amadey | ac90002ec144a6c8c89c45137265a202aeef6b583cef01223b622e10b4c4b797

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c.exe
Size

1.5MB
MD5

a79cf239a470549a3b4bc72b4a7c5e85
SHA1

45ba7c2f0a6410323b89d07de10f1fda4ead5ace
SHA256

1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c
SHA512

759c0992285af843a9827e9a1f63c47b492cb8897adaeb1fdc835b2125803d000845e87e26b0e5117ccfbf09617aae388d2f683c7e72eded05a96e00dad4a28a
SSDEEP

49152:AOhpTOU8O5vOPfgJX8qsi8SlvtjITFqLcYqA857:zTdj5GXgJOi8qRIp5f5

Score

10^/10

amadey mystic redline smokeloader 04d170 grome backdoor paypal evasion infostealer persistence phishing stealer trojan

Malware Config

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1640-46-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral3/memory/1640-47-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral3/memory/1640-49-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6VS7TL9.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1240-58-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5Zt6pM6.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	5Zt6pM6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 15 IoCs

Processes:

Hb1ZX96.exefy0Ww33.exeCu7aq69.exePv0un35.exeRJ1lQ94.exe1Ot68HS6.exe2id8611.exe3LP68pg.exe4Om746Xo.exe5Zt6pM6.exeexplothe.exe6VS7TL9.exe7Ef4Ro85.exeexplothe.exeexplothe.exe

pid	process
792	Hb1ZX96.exe
1492	fy0Ww33.exe
1536	Cu7aq69.exe
2012	Pv0un35.exe
2104	RJ1lQ94.exe
4984	1Ot68HS6.exe
4540	2id8611.exe
1656	3LP68pg.exe
2356	4Om746Xo.exe
1216	5Zt6pM6.exe
4000	explothe.exe
1816	6VS7TL9.exe
4440	7Ef4Ro85.exe
4684	explothe.exe
6136	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cu7aq69.exePv0un35.exeRJ1lQ94.exe1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c.exeHb1ZX96.exefy0Ww33.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Cu7aq69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Pv0un35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	RJ1lQ94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Hb1ZX96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fy0Ww33.exe

Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 3 IoCs

Processes:

1Ot68HS6.exe2id8611.exe4Om746Xo.exe

description	pid	process	target process
PID 4984 set thread context of 4036	4984	1Ot68HS6.exe	AppLaunch.exe
PID 4540 set thread context of 1640	4540	2id8611.exe	AppLaunch.exe
PID 2356 set thread context of 1240	2356	4Om746Xo.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3LP68pg.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3LP68pg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3LP68pg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3LP68pg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4448 schtasks.exe

pid	process
4448	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

AppLaunch.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4036	AppLaunch.exe
4036	AppLaunch.exe
5020	msedge.exe
5020	msedge.exe
2544	msedge.exe
2544	msedge.exe
3008	msedge.exe
3008	msedge.exe
5196	identity_helper.exe
5196	identity_helper.exe
6728	msedge.exe
6728	msedge.exe
6728	msedge.exe
6728	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

msedge.exe

pid	process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 4036 AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4036	AppLaunch.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c.exeHb1ZX96.exefy0Ww33.exeCu7aq69.exePv0un35.exeRJ1lQ94.exe1Ot68HS6.exe2id8611.exe4Om746Xo.exe5Zt6pM6.exe

description	pid	process	target process
PID 1900 wrote to memory of 792	1900	1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c.exe	Hb1ZX96.exe
PID 1900 wrote to memory of 792	1900	1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c.exe	Hb1ZX96.exe
PID 1900 wrote to memory of 792	1900	1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c.exe	Hb1ZX96.exe
PID 792 wrote to memory of 1492	792	Hb1ZX96.exe	fy0Ww33.exe
PID 792 wrote to memory of 1492	792	Hb1ZX96.exe	fy0Ww33.exe
PID 792 wrote to memory of 1492	792	Hb1ZX96.exe	fy0Ww33.exe
PID 1492 wrote to memory of 1536	1492	fy0Ww33.exe	Cu7aq69.exe
PID 1492 wrote to memory of 1536	1492	fy0Ww33.exe	Cu7aq69.exe
PID 1492 wrote to memory of 1536	1492	fy0Ww33.exe	Cu7aq69.exe
PID 1536 wrote to memory of 2012	1536	Cu7aq69.exe	Pv0un35.exe
PID 1536 wrote to memory of 2012	1536	Cu7aq69.exe	Pv0un35.exe
PID 1536 wrote to memory of 2012	1536	Cu7aq69.exe	Pv0un35.exe
PID 2012 wrote to memory of 2104	2012	Pv0un35.exe	RJ1lQ94.exe
PID 2012 wrote to memory of 2104	2012	Pv0un35.exe	RJ1lQ94.exe
PID 2012 wrote to memory of 2104	2012	Pv0un35.exe	RJ1lQ94.exe
PID 2104 wrote to memory of 4984	2104	RJ1lQ94.exe	1Ot68HS6.exe
PID 2104 wrote to memory of 4984	2104	RJ1lQ94.exe	1Ot68HS6.exe
PID 2104 wrote to memory of 4984	2104	RJ1lQ94.exe	1Ot68HS6.exe
PID 4984 wrote to memory of 4036	4984	1Ot68HS6.exe	AppLaunch.exe
PID 4984 wrote to memory of 4036	4984	1Ot68HS6.exe	AppLaunch.exe
PID 4984 wrote to memory of 4036	4984	1Ot68HS6.exe	AppLaunch.exe
PID 4984 wrote to memory of 4036	4984	1Ot68HS6.exe	AppLaunch.exe
PID 4984 wrote to memory of 4036	4984	1Ot68HS6.exe	AppLaunch.exe
PID 4984 wrote to memory of 4036	4984	1Ot68HS6.exe	AppLaunch.exe
PID 4984 wrote to memory of 4036	4984	1Ot68HS6.exe	AppLaunch.exe
PID 4984 wrote to memory of 4036	4984	1Ot68HS6.exe	AppLaunch.exe
PID 2104 wrote to memory of 4540	2104	RJ1lQ94.exe	2id8611.exe
PID 2104 wrote to memory of 4540	2104	RJ1lQ94.exe	2id8611.exe
PID 2104 wrote to memory of 4540	2104	RJ1lQ94.exe	2id8611.exe
PID 4540 wrote to memory of 3152	4540	2id8611.exe	AppLaunch.exe
PID 4540 wrote to memory of 3152	4540	2id8611.exe	AppLaunch.exe
PID 4540 wrote to memory of 3152	4540	2id8611.exe	AppLaunch.exe
PID 4540 wrote to memory of 1640	4540	2id8611.exe	AppLaunch.exe
PID 4540 wrote to memory of 1640	4540	2id8611.exe	AppLaunch.exe
PID 4540 wrote to memory of 1640	4540	2id8611.exe	AppLaunch.exe
PID 4540 wrote to memory of 1640	4540	2id8611.exe	AppLaunch.exe
PID 4540 wrote to memory of 1640	4540	2id8611.exe	AppLaunch.exe
PID 4540 wrote to memory of 1640	4540	2id8611.exe	AppLaunch.exe
PID 4540 wrote to memory of 1640	4540	2id8611.exe	AppLaunch.exe
PID 4540 wrote to memory of 1640	4540	2id8611.exe	AppLaunch.exe
PID 4540 wrote to memory of 1640	4540	2id8611.exe	AppLaunch.exe
PID 4540 wrote to memory of 1640	4540	2id8611.exe	AppLaunch.exe
PID 2012 wrote to memory of 1656	2012	Pv0un35.exe	3LP68pg.exe
PID 2012 wrote to memory of 1656	2012	Pv0un35.exe	3LP68pg.exe
PID 2012 wrote to memory of 1656	2012	Pv0un35.exe	3LP68pg.exe
PID 1536 wrote to memory of 2356	1536	Cu7aq69.exe	4Om746Xo.exe
PID 1536 wrote to memory of 2356	1536	Cu7aq69.exe	4Om746Xo.exe
PID 1536 wrote to memory of 2356	1536	Cu7aq69.exe	4Om746Xo.exe
PID 2356 wrote to memory of 1240	2356	4Om746Xo.exe	AppLaunch.exe
PID 2356 wrote to memory of 1240	2356	4Om746Xo.exe	AppLaunch.exe
PID 2356 wrote to memory of 1240	2356	4Om746Xo.exe	AppLaunch.exe
PID 2356 wrote to memory of 1240	2356	4Om746Xo.exe	AppLaunch.exe
PID 2356 wrote to memory of 1240	2356	4Om746Xo.exe	AppLaunch.exe
PID 2356 wrote to memory of 1240	2356	4Om746Xo.exe	AppLaunch.exe
PID 2356 wrote to memory of 1240	2356	4Om746Xo.exe	AppLaunch.exe
PID 2356 wrote to memory of 1240	2356	4Om746Xo.exe	AppLaunch.exe
PID 1492 wrote to memory of 1216	1492	fy0Ww33.exe	5Zt6pM6.exe
PID 1492 wrote to memory of 1216	1492	fy0Ww33.exe	5Zt6pM6.exe
PID 1492 wrote to memory of 1216	1492	fy0Ww33.exe	5Zt6pM6.exe
PID 1216 wrote to memory of 4000	1216	5Zt6pM6.exe	explothe.exe
PID 1216 wrote to memory of 4000	1216	5Zt6pM6.exe	explothe.exe
PID 1216 wrote to memory of 4000	1216	5Zt6pM6.exe	explothe.exe
PID 792 wrote to memory of 1816	792	Hb1ZX96.exe	6VS7TL9.exe
PID 792 wrote to memory of 1816	792	Hb1ZX96.exe	6VS7TL9.exe

C:\Users\Admin\AppData\Local\Temp\1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c.exe
"C:\Users\Admin\AppData\Local\Temp\1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hb1ZX96.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hb1ZX96.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fy0Ww33.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fy0Ww33.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cu7aq69.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cu7aq69.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pv0un35.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pv0un35.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\RJ1lQ94.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\RJ1lQ94.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ot68HS6.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ot68HS6.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2id8611.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2id8611.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:3152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3LP68pg.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3LP68pg.exe
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1656

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Om746Xo.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Om746Xo.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Zt6pM6.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Zt6pM6.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4000

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
6⤵
- Creates scheduled task(s)
PID:4448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1908

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
7⤵
PID:3612

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
7⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1844

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:2576

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6VS7TL9.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6VS7TL9.exe
3⤵
- Executes dropped EXE
PID:1816

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Ef4Ro85.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Ef4Ro85.exe
2⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5285.tmp\5286.tmp\5287.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Ef4Ro85.exe"
3⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff038746f8,0x7fff03874708,0x7fff03874718
5⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
5⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
5⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
5⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
5⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
5⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
5⤵
PID:324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
5⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
5⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
5⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
5⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
5⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
5⤵
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
5⤵
PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
5⤵
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
5⤵
PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
5⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
5⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
5⤵
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
5⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7548 /prefetch:1
5⤵
PID:6524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7828 /prefetch:1
5⤵
PID:6580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7844 /prefetch:1
5⤵
PID:6588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8224 /prefetch:1
5⤵
PID:6848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8404 /prefetch:8
5⤵
PID:6884

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8404 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
5⤵
PID:6288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
5⤵
PID:6368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5840 /prefetch:8
5⤵
PID:6276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8596 /prefetch:1
5⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17136442572191724240,8467972214986850336,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4404 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff038746f8,0x7fff03874708,0x7fff03874718
5⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,17434886336678611857,13924366032353604181,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
5⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,17434886336678611857,13924366032353604181,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff038746f8,0x7fff03874708,0x7fff03874718
5⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
4⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff038746f8,0x7fff03874708,0x7fff03874718
5⤵
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
4⤵
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7fff038746f8,0x7fff03874708,0x7fff03874718
5⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
4⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x140,0x174,0x7fff038746f8,0x7fff03874708,0x7fff03874718
5⤵
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
4⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff038746f8,0x7fff03874708,0x7fff03874718
5⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
4⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff038746f8,0x7fff03874708,0x7fff03874718
5⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff038746f8,0x7fff03874708,0x7fff03874718
5⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff038746f8,0x7fff03874708,0x7fff03874718
5⤵
PID:5796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:6136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029
Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d
Filesize
34KB

MD5
8c05bb37db4b5693a243f36fd3a79e7f

SHA1
d242e3252516383272bcee7428407cb6cf0bf4dc

SHA256
7f9892ece92037cba575144370fea573a617cfd58a2112a364c468b647d6e915

SHA512
f03ee3b0a30e547c808d25620ba4a3f3cd16b6ff08161824378b57ed0f3532578381132e3661e6197f7f002da90912abd78e2e04def3a4d3228ec7812f5e083f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030
Filesize
223KB

MD5
204ee440ed54e602397e27310df3eb56

SHA1
862f9a0ad77e6cef38e7117e302207e8a6f3c57e

SHA256
5d57e352079859e3fa34abf45a8ae0c12b1d6619cc299de18236dff26492eea3

SHA512
9df48a0a03c00cf15eb7e0fb57a1beba13aebb8f67032e744cfa6cb6621b0c0f039e330accfd1d773229efaddebdc6f96a128326e315a0d7338b8fe537650eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
a16a513461ad5073e3e7084e2b621d97

SHA1
8e81f4ca859bbdace77f8808f30b76761995c6cf

SHA256
e8a51477a283b00faec3ba5993f9a07a328e0598e131d9ba0dcd6fc17a76afa4

SHA512
384f1cbdfe88c68c32cbc3ec51c765df3f182a50f57b5c95b47a4c7a6b32ebbeed08494596836f14c080d1ffb586c626bfe3ad1d47a6787efd82a54ddb9c1261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
e4af28453adffa4b48e680fd453452ee

SHA1
605b65a841c06aa01d815b54de86e0f17c6eacf6

SHA256
e7cba41cdb62f605ebec0ea8c3489d6f81555ec3253c9963178acd3a9370fc12

SHA512
82f6df7c3a06dfb514c73484be6bb0220c65af98b4c68530a5662f435e922048b86d6f3d5fe226cb065ac1beb0c75dfa1de9164ddd12479c22a8f994bb48503c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
eccdf48f18bf835851c4546855305045

SHA1
34ca844a06039acfaa05da3bd9be25c8706e5f20

SHA256
150f06ce10c0eafb5b1dd4407c4fe01a263bd4a71212d74ac5e5ffbc9b85dfb6

SHA512
6a74896e5824bc00e8a3528d429f5f0bd737c4fc256d94e01d6a99dd6e1962da334fcfb714840dbdf3c2d0f71fcf00dd4cc450bb3aa2e99b7702be8e0c354685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
f0f7891664e3add841c14dd0dfd44d7e

SHA1
1eafce3d39e4ac19b0e8f4665bc9dfba297aa127

SHA256
3c1d11a8f4ebbad15a58edc9c27d4617eb1b7cdff4812b6f0caace2c9a30b2f6

SHA512
6e09e4abfc239513ffdec21b281b4f2d748b732088c480162bd99b07f5e1b97e6d3ead5d975a20c4681e73285037468f4aaf5f411d819acbca3f4e1948b5253e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
de0290432c7b0d71039c8112d683cb22

SHA1
3d61786cddb22be8828081210fc13551bbd27483

SHA256
bebff13583881bd4e084cd4287c8e45b08a071279c7dcbf872a6aabf059db0d8

SHA512
93755e31a4e3728743083aff6f716b0ba689dcc41f93d4e76a683c8a8acb66c00c13e7590c792f1cab1a9d0eb0f0e87f96a4a65e0726c6a256948105ed685c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
83c9fddf8d6e92b417b27d8de757f2af

SHA1
c648d0d2ce112a3be216d3025e89a7e7f77d9196

SHA256
8dbf7f095f9e4880e65e4b0fccaf881edf7638c6fcb69189a139abb6e357238e

SHA512
ba507318cd37d2ceef3ab2f9307c50f42f8d95776792bb6dfc0a0a911ec60bb438f0b8fdce93ee3f2404fa549cb4ca6f439f42dc04faafddf8e3ee0fe151cbbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
ed96928099e1c248428dd158e61e8ac8

SHA1
7ccb21212ce807523990153453e5c8d1f7e97ad6

SHA256
6bbf3d47ff0d8f4e42d487cee90ad94e4c1bb4c36991ce6639a8193bef36dae8

SHA512
d374ebe971a64fdbe71b59645383f99e219ceb2cba9bcbc35b68195c912967ae5fa9398948ba4a3ed993bc5ab7d21fb2e601133eda2e0302c9b35bcee90b9e7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
4ce017e368a2f33be75bba28af313e3c

SHA1
d780157f2e78de28a6a7b7d554ad5f82d1877fb9

SHA256
84dff4bed3aa29cf14bd88057d111dd647383c02cc4a0d6a5c776f3b155bc24e

SHA512
38f1ca986ddf567559698a6afa59f8aa7f4bacc4e0d474d499d59a8cb59ed85e91f2db2441e5e64a8d194a20432a2bfb9f4be7c65ce457a88dd1bc5a06a21eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp
Filesize
82B

MD5
88784ea6d3eb481bfe4c92c5d2da250b

SHA1
2de94fdaeeb376a0b00e612757c40f6e4c8bcab5

SHA256
e5126f88eb9c57cf3466cdb5f9c08000c1b2cafead5a393ac22e670ab517a7eb

SHA512
89fe78d929ab7662a5fd4b60d799585dd2ebf9bc287ef38524f2b21bb906dee9205e84b6d07d9c3fc78a50a723f06d2ecc5d73422765fa6191e90d9f2c07aff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
78d9c856953b91c1773c133f6b28828b

SHA1
9bd2c7f32c7bdca6f090ae1d5b84a59e075ad4e5

SHA256
5fd97d4ec9b654cedfcab0b7fb593d02680fb08576c32c1ad98b3e6abce20599

SHA512
f17b61aa76061219f997c1d1f7764f811320c2b080bd5bf5752250d71b6162d67f35e14f542a9343dfd702278f2684cce87533bda709cdb813ece4841b8f10de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58460d.TMP
Filesize
48B

MD5
04025e76df4f3fa932676f97a3d7c8a5

SHA1
90ebb34732ee47867a669a0c9573e5bebfd78722

SHA256
58a582e0f25f2e39a988a545c30101b76ddd14026861a87c8d8c5f95cfb4f7b2

SHA512
9491ec25340bd613cca00a10c20b00bae88cc23394e78ef15a554aebbc216cff044ac264f0803f24229d281f8136b9fa133344552803e70b76075a044aff7830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
1e83ec570bc4882c68c20f28e7ed8c1f

SHA1
d6d534db3365ff0aea3e2607f21e1fdcb325cc17

SHA256
8a0d4c236296a2b8538f0870e97fd161180e8fa20caa1fff2237fa29f9e62aeb

SHA512
3db43ab44480a8638e24887a796bc6b755ffb205e2a806a034d17375cf8fceaac6b05f34806c39c26b2e92788d61ff17a13c01385c0b4b9662f72cd2bf559e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
52992ddaa140da0a7b9ad847cab40f3d

SHA1
28013083ca1b491defe6c594a72c26b6b3a10b3d

SHA256
bfdcce2f4b6923e330ab01e571a0115c9f15c02bfe1213ef79a68e3d3a2157da

SHA512
f929bfb730e2384175bc806fc56defc68187ba3c6fee52bef2f0662289351607940df32ff07d10bb0162c58fe33a4cd5607bc253a733c63b8d158c2ac1564224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
667d291b65cf828d390b939a29b2efe0

SHA1
4817800c9ea3dc1436863853abd238e77d929d84

SHA256
386685480e1588316e7fda8da8681f86ac12f188ea08fe396f3784c8e19239e5

SHA512
8b434e52bb0445d1272cc7b25cf72675a2d0c5285f92eb721a0ed7c24f793720add720989f80d28a799543a2d63d360e7263501372716d4f56aef45edfe6d597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
25837ced16d75f545ca494126ce68658

SHA1
a525b178b27a2e55f71298c68bdf2cef8a0773ce

SHA256
9ad90e7929aaf8d51a684cfb266b9f4e9c0ef94e06e52752f7b3fbe4856bc67e

SHA512
633e593a436d1a546aa98e8af4f8bc3490ff5d2cff7bcd3fe90119cad88a8d3cc00fe4a1876daac4077e2b51a5681de66c74a9aed418d74d8d553e8d3aabe247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ab15.TMP
Filesize
2KB

MD5
0bbc4850f6bc087453d4ae6fb53847c0

SHA1
210942a81a5889654f04218e86b92cc9a4524ded

SHA256
ad37a2f8836363037889a557368e79c46ff6f7fa26919516ce331115e111ea55

SHA512
39f819b3e68acd05b81b77de5c709f0828846c53e5ebd943d408b91c3b9b7dc22988ca2733bfb03bfdfc1c9e32c0607545b4b601f56f75cefb574750588bb5ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
c27923edf9d6b8754ffa289005f60960

SHA1
a7f493b8581d43661052bc91e1201f93cd7602c2

SHA256
1943bfa73404924a091b6eb343ad5bd7d7c254c1f84082ac7075fa8a880200bf

SHA512
f101707e3204411289247802a9eb83693fa2edd7ec71d1240f6d177590985e92ec0d1b801786cac0cc911e965852446f91a67e2f99c965cdab205ad89cf15b5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
3c404565605f53c4b09bf21191875948

SHA1
59d37235c0b1a7c08b9e18d10376481c039489f0

SHA256
b9235d171ce95a378088ee4605c4dc825ccc9fb51008914e88b51b193e3b0955

SHA512
111ce170b6a9f41a276210badc755dc21d0f3edb51ddc8107c2f1b4bd5ad252e724b486a1ee2823026691c3ca031f718c1f33e67af1fb98b2a5bcc55d3c4f15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5285.tmp\5286.tmp\5287.bat
Filesize
429B

MD5
0769624c4307afb42ff4d8602d7815ec

SHA1
786853c829f4967a61858c2cdf4891b669ac4df9

SHA256
7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f

SHA512
df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Ef4Ro85.exe
Filesize
89KB

MD5
95f4b3a36c0427c205de6941dc6e7323

SHA1
87898bdc8468a48d04b7c541d19f4589f5120b65

SHA256
348f031fdf53cf9c8136fbdbb8ff657276d5bdd3bfd0732b602f413c6be36667

SHA512
90c9cf1f3c16befd4375ee517f1d1c1e059791b8e7bf7bc1735e342ed81709f10bd2eecac14927467f68fadb2bffb772da5e308aabb4da4aa49a75b208fc47f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hb1ZX96.exe
Filesize
1.4MB

MD5
d349b1147ba61951a75f6278d9f02f52

SHA1
c8cde4be621ab6ba90fdda2b70cf5236d46e935f

SHA256
6cb98bb7185a53a4147824106238306a383b8d8a4e786ce7e14517f3b4f011af

SHA512
f253a2eaaebaadd56c1610ef1a9f1bfc5f713fb766b5ffc2b81fb0db1af17eae8c63af6d4fbf9a9d843e630ebb6efeb9146dc6221fc36f3037e935b536f2b087

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6VS7TL9.exe
Filesize
184KB

MD5
a8a4c2d1963d2f74a53e7796cc8054f2

SHA1
c1facad1d63ec1db8e34d961b9f43b37db1b6511

SHA256
368621d585a7de45bccf065be3d251e798443c823c7bc2e9330e6d98f8ed6cd1

SHA512
2adef3ef5a1569840c1f5de06438b240b99750e9bf9bef5ef809138cca907e48f397be12cf81729f735e29bf09dbf76d7cfd1873ac178fb51e01c8449f005db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fy0Ww33.exe
Filesize
1.2MB

MD5
53d8801ec99a542fafc7cdd6000913c1

SHA1
fee9027bddf783eed85cd4ac8c6468c8eb5acbd4

SHA256
7902960a71e90101e6ba31ed76b3663485abdd10d645d3363a7faeb986bd85e4

SHA512
eec628034daef4796fc22bb186f448c61f7246d297e619057234a66716cb549cf7cb878a35148ee8b2dfa9746cf70d3800ff615545bd93d6e4e93a5c186991c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Zt6pM6.exe
Filesize
221KB

MD5
f52d5ed8caba4b346a18ad7883a53f0d

SHA1
3e9304bffa2d0d447b4eb209e9b6254ee3b09217

SHA256
e774a3b5f360cacaa89f1d66cafe29ae6242f6827ef3f69f3e3f2e2691dbe0ca

SHA512
e097b9d1c11e67146df2f1a2d1a7d405dff864d5080b52d5f919153b03ef9f676461de8414f72d45bd8f603ae2065bab7c14caff1076eeac5f476b498deb96ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cu7aq69.exe
Filesize
1.0MB

MD5
0c890b71b7ab1004d113a435a42746cf

SHA1
6347046dcfa7432d73f299b8db6220808d512b32

SHA256
46fab91478d7e4ea16c69b0254be9afbe69a99935bb25daefd675b1a48be7c1d

SHA512
382d894a2f2af3e4dea40528ff1368711c15ef3b8f0ed837246643dacb32f74babbe88cf430ab083763039e98be2ee2f0331fa9eacca3d7413a0df87ab2da5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Om746Xo.exe
Filesize
1.1MB

MD5
1fef4579f4d08ec4f3d627c3f225a7c3

SHA1
201277b41015ca5b65c5a84b9e9b8079c5dcf230

SHA256
c950de6308893200f558c1d2413fa4b5bce9a9102d8b8d96a658edd8064bcf52

SHA512
9a76150ee8ac69208d82759e8bdb598dff86ee0990153a515c9cb3d92311e099e996daf52c06deb35216fa241e5acb496c1cbee91fb1c8cedc5fc51571dffe4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pv0un35.exe
Filesize
643KB

MD5
84afae48d07924f0d7b131a37ae9afbe

SHA1
6d407165ffe10030de78789d767080c5e104db4f

SHA256
befb0df50532c700b7023db0b1bfbfa0ebf463f00e738b4fd59e073007008993

SHA512
a36310443fdf62aa3e33ed1765ca8c3a13a622c7b6d8d281d6b46a56a697a73ea5b3b2074cc8d6fff82334b2d4f8f51dfe02e0d59c634e5ec8a92e2340116c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3LP68pg.exe
Filesize
30KB

MD5
983fb95a33c6e0d6b223febf315f58b7

SHA1
0295991bf3e3c450c0b2f8c443c52d44fb498531

SHA256
2d1322a46d2176aeccf477b045203b7bc52db2bd24a2310b089b63a72073adc6

SHA512
e5e9fc10deda20e0ded2738acaba078fa1540242b93dc215515d187746c58d579cfeda8586dfc064f858ba2ff9f6caa5b1c3c7a425e72bad92f4fd2cf9a03b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\RJ1lQ94.exe
Filesize
518KB

MD5
edf9b050e1b11b718b8237265b443ba4

SHA1
2013e10f52f768e76e5fb1302ad6540e8790adba

SHA256
1f9874809924fdca20623f69f91ae7cefd37e84e6b4b1647771139c1b598736d

SHA512
3990bde592207ee6159697e5a577fa147ec9b189423675cc0d3d7c898e3fe1b99a5d18b7a1b1391de7a991f765180a249df34521419dea4913a8795b30e93ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ot68HS6.exe
Filesize
874KB

MD5
9eee364499677bcd3f52ac655db1097b

SHA1
d65d31912b259e60c71af9358b743f3e137c8936

SHA256
1ba694e249e4faca92ccce8670b5d6e2a5e6ac0d1f523220a91f75aab3d78155

SHA512
1364dece0df02e181c2feb9a3b9e559662945991d3919ae0c1db2fcc091de3ceb349dcf4e4921b904e265263e6a2cca9c83a6a914ca9544850f8d2bb2fe41678

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2id8611.exe
Filesize
1.1MB

MD5
7e88670e893f284a13a2d88af7295317

SHA1
4bc0d76245e9d6ca8fe69daa23c46b2b8f770f1a

SHA256
d5e9e8612572f4586bc94b4475503558b7c4cd9329d3ade5b86f45018957deb9

SHA512
01541840ee2aa44de1f5f41bee31409560c481c10ed07d854239c0c9bdb648c86857a6a83a907e23f3b2865043b175689aa5f4f13fd0fd5f5444756b9ddfcdc2

Download Submit
\??\pipe\LOCAL\crashpad_3008_GFZBHJAICFTBOXKI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1240-85-0x0000000007FA0000-0x0000000007FDC000-memory.dmp

Filesize
240KB

Download
memory/1240-64-0x00000000081C0000-0x0000000008764000-memory.dmp

Filesize
5.6MB

Download
memory/1240-84-0x0000000007F40000-0x0000000007F52000-memory.dmp

Filesize
72KB

Download
memory/1240-83-0x0000000008010000-0x000000000811A000-memory.dmp

Filesize
1.0MB

Download
memory/1240-82-0x0000000008D90000-0x00000000093A8000-memory.dmp

Filesize
6.1MB

Download
memory/1240-78-0x0000000005180000-0x000000000518A000-memory.dmp

Filesize
40KB

Download
memory/1240-65-0x0000000007D00000-0x0000000007D92000-memory.dmp

Filesize
584KB

Download
memory/1240-86-0x0000000008120000-0x000000000816C000-memory.dmp

Filesize
304KB

Download
memory/1240-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1656-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4036-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download