amadey | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf.exe
Size

1.6MB
MD5

97453055568c0ddae722add23c1805c2
SHA1

520a1d3ecf08a765dc04394ddafec79919a37126
SHA256

f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf
SHA512

52a14c06f6b61b05db155c469bf23153188ec6adc8683acb1c76c6eb090dd50e19e8d29eeae92fd7953bd13ca9095530edd3e14936ef54fe487e80c5e84a81d4
SSDEEP

49152:xmPBfFYwWOac3d97MlGFh2c0AHs69OTryrzItwcHFwqfCtWVbIM:OnYua2EgO369OTAzItwcHF1KtWVb

Score

10^/10

amadey mystic redline smokeloader 04d170 plost backdoor paypal evasion infostealer persistence phishing stealer trojan

Malware Config

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral20/memory/2412-49-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral20/memory/2412-47-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral20/memory/2412-46-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6fL2rD0.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral20/memory/4032-58-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5Ov5Ya8.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	5Ov5Ya8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 16 IoCs

Processes:

fm2Mt27.exeFn7Xp41.exexs7ER73.exesw7ms13.exeFO8My22.exe1aZ92xY6.exe2GI5320.exe3Fi98gw.exe4fr976Ae.exe5Ov5Ya8.exeexplothe.exe6fL2rD0.exe7Cc0hf94.exeexplothe.exeexplothe.exeexplothe.exe

pid	process
5056	fm2Mt27.exe
4128	Fn7Xp41.exe
5068	xs7ER73.exe
1432	sw7ms13.exe
1552	FO8My22.exe
3264	1aZ92xY6.exe
212	2GI5320.exe
1544	3Fi98gw.exe
4876	4fr976Ae.exe
2700	5Ov5Ya8.exe
3420	explothe.exe
1792	6fL2rD0.exe
1280	7Cc0hf94.exe
5724	explothe.exe
5984	explothe.exe
3912	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sw7ms13.exeFO8My22.exef7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf.exefm2Mt27.exeFn7Xp41.exexs7ER73.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	sw7ms13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	FO8My22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fm2Mt27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Fn7Xp41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	xs7ER73.exe

Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 3 IoCs

Processes:

1aZ92xY6.exe2GI5320.exe4fr976Ae.exe

description	pid	process	target process
PID 3264 set thread context of 4984	3264	1aZ92xY6.exe	AppLaunch.exe
PID 212 set thread context of 2412	212	2GI5320.exe	AppLaunch.exe
PID 4876 set thread context of 4032	4876	4fr976Ae.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3Fi98gw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Fi98gw.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Fi98gw.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Fi98gw.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2560 schtasks.exe

pid	process
2560	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

AppLaunch.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4984	AppLaunch.exe
4984	AppLaunch.exe
4984	AppLaunch.exe
4460	msedge.exe
4460	msedge.exe
3520	msedge.exe
3520	msedge.exe
5184	msedge.exe
5184	msedge.exe
4652	msedge.exe
4652	msedge.exe
5596	msedge.exe
5596	msedge.exe
5648	msedge.exe
5648	msedge.exe
6384	msedge.exe
6384	msedge.exe
6080	identity_helper.exe
6080	identity_helper.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

msedge.exe

pid	process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 4984 AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4984	AppLaunch.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf.exefm2Mt27.exeFn7Xp41.exexs7ER73.exesw7ms13.exeFO8My22.exe1aZ92xY6.exe2GI5320.exe4fr976Ae.exe

description	pid	process	target process
PID 1264 wrote to memory of 5056	1264	f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf.exe	fm2Mt27.exe
PID 1264 wrote to memory of 5056	1264	f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf.exe	fm2Mt27.exe
PID 1264 wrote to memory of 5056	1264	f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf.exe	fm2Mt27.exe
PID 5056 wrote to memory of 4128	5056	fm2Mt27.exe	msedge.exe
PID 5056 wrote to memory of 4128	5056	fm2Mt27.exe	msedge.exe
PID 5056 wrote to memory of 4128	5056	fm2Mt27.exe	msedge.exe
PID 4128 wrote to memory of 5068	4128	Fn7Xp41.exe	xs7ER73.exe
PID 4128 wrote to memory of 5068	4128	Fn7Xp41.exe	xs7ER73.exe
PID 4128 wrote to memory of 5068	4128	Fn7Xp41.exe	xs7ER73.exe
PID 5068 wrote to memory of 1432	5068	xs7ER73.exe	sw7ms13.exe
PID 5068 wrote to memory of 1432	5068	xs7ER73.exe	sw7ms13.exe
PID 5068 wrote to memory of 1432	5068	xs7ER73.exe	sw7ms13.exe
PID 1432 wrote to memory of 1552	1432	sw7ms13.exe	FO8My22.exe
PID 1432 wrote to memory of 1552	1432	sw7ms13.exe	FO8My22.exe
PID 1432 wrote to memory of 1552	1432	sw7ms13.exe	FO8My22.exe
PID 1552 wrote to memory of 3264	1552	FO8My22.exe	1aZ92xY6.exe
PID 1552 wrote to memory of 3264	1552	FO8My22.exe	1aZ92xY6.exe
PID 1552 wrote to memory of 3264	1552	FO8My22.exe	1aZ92xY6.exe
PID 3264 wrote to memory of 404	3264	1aZ92xY6.exe	AppLaunch.exe
PID 3264 wrote to memory of 404	3264	1aZ92xY6.exe	AppLaunch.exe
PID 3264 wrote to memory of 404	3264	1aZ92xY6.exe	AppLaunch.exe
PID 3264 wrote to memory of 4984	3264	1aZ92xY6.exe	AppLaunch.exe
PID 3264 wrote to memory of 4984	3264	1aZ92xY6.exe	AppLaunch.exe
PID 3264 wrote to memory of 4984	3264	1aZ92xY6.exe	AppLaunch.exe
PID 3264 wrote to memory of 4984	3264	1aZ92xY6.exe	AppLaunch.exe
PID 3264 wrote to memory of 4984	3264	1aZ92xY6.exe	AppLaunch.exe
PID 3264 wrote to memory of 4984	3264	1aZ92xY6.exe	AppLaunch.exe
PID 3264 wrote to memory of 4984	3264	1aZ92xY6.exe	AppLaunch.exe
PID 3264 wrote to memory of 4984	3264	1aZ92xY6.exe	AppLaunch.exe
PID 1552 wrote to memory of 212	1552	FO8My22.exe	2GI5320.exe
PID 1552 wrote to memory of 212	1552	FO8My22.exe	2GI5320.exe
PID 1552 wrote to memory of 212	1552	FO8My22.exe	2GI5320.exe
PID 212 wrote to memory of 2412	212	2GI5320.exe	AppLaunch.exe
PID 212 wrote to memory of 2412	212	2GI5320.exe	AppLaunch.exe
PID 212 wrote to memory of 2412	212	2GI5320.exe	AppLaunch.exe
PID 212 wrote to memory of 2412	212	2GI5320.exe	AppLaunch.exe
PID 212 wrote to memory of 2412	212	2GI5320.exe	AppLaunch.exe
PID 212 wrote to memory of 2412	212	2GI5320.exe	AppLaunch.exe
PID 212 wrote to memory of 2412	212	2GI5320.exe	AppLaunch.exe
PID 212 wrote to memory of 2412	212	2GI5320.exe	AppLaunch.exe
PID 212 wrote to memory of 2412	212	2GI5320.exe	AppLaunch.exe
PID 212 wrote to memory of 2412	212	2GI5320.exe	AppLaunch.exe
PID 1432 wrote to memory of 1544	1432	sw7ms13.exe	3Fi98gw.exe
PID 1432 wrote to memory of 1544	1432	sw7ms13.exe	3Fi98gw.exe
PID 1432 wrote to memory of 1544	1432	sw7ms13.exe	3Fi98gw.exe
PID 5068 wrote to memory of 4876	5068	xs7ER73.exe	4fr976Ae.exe
PID 5068 wrote to memory of 4876	5068	xs7ER73.exe	4fr976Ae.exe
PID 5068 wrote to memory of 4876	5068	xs7ER73.exe	4fr976Ae.exe
PID 4876 wrote to memory of 1712	4876	4fr976Ae.exe	AppLaunch.exe
PID 4876 wrote to memory of 1712	4876	4fr976Ae.exe	AppLaunch.exe
PID 4876 wrote to memory of 1712	4876	4fr976Ae.exe	AppLaunch.exe
PID 4876 wrote to memory of 3776	4876	4fr976Ae.exe	AppLaunch.exe
PID 4876 wrote to memory of 3776	4876	4fr976Ae.exe	AppLaunch.exe
PID 4876 wrote to memory of 3776	4876	4fr976Ae.exe	AppLaunch.exe
PID 4876 wrote to memory of 4032	4876	4fr976Ae.exe	AppLaunch.exe
PID 4876 wrote to memory of 4032	4876	4fr976Ae.exe	AppLaunch.exe
PID 4876 wrote to memory of 4032	4876	4fr976Ae.exe	AppLaunch.exe
PID 4876 wrote to memory of 4032	4876	4fr976Ae.exe	AppLaunch.exe
PID 4876 wrote to memory of 4032	4876	4fr976Ae.exe	AppLaunch.exe
PID 4876 wrote to memory of 4032	4876	4fr976Ae.exe	AppLaunch.exe
PID 4876 wrote to memory of 4032	4876	4fr976Ae.exe	AppLaunch.exe
PID 4876 wrote to memory of 4032	4876	4fr976Ae.exe	AppLaunch.exe
PID 4128 wrote to memory of 2700	4128	Fn7Xp41.exe	5Ov5Ya8.exe
PID 4128 wrote to memory of 2700	4128	Fn7Xp41.exe	5Ov5Ya8.exe

C:\Users\Admin\AppData\Local\Temp\f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf.exe
"C:\Users\Admin\AppData\Local\Temp\f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fm2Mt27.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fm2Mt27.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fn7Xp41.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fn7Xp41.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xs7ER73.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xs7ER73.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sw7ms13.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sw7ms13.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FO8My22.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FO8My22.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aZ92xY6.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aZ92xY6.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2GI5320.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2GI5320.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Fi98gw.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Fi98gw.exe
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1544

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fr976Ae.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fr976Ae.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:3776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ov5Ya8.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ov5Ya8.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:2700

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:3420

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
6⤵
- Creates scheduled task(s)
PID:2560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:624

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
7⤵
PID:4612

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
7⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3188

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:888

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6fL2rD0.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6fL2rD0.exe
3⤵
- Executes dropped EXE
PID:1792

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Cc0hf94.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Cc0hf94.exe
2⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\71F4.tmp\71F5.tmp\71F6.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Cc0hf94.exe"
3⤵
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb228546f8,0x7ffb22854708,0x7ffb22854718
5⤵
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,3189984602827666328,14319810388174664188,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
5⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,3189984602827666328,14319810388174664188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x104,0x16c,0x7ffb228546f8,0x7ffb22854708,0x7ffb22854718
5⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
5⤵
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
5⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
5⤵
PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
5⤵
PID:5220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
5⤵
PID:6092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
5⤵
PID:6176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
5⤵
PID:6432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
5⤵
PID:6600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
5⤵
PID:6664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
5⤵
PID:6760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
5⤵
PID:6848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
5⤵
PID:5668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
5⤵
PID:6208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
5⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:1
5⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
5⤵
PID:6212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
5⤵
PID:7144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
5⤵
PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:1
5⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7636 /prefetch:1
5⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
5⤵
PID:2948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8004 /prefetch:1
5⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8096 /prefetch:1
5⤵
PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8588 /prefetch:8
5⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8588 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8720 /prefetch:1
5⤵
PID:6360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8748 /prefetch:1
5⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8596 /prefetch:8
5⤵
PID:6900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8472 /prefetch:1
5⤵
PID:6640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7582170400568920245,12152322673576158578,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb228546f8,0x7ffb22854708,0x7ffb22854718
5⤵
PID:1816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,6641705757022425899,14351774782365464437,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
5⤵
PID:1080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,6641705757022425899,14351774782365464437,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
4⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb228546f8,0x7ffb22854708,0x7ffb22854718
5⤵
PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,13654259263535227156,9350766265100424543,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
5⤵
PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,13654259263535227156,9350766265100424543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
4⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb228546f8,0x7ffb22854708,0x7ffb22854718
5⤵
PID:2920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,15579152150362231523,17987724977359244500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
4⤵
PID:916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb228546f8,0x7ffb22854708,0x7ffb22854718
5⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,61708373153547390,7715499849259370740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
4⤵
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb228546f8,0x7ffb22854708,0x7ffb22854718
5⤵
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
4⤵
PID:6204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x14c,0x170,0x7ffb228546f8,0x7ffb22854708,0x7ffb22854718
5⤵
PID:6420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:6184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x168,0x16c,0x124,0x170,0x7ffb228546f8,0x7ffb22854708,0x7ffb22854718
5⤵
PID:6076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:6588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb228546f8,0x7ffb22854708,0x7ffb22854718
5⤵
PID:5188

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5984

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
Filesize
72KB

MD5
e47f587733a563f8cdbbd3a827a93684

SHA1
1b08f0dcb77e69dd59ab48f8b5417a5c10bf89bd

SHA256
d390c27d2c04782586bce0b2df0c276c7338af7a7155a898299ff82079aec4a3

SHA512
b114ce251742e5919f9b73a585ae28498eb0c5509f5f453b3f028e573d5faea497972465e2688a2d0ff0c83945708d851d34bc0abaeaa7686cfeb6b9b4ce335b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028
Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
f644bdee817ace090ef5a9484af51708

SHA1
8610da9e28edd18c557f9afda43f55d3e98f64c4

SHA256
290685c5249f7bcf68552cee8b4f98f98ab91aa2d00737eb25629480f86d33af

SHA512
6d0fec81dbbcdca302f8b3d455c07f472d6cb965ba664e389f2e1aaccb44b0457518a2fd0a110277b9f2d2fc5c2337948b0c838aa713c602bfb2edd1e9fff713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
37d12a1d0993092f57f4719ea086c6e7

SHA1
7d935df92cbe6204f2fc3e4550480fbd5f36464d

SHA256
515f07969850c9ecee9b16dcaf6c41fdb580ed2d334bceb0ed308cf128524f73

SHA512
2a93c4cd97624783a5fbe341dbd62895da2d2e38270ea766d9cfb3948eab01ee5d2575036ad4bebb06bf239733992ce85169e22ba867189d0cb4bbc31a6b2248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
68f19ec73dfcee0fc508b87fabf89cc4

SHA1
72abef704ee99bbffe462e9d9770303877e77a9d

SHA256
5b3175e8320f438e1962586058eb0135b47783f56fe4ca3b7ab5c793ad8f982b

SHA512
d776ac05a252f7b41746ccbc7fc56613551fc9f6b65e55976f05d0db8f1df677c3da4428aaf8622b4549aa48fc2bee2a548688e25b71191eaf2554bf59465970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
ca26e0486c0ea0ba0d2e01e716077b90

SHA1
7e380b4d5194b8d537f446ccf3eef778bca886e5

SHA256
98e14bec24e71cfd88f995c20c3a5c4f39cc6eeaf30331bb2927796778b82b14

SHA512
b75da71d628421bea89a55b1f8aca01c72bedcac4dacaa288791596ae53135d964828e9c8b4ea3b15ea9503c5c461f2f696b0531cbde4982d308a1c1eab3a08c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
faf624180bc06b93ab7755b69aa26888

SHA1
58e870ffe2d60415cfac7670b6c6e183b204f6ed

SHA256
2242dfedfadd80e75c3723da923348515c115b49a9dd6ac92bed331da17cf74a

SHA512
2a2096b702fd40654bcf39ecffb59672257cf1c388ad921e12d4d0f603e0fa7a1993e275e5421bfbb42f7d26a790d0de3a2910670271ba3d8933ec68177c93d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
297a1625fdfc03a943754417a52d7515

SHA1
fd38d420748a952812a1d11e933e19fa901689be

SHA256
8b59f44a6e77d44a02f3bce23cc0519f7225574ff1677875d9172d3185b2bb0b

SHA512
f54a4f6c9d1e43becc1e28de61dafc62d2fe791d39279be6d1c36a4e6f40e9050fac863593dc013dafb9ef7b83bba1e78f7ce5346556ac92078715bec9e3eb49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
2fdf5096fff5586eaba29164898f96e3

SHA1
b9c32cd242c082cf49f3910547485a2a5683b02a

SHA256
72a8f6a7488876730c6e180115d16e24254969379ae9db8705cebf8fe16b9c7e

SHA512
686aef4e830ef3817553fd593b0053516d9fdbf5474c7128fe68804fca9872d4f6263155f30749775c38c3766a7d134f229754a0cad7adbbacd43475a8c9ee96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
b7cd1d29b0b97f50917e6be4cd7750a4

SHA1
045d0625312570ea983aac468f7c938194173eb3

SHA256
3bcee7086b385ff7952dd7ad9b634c0041241e7dfca60f3c6486086f3e10cab2

SHA512
5542490c5a212a07e4bd1cfa00d179adf24f276c0ccef11c61250e880f4883433834a85aec7f01c46f7d3d89a1c07ef9d6f3811f51544792f567a1df2dee9d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
3646e1860389d0ff149371331ba12440

SHA1
948b97cdf16a60bbe986550ffa17054f40d23e94

SHA256
dbac74c55505dfd09d6cc5ad7fe14759968abc93fca73000d2f943824a5a9090

SHA512
bb469a10dffb2e93c6ecbb0da636d36f09d1a7badb886be2cf76f40df62dc829b46368bcb10e0987e642721ea3e1e885af0a0f0a053224257e24ad4481fed7ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
d22d1964c78e12aa7f20a153639fbd33

SHA1
13e6e10c1f5c3bfe6e71496d79374ef2882b9690

SHA256
e8dcf03277ab1cc87039ed44e28a24464f8b76c33f3ab91a5b1bae9090052657

SHA512
7edf17856f5d53adeb44133a6309cda6923aac25157e209345d123d35e44ad89c0feddd2097c39bc672acf27a348a55f56f195e11cce1c4225b45ec72742a2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58179a.TMP
Filesize
48B

MD5
e029ab5876cf4e6198fb1745841cb363

SHA1
6346b12c402b065cfb6d6924ebf275a42bed8ead

SHA256
f4b735fcf67a813f6a7d795029baa40bd2ba9c561905b91e475a776eae4b80f9

SHA512
a2934a6f5c6eda017efb052ea0a20a588c604308e7ec33f232b0e8d28c74869e5a301c1f34775ceb4e7cc3d75a14fbeb21e2649e40cf4d129a57237565abf55d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
17e10a406d5b3f7b8d36e53c99f1a772

SHA1
902edc5f1563680fa2c34df44168a867be6da88a

SHA256
cec0a28f70dc6b6c4f1a859f82ba7fc18206965a0f17b67a8ea46645f3b30f53

SHA512
c387a6f991c1046d4873481711b90154f525eecb8da1fac96e059c2a80b481fbe234f185de14448e0245adbc7f4f04c9d61984e8e78d3bf65ee136f0c1ec64df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
fed3d8072adbf4c55b57916cc0fc49e6

SHA1
dabe335ee7fe29731143178b6bb1f45e8e274203

SHA256
5bf68ce85a8e234451696120b8cb818fe82d7acae3900aefc4406e3859107b96

SHA512
5ede3024a1eeb3c6a032e8a85817641195ff2fa873a51d28d803ce010da43e2eeefa0a7e5e27d485830d9b7d314df4cfe1ee9627960c9ca79d828384b502f353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
4fc8fc4536e6265da73d8e0d1fc33021

SHA1
c223449ec66d92ea85161ab4c1183a01e10cddf5

SHA256
219c130a31ba12233a6e008a5b16264cb6770c23ea26b8a6301de8f1bc10104d

SHA512
284707bb852f99c0283b7ad9c030cc54e4356f3f1049339d395821fb36d2ed68cae9a13e103d256b09287d0a01a5ea2d7d0243b28e9ab0cb1388477e17152d01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ccf5.TMP
Filesize
3KB

MD5
48ad56eb61fd00af0f27c83eeeb623ec

SHA1
0eb34912ff347fc9a1b90bde00141c35fea72148

SHA256
c4a358f5eb6b98f137c8eb941944908ef887034e7ef9dbb1c36d60659807e7bb

SHA512
d1d7afd021306810d79c7d1db596bd804dff9a29f61517bb094379b50bb46d9126e9ec24d577470066221ce2c393bc018a019a25ee01cae2a37e06f0dc4d4fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
4f1a558056e339fa2eb8c93a121d886f

SHA1
30f5731589e552ed08d1a1ec21a19bdd7d823d8a

SHA256
aa0999a396b7ee8811ef1c8b4f75ad781a190fc526885a5df10e074cf6db8eec

SHA512
22fce1afdda8f8a0ececbc76ff52cb4a296f9964c8181505082111846cb3179a7b23859d97b2e0f32f031ca830682c320a8850acae5fb42237295de44d2a0458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
458c177a732473095944a28a1811fdf9

SHA1
d1653e7c251d35ebc92d2a77b3a1297d26350d22

SHA256
380ffceb5a90fbd9b6a7bc99b7b5f302ea23e69e001cff349c98c337367e3312

SHA512
aeaf370248bd0e26fdef5b61dc85d5e710701e899598fbc7e9ef276f441be614f993081d33244e76c0d824af3a3d18db03abf7cb1098a8a97cc16230cef54d5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
29a5534adfd1be1d315bd2cabcff59ca

SHA1
d48257564df8c46c5f11ab5829f0a5d6c046e2b6

SHA256
c8384aaaec3b28e2b930a00b03137b31a16ef4cd2d5b658cb4e1e393533a75c1

SHA512
20193cfa0c146369ea8a8459d17761dc5065449e40dd7b52a554fcfd4e53b8cde2083d03ef645495f5085f5a168d20bef932623833b6c28f1aeb5b8e390c8af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1f51622386b206933591b109cd0dc3f9

SHA1
82d8b71c3d840d272b4bb48504ce5d72ec78ee68

SHA256
0e423484aedc11b5da0bd6b6218e2f1e90dd2a3b0fe6ea970598cbb83de48166

SHA512
16123a2d7013283b13c85098c00aff185b631055a9d1d96cc8585623d487ffe92f76376473d11445c79b124e4f84617b48712f83a7aea7ca5e02328b2f7435d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
a0721d68f8d4966a057f43774dedd061

SHA1
8463f21ae68e698962d182b8b6acc59d5b000992

SHA256
6539c9a1f4ddeac5f1dd7b48669ff79ef4574e0a9ea41ad7043bb2369203962f

SHA512
09c8ed49010d89919a1f5e4b51c27f04d4172f4d2be9336713d31d03a6c79a4599beaf8695168f6497e2cb71d0ee4b3d7b9a820f630fb5d365553e2fe47829dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\71F4.tmp\71F5.tmp\71F6.bat
Filesize
429B

MD5
0769624c4307afb42ff4d8602d7815ec

SHA1
786853c829f4967a61858c2cdf4891b669ac4df9

SHA256
7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f

SHA512
df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Cc0hf94.exe
Filesize
89KB

MD5
f7d1358824265441e49cc57790c287ef

SHA1
35ea7b34dc7b6b9af71185bcd5864d41a1eda339

SHA256
bad1b7b0b3aaf5f546c1a35c6414ee210edc33007b199c414e82111def311a33

SHA512
04023953f8d9dcf7857cc9d5619dc60283d61847473b9813e2b87fd2afff665fb63e92882421efa68177949a1f40198f571331847113ebce0cf265f1c0baa113

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fm2Mt27.exe
Filesize
1.4MB

MD5
294a4451804d6678b058f070b6ffd8da

SHA1
e3b8858713cbe47bb95717ef9d9cf224f0b7227a

SHA256
d9b240e5d10586fbe1cf650d6a0956508af28c8e13b411ede4b1a1dd9cb166a8

SHA512
47e9f03c635539decb55f9f21fcf7d491273a0068c88c445c3b8c6bdde8b5eab8f3bf4979626afd13eeb86fd39e9117f9588842376d41d2976a1aaafc5829e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6fL2rD0.exe
Filesize
180KB

MD5
e4b9fbe4d1a9dedde8898ddfb3d76b86

SHA1
d27324194479015458c25e5db1078397c99f1fab

SHA256
495cb2c53214ab4b0aa0e6992b50d43946f607a08e931ba76b0d7aef03b89382

SHA512
2b148e507e8619c15c3a3f3cfacc04af0a1451fb66a170fc6526472e0412a3178e4c30b3a8e137a91314d4c8cbe63b46c88a4e4e36eb9c97b6dc37d95fbccc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fn7Xp41.exe
Filesize
1.2MB

MD5
1c9c7e00d816af61e7c246cd9ce9df9d

SHA1
9d309d13f28d3245490b5b5d7af32da440c36281

SHA256
4e5eaae9fca41c5d13b3f3cd0131aa5c801d40403c881cfbc693e4a2daa81f30

SHA512
a49819ece21a8cf98d1ab932f1bdcf68c838a9e09b02cae05a9d9eeb19d28f25ebbd8a8f3a5c63ebccbf87389cadeb4f0a0b80105d371669c63ab4e450157698

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ov5Ya8.exe
Filesize
222KB

MD5
90a0f257b050c802c4fa016fa2afa344

SHA1
842f65b63fb44e37f1d8f7f5806ff16da63c4ee3

SHA256
5e863bc8cbe96454d05c8f715359d4a94f9ff1b9e074f309126d29948ad87b18

SHA512
66c66bc5a1066619ab46fc85cabb36f582be4b202b64fc249d1fb8f8ec85b1c44b495f493b3f2225fd1c4dc8f1ee988aedb2113623755826c40c2ecc4cbeee9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xs7ER73.exe
Filesize
1.0MB

MD5
cad932cc18758286c790d339fedbcd45

SHA1
760e58aeca7dd13ca41eeec2405b73eb896eca3a

SHA256
4025c36e9653f8864faf4202406c5ff2edb242b448b8c20f6187c5aa60f1b414

SHA512
e8301a0b52143e7cd338bdeb25abc8c582d45a54a3daa7c1c545a4a8ae52d691469c0cbeb2c88980248abc7d14851e54895d1d7c7817d8facef48f26b82acc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fr976Ae.exe
Filesize
1.1MB

MD5
dacf9ff2eac9feb8db298b8afe3f06f9

SHA1
77080003128fbf653b9a4f98023a64d628c685e9

SHA256
eea0e0f845ffe186734cefb1542f4acb294e69b2b235ae3bdbb9a5c0cb5c0204

SHA512
87d26f56341ca19167ceb792c0a18d084340b7c3a81536a126f653be980d24c30d2aaf5160d0c33ed20d1c42355e4e8a1d1f92817416ee04a29af57cfdc2b91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sw7ms13.exe
Filesize
652KB

MD5
8b0c157e0f1ca89f1e76b0dd5a810515

SHA1
1292dd0fc1967674d0cbf1b724e6cc8e07a4f936

SHA256
59cd252abca4a84f0aed547b07382468050d690e274ba3ae55590ae6fac44d3f

SHA512
58b7af5505c9e99478abbdf8e2fc8002d248366aa5ebda6a83a2c0ca6fc4da8418e1246ce0633a63567bb05d5b86d430cd6dbd07529fc960c63eb71582d913ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Fi98gw.exe
Filesize
31KB

MD5
9982e7cfcc455e1dc270de79ad3b4a82

SHA1
4cf90fb04b3dd0c92d07dbdf11312099b343bd66

SHA256
3855269be17cc0cea46419e24fd6583a76dcea6b86028847571aa7d2f7e57ada

SHA512
c9ffe5e3a8196585926c74011e0151f1cd26db961a9d09535a33ebd458f511638708b604b991d8f5ab60d0180280a812549075eddb21b6c93fde5a1e437a84f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FO8My22.exe
Filesize
528KB

MD5
b65db504831ff040a3558b52cec458e1

SHA1
32db447a4a6bf53dd0acaa4e775bac2c787f7b60

SHA256
e0ea52b548d82d63439ec3747e9a4c5e5134e6a7fb34edde6387ed432ba464c5

SHA512
43a84ed18a1be5ab4c956a7ea77e4818caf6cebf4fab4982d4879d39d01a1c2861870c41ec9254237b768decf9f8280bb2329b1b49f17e6a59ee4bcaac466961

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aZ92xY6.exe
Filesize
920KB

MD5
f4d34da1c2b6359be4c6da978b18f090

SHA1
720165d7715b05e365776b206463e808d0a70a7f

SHA256
77cc390b4f54c22a723cdf06efa486f3cf1ddfa6df1b41b3f6ab7bb4881589aa

SHA512
2ee151aefec18e860ecc5e255e9cafe681321b57b7f2b171f62a6af588a2269e858b6722be62182347cafbee0a7277a7adb11fcf69cbd9ceb2c222698a7b6e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2GI5320.exe
Filesize
1.1MB

MD5
f5406716e9c125e403bf8d4917595682

SHA1
be3bdb557fa96f8c1cbb21f397d0059158c7631a

SHA256
e3ac87f6f766b0324e78085eb60c2d0dfb96b14d2b0547803e4370488ae9240e

SHA512
51f143e577b594ff9c09bc0f2627aff3fb200abb4eb06276d2462e1ba28096c96bd0c7f267a47294306e14521e09883cfea6c86fdde045d907de38a17e9bef43

Download Submit
memory/1544-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1544-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2412-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-64-0x0000000007870000-0x0000000007E14000-memory.dmp

Filesize
5.6MB

Download
memory/4032-65-0x00000000073A0000-0x0000000007432000-memory.dmp

Filesize
584KB

Download
memory/4032-82-0x0000000007E20000-0x0000000007F2A000-memory.dmp

Filesize
1.0MB

Download
memory/4032-83-0x0000000007460000-0x0000000007472000-memory.dmp

Filesize
72KB

Download
memory/4032-76-0x00000000047D0000-0x00000000047DA000-memory.dmp

Filesize
40KB

Download
memory/4032-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4032-84-0x00000000074C0000-0x00000000074FC000-memory.dmp

Filesize
240KB

Download
memory/4032-86-0x0000000007600000-0x000000000764C000-memory.dmp

Filesize
304KB

Download
memory/4032-80-0x0000000008440000-0x0000000008A58000-memory.dmp

Filesize
6.1MB

Download
memory/4984-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download