mystic | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311.exe
Size

1.6MB
MD5

1024fec3b2cca2d8731fc254914a59fb
SHA1

45d91a792f85805515fee405c53b9981ce67fe22
SHA256

741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311
SHA512

f3aac832937c04a62f2663dfd94be4a9645fb22b522c2711cffb8e9bf91630a9f128cb26b957db21225cc88f45c093cc054ebdb2ec67e47fa5b434ce3aa915ce
SSDEEP

49152:5iYBtU/Vq+vgnB79J3elmGO/mvUkk3R9PvS:RBtU1vgB7b3TGOuveR9S

Score

10^/10

mystic redline smokeloader plost backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6rp5cy4.exe	mystic_family
behavioral9/memory/3696-49-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral9/memory/3696-47-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral9/memory/3696-46-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral9/memory/4860-58-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explothe.exe5cz8cy4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	5cz8cy4.exe

Executes dropped EXE 15 IoCs

Processes:

yL2PY71.exebr8gz24.exekU3RY73.exewa2MX53.exekq5LU06.exe1Qx01Mx0.exe2fr3266.exe3SV96sf.exe4CC512yh.exe5cz8cy4.exeexplothe.exe6rp5cy4.exe7gl3jR03.exeexplothe.exeexplothe.exe

pid	process
2532	yL2PY71.exe
916	br8gz24.exe
1088	kU3RY73.exe
4504	wa2MX53.exe
2336	kq5LU06.exe
2772	1Qx01Mx0.exe
4172	2fr3266.exe
3700	3SV96sf.exe
3916	4CC512yh.exe
2832	5cz8cy4.exe
2236	explothe.exe
3232	6rp5cy4.exe
1684	7gl3jR03.exe
3640	explothe.exe
7072	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

yL2PY71.exebr8gz24.exekU3RY73.exewa2MX53.exekq5LU06.exe741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yL2PY71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	br8gz24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kU3RY73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	wa2MX53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	kq5LU06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1Qx01Mx0.exe2fr3266.exe4CC512yh.exe

description	pid	process	target process
PID 2772 set thread context of 5056	2772	1Qx01Mx0.exe	AppLaunch.exe
PID 4172 set thread context of 3696	4172	2fr3266.exe	AppLaunch.exe
PID 3916 set thread context of 4860	3916	4CC512yh.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3SV96sf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3SV96sf.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3SV96sf.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3SV96sf.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3496 schtasks.exe

pid	process
3496	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

msedge.exemsedge.exemsedge.exeAppLaunch.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2016	msedge.exe
2016	msedge.exe
2412	msedge.exe
2412	msedge.exe
3560	msedge.exe
3560	msedge.exe
5056	AppLaunch.exe
5056	AppLaunch.exe
5056	AppLaunch.exe
5280	msedge.exe
5280	msedge.exe
5332	msedge.exe
5332	msedge.exe
1468	identity_helper.exe
1468	identity_helper.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

msedge.exe

pid	process
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 5056 AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	5056	AppLaunch.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311.exeyL2PY71.exebr8gz24.exekU3RY73.exewa2MX53.exekq5LU06.exe1Qx01Mx0.exe2fr3266.exe4CC512yh.exe5cz8cy4.exe

description	pid	process	target process
PID 1936 wrote to memory of 2532	1936	741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311.exe	yL2PY71.exe
PID 1936 wrote to memory of 2532	1936	741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311.exe	yL2PY71.exe
PID 1936 wrote to memory of 2532	1936	741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311.exe	yL2PY71.exe
PID 2532 wrote to memory of 916	2532	yL2PY71.exe	br8gz24.exe
PID 2532 wrote to memory of 916	2532	yL2PY71.exe	br8gz24.exe
PID 2532 wrote to memory of 916	2532	yL2PY71.exe	br8gz24.exe
PID 916 wrote to memory of 1088	916	br8gz24.exe	kU3RY73.exe
PID 916 wrote to memory of 1088	916	br8gz24.exe	kU3RY73.exe
PID 916 wrote to memory of 1088	916	br8gz24.exe	kU3RY73.exe
PID 1088 wrote to memory of 4504	1088	kU3RY73.exe	wa2MX53.exe
PID 1088 wrote to memory of 4504	1088	kU3RY73.exe	wa2MX53.exe
PID 1088 wrote to memory of 4504	1088	kU3RY73.exe	wa2MX53.exe
PID 4504 wrote to memory of 2336	4504	wa2MX53.exe	kq5LU06.exe
PID 4504 wrote to memory of 2336	4504	wa2MX53.exe	kq5LU06.exe
PID 4504 wrote to memory of 2336	4504	wa2MX53.exe	kq5LU06.exe
PID 2336 wrote to memory of 2772	2336	kq5LU06.exe	1Qx01Mx0.exe
PID 2336 wrote to memory of 2772	2336	kq5LU06.exe	1Qx01Mx0.exe
PID 2336 wrote to memory of 2772	2336	kq5LU06.exe	1Qx01Mx0.exe
PID 2772 wrote to memory of 5056	2772	1Qx01Mx0.exe	AppLaunch.exe
PID 2772 wrote to memory of 5056	2772	1Qx01Mx0.exe	AppLaunch.exe
PID 2772 wrote to memory of 5056	2772	1Qx01Mx0.exe	AppLaunch.exe
PID 2772 wrote to memory of 5056	2772	1Qx01Mx0.exe	AppLaunch.exe
PID 2772 wrote to memory of 5056	2772	1Qx01Mx0.exe	AppLaunch.exe
PID 2772 wrote to memory of 5056	2772	1Qx01Mx0.exe	AppLaunch.exe
PID 2772 wrote to memory of 5056	2772	1Qx01Mx0.exe	AppLaunch.exe
PID 2772 wrote to memory of 5056	2772	1Qx01Mx0.exe	AppLaunch.exe
PID 2336 wrote to memory of 4172	2336	kq5LU06.exe	2fr3266.exe
PID 2336 wrote to memory of 4172	2336	kq5LU06.exe	2fr3266.exe
PID 2336 wrote to memory of 4172	2336	kq5LU06.exe	2fr3266.exe
PID 4172 wrote to memory of 3696	4172	2fr3266.exe	AppLaunch.exe
PID 4172 wrote to memory of 3696	4172	2fr3266.exe	AppLaunch.exe
PID 4172 wrote to memory of 3696	4172	2fr3266.exe	AppLaunch.exe
PID 4172 wrote to memory of 3696	4172	2fr3266.exe	AppLaunch.exe
PID 4172 wrote to memory of 3696	4172	2fr3266.exe	AppLaunch.exe
PID 4172 wrote to memory of 3696	4172	2fr3266.exe	AppLaunch.exe
PID 4172 wrote to memory of 3696	4172	2fr3266.exe	AppLaunch.exe
PID 4172 wrote to memory of 3696	4172	2fr3266.exe	AppLaunch.exe
PID 4172 wrote to memory of 3696	4172	2fr3266.exe	AppLaunch.exe
PID 4172 wrote to memory of 3696	4172	2fr3266.exe	AppLaunch.exe
PID 4504 wrote to memory of 3700	4504	wa2MX53.exe	3SV96sf.exe
PID 4504 wrote to memory of 3700	4504	wa2MX53.exe	3SV96sf.exe
PID 4504 wrote to memory of 3700	4504	wa2MX53.exe	3SV96sf.exe
PID 1088 wrote to memory of 3916	1088	kU3RY73.exe	4CC512yh.exe
PID 1088 wrote to memory of 3916	1088	kU3RY73.exe	4CC512yh.exe
PID 1088 wrote to memory of 3916	1088	kU3RY73.exe	4CC512yh.exe
PID 3916 wrote to memory of 4860	3916	4CC512yh.exe	AppLaunch.exe
PID 3916 wrote to memory of 4860	3916	4CC512yh.exe	AppLaunch.exe
PID 3916 wrote to memory of 4860	3916	4CC512yh.exe	AppLaunch.exe
PID 3916 wrote to memory of 4860	3916	4CC512yh.exe	AppLaunch.exe
PID 3916 wrote to memory of 4860	3916	4CC512yh.exe	AppLaunch.exe
PID 3916 wrote to memory of 4860	3916	4CC512yh.exe	AppLaunch.exe
PID 3916 wrote to memory of 4860	3916	4CC512yh.exe	AppLaunch.exe
PID 3916 wrote to memory of 4860	3916	4CC512yh.exe	AppLaunch.exe
PID 916 wrote to memory of 2832	916	br8gz24.exe	5cz8cy4.exe
PID 916 wrote to memory of 2832	916	br8gz24.exe	5cz8cy4.exe
PID 916 wrote to memory of 2832	916	br8gz24.exe	5cz8cy4.exe
PID 2832 wrote to memory of 2236	2832	5cz8cy4.exe	explothe.exe
PID 2832 wrote to memory of 2236	2832	5cz8cy4.exe	explothe.exe
PID 2832 wrote to memory of 2236	2832	5cz8cy4.exe	explothe.exe
PID 2532 wrote to memory of 3232	2532	yL2PY71.exe	6rp5cy4.exe
PID 2532 wrote to memory of 3232	2532	yL2PY71.exe	6rp5cy4.exe
PID 2532 wrote to memory of 3232	2532	yL2PY71.exe	6rp5cy4.exe
PID 1936 wrote to memory of 1684	1936	741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311.exe	7gl3jR03.exe
PID 1936 wrote to memory of 1684	1936	741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311.exe	7gl3jR03.exe

C:\Users\Admin\AppData\Local\Temp\741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311.exe
"C:\Users\Admin\AppData\Local\Temp\741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yL2PY71.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yL2PY71.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\br8gz24.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\br8gz24.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kU3RY73.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kU3RY73.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wa2MX53.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wa2MX53.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kq5LU06.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kq5LU06.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qx01Mx0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qx01Mx0.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2fr3266.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2fr3266.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:3696
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3SV96sf.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3SV96sf.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:3700
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4CC512yh.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4CC512yh.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5cz8cy4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5cz8cy4.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2236
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3496
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:3148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6rp5cy4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6rp5cy4.exe
    3⤵
    - Executes dropped EXE
    PID:3232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7gl3jR03.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7gl3jR03.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4277.tmp\4278.tmp\4279.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7gl3jR03.exe"
    3⤵
    PID:2796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcd8a346f8,0x7ffcd8a34708,0x7ffcd8a34718
        5⤵
        
        PID:2360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        5⤵
        
        PID:4316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:8
        5⤵
        
        PID:2312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:2268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        5⤵
        
        PID:3496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
        5⤵
        
        PID:2240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
        5⤵
        
        PID:5340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
        5⤵
        
        PID:5564
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
        5⤵
        
        PID:5592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
        5⤵
        
        PID:5852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
        5⤵
        
        PID:6020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
        5⤵
        
        PID:4680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
        5⤵
        
        PID:5820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
        5⤵
        
        PID:6116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
        5⤵
        
        PID:6180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
        5⤵
        
        PID:6316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
        5⤵
        
        PID:6352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
        5⤵
        
        PID:6488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
        5⤵
        
        PID:6672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:1
        5⤵
        
        PID:6808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
        5⤵
        
        PID:5732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7848 /prefetch:1
        5⤵
        
        PID:2656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7600 /prefetch:1
        5⤵
        
        PID:2244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8128 /prefetch:1
        5⤵
        
        PID:544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
        5⤵
        
        PID:2996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
        5⤵
        
        PID:6584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
        5⤵
        
        PID:6588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3980 /prefetch:8
        5⤵
        
        PID:2216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
        5⤵
        
        PID:6492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6048450851278179118,931481743731959500,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1284 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:5040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcd8a346f8,0x7ffcd8a34708,0x7ffcd8a34718
        5⤵
        
        PID:1628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16401324130166488904,14391603518045927080,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        5⤵
        
        PID:4444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,16401324130166488904,14391603518045927080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:4700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcd8a346f8,0x7ffcd8a34708,0x7ffcd8a34718
        5⤵
        
        PID:3264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1560,11177529205564264455,8521218944880301375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
      4⤵
      PID:1536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ffcd8a346f8,0x7ffcd8a34708,0x7ffcd8a34718
        5⤵
        
        PID:996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,14772791794549153767,11394383173299093439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
      4⤵
      PID:4956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcd8a346f8,0x7ffcd8a34708,0x7ffcd8a34718
        5⤵
        
        PID:5068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
      4⤵
      PID:5740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcd8a346f8,0x7ffcd8a34708,0x7ffcd8a34718
        5⤵
        
        PID:5760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
      4⤵
      PID:5840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcd8a346f8,0x7ffcd8a34708,0x7ffcd8a34718
        5⤵
        
        PID:5868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
      4⤵
      PID:5300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x14c,0x170,0x7ffcd8a346f8,0x7ffcd8a34708,0x7ffcd8a34718
        5⤵
        
        PID:5576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:5560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x8c,0x78,0x80,0x88,0x14c,0x7ffcd8a346f8,0x7ffcd8a34708,0x7ffcd8a34718
        5⤵
        
        PID:1116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:6008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ffcd8a346f8,0x7ffcd8a34708,0x7ffcd8a34718
        5⤵
        
        PID:5360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:6488

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6552

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:7072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2463467d-8b57-475b-b639-92557aa0f810.tmp

Filesize
8KB

MD5
0935914d730b6700b1977224540c7e6a

SHA1
437737d72a8c5e8f71b1da12cab4070a86e39bdf

SHA256
5f3dd2fd99a37225053cda424c388459e1d64eea114a6ffba0a08e2905da3785

SHA512
ffd97960247a72e39456cf99bcec1c290392fd9994844df0e3834bcbdd03569b352ae3a8bf73d81ae9d4b119c0a958a4738c34ead27f5bfc7e83e89671e0d8ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
1dbb67bf6e130710bf5c2c1db4ede75c

SHA1
726d5a12cb5df9caa488232ee9f07483c5342573

SHA256
4c0c96515cb4aa94099fea0c817f4933bb47abeb4deb0193b12ae14bfa741bb8

SHA512
bbb1b9ad64e5278d20a9c837ea032e5ec172aaa877f919c17b17597f4188343d01024f7cb41d7bde72107418997aecdfa58696b2903879418811fe61a04c65d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
ecf405fbea050e3742e917f145043e5d

SHA1
6f67e8d8aad7f7021ed814289c7b144596e59fb0

SHA256
be6e43d50694d370b87fbd0505b7e26f21dc49a717fbc1c274ef2539b7f61d84

SHA512
5dba525163775f9d88c91126f8c35538d9019452a514c86604dfbc21d95da4abf93b4a6f56d239d5908aa4c6fedb75544f12a2f2eaf7588ce7a16d80b2170083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
fb4538b8fcf2741fcf4414ed7f928d3e

SHA1
2057258783abefbfd9c46dfb29514588871011df

SHA256
6f756886c682c1605f0e5bdc5ef9a90afc2cc9e5bdb7de42110a14a1b4128cc7

SHA512
f9059b37583a08fb60a21ac47478d51fb281f6a2d4258f294d74946aeb45d036e8e6e5b2aed6d373a28714a0961a4c1b2e8ab2123424c65a28da3aef29343a6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
deb8e7bdd96163a27ea27bdb1cafaaf9

SHA1
310383e44e791d2ec1d70aace20dc6f35e3e68d6

SHA256
7ae6a2d03fa88a9f898679bdf276255dc7f82496fb5fcd91f7f708046d85a161

SHA512
1c67c0fc0895368dc756919e9d726bdf7df94d6b476eb7b83a59c59e78a465509c8818ee77435fb68b21a6c87dd33c1e045588e966ec0a60bf6c572373fab21e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c50d0e7c5eaf974af088dbaab6c6e789

SHA1
a6209e6c4f6c2716ec2acdcbea4536d0d11eb1fc

SHA256
de445b6f46ec428a41c06480c78e6c064cf176abc5cddf1cc635c92bf63d910a

SHA512
bcd04d68497c717241a1e0fd3257639223b1fb796df35477f302e75ee7571c4f598e85702382ccaeabf6cea7afaecd37747837e2366135120cd65731be009952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
19eb7f21c88f7c5d342459e32255c40d

SHA1
46db24cbdebea50ece58ff06b4d87874365a0b26

SHA256
5509ea2195ed258105feb1d1277e3074d9f4105087a682b52c2f7b51e628c77f

SHA512
b6a3b7373742b9a41bfc79fcf7922b86f0253aecc79a5001fd9488b3da3241e373165be6184445a2f17a7fe074ddd7363e0b8ffa087bba148391010785118fc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
175161bf6832cf6f84121f02ab1d3a8c

SHA1
c8829eed9d3e20ef62ded3771b67f0267784fc78

SHA256
4e4c01a6c8c9c6f70a1f9f8c06d1bc7d4ac728e5e7e85b70341f005f3fdbd69f

SHA512
171ff4b57107ac2af5ec0b8131ce9230e7cc197663aefe76f8f050f47c0933373121498d9f429a67ac2c16e9698ed2751fb91aea4eb5b55b0b36beeeb426e4bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
c1b75d86a5962511ed8c63c36fe33814

SHA1
cc6e9024aa9832e836478673837d2f54a946425b

SHA256
24b37682ca38c1819475a75f00cc7020beada9d98f09e6ed66718d7bee4f4aa5

SHA512
bb65b059b87c6c4761881f3b6d54a2a28c73ba807726812951d82aeb3ff22547430410b3a6b35a685a5395f501e6b5e842e85f0182f3069ea4a8729a2d122a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
d1f21e6bd1cf5151dcbc3eaf506d7e14

SHA1
fade423640ad08eb17dcfef8affa3053fee7ecb7

SHA256
3370ac2004c3195cc01ca9d5c6fa2b8fc4f872b5b9643368f9d9caf25e7424b5

SHA512
a8d0c10745a19495452bd780a06a206a8e80775932856cf6a148398440549d908268fb4d6402845a64f836022e613b8fb5cfc51a52411efd5c719b1189837b57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a649b7138a46d91a0c6b69ef026b2622

SHA1
8e19657a374be0a0395498b861b9618986f0e5f4

SHA256
769bf821f5d30e295ae56b7c2cacf0911897e62ccddd4e05f1c43e1537c43fd4

SHA512
d65cc4ac46999ad9d5ec80ffa9a15b32a29ac37ea537c8abfdd1a86d5423aa6f41f120a9fade2ac8a8280698c184bb4967db3165ca19196fb4a67a9f55b94ea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
d1e091c40c6677f0fde68ef4ffe2901f

SHA1
5d01a5cd210c23ddcf2e513bd11760ec0868a550

SHA256
32f0ca213052bd94353abd35218d0b71023a177e2125a09aea844400c45f9116

SHA512
cffbf60f6a6639bfe43d27cedad80cbf38349fbc5e9439d41f9ce04563d4ff83f040e589be1ab2966a22dcfeaaeff1268e7e8196c7c531886e9812af24f2fc09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
355a8fc3728881da483c38214ca023c3

SHA1
e01dedadcf89cb2f15a5c1381aa19225377c5734

SHA256
dcff986ed2f78b8e4cbb418cebc483373ad92fb86c1638f591e639afbb841428

SHA512
16f8c8a9a55eee203df853a96ef06fb4e0149d99f0a3961fda6a5f7aec0e909c6a391467e3f5a2013d286820539846c1d09317ab66a8433270df94203d00cdf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ec35.TMP

Filesize
48B

MD5
9e17e12c24efc493830a501468e2b27e

SHA1
3913fb449f79b8a452df575811038602a6797747

SHA256
87dfdd675c9c0ea9e47bfa372218c7abbf66ab626f89bfc38ba339785803378a

SHA512
f4840d0329e0b1eacbc461bc79fb42310a426000e03667e83dcca8a410cacb36c8cc2daa5fb3301405570effe99d5cf57da4889767b3b4600ee68f26e6a389b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
68c9bca34849ffd8bbdf7bf7665ccf95

SHA1
0110ccb3737590d649f6e67ac68dd15a7178d315

SHA256
a7fca5ab8aa9e4c3c33acfef368571143e34a13b3315984e4c2b4a00cb453a22

SHA512
f965ac6b965cd8214978c614913ad5c6e8e1cef11df5ec384d895933d25531109c90c58e8e01bd7d315e3ff23636c38f3ec72e990018404106fedbbbbd6c98ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
91693ed16e16aca40878573aa153309f

SHA1
6c3b279210062bc6f3cbc40b7d118b9a768a7998

SHA256
854a9e270c1aa43258b5146cdd2b73472b08b5631aaf2479019965c297fbd033

SHA512
bdd1fc35d7964aa241b50f4bc78a73e0639457c4e8eb3079269ed6eb2d8ebada7e551e2a746de8835ea9178b501841f01ec921c8da3d65c5e8b90e3b03045e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
2efe894acdf2d8611607e6b63cde9f42

SHA1
247edcbf2c65d83377d1aa364fee5f09d7879b83

SHA256
641592457b44468b0d8a5acbe72a3a05f5a3ac37e873beaf4041f45c990d641c

SHA512
670403b2748a2f2e15618fb51dd33949b8c78d9213df0e85fcba5f14beacc5ff8ce49264fbb7dbee1fb33a22fbf680fa82e97ac6d6c9812a51e0192cd53c5cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
d659b4e708d6be7f9e715bd4773c5bf9

SHA1
22f18662ace304ba6eb2a6504ebd86da943c707c

SHA256
975d3c62c791422f5c64b71f719713b72523f2dd9d25914baa3ff04b305ce84b

SHA512
bbd780091fdc31e7b302478d2aa4f030d80c0af3a46f880c47208eeeacfeebfae836080ebcadb59cf06f3d3201f244102dbd78f641b7a025d4c85c171b623cad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5798c5.TMP

Filesize
4KB

MD5
7c74fdff80ae04a9460832fcbc5a21de

SHA1
6cd3409731b5f1c8573914cf9a3579b8818dee4b

SHA256
bafdded044d8a62495548a72ef7967e10181913d089e02dcc4f710971ed29f9b

SHA512
842d35636b8dd881b074f73c3953164b49e4017246f5bea14194af0d8256fb3ae6649b09bb8205665f104330f3f516ea9549741aa0e9baf70df5c2d6db481a4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9ba61554c411f25698c35847f7e3f853

SHA1
7dbbbc255188089129ac3c9599fbfb63d5041a0e

SHA256
fee40d229219ec78ea87495b1572c647aef7c105ac2309fc478b9ca9b842b4c3

SHA512
1a2416877c75e3e12d4dedaab83faa278d4baabe17a53b6d2dda0124ef3e4decbbafd7f181f6455bd7dad2b95cd6192b85216b0f552491c4794c48d2e043b3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
979ec2a2603df00039dae05859118978

SHA1
457cbee3303c1a3feb501ac5585fd357b3786a4c

SHA256
708cbc412defff4f0211a2a4bc7356c4912f22056160620ae8cfaeccbecf454c

SHA512
c7d95780419fd2a8285254c7937f48c4f7501174c4bbfc495a091ef9a5a693b3215ba0151e77abc02f17b7c0e696ca2415f55ef6f76a69593d7bd525444fdc74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
48c295bd90cfed6d678152738a3b8a67

SHA1
a3f5b7795d64fb67ef3c6859d2c1c87e1690f456

SHA256
88cabd97b677dc44774e95a73e0effe080d3bff6a29610d60f8fc60a5968c437

SHA512
d1de5ad6bb16d566ea7a5a8ad31f013eb737ab2dda50ae1d5665cb48c0497ab72566a9314c3b21fcbcf5b7ed378dbd45802e902bf91ffd93ec4d480a9b4c9c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\4277.tmp\4278.tmp\4279.bat

Filesize
429B

MD5
0769624c4307afb42ff4d8602d7815ec

SHA1
786853c829f4967a61858c2cdf4891b669ac4df9

SHA256
7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f

SHA512
df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7gl3jR03.exe

Filesize
89KB

MD5
851b768fb3c6d3353b20d53b3b7645a0

SHA1
a9f1ad23c902d1851c7202490a5fd3f079487efd

SHA256
db097eea99475562b72063d5086ae8ae422e0b36efadfc8500fdb7d48a7cbd3e

SHA512
4fd121ac6fadc8c8d3502b19a1ba5a649dc827335f7b4dc923a671e99213df3acf0de9f7810465ade2b24530d98e25f8b11a1c872a47c137899c0a542c7b8c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yL2PY71.exe

Filesize
1.4MB

MD5
61e2e5f4b903e00beeab2bf5e9ea92c4

SHA1
5da15d550962eb5c7d85e4776a76568ac6414114

SHA256
56f316398edc70d0afa9a21e4610ad7f02ed833685abe309e883e7bcd33a7a38

SHA512
4f85a1e7334e3e0dc17d5ac8dd687f75cf49e1d63224ec202e3e00df04d9931f72d866e464a316dbbc3cb5a194bc70939937b96528fa7e0e948b5cb5747c9fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6rp5cy4.exe

Filesize
180KB

MD5
ff84603810c9163427bbe3a054b0e7d7

SHA1
ba890071b92211f7392eb2f0976434c703b7ac91

SHA256
11fc663517f57b6658b59cde223fda5fe7811c17f9169a7d8ad9bb24209818de

SHA512
e6a4a04d707403faa442fa31511108ec68f4cf21fd76814375dbabb51f137d2e7105f8162e0c0ac0978c7e1d817208beb32bdc77cbf029905f54907693c477fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\br8gz24.exe

Filesize
1.2MB

MD5
e44a00af6c281799e7605fcf3d5a1d80

SHA1
3f0dca3fe7748e059492b84df6f0346a8a10675f

SHA256
aedf5e406b540f47d076a8c52514209ac8b3c663308078a462f56a36e60970d9

SHA512
352bc13184ef9bf12d15b1531c0bacb144fbcdfa0c590badf8fb40723a4ce8fed30d21fa959f0a79f25e71b00eece17e5b486e9bb0759357da22d7680dfd16b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kU3RY73.exe

Filesize
1.1MB

MD5
9769d3a41157c2b479094703faed91da

SHA1
51df6f2b1055d755a9cf6a87fc2d6269bde2565a

SHA256
9693e32d5122fbe1f9a608d479a80dea851aaa17f62097d15013c66e2be2d164

SHA512
3d2c2a884225df103011d0e6f949177f418c2ec22cd5fd253f6fe5534c14e0b9f33302644f823a01b5926bf2c849739ff506b05adc6030f6d705a274b89546bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4CC512yh.exe

Filesize
1.1MB

MD5
99f2447d59e3a6887c0ecd4f8b5a245d

SHA1
0b5d34a85f659247d5c2ae662d59941c8f276900

SHA256
8e26541508017b06518f60a95f0e467f2a4f0e7d89aa1110d9332ece61a1f3e5

SHA512
0a8a6e2e86c19c6540162f9530553e52081697a2364a62e324a2cbde366d36277ba950c424ef3db0e6e06b1da06151424e0b1947cab85634f65a7472a4348127

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wa2MX53.exe

Filesize
657KB

MD5
21d90ef6156a2c4d39391a7060f5eb21

SHA1
473e5a5e880010faac38f7e43df21b41cda935fd

SHA256
c831905c1cd0775272ae34ee6dbea0630cf72078eb06fd49edd3137a7d1e18fc

SHA512
a6cab78caef61789b3faec8a7f1693d18a8f201706d3ba17192d0e25409665fd3c03b3f92c88645ae108484778fafcba06009f4bae0fc2231a1bd742c79b1bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3SV96sf.exe

Filesize
31KB

MD5
65c5be4b1f3cc7a618cc193c2d7c7d36

SHA1
32837518db4e939ebaa1a5f01e4423d3334acf20

SHA256
b548cd343120646abfb90a0d286e440b4935c9e050a9f6dbcf87c9d94cd659ab

SHA512
ca5f59ad66a015110272bfa816c79d4f0051a8037df6bec3a3df83c69b2a5287bf9b8332115e61112ee31979037f5e6c32e1b2273f8c9633604d3937d05ee153

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kq5LU06.exe

Filesize
533KB

MD5
76385c1be267da516b8569d2c5989613

SHA1
d970d417dd4bda49c21fb66738dc60a52f8aa30d

SHA256
1e7cc733c156d62c53f393d4fb63f53289c67e8f6755dd06ede4f165ca78348d

SHA512
4cb5095594d8948e280e2d301f8be6eb30dbeccd5b7a233a9ee51835f5759d1d3309440208d69a51918dc4e4e968b2b13bde6c7ff25e383ea15449527cc30278

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qx01Mx0.exe

Filesize
920KB

MD5
89162a3e466506d160407bdb07acfdd5

SHA1
f2914930931a1d86a111a3d965f04fd72df52a25

SHA256
04a38ae527de0436c802118130b6cd259fed5e8cf93e6bf7b671270c24400607

SHA512
4ab14be43392aba149d84203ce5a6cf2a3922d25f3844d963848621caa2e1fc4a0cc69e4c8cc7f33950c810e9e54be75af28e97f54db9ba563a7d2fb0ffb1fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2fr3266.exe

Filesize
1.1MB

MD5
eaa30d1a67e41afb9b8492e9de6259c1

SHA1
66be9dc8cdaedd6094bcda88ecf9b28b231e2f95

SHA256
7a7674661748ca4615d78527bdf95017983ff93a3ef733d2bcb0baedddee7fca

SHA512
2a36ccc302480a3c8c52049db077abdbce3996d05ee8f534ceb12b404ccf10d413887f9107e9926a9b1b2db163d690435482f0939a2ba8cf8babce6e83efe068

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
93ac4d43dfaaf7505fd334af924c808a

SHA1
15169897b8558f8dc60d4f7a5c58b3e29053b7f7

SHA256
f29bdfc686b12c441c119d68aa89f4819b259ac22e4a2bbbcd4fb908c1097e6d

SHA512
096ee01ec0467d92a1aeb6d797ab8d9f1e13734b52cd77f6139ccc111082595b46153b886946fef15eeb2cc453a3a726f822e3d533b681638673668c70599c95

Download Submit
\??\pipe\LOCAL\crashpad_5040_LDEGWPOVMVAMCDTQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3696-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3700-52-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4860-78-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

Filesize
40KB

Download
memory/4860-82-0x0000000008920000-0x0000000008F38000-memory.dmp

Filesize
6.1MB

Download
memory/4860-84-0x0000000007A90000-0x0000000007AA2000-memory.dmp

Filesize
72KB

Download
memory/4860-86-0x0000000007C80000-0x0000000007CCC000-memory.dmp

Filesize
304KB

Download
memory/4860-85-0x0000000007AF0000-0x0000000007B2C000-memory.dmp

Filesize
240KB

Download
memory/4860-83-0x0000000007B70000-0x0000000007C7A000-memory.dmp

Filesize
1.0MB

Download
memory/4860-66-0x0000000007890000-0x0000000007922000-memory.dmp

Filesize
584KB

Download
memory/4860-64-0x0000000007D50000-0x00000000082F4000-memory.dmp

Filesize
5.6MB

Download
memory/4860-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5056-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download