amadey | 3c91163ea40ad7e35bac48ded16235cfe9003c914f570e27b4e2d7b3c9c46c05

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe
Size

1.2MB
MD5

bee9d99ecef94f358964129388df01b0
SHA1

828bcb3d3ed8de9b20d11206b81c837781695348
SHA256

8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b
SHA512

d437f45bc4606f0b1ef8146fb59b69dfe5e0d2bc234b1ba15761e533fbb2e8d5b62c6e865994ad338e69f81716b9ceab4d6a9c8c0d71f454514e607642727e55
SSDEEP

24576:VyGLW/wF2kZsHM8n7mQ4B6kAyQgNROuaNpszalvbF/Tm46Kp0Jkpd:wGa/CxqHJV4B6kAyQYHaNezqp/S46Km

Score

10^/10

amadey mystic redline 04d170 daf753 frant evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

frant

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

Botnet

04d170

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

daf753

http://77.91.68.78

Attributes

install_dir
cb378487cf
install_file
legota.exe
strings_key
f3785cbeef2013b6724eed349fd316ba
url_paths
/help/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral12/memory/1040-70-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral12/memory/1040-71-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral12/memory/1040-73-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

1SX75WI3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1SX75WI3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1SX75WI3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1SX75WI3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	1SX75WI3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1SX75WI3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1SX75WI3.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral12/memory/4356-76-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4NT820Hf.exeexplothe.exe5Vj9yf8.exelegota.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	4NT820Hf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	5Vj9yf8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	legota.exe

Executes dropped EXE 18 IoCs

Processes:

Ft3oe86.exepl2vN14.exerr3jV75.exepX0WF76.exe1SX75WI3.exe2Px02xd.exe3es9218.exe4NT820Hf.exeexplothe.exe5Vj9yf8.exelegota.exe6Fn7yT90.exeexplothe.exelegota.exeexplothe.exelegota.exeexplothe.exelegota.exe

pid	process
1104	Ft3oe86.exe
3064	pl2vN14.exe
4708	rr3jV75.exe
2680	pX0WF76.exe
2804	1SX75WI3.exe
4260	2Px02xd.exe
640	3es9218.exe
4940	4NT820Hf.exe
4892	explothe.exe
4808	5Vj9yf8.exe
2384	legota.exe
4428	6Fn7yT90.exe
5420	explothe.exe
5444	legota.exe
2420	explothe.exe
5468	legota.exe
3112	explothe.exe
2456	legota.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

1SX75WI3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1SX75WI3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1SX75WI3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rr3jV75.exepX0WF76.exe8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exeFt3oe86.exepl2vN14.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	rr3jV75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	pX0WF76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ft3oe86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	pl2vN14.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2Px02xd.exe

description pid process target process

PID 4260 set thread context of 1040 4260 2Px02xd.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4528 4260 WerFault.exe 2Px02xd.exe
4532 640 WerFault.exe 3es9218.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2220 schtasks.exe
4028 schtasks.exe

description	pid	process	target process
PID 4260 set thread context of 1040	4260	2Px02xd.exe	AppLaunch.exe

pid	pid_target	process	target process
4528	4260	WerFault.exe	2Px02xd.exe
4532	640	WerFault.exe	3es9218.exe

pid	process
2220	schtasks.exe
4028	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

1SX75WI3.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2804	1SX75WI3.exe
2804	1SX75WI3.exe
880	msedge.exe
880	msedge.exe
4468	msedge.exe
4468	msedge.exe
3364	msedge.exe
3364	msedge.exe
2776	identity_helper.exe
2776	identity_helper.exe
5496	msedge.exe
5496	msedge.exe
5496	msedge.exe
5496	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3364 msedge.exe
3364 msedge.exe
3364 msedge.exe
3364 msedge.exe
3364 msedge.exe
3364 msedge.exe
3364 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1SX75WI3.exe

description pid process

Token: SeDebugPrivilege 2804 1SX75WI3.exe

description	pid	process
Token: SeDebugPrivilege	2804	1SX75WI3.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exeFt3oe86.exepl2vN14.exerr3jV75.exepX0WF76.exe2Px02xd.exe4NT820Hf.exeexplothe.exe5Vj9yf8.execmd.exelegota.exe

description	pid	process	target process
PID 784 wrote to memory of 1104	784	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe	Ft3oe86.exe
PID 784 wrote to memory of 1104	784	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe	Ft3oe86.exe
PID 784 wrote to memory of 1104	784	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe	Ft3oe86.exe
PID 1104 wrote to memory of 3064	1104	Ft3oe86.exe	pl2vN14.exe
PID 1104 wrote to memory of 3064	1104	Ft3oe86.exe	pl2vN14.exe
PID 1104 wrote to memory of 3064	1104	Ft3oe86.exe	pl2vN14.exe
PID 3064 wrote to memory of 4708	3064	pl2vN14.exe	rr3jV75.exe
PID 3064 wrote to memory of 4708	3064	pl2vN14.exe	rr3jV75.exe
PID 3064 wrote to memory of 4708	3064	pl2vN14.exe	rr3jV75.exe
PID 4708 wrote to memory of 2680	4708	rr3jV75.exe	pX0WF76.exe
PID 4708 wrote to memory of 2680	4708	rr3jV75.exe	pX0WF76.exe
PID 4708 wrote to memory of 2680	4708	rr3jV75.exe	pX0WF76.exe
PID 2680 wrote to memory of 2804	2680	pX0WF76.exe	1SX75WI3.exe
PID 2680 wrote to memory of 2804	2680	pX0WF76.exe	1SX75WI3.exe
PID 2680 wrote to memory of 2804	2680	pX0WF76.exe	1SX75WI3.exe
PID 2680 wrote to memory of 4260	2680	pX0WF76.exe	2Px02xd.exe
PID 2680 wrote to memory of 4260	2680	pX0WF76.exe	2Px02xd.exe
PID 2680 wrote to memory of 4260	2680	pX0WF76.exe	2Px02xd.exe
PID 4260 wrote to memory of 1040	4260	2Px02xd.exe	AppLaunch.exe
PID 4260 wrote to memory of 1040	4260	2Px02xd.exe	AppLaunch.exe
PID 4260 wrote to memory of 1040	4260	2Px02xd.exe	AppLaunch.exe
PID 4260 wrote to memory of 1040	4260	2Px02xd.exe	AppLaunch.exe
PID 4260 wrote to memory of 1040	4260	2Px02xd.exe	AppLaunch.exe
PID 4260 wrote to memory of 1040	4260	2Px02xd.exe	AppLaunch.exe
PID 4260 wrote to memory of 1040	4260	2Px02xd.exe	AppLaunch.exe
PID 4260 wrote to memory of 1040	4260	2Px02xd.exe	AppLaunch.exe
PID 4260 wrote to memory of 1040	4260	2Px02xd.exe	AppLaunch.exe
PID 4260 wrote to memory of 1040	4260	2Px02xd.exe	AppLaunch.exe
PID 4708 wrote to memory of 640	4708	rr3jV75.exe	3es9218.exe
PID 4708 wrote to memory of 640	4708	rr3jV75.exe	3es9218.exe
PID 4708 wrote to memory of 640	4708	rr3jV75.exe	3es9218.exe
PID 3064 wrote to memory of 4940	3064	pl2vN14.exe	4NT820Hf.exe
PID 3064 wrote to memory of 4940	3064	pl2vN14.exe	4NT820Hf.exe
PID 3064 wrote to memory of 4940	3064	pl2vN14.exe	4NT820Hf.exe
PID 4940 wrote to memory of 4892	4940	4NT820Hf.exe	explothe.exe
PID 4940 wrote to memory of 4892	4940	4NT820Hf.exe	explothe.exe
PID 4940 wrote to memory of 4892	4940	4NT820Hf.exe	explothe.exe
PID 1104 wrote to memory of 4808	1104	Ft3oe86.exe	5Vj9yf8.exe
PID 1104 wrote to memory of 4808	1104	Ft3oe86.exe	5Vj9yf8.exe
PID 1104 wrote to memory of 4808	1104	Ft3oe86.exe	5Vj9yf8.exe
PID 4892 wrote to memory of 2220	4892	explothe.exe	schtasks.exe
PID 4892 wrote to memory of 2220	4892	explothe.exe	schtasks.exe
PID 4892 wrote to memory of 2220	4892	explothe.exe	schtasks.exe
PID 4892 wrote to memory of 5040	4892	explothe.exe	msedge.exe
PID 4892 wrote to memory of 5040	4892	explothe.exe	msedge.exe
PID 4892 wrote to memory of 5040	4892	explothe.exe	msedge.exe
PID 4808 wrote to memory of 2384	4808	5Vj9yf8.exe	legota.exe
PID 4808 wrote to memory of 2384	4808	5Vj9yf8.exe	legota.exe
PID 4808 wrote to memory of 2384	4808	5Vj9yf8.exe	legota.exe
PID 5040 wrote to memory of 2544	5040	cmd.exe	msedge.exe
PID 5040 wrote to memory of 2544	5040	cmd.exe	msedge.exe
PID 5040 wrote to memory of 2544	5040	cmd.exe	msedge.exe
PID 5040 wrote to memory of 1940	5040	cmd.exe	cacls.exe
PID 5040 wrote to memory of 1940	5040	cmd.exe	cacls.exe
PID 5040 wrote to memory of 1940	5040	cmd.exe	cacls.exe
PID 784 wrote to memory of 4428	784	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe	6Fn7yT90.exe
PID 784 wrote to memory of 4428	784	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe	6Fn7yT90.exe
PID 784 wrote to memory of 4428	784	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe	6Fn7yT90.exe
PID 5040 wrote to memory of 2864	5040	cmd.exe	cacls.exe
PID 5040 wrote to memory of 2864	5040	cmd.exe	cacls.exe
PID 5040 wrote to memory of 2864	5040	cmd.exe	cacls.exe
PID 2384 wrote to memory of 4028	2384	legota.exe	schtasks.exe
PID 2384 wrote to memory of 4028	2384	legota.exe	schtasks.exe
PID 2384 wrote to memory of 4028	2384	legota.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe
"C:\Users\Admin\AppData\Local\Temp\8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ft3oe86.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ft3oe86.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl2vN14.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl2vN14.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr3jV75.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr3jV75.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pX0WF76.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pX0WF76.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SX75WI3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SX75WI3.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Px02xd.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Px02xd.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 596
        7⤵
        Program crash
        
        PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3es9218.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3es9218.exe
        5⤵
        Executes dropped EXE
        
        PID:640
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 600
        6⤵
        Program crash
        
        PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4NT820Hf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4NT820Hf.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2220
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:1932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Vj9yf8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Vj9yf8.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:3140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4960
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:4216
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:384
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4352
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:4884
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fn7yT90.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fn7yT90.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6CA4.tmp\6CA5.tmp\6CA6.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fn7yT90.exe"
    3⤵
    PID:4784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffd4df46f8,0x7fffd4df4708,0x7fffd4df4718
        5⤵
        
        PID:1220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,748885003138301895,2708386203505492300,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
        5⤵
        
        PID:1456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,748885003138301895,2708386203505492300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,748885003138301895,2708386203505492300,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
        5⤵
        
        PID:1104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,748885003138301895,2708386203505492300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        5⤵
        
        PID:2544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,748885003138301895,2708386203505492300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        
        PID:3032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,748885003138301895,2708386203505492300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
        5⤵
        
        PID:5040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,748885003138301895,2708386203505492300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
        5⤵
        
        PID:2452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,748885003138301895,2708386203505492300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,748885003138301895,2708386203505492300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
        5⤵
        
        PID:4112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,748885003138301895,2708386203505492300,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
        5⤵
        
        PID:2356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,748885003138301895,2708386203505492300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
        5⤵
        
        PID:2452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,748885003138301895,2708386203505492300,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
        5⤵
        
        PID:5040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,748885003138301895,2708386203505492300,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1404 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffd4df46f8,0x7fffd4df4708,0x7fffd4df4718
        5⤵
        
        PID:244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,16785356027107183701,7185587826178393986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
        5⤵
        
        PID:640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,16785356027107183701,7185587826178393986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4260 -ip 4260
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 640 -ip 640
1⤵
PID:224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5420

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:5444

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:5468

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3112

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4d3eeb56c221e5142398b814ee93ef7e

SHA1
e478a55491204be10a9adbb5f32b24de3d97f778

SHA256
954d93d56482219f3fa0031400f1d62dc3b3067c918d34ff79025fa114ea16df

SHA512
a650026937cd091eb3328496d3da94cc0fee09585af878f5b76a3df64a7c0a60991eeb5068882eb7c4584cfe142a1c79ee8999c5f0319c9f41491235e13bfcc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
95a41cd8e54661831b4dba0e1af108b6

SHA1
27342a295e64d7af3807a5401fcbd090e5d12e30

SHA256
1223396ec65ac5f80ed6344eaf5244e758472ff6a7bf25ab4b9d214875f2c0ae

SHA512
778053cf6733e1aaa34a0ac42ba8361aa25f11030c46e6210af1d1dbd8ca4f60e8d2d53fd99924614c069aaf5fc5d0c6bfd9a052231f58c5517f64bf81742d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a945ac349c30fbb43748af942e3cad79

SHA1
9aa898617f4d9ad51f31d9f9c5d0425517db1393

SHA256
f955e399c843e2d1c65ff0ee3662ac84d428be5dca9bbc03c51206c7b24c8a6a

SHA512
bd1a120cd38244cba8bbdcde14ef38bae82d6d8b1ad1c696d3fcb6729c486c45f8fc695f8f2915518edd80d5f627842f9499b91f0a7ecc2828a1af259090f8aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
83a31f84998a5c6e17f522ec645aa038

SHA1
abdfd5a6d3a8482e6d0398ff16640e52982e90d3

SHA256
e97d3632c3abf7761829c0bcce56fd77f8ba60563b1f73eb13b2400424db8d4a

SHA512
f4a19b8ebd10f966c2a33810560546bcd0a8eb5231fcf718e06123b9c324d0bd5e2219ac00a9a3bf128c34063a002801646f0771458145426e3aa2577e9d8077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9a2fc149c3bb618f451541107f3a5c30

SHA1
9632ac4d93522a12c616327be9cfa26b5481c331

SHA256
da5a9a70a769feed2c3881a3d93bb93f15e2a75b2ef010386b9e2eb979038d32

SHA512
fa1113d190eea7128971855bcc331c3a3d3f9c238f5a950342ee20d143e671b47401fc8f08b48e0e7cda6871ce8d8dedb54c1f30cad00eab18ca0c8c5c840692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
ce3b03dc4f746c2eaf015fccfe41ea64

SHA1
7d5ab5f15f3acf7bf7343bdf34acca29b38f3804

SHA256
7eaf8188ca17ae0d4dced7f8f87ce56ae19d5d0b3f679351dfabcd5380458833

SHA512
d3746dab7edce1e8a20b8fc1fcabd10345bd882881043130fdc1d38b1da23de02baea652e7b83e62cb5996c807f06d59529fa26d6575482a1f9eea5afa8418f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
e636f77d42e130b425675abbb76df2de

SHA1
dd4d9dbcf11bcf71176b583a2326d966942155ae

SHA256
a498044a3b28bd5c694ba6649e14d31910a5612f717d456d4e8803af69e43e1c

SHA512
21d08449c5ae9df104f91b8c1c1c5cfd4e106ab228af2bcc1350da336635e76468a409b5a73931c1eaf090dfa8dde565f3396a40ada1f3cb820d0bb13d1598db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
010a5ce59273faff1dba73dcf52f8f9b

SHA1
425f4380498348203fee7cb84e53e8c2287fd3b6

SHA256
8b6dbc06e1e3497a34bf6a2a47c907339bf97078f66994d414b506c77b5f9bbe

SHA512
a299a7aa038a8717d8d174810694bd98fce699d15940c458645e9222eed8948cde351d390f38b81d4259fda80519bcdba4ee701032a381f956829ecd7d0609a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581b24.TMP

Filesize
872B

MD5
0a30115fc0ee86b5494232696471275f

SHA1
394f6138d3d387718d9a3493ff6da3d16197463c

SHA256
22a50b2246af3b7ae6da7609bf8c921e76a6a95786d0aaeaa27d1d92874e76e1

SHA512
03c39b3903d66856fbb174cd5c60d553ef2661c4c677a94e99ab3db0117ea2fb64e6fc8686d380693e52ad26737f85bad605b608767023321ea6af25f90bc644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a10a60e81a33bb7a7097a07facb749f1

SHA1
5bce37c9a60b907241ed71b57154186011452b3c

SHA256
0390347e63f86114f0cefea6477f9e5964c7f1bb0075db68fe4138265c816108

SHA512
bf7b79cc77184ae9541ba3b3e79c40fad175cd3cb22627369fa53ece5ddd9cd3589225b7ce4926e85bf0461344c112bc0f0a3a920753540c2618ddfde932ae04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
30497935cb611115ad93ce6d1225e905

SHA1
622a64431b1fc67bbba6d206eb2af0593f79b066

SHA256
e398dd0de46b4892795a0c787c9bf891d8db568211417331bdf506b1cdb83454

SHA512
27490d90afcb5162694e7d5cc4c773e52f288a8859a7ba4e2666b9dad19b77eb7e6a5f03f5a7004e240c68a1a268a11d9c8bf1cd56d6f6433023125cfaa52a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CA4.tmp\6CA5.tmp\6CA6.bat

Filesize
90B

MD5
5a115a88ca30a9f57fdbb545490c2043

SHA1
67e90f37fc4c1ada2745052c612818588a5595f4

SHA256
52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d

SHA512
17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fn7yT90.exe

Filesize
100KB

MD5
7be6258c77371eb559eb6ab86fe39b07

SHA1
46722e003572597055d17ca0a0a264fbb50e2811

SHA256
2502fdba070ded6a7b8ea3661f8a1bcf9bf9bd74193de7be1198ab4f3e4e05e1

SHA512
9c5bc3a70b231278b507e1ef6922e4f4eeee9d778698645d8983ce3a603a7ea582fc997d4bad411c834ddd4b328e7b2622a52cf6ee878f0b7ab8ebab43e91ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ft3oe86.exe

Filesize
1.1MB

MD5
4a28734d620e9056a682eafc8737710c

SHA1
a1b4df9b836eccb5ad5d8a0cc68cc804974caf9a

SHA256
7207545041f9270d787ef09e158c2000745dd4dba1caf227d83d7724eb5cf8d3

SHA512
28c37df4fb6a156f90ef11b83c04db859d1cf1c4c2f58f9ce1a322570ae57ff40482b0fbb6264e4251f0a3ff88fb0c30535e708bbe7db14ab39aae10b3970415

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Vj9yf8.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl2vN14.exe

Filesize
929KB

MD5
63d3af4d87fd6bd88bca6df080a6bc3e

SHA1
0901ab28651cc427d69d5e691b2a6e2c2c2a74de

SHA256
6240c21f824b1bb46ab1112d11c3c40c836cf8be79e36b19aadb336b3d3c4fc9

SHA512
0b8974ae1b6c9f4b4c9b9408b747e89f9ab5d08195614012168512b9e492752d153d101aad4cec402d25372983d284b7b538193bf182fe5d1814a1a78210c2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4NT820Hf.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr3jV75.exe

Filesize
746KB

MD5
dc46125496cffd68e5ae4857f373af0b

SHA1
9996ed7d0deba475f70c435886644544b6e47e1f

SHA256
8eba8cee6a721e574c8930cbf03a7a0e8d8989db43ea31106493e07ac3f9f996

SHA512
388884836cbc59e6fb1014f430e349274f9a83f6981b3df90cfe177108cda31cafbbdecf406f61ae921fcc01e4baec40a4beae17d93e8158d33240db0bd80c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3es9218.exe

Filesize
459KB

MD5
a38ce3e2dc246d8e40f95186737c588f

SHA1
87eb3f865fdd506f345d1d586f4d8c4d490f669a

SHA256
c42efcd5f53c75f36a6ed5c8f8be82359b848285ffb0fc5acc12fbd625c7028e

SHA512
9b6dec7f0eaae988f522ec927e0082dd03ead7605387c52d6184ee899154c85e9f180622b7ca32377a9e9a0b1972e24131e0a47e2b27797c55736b25261d27c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pX0WF76.exe

Filesize
452KB

MD5
edc0c4302d8a7a49cc3f7b9f2e3ce9a9

SHA1
0159e3b33bae3c07f84b3e9ef132d589fd87133c

SHA256
fdc7f7a30e32be19f90e770c4a31b87e62c14a2dc553b5ba653a62b90b9860be

SHA512
d7e8dc43ee5362aaa98bc5f7480d04755299cd4997a026ed1143bd34ddac6761083b4e6dfb9812649f5c9f9df6148ae1bd40c6ca3386a664e955522e8e9770fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SX75WI3.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Px02xd.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
\??\pipe\LOCAL\crashpad_960_JMKDPIUBBCSQGULJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1040-71-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1040-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1040-73-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2804-61-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-41-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-49-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-51-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-47-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-37-0x0000000002660000-0x000000000267C000-memory.dmp

Filesize
112KB

Download
memory/2804-36-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/2804-40-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-38-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-59-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-43-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-45-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-35-0x00000000008B0000-0x00000000008CE000-memory.dmp

Filesize
120KB

Download
memory/2804-65-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-63-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-53-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-55-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/2804-57-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4356-77-0x0000000007BB0000-0x0000000007C42000-memory.dmp

Filesize
584KB

Download
memory/4356-76-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4356-87-0x0000000008C90000-0x00000000092A8000-memory.dmp

Filesize
6.1MB

Download
memory/4356-78-0x0000000005040000-0x000000000504A000-memory.dmp

Filesize
40KB

Download
memory/4356-98-0x0000000007E50000-0x0000000007E9C000-memory.dmp

Filesize
304KB

Download
memory/4356-93-0x0000000007CB0000-0x0000000007CC2000-memory.dmp

Filesize
72KB

Download
memory/4356-96-0x0000000007E10000-0x0000000007E4C000-memory.dmp

Filesize
240KB

Download
memory/4356-91-0x0000000007F20000-0x000000000802A000-memory.dmp

Filesize
1.0MB

Download