d1046f8,0x7ffd6d104708,0x7ffd6d104718
      2⤵
        PID:1920
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        2⤵
          PID:1808
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:548
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
          2⤵
            PID:2236
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
            2⤵
              PID:3016
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
              2⤵
                PID:4452
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
                2⤵
                  PID:4288
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4164
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
                  2⤵
                    PID:4336
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
                    2⤵
                      PID:612
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
                      2⤵
                        PID:4596
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
                        2⤵
                          PID:3244
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
                          2⤵
                            PID:2408
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
                            2⤵
                              PID:1928
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
                              2⤵
                                PID:4604
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
                                2⤵
                                  PID:3896
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
                                  2⤵
                                    PID:1360
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
                                    2⤵
                                      PID:1332
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
                                      2⤵
                                        PID:1064
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
                                        2⤵
                                          PID:4588
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7368 /prefetch:1
                                          2⤵
                                            PID:5264
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
                                            2⤵
                                              PID:5512
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
                                              2⤵
                                                PID:5644
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
                                                2⤵
                                                  PID:5656
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
                                                  2⤵
                                                    PID:5680
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7660 /prefetch:1
                                                    2⤵
                                                      PID:5692
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
                                                      2⤵
                                                        PID:5756
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
                                                        2⤵
                                                          PID:5768
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8164 /prefetch:1
                                                          2⤵
                                                            PID:6048
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8328 /prefetch:8
                                                            2⤵
                                                              PID:6128
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
                                                              2⤵
                                                                PID:6136
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9036 /prefetch:1
                                                                2⤵
                                                                  PID:5388
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9024 /prefetch:1
                                                                  2⤵
                                                                    PID:5376
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9256 /prefetch:1
                                                                    2⤵
                                                                      PID:5176
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9484 /prefetch:1
                                                                      2⤵
                                                                        PID:5168
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9288 /prefetch:1
                                                                        2⤵
                                                                          PID:5524
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9436 /prefetch:1
                                                                          2⤵
                                                                            PID:5556
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9868 /prefetch:1
                                                                            2⤵
                                                                              PID:2328
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9268 /prefetch:1
                                                                              2⤵
                                                                                PID:5240
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10188 /prefetch:1
                                                                                2⤵
                                                                                  PID:5248
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8932 /prefetch:2
                                                                                  2⤵
                                                                                    PID:5452
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6936 /prefetch:8
      PID:1740
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8708 /prefetch:1
      PID:5628
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3429581662106412005,6955082068372117935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
      PID:5052
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:4996
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:4840
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:1152
• C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Launcher.rar"
  • Suspicious behavior: GetForegroundWindowSpam
  • Suspicious use of AdjustPrivilegeToken
  PID:5724
• C:\Users\Admin\Desktop\Launcher\Launcher.exe
  "C:\Users\Admin\Desktop\Launcher\Launcher.exe"
  • Executes dropped EXE
  • Suspicious use of SetThreadContext
  PID:5776
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:6060
• C:\Users\Admin\Desktop\Launcher\dll\helper.exe
  "C:\Users\Admin\Desktop\Launcher\dll\helper.exe"
  • Executes dropped EXE
  PID:5376
    • C:\Users\Admin\AppData\Local\Temp\is-SILPL.tmp\helper.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SILPL.tmp\helper.tmp" /SL5="$30232,2101212,54272,C:\Users\Admin\Desktop\Launcher\dll\helper.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2760
        • C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
          "C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" /regserver
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2984
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Launcher\About\plugins\PEiD-0.95-20081103_ExeinfoPE\PEiD-0.95-20081103_ExeinfoPE\pluginsdk\MASM\compile.bat" "
  PID:4216
• C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Launcher\About\plugins\PEiD-0.95-20081103_ExeinfoPE\PEiD-0.95-20081103_ExeinfoPE\pluginsdk\readme.txt
  PID:5920
• C:\Users\Admin\Desktop\Launcher\Launcher.exe
  "C:\Users\Admin\Desktop\Launcher\Launcher.exe"
  • Executes dropped EXE
  • Suspicious use of SetThreadContext
  PID:5948
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:5844
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:5860
• C:\Users\Admin\Desktop\Launcher\Launcher.exe
  "C:\Users\Admin\Desktop\Launcher\Launcher.exe"
  • Executes dropped EXE
  • Suspicious use of SetThreadContext
  PID:5288
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:2160

Network

MITRE ATT&CK Enterprise v15


Downloads

• C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
  Filesize: 134KB
  MD5: 30ebdc01d3ab9fb3772445cb4a9ebbba
  SHA1: f0eee5c8a4f416673ee5a0698075c124aefc5d14
  SHA256: 0ea512eac7298ed72e8d47da4db8d73557599cd2411f69657cc374cd0704e8e8
  SHA512: 4be686006d169dcd1f18dd85b0cbf0c13e1e6cfe6ec60f9cea32ba1afae811c0dd232de2d569de164a7c5a1108960551b04c28600f8959a51fc0bded78ca3fa9

• C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSProducstInfo.dll
  Filesize: 692KB
  MD5: e867ab7faf5462d37969565962275e3a
  SHA1: 6e33c444f016183dbf24117931130eebb02bc763
  SHA256: c22d5cdca62e16567f8c130a5e9ddf7e77212904af5ae34c7888f3aac89e1bb1
  SHA512: 58710340fe2285179332bb34df544f49b54db3bf898557231c71c940b4427242f0d06e430ed25f71ced643d52d4586258830b3ed1cfc3a94eab4d9c9802c6cf1

• C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll
  Filesize: 1.4MB
  MD5: ead517fe26df369aa13cf9aa620b935e
  SHA1: 0797d65e0e90f9f2c9e6ae4a673261389aa8b2e5
  SHA256: e57e457c56447640011298bf85d589964eacdfe8125b36d6ad0f12d2ec053efd
  SHA512: 61f3cda3fc26da9b6a98c1912c3df9fce056a7cd553ca365f6992d8ee91c4be18dc50d84f2c42c498326b76f36eb7ac406d0e566b30ba1b4e3f14004e9373cbe

• C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Languages\English.dat
  Filesize: 6KB
  MD5: f49b3dc0407d545259d7518171970c52
  SHA1: 9246cda22f90d743128250ccbdbcf06929c55d4b
  SHA256: 516482b3719d639bde4e134b09e227b51610d307ea9b53c425d70bc705043934
  SHA512: 809867a7ce7d4c784de7f51f3cbd61fbd5ac724c0745a327d51887d5140f26de2815b04beea4a76ab73057752ee443b865bee0d594a81d3d8227285bf1d28c65

• C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Skin\Default\Controls.xml
  Filesize: 19KB
  MD5: 2ccd73ad418bc151d2cb71199c6b9810
  SHA1: 2c1a2e7279efdae213830bdcb592663b68c225e2
  SHA256: 2f6a09a26fcf3c420688e3a26c53b88b90554b6a5a08776d5bf341d17526949c
  SHA512: b8895bc4b2ad080c034f68584a910f41cd57bd9aed38254e2e10182fee81badf4ac5b7dabf7996f06878c5ff3f83bd2cc746406a6cbed466fb496d33981e677c

• C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Skin\Default\TipFrm.xml
  Filesize: 2KB
  MD5: 4a65425e52ccb800479f50424c368da1
  SHA1: 8adc6fd5077624cd38558ecc8194799680875b54
  SHA256: c703ea1a52f1833d2498076460ea2a920713b8af2aaaf8dba8e1d07a7435d23f
  SHA512: 2229d2eb046b8f7830b593a20f0ff59de011de9a2f8a8c818a857faac82b4748ca2b894f3a3bbe5e5151a5242b590a0ffcfc8729681cf4b9cd9a62e39fc3b552

• C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
  Filesize: 2.0MB
  MD5: fe84f125c65b81039acc9ea54b887ea8
  SHA1: 8d68d1fdd365f9fa40ef25d0ab1ead4361c7f9be
  SHA256: 546dbcc7a073099096a027efba2598b8242476a0ee20d7026ddee2251b0edf57
  SHA512: 188f81c6fe7d8839cf9b35e38512cec7ef63c1cf6a630ca5ed836023e2c1fc333a9f5dbd2446d9fa4d72f1044edbae981358062eec1951badf9626c8c7f518d8

• C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.ini
  Filesize: 4KB
  MD5: 82e3a04df52dba9bf65d0ad0f54e0a99
  SHA1: 74db555d6c6fc50143017a2e166ce27476bbbdb0
  SHA256: 193517b0756deab0c5b83d096576f86436527a52b40e02ab5fe872531a240d43
  SHA512: e5e5d203b6154756005f5f7b847f03f17c263fd08163637b13b674be9d4568245ddc8e6ef9f107ece563aea1bc43a4d3f3016caf830385a9a5724a099c4cd51a

• C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.ini
  Filesize: 4KB
  MD5: 65daaa150fe43826ca5f3038b4e5146e
  SHA1: 40b7343322b7de29f3bb9e0e3736959d26951dbf
  SHA256: 97a9f90b9185403685c46742c16daee7d4462bad70b25c68bfaa893521c0f453
  SHA512: f2b628342986f200edba1135c9ebc647ef1d8f7fed641fdbd3d5abe0a1313c4fe54ffba508fb9df612964c58541a578c144f54d63426c96912eea18079af2ed7

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\026c5068-7469-4c20-8f78-53d15bdfb305.tmp
  Filesize: 12KB
  MD5: 44bca81dc2c6e318126e3b0891d328f2
  SHA1: 8151fc901da5096eef4777a5b344c8a905a6220a
  SHA256: f36fc1b1a7d707b70f8e66f1345ab94a0dc73aa5e2718b374690a7cfa2994d2c
  SHA512: a58ffdfc0a07a257e10e4d7d1290f8c9392ff1977637118e9c4b37d5f5fc226d218cab2e8a8c20dc24dbd30efa00266f21f40a90355271e246f05ed39e4fd582

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 4f7152bc5a1a715ef481e37d1c791959
  SHA1: c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
  SHA256: 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
  SHA512: 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: ea98e583ad99df195d29aa066204ab56
  SHA1: f89398664af0179641aa0138b337097b617cb2db
  SHA256: a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
  SHA512: e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: a07b8694db5087576cd734ba110166f1
  SHA1: 80409982274c5f5bd45629e2a443076efa66f384
  SHA256: 41941ae0236811c6443f453a2662f5e8835a975fb3a9f9a92d34b1d4fd40fb7f
  SHA512: a53876d31fcab542a48ad4861152f66ccf2b20e62f61fd7ca9f26264fed9b5d372281ef1e61befd563da8b7d15585bf9c35c9615e6a2379cfa4688da8aa87733

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 11KB
  MD5: 3115a1a6df832d54012e0cf0e0eb07c6
  SHA1: fe35be51c05b2ebddb5c888f31e0cb6fd7ea4802
  SHA256: 04439f97aa51c381bdb91cbe64a393459a47964fa63f016ba2f647f7142fef93
  SHA512: c784a679ecf592e7620e7d5fe9f9cc6f58ad9567f7808606ee23d59e4d0d9999035894af3640a50b1bb456caba2af9f08180d769d390392503cf7cce1ce78158

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 588B
  MD5: 3b9ef569752cd776d12f3a04a03fa814
  SHA1:

                                                                                                          1358e5d951e6a3e2c15b9f353ee41c1de03ad2c3

                                                                                                          SHA256

                                                                                                          696f4f0d373704fc1bb899febf09d0c7831afedfb089b31fb41540f817a0fa23

                                                                                                          SHA512

                                                                                                          6d276c1503310356b0d7a53d188fc1cb3f61e490651acef1324514ac8ccd802d017983f4c4009e2a9867fc7df61a5631bf363a415834bcbc4511141d776003e4

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                          Filesize

                                                                                                          11KB

                                                                                                          MD5

                                                                                                          30c1fb90e25844afb4e2a58992c50f9f

                                                                                                          SHA1

                                                                                                          c3cbc73352e876add067fc57776694a34992b9b6

                                                                                                          SHA256

                                                                                                          dc49488806628802808dbb2203c7303cb8cadc32b68b88d2a904b3a31d569b2b

                                                                                                          SHA512

                                                                                                          ee4817b7ba8069bd6af076ae3c5a6a67e695417d6cce3158e1e249d2366d46a0f98896d06e5a7234b536ddba7064d11c80f894e9565daff8a01f5eaf15d298c9

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                          Filesize

                                                                                                          6KB

                                                                                                          MD5

                                                                                                          841b1c055f6bdb760021a06a426c1b3d

                                                                                                          SHA1

                                                                                                          58d56340c1f4c11b203d2054fc80370de119b6d7

                                                                                                          SHA256

                                                                                                          8783b78e1cb569d5284c389ea138ce9aab88f4e818228a892e48df8e7b69eadf

                                                                                                          SHA512

                                                                                                          12a3ff19636fbe57370cf6e85b0e8448be90746526f43c3fe18b22850c9df10f9640cbee23ca6b8534916d7d489b2dd2d87574579b23f9dcd08da3f5578570d7

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                          Filesize

                                                                                                          8KB

                                                                                                          MD5

                                                                                                          7c5d57eb83abfe68489c56259daff19a

                                                                                                          SHA1

                                                                                                          bbe97d56dcf600b693d6dfe1eccbfd8da0fc46b7

                                                                                                          SHA256

                                                                                                          eb92d0de7d74d366f8676ffc418f4355870081a94e2deaee42f3ae234d2bcdb3

                                                                                                          SHA512

                                                                                                          9a5375c16ea65cff5e7c5ef7a7a0d8896661530b66597363e487781931e9c7b75df933ad883c05ba3ba85d86a2c9d799e535f640734eb309a194f7a7fd980580

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                          Filesize

                                                                                                          14KB

                                                                                                          MD5

                                                                                                          c0bce2598c1b0cf51d5d5af9cec4d146

                                                                                                          SHA1

                                                                                                          5ca388dfb412ccdf65e060f89fed92b02d5a2b24

                                                                                                          SHA256

                                                                                                          ad6aa5686a5575953e4a3ca52bb4982008697ff617e59403c6033086d6362082

                                                                                                          SHA512

                                                                                                          b08dc2054b19c3c350ee3b6e439a6cd95810fbb1aeb14f4f105373d01166d6429278b295c44a6daba9479bccd8557e04f1f469e7ebd106cf1d9595a4649af18e

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                          Filesize

                                                                                                          6KB

                                                                                                          MD5

                                                                                                          45f2456dda82cdf0ed56038210365077

                                                                                                          SHA1

                                                                                                          828ff7a724ac1eee236e777d11cecd898ea73f8d

                                                                                                          SHA256

                                                                                                          9e4b3404a455e3047744a0bda70656a02faa1d1c388d13b45890d26e23c1e968

                                                                                                          SHA512

                                                                                                          83b5a8028e5cef1704d386d2bb5d3f9799fc9e5c7cb840514fb2b20f5a5815cc3459d34471bab7dbd7ae48a432940799de0567c6a602587efdd50f767cbe304d

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                          Filesize

                                                                                                          14KB

                                                                                                          MD5

                                                                                                          af0a16fd5343179aeefc48c04389eec5

                                                                                                          SHA1

                                                                                                          b65a150a7f0b03cb116335bebb08c6268f75ab0e

                                                                                                          SHA256

                                                                                                          9f04de30d98ef86e7399e9935cd0d3534757d182a03f915d3681311a9e7c1319

                                                                                                          SHA512

                                                                                                          8c4fd229d449b591951c458537b4935c6cbcf83ff499e7c809f9f9e47ecf67f2591f187f1a70ba4fd14746a2380d1ea3f67a8ffb818028a1b31ad7f63af0b318

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          MD5

                                                                                                          8100d0251f5616d0a28f5ce7ce9ec8dd

                                                                                                          SHA1

                                                                                                          7bcdd0b64dc225a451a620256959af77f6925836

                                                                                                          SHA256

                                                                                                          9f53fcc806ed8914c30178099fbd010ca99cb80753f2791b5b256d9ef65a3606

                                                                                                          SHA512

                                                                                                          783eaf50a69279d51b858b0113f2b2be190eb6de7320ec3d37adf5e7a8f5552799d178814d8d4d04c22cb1a67c15d93b1b4dde8b66a648c3500b8168206940d8

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                          Filesize

                                                                                                          1KB

                                                                                                          MD5

                                                                                                          b136570db262646b79c202bab420ed89

                                                                                                          SHA1

                                                                                                          041a251fad900dda4ee02e6b42219dde1c481652

                                                                                                          SHA256

                                                                                                          620ae4a10bc1f62d66fb4ea6e4ab899e34e8fcdf2d1bc3f3376f7df5be4b1b07

                                                                                                          SHA512

                                                                                                          520121e2a6f25e3f7086835a9f71f5249d8f021642211b9195fdc5740176bcda2e27029d2c4b6df9a1e8f578bf167b5a20c3aea0d9fb685bb0d830ad2753b6dc

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ff99.TMP

                                                                                                          Filesize

                                                                                                          204B

                                                                                                          MD5

                                                                                                          bfe840c52a02eaa3e828b8cebeed18b2

                                                                                                          SHA1

                                                                                                          877771688589bc50b19a1fb39eb0a285968ef6b5

                                                                                                          SHA256

                                                                                                          92a7c688e341dcfd18798887f8590300caf5e4024f8ee36abe89c9e69c3966a7

                                                                                                          SHA512

                                                                                                          d0666111a7764b9ac9e975c43ad4a08b912512f4ebbdf5d4ef766a9f35767eba43d7a2eb07268df564794faa4ad8655cf293310aae2b4b25d01bd4f1bbe8a4da

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                                          Filesize

                                                                                                          16B

                                                                                                          MD5

                                                                                                          6752a1d65b201c13b62ea44016eb221f

                                                                                                          SHA1

                                                                                                          58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                          SHA256

                                                                                                          0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                          SHA512

                                                                                                          9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                          Filesize

                                                                                                          12KB

                                                                                                          MD5

                                                                                                          83421e6e7517866d079f8f3c68fa3b8e

                                                                                                          SHA1

                                                                                                          92171751a4ad155e7c545b06082ca7bd39300ca0

                                                                                                          SHA256

                                                                                                          04bd6cbdab9bbc672c4ae57e77ff614661f997f0c12e04b207ce4669448c9df8

                                                                                                          SHA512

                                                                                                          041a42a8a3f6eea4ad17499f1907fe34b8ef684d935431754e357bfdbef1fd6878581204d113b1a7965e0fdf05a3ba4acc50ae2a78110dc8cf510c5be38da573

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                          Filesize

                                                                                                          12KB

                                                                                                          MD5

                                                                                                          8488df0ac2c1ccaa5b664559c4f13782

                                                                                                          SHA1

                                                                                                          4144d0a1100a4b915610644d03ab934edbdb970f

                                                                                                          SHA256

                                                                                                          593b7a43c583b7362e9cf9eeea47ce7e0b02dfb05d6af29e5316dfa8a3ae099b

                                                                                                          SHA512

                                                                                                          324f4adb38de67b64aa9187aebce92d9886bd0d786b638e37365281586e273a6925ccaad00073fe41bbf3047f1d92be8b5e17a3c05aaf29979120f2fe101e94b

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                          Filesize

                                                                                                          11KB

                                                                                                          MD5

                                                                                                          6a9adc0777d99e5a11641f9aaaa6104a

                                                                                                          SHA1

                                                                                                          173453a6a34f5b57f0d93d9a02f8f99711ac536e

                                                                                                          SHA256

                                                                                                          a7b3c8ee412e024a261b75f3147389b7944c2564e289fdb55dba20e9a028181f

                                                                                                          SHA512

                                                                                                          3d3dd43c7d7e698fb2f267c1aeea8a000beeb77b6f56d857f0507c70a01cff29bd4c09a498559c5d2bd5a2daf002a3b2b5737e4ed5ac12d1d74463a41dd53ba1

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-A5E53.tmp\KPByName.dll

                                                                                                          Filesize

                                                                                                          35KB

                                                                                                          MD5

                                                                                                          4ef13e267ebbf804dd4157b447aa7059

                                                                                                          SHA1

                                                                                                          b9507c5b02bbae456ae5de7132ebafd27206b944

                                                                                                          SHA256

                                                                                                          2476d897a6d20653578fcb98737c85ccd96a42e57f67843ffbc431c0d05909a7

                                                                                                          SHA512

                                                                                                          81df3f309b6a734fae2e824a4535d9a7251d94885593c7c37ee70853f7c721062023d0d22ba1c92845c6fd14356048478b83c132aa9cec9360690a65b74bf360

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-A5E53.tmp\TempkillProcess.dll

                                                                                                          Filesize

                                                                                                          48KB

                                                                                                          MD5

                                                                                                          2d8ef1f86c38696abef55d64942a2c4a

                                                                                                          SHA1

                                                                                                          f6710bdda76a1cdb2669f49796f6c3161a895973

                                                                                                          SHA256

                                                                                                          e6be04c390cee6b4955c8af0c78221fdea3907ca5d0fb5f4f256fe7b05e8a332

                                                                                                          SHA512

                                                                                                          f668c37d9f722ce8217b87fe6cf2183ecc16451a1402a9d8d143ceac914e7b0056cf8d6aca8f81889cb954c85f12af304efe6d5d9121d4287e47aec2b6732da7

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-A5E53.tmp\WSHelper.ini

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          MD5

                                                                                                          c3d37313bf465f6145bb6f9bd845622e

                                                                                                          SHA1

                                                                                                          1a27da4300e997e07da73f2916483862f9fe1fa4

                                                                                                          SHA256

                                                                                                          1b74775c8d88a46c6f1727029a4acbda6dd9cd1bf5298a3746ce104e0da8f8b6

                                                                                                          SHA512

                                                                                                          4e92ec23d618e8ef2559be1c5d2cb243e2eb074aad86ffb338e3584806953efdd22856847a35bdfee1aa77756dc2b34f526777bd6fedaf5e4b982391d31ad2d6

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-SILPL.tmp\helper.tmp

                                                                                                          Filesize

                                                                                                          696KB

                                                                                                          MD5

                                                                                                          8aa8c628f7b7b7f3e96eff00557bd0bf

                                                                                                          SHA1

                                                                                                          9af9cf61707cbba7bf0d7cbed94e8db91aff8bd6

                                                                                                          SHA256

                                                                                                          14d4fa3ea6c3fbf6e9d284de717e73a1ebb5e77f3d5c8c98808e40ade359ea9d

                                                                                                          SHA512

                                                                                                          5e0a4765873684fce159af81310e37b6918c923ccede0c4de0bd1e2e221425109131830cff02e3f910f15b0401ee3b4ae68700b6d29a5e8466f6d4ee1dcd6eeb

                                                                                                        • C:\Users\Admin\Desktop\Launcher\dll\helper.exe

                                                                                                          Filesize

                                                                                                          2.3MB

                                                                                                          MD5

                                                                                                          fa65a7aa5711dd8f6d16cfd45cec392f

                                                                                                          SHA1

  a88b05f1c4e3ebdd691aa8f2cded523d2f4dbc93

  SHA256: 893844308af014ec38999a21a801858e94359cb19149f64d60db29413f12ab43

  SHA512: 63d7b32a9fed13d25cdb890ff7f422622fc53933d065edd6e2e7615f4de103c60bb74dc7e05cf656c40e818ef354facd25b1156dd867e82badb33dd298c2c62e

• \??\pipe\LOCAL\crashpad_1524_HJXCGHSLPOCNTHZR

  MD5: d41d8cd98f00b204e9800998ecf8427e

  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/2760-1683-0x0000000000400000-0x00000000004BE000-memory.dmp

  Filesize: 760KB

• memory/2760-1797-0x0000000000400000-0x00000000004BE000-memory.dmp

  Filesize: 760KB

• memory/2760-1674-0x0000000003930000-0x0000000003944000-memory.dmp

  Filesize: 80KB

• memory/2760-1684-0x0000000003930000-0x0000000003944000-memory.dmp

  Filesize: 80KB

• memory/2984-1781-0x0000000000BF0000-0x0000000000CA8000-memory.dmp

  Filesize: 736KB

• memory/2984-1780-0x0000000000400000-0x0000000000612000-memory.dmp

  Filesize: 2.1MB

• memory/2984-1773-0x0000000000BF0000-0x0000000000CA8000-memory.dmp

  Filesize: 736KB

• memory/5288-1807-0x0000000000D30000-0x0000000000D31000-memory.dmp

  Filesize: 4KB

• memory/5376-1659-0x0000000000400000-0x0000000000414000-memory.dmp

  Filesize: 80KB

• memory/5376-1682-0x0000000000400000-0x0000000000414000-memory.dmp

  Filesize: 80KB

• memory/5376-1798-0x0000000000400000-0x0000000000414000-memory.dmp

  Filesize: 80KB

• memory/5776-1655-0x0000000001530000-0x0000000001531000-memory.dmp

  Filesize: 4KB

• memory/5776-1653-0x0000000001530000-0x0000000001531000-memory.dmp

  Filesize: 4KB

• memory/5948-1802-0x0000000000C80000-0x0000000000C81000-memory.dmp

  Filesize: 4KB

• memory/6060-1656-0x0000000000400000-0x0000000000454000-memory.dmp

  Filesize: 336KB

• memory/6060-1654-0x0000000000400000-0x0000000000454000-memory.dmp

  Filesize: 336KB