amadey | ddc6b496a8a25762ee7b933f47107c5553187f5846568bf68b67dd8d5f4a7548

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

862a8f43d1bd92e93fbfad58f9943a043f45ae975ab50181d393ffb2fa848532.exe
Size

1.5MB
MD5

4f11ba58ad2b2738528568c7623fbf29
SHA1

5a89978533d94218333c20bf4f979c5b2a1681ea
SHA256

862a8f43d1bd92e93fbfad58f9943a043f45ae975ab50181d393ffb2fa848532
SHA512

ffaf6de18d47be108b89b517faf0b05af73cf75c1da576b2a01ddb7fde1d1ef78a28823cb0caab0fa090290114ec789a9992bc3af6cbdd198f1a9d978ddc4eff
SSDEEP

49152:1oiLfVHW0hY0kFQfkflI/+sGTvRaK9n9:SyVHWCk+8flI/M9

Score

10^/10

amadey mystic redline smokeloader 04d170 plost backdoor paypal evasion infostealer persistence phishing stealer trojan

Malware Config

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral13/memory/1864-46-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral13/memory/1864-47-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral13/memory/1864-49-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cU6Gh2.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral13/memory/4352-58-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5Zg0HN0.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	5Zg0HN0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 16 IoCs

Processes:

jD1kV90.exeKh4mW34.exeQK2gb52.exeoW0tg77.exeJR8DE73.exe1tS28Vc0.exe2Ea7851.exe3oT95mp.exe4Gm820sR.exe5Zg0HN0.exeexplothe.exe6cU6Gh2.exe7jn2Gx64.exeexplothe.exeexplothe.exeexplothe.exe

pid	process
2676	jD1kV90.exe
5024	Kh4mW34.exe
2400	QK2gb52.exe
3632	oW0tg77.exe
4680	JR8DE73.exe
3052	1tS28Vc0.exe
4132	2Ea7851.exe
836	3oT95mp.exe
2180	4Gm820sR.exe
3788	5Zg0HN0.exe
4944	explothe.exe
4476	6cU6Gh2.exe
4700	7jn2Gx64.exe
6488	explothe.exe
5824	explothe.exe
4796	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

862a8f43d1bd92e93fbfad58f9943a043f45ae975ab50181d393ffb2fa848532.exejD1kV90.exeKh4mW34.exeQK2gb52.exeoW0tg77.exeJR8DE73.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	862a8f43d1bd92e93fbfad58f9943a043f45ae975ab50181d393ffb2fa848532.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jD1kV90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Kh4mW34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	QK2gb52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	oW0tg77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	JR8DE73.exe

Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 3 IoCs

Processes:

1tS28Vc0.exe2Ea7851.exe4Gm820sR.exe

description	pid	process	target process
PID 3052 set thread context of 4556	3052	1tS28Vc0.exe	AppLaunch.exe
PID 4132 set thread context of 1864	4132	2Ea7851.exe	AppLaunch.exe
PID 2180 set thread context of 4352	2180	4Gm820sR.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3oT95mp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3oT95mp.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3oT95mp.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3oT95mp.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

980 schtasks.exe

pid	process
980	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

msedge.exemsedge.exeAppLaunch.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2040	msedge.exe
2040	msedge.exe
952	msedge.exe
952	msedge.exe
4556	AppLaunch.exe
4556	AppLaunch.exe
4556	AppLaunch.exe
3896	msedge.exe
3896	msedge.exe
6964	identity_helper.exe
6964	identity_helper.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

msedge.exe

pid	process
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 4556 AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4556	AppLaunch.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

862a8f43d1bd92e93fbfad58f9943a043f45ae975ab50181d393ffb2fa848532.exejD1kV90.exeKh4mW34.exeQK2gb52.exeoW0tg77.exeJR8DE73.exe1tS28Vc0.exe2Ea7851.exe4Gm820sR.exe5Zg0HN0.exe

description	pid	process	target process
PID 1472 wrote to memory of 2676	1472	862a8f43d1bd92e93fbfad58f9943a043f45ae975ab50181d393ffb2fa848532.exe	jD1kV90.exe
PID 1472 wrote to memory of 2676	1472	862a8f43d1bd92e93fbfad58f9943a043f45ae975ab50181d393ffb2fa848532.exe	jD1kV90.exe
PID 1472 wrote to memory of 2676	1472	862a8f43d1bd92e93fbfad58f9943a043f45ae975ab50181d393ffb2fa848532.exe	jD1kV90.exe
PID 2676 wrote to memory of 5024	2676	jD1kV90.exe	Kh4mW34.exe
PID 2676 wrote to memory of 5024	2676	jD1kV90.exe	Kh4mW34.exe
PID 2676 wrote to memory of 5024	2676	jD1kV90.exe	Kh4mW34.exe
PID 5024 wrote to memory of 2400	5024	Kh4mW34.exe	QK2gb52.exe
PID 5024 wrote to memory of 2400	5024	Kh4mW34.exe	QK2gb52.exe
PID 5024 wrote to memory of 2400	5024	Kh4mW34.exe	QK2gb52.exe
PID 2400 wrote to memory of 3632	2400	QK2gb52.exe	oW0tg77.exe
PID 2400 wrote to memory of 3632	2400	QK2gb52.exe	oW0tg77.exe
PID 2400 wrote to memory of 3632	2400	QK2gb52.exe	oW0tg77.exe
PID 3632 wrote to memory of 4680	3632	oW0tg77.exe	JR8DE73.exe
PID 3632 wrote to memory of 4680	3632	oW0tg77.exe	JR8DE73.exe
PID 3632 wrote to memory of 4680	3632	oW0tg77.exe	JR8DE73.exe
PID 4680 wrote to memory of 3052	4680	JR8DE73.exe	1tS28Vc0.exe
PID 4680 wrote to memory of 3052	4680	JR8DE73.exe	1tS28Vc0.exe
PID 4680 wrote to memory of 3052	4680	JR8DE73.exe	1tS28Vc0.exe
PID 3052 wrote to memory of 4556	3052	1tS28Vc0.exe	AppLaunch.exe
PID 3052 wrote to memory of 4556	3052	1tS28Vc0.exe	AppLaunch.exe
PID 3052 wrote to memory of 4556	3052	1tS28Vc0.exe	AppLaunch.exe
PID 3052 wrote to memory of 4556	3052	1tS28Vc0.exe	AppLaunch.exe
PID 3052 wrote to memory of 4556	3052	1tS28Vc0.exe	AppLaunch.exe
PID 3052 wrote to memory of 4556	3052	1tS28Vc0.exe	AppLaunch.exe
PID 3052 wrote to memory of 4556	3052	1tS28Vc0.exe	AppLaunch.exe
PID 3052 wrote to memory of 4556	3052	1tS28Vc0.exe	AppLaunch.exe
PID 4680 wrote to memory of 4132	4680	JR8DE73.exe	2Ea7851.exe
PID 4680 wrote to memory of 4132	4680	JR8DE73.exe	2Ea7851.exe
PID 4680 wrote to memory of 4132	4680	JR8DE73.exe	2Ea7851.exe
PID 4132 wrote to memory of 1864	4132	2Ea7851.exe	AppLaunch.exe
PID 4132 wrote to memory of 1864	4132	2Ea7851.exe	AppLaunch.exe
PID 4132 wrote to memory of 1864	4132	2Ea7851.exe	AppLaunch.exe
PID 4132 wrote to memory of 1864	4132	2Ea7851.exe	AppLaunch.exe
PID 4132 wrote to memory of 1864	4132	2Ea7851.exe	AppLaunch.exe
PID 4132 wrote to memory of 1864	4132	2Ea7851.exe	AppLaunch.exe
PID 4132 wrote to memory of 1864	4132	2Ea7851.exe	AppLaunch.exe
PID 4132 wrote to memory of 1864	4132	2Ea7851.exe	AppLaunch.exe
PID 4132 wrote to memory of 1864	4132	2Ea7851.exe	AppLaunch.exe
PID 4132 wrote to memory of 1864	4132	2Ea7851.exe	AppLaunch.exe
PID 3632 wrote to memory of 836	3632	oW0tg77.exe	3oT95mp.exe
PID 3632 wrote to memory of 836	3632	oW0tg77.exe	3oT95mp.exe
PID 3632 wrote to memory of 836	3632	oW0tg77.exe	3oT95mp.exe
PID 2400 wrote to memory of 2180	2400	QK2gb52.exe	4Gm820sR.exe
PID 2400 wrote to memory of 2180	2400	QK2gb52.exe	4Gm820sR.exe
PID 2400 wrote to memory of 2180	2400	QK2gb52.exe	4Gm820sR.exe
PID 2180 wrote to memory of 4352	2180	4Gm820sR.exe	AppLaunch.exe
PID 2180 wrote to memory of 4352	2180	4Gm820sR.exe	AppLaunch.exe
PID 2180 wrote to memory of 4352	2180	4Gm820sR.exe	AppLaunch.exe
PID 2180 wrote to memory of 4352	2180	4Gm820sR.exe	AppLaunch.exe
PID 2180 wrote to memory of 4352	2180	4Gm820sR.exe	AppLaunch.exe
PID 2180 wrote to memory of 4352	2180	4Gm820sR.exe	AppLaunch.exe
PID 2180 wrote to memory of 4352	2180	4Gm820sR.exe	AppLaunch.exe
PID 2180 wrote to memory of 4352	2180	4Gm820sR.exe	AppLaunch.exe
PID 5024 wrote to memory of 3788	5024	Kh4mW34.exe	5Zg0HN0.exe
PID 5024 wrote to memory of 3788	5024	Kh4mW34.exe	5Zg0HN0.exe
PID 5024 wrote to memory of 3788	5024	Kh4mW34.exe	5Zg0HN0.exe
PID 3788 wrote to memory of 4944	3788	5Zg0HN0.exe	explothe.exe
PID 3788 wrote to memory of 4944	3788	5Zg0HN0.exe	explothe.exe
PID 3788 wrote to memory of 4944	3788	5Zg0HN0.exe	explothe.exe
PID 2676 wrote to memory of 4476	2676	jD1kV90.exe	CompPkgSrv.exe
PID 2676 wrote to memory of 4476	2676	jD1kV90.exe	CompPkgSrv.exe
PID 2676 wrote to memory of 4476	2676	jD1kV90.exe	CompPkgSrv.exe
PID 1472 wrote to memory of 4700	1472	862a8f43d1bd92e93fbfad58f9943a043f45ae975ab50181d393ffb2fa848532.exe	7jn2Gx64.exe
PID 1472 wrote to memory of 4700	1472	862a8f43d1bd92e93fbfad58f9943a043f45ae975ab50181d393ffb2fa848532.exe	7jn2Gx64.exe

C:\Users\Admin\AppData\Local\Temp\862a8f43d1bd92e93fbfad58f9943a043f45ae975ab50181d393ffb2fa848532.exe
"C:\Users\Admin\AppData\Local\Temp\862a8f43d1bd92e93fbfad58f9943a043f45ae975ab50181d393ffb2fa848532.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jD1kV90.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jD1kV90.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh4mW34.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh4mW34.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5024

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QK2gb52.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QK2gb52.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oW0tg77.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oW0tg77.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3632

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JR8DE73.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JR8DE73.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4680

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1tS28Vc0.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1tS28Vc0.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ea7851.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ea7851.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3oT95mp.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3oT95mp.exe
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:836

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Gm820sR.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Gm820sR.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Zg0HN0.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Zg0HN0.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4944

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
6⤵
- Creates scheduled task(s)
PID:980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4860

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
7⤵
PID:4840

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
7⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3696

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:1216

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cU6Gh2.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cU6Gh2.exe
3⤵
- Executes dropped EXE
PID:4476

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7jn2Gx64.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7jn2Gx64.exe
2⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\38B3.tmp\38B4.tmp\38B5.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7jn2Gx64.exe"
3⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa96b946f8,0x7ffa96b94708,0x7ffa96b94718
5⤵
PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
5⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
5⤵
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
5⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
5⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
5⤵
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
5⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
5⤵
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
5⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
5⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
5⤵
PID:5708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
5⤵
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
5⤵
PID:5980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
5⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
5⤵
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
5⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
5⤵
PID:3876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
5⤵
PID:5528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
5⤵
PID:6444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
5⤵
PID:6564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:1
5⤵
PID:7048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7848 /prefetch:1
5⤵
PID:6292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7836 /prefetch:1
5⤵
PID:6284

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8128 /prefetch:8
5⤵
PID:1692

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8128 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8224 /prefetch:1
5⤵
PID:7060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
5⤵
PID:6276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7976 /prefetch:1
5⤵
PID:6348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6172 /prefetch:8
5⤵
PID:6364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
5⤵
PID:6376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17597658208088464204,9627643080188672944,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1892 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa96b946f8,0x7ffa96b94708,0x7ffa96b94718
5⤵
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,17370298491136700217,17344377872800768867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa96b946f8,0x7ffa96b94708,0x7ffa96b94718
5⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
4⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa96b946f8,0x7ffa96b94708,0x7ffa96b94718
5⤵
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
4⤵
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa96b946f8,0x7ffa96b94708,0x7ffa96b94718
5⤵
PID:5256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
4⤵
PID:5312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa96b946f8,0x7ffa96b94708,0x7ffa96b94718
5⤵
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
4⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffa96b946f8,0x7ffa96b94708,0x7ffa96b94718
5⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
4⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa96b946f8,0x7ffa96b94708,0x7ffa96b94718
5⤵
PID:5828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa96b946f8,0x7ffa96b94708,0x7ffa96b94718
5⤵
PID:5884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:5988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa96b946f8,0x7ffa96b94708,0x7ffa96b94718
5⤵
PID:5416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:6488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5824

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
223KB

MD5
253130eaad29f6b3a8d8e7815c0bd494

SHA1
a4f9c43a0a8bfdea2abb714a89628d9ab53911f1

SHA256
100b51f83c1ebf8717d0b03fbf1752724877a6c3828b30d24dbd649e1d70de23

SHA512
aec0c1d01c6d5c934091913bac199ec1bcfb87297a02237ebb71659dda8040f64217fc21d535efff9ef994085d74c12a7ee6e8ebf711a83f5afa61d765b257d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
70c376a68dbcbaddd2e7ced223f34e67

SHA1
0bfa2352c930f6128c36d6537aed09e9bf80759f

SHA256
95d36ecbbcd35c6c27f3a930620588247c59d2580d597dc401d63edc961e8cae

SHA512
ff010f06f229f8a7500b25dba79bce389023329de5e84dc0e374b608e63c8ee597669818e1d486089622824f1da26ddd38e4648fa0f5644823627f3165fc3045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
836dbe1d41b2b581a19e63601484ffc6

SHA1
83aee8d0d660b79949ce8c582d32d125cbcee685

SHA256
e0fd999212b963f94d71c0e05ced265707b906839170a99c17533feec917c236

SHA512
f9d623927cfb78fba65abac2542ddda03adc9af4b019a515916bfbf792b89d6fe6c8b9f5efd976210e818f2c407b4df8757e8f7c161de41e54bc62522f89aa83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
b3133ca7ef23d80c4949d58cb5891a6f

SHA1
23c26ff834e33f17acd5cd5203aefefb1317a53b

SHA256
c8b9e46bd43c11a5ebc4974d190f71c70e2df6d09b61e9e989e50ddfcccdc83f

SHA512
70ef820b27801e4708abb80f4c9e5411da9d764c87b6ae9ee633a67013e23cc072e8b5330c93bd235f9195dcd059ed3d99ed91e979d4fd33feec144b47fb33eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b72228a401755e2252b88e5a100d1e7f

SHA1
6e2afb1ecf58d643b08d72a6376d1de4078e6286

SHA256
c766123df171324d2f975111d11df32b88cada400e55715df65f090394c47efc

SHA512
1702941128dc7f6b0493195a7af1565f4ae1984471a7b12695f89ea9e453350b41bf87e12ee6865cd7efecd567b5f3501de320fc77ff425d71c9a3c9a0f932e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
5c3d55fb8575a4ce52b71d15925c5563

SHA1
78013cae0904f8de8bccb2e1b9221efd2379bc04

SHA256
ec7628757284f354bef9b5df43bb539f1bbb8023027ee5fdd7cb50f5765e816d

SHA512
d1e5d1eac58325764a215ff5dd4326764e93996a674ea46ca375c7c21b33fd97edd32b871c4e1e9c9acbda9fac6d90b448619e7228fbcee448d8119307998a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
00b30edd7932fcd9d7e97e9886df3878

SHA1
ccf6c4fab0ada9ba804dd1afeeca06c97410c26a

SHA256
264085ae1ccdefef36f670062b4fbfe3069273e2d02ab976df0f144188854de2

SHA512
a7c22619d0c73e717eaee791b50d49176ed6300be6dc1fa194514169767e1a334a9a07ebf769b170f4d0eaab47a9c5b4b7387422c3fa3b0405a5733863b803d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b647ef4c353a02a5867cfa143eacb692

SHA1
dfc9d5cd0c1b8ca33e7b48e68f5328bb5e1b7ea2

SHA256
6fb3a76f60e36b9c691795e6783e5c8d110bc8d4b696f4954d1b8578556f3773

SHA512
83ad6fe6fb54d1bfaa14ba3a801cdfcf32576e3a0f699fff8fbe1216ce5d4a35c4f62b45b07ccfd644e190b6f4e8997b25c88926ec12503e89354da966d0b3ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
a48321040cb7ac54f1046225249d1e62

SHA1
6c3f1e41b2bf5df1a5ab7ba7f2d2a15d3d45bf6f

SHA256
c2b6b3176223a9913f1985c766170afec28f110500455b300f2c919adc7d0488

SHA512
dc6fdd0f0f6529e76773aada5df38390ff57ce52b801933e69dd0a6e88a156ab379ded2d7c1f7085196f3bf24bb25333784570f2d9443cded39423850bcc48e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
655c264b137e493610dbc9682e9895fa

SHA1
4892f94731d2334aceb37926e81251a9933716d3

SHA256
4144ff227e0610ae51deb86be9ead4c2cd5c112139dad00857777bc1468f7318

SHA512
b53e99564432a198aaced3e194a3d1475f203f4b924288238f084a5a51c75ea7a82244e7b76f1f9d29be2d78d1574f313a85cfb33812e9270bf0950f892df27e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
d8bc3d42b0b692c4d87766ec2cd16c6c

SHA1
ffc0e47dc452ea8edbb0a0f11abb68a83213be86

SHA256
036f891958646905827dd29d55c743f65e8c7c42b7b6a33107b48b4f4fbadb85

SHA512
341e1a741a55355c14db8c3a0d8670fec8bc2548d09cc32faf39c7c13ddc79e8693b460f6b460edf584cca4fba299d95f6fd69e29b107ef950251d6412f3e6cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp

Filesize
82B

MD5
6f40edba14c68027ce7ffb81f18ac713

SHA1
4c7b9c2d702c84af6a7c3eecc2b7cf7cdf58b97c

SHA256
f1978eebf6b8ec20829898cfc802cbca338f81dbd04c059128a79d3e8a6206bf

SHA512
6fb03ac2b4123566affdda44a6b2a46d17f82983384c8365730dd2026e226d8de7564f24e76a973b587b37232f97e2b1059524c0389187c03658a3a2c71255d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
7407a5981d69a5e2eb75b86232c4aff2

SHA1
e3140c5a65dc12b588483b4690f0d291b0a578e9

SHA256
ee944c168f42ec933725eb449436f32d4615897caa322f213351fa19764c8a28

SHA512
f084c595f693a87bb48b9bf0b198f26e1db05c44d76bb5f7958b961b2e62a2977006d24c7d015403455eedfdbbec2dc5c1c93b2dcdd79080cd1be77c2f3d2120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d542.TMP

Filesize
48B

MD5
70cd5b14546a13602eaf90188dd4309f

SHA1
1872c3534963908e43f1135f72048c020bae9c3e

SHA256
3333dfde38bc825d15865c6af8d76dafb9aac2a698a6008ee21119acdfa340d2

SHA512
8942117648b8bff7994212020fb66b74bccc75a74f8753405d34c2f82319ce8ed7a73150df5e776b4faf4db25bedd549c9f713c1f892c7d935b87784cbe376a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
51cf5997ebe85cd1a37814015e680e9b

SHA1
685c0f6638cb354dd9bfa50ca89b504172c35d57

SHA256
d8706bf0362ea5a94513d205785effca832938a17ab5d258d48fe339d1a72e31

SHA512
71da15362b2ca957c82edf185ece6fe93bf8cb0febd347cb823a23f35c4269ef24fc9a19ce755999ef7cb2591cb0144d634396ffff32222019bb20bb08918dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
a4d5b407f351b8e73a0c11d099a336de

SHA1
45fd16111bcd68032638edeb968b8dfbcb262498

SHA256
1143da1ce6261de35c3d9161fb862f42a07d28a066d7750c8626c3af8d411284

SHA512
c5fe474a8ff3cab5d40b4e4680c2cd2acff6a6e2e23d2e4dd82e23fe1996acfc88a32b19014b50dd30e9ff69263af777a0f644735be455f0c47eff3f487dd10b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
95862b2066973a845a77f291ea3546f6

SHA1
3cdcb888ee575d9c61038d63a11fccb4abbe9918

SHA256
0cb08faf7373d8049cb5f6b0e3e4a09177280a8aa03573e2105c7c7e9bee3ea2

SHA512
c0cd513509f9aca3b7359d002f965082ab7dfa934bd6759b6e60229c7151f633a1f37b34ff5d30a7ef822fc2038e2989827c326f2c685b4d1c187a9780dd9bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
a1fbb03c1c34df5409085184436f094e

SHA1
df2307e8c1d2df1e942c6fa5b6a359766dbd0cc5

SHA256
1ce13ef9771c0a5ff26fe3f3ff56495b3ecd5ab790e6abebd7f840f5338dd494

SHA512
57902f687ec50302262c9d85af32b0b3675d9322fe1c59eb59645141713dcbba02c8284649fe5663cc9ad151e77d5935bb642fc78223430a2fd0ebcd238041d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578d9a.TMP

Filesize
3KB

MD5
f3ec8d8dc8de6c73ed15171b02006340

SHA1
7bea2aad71c9de1fe011099f2d76ec900d0d1ef2

SHA256
2bf6857a5c73e4d09e8c03d166a21dbb239f059a48d097fa40e9c1e08c9abec6

SHA512
3332166fbeedacb2e094552386e95606666507e8254cc26e522e7609645c15b531896d52eb3e92fdeab67a28b31d4c3c44d10c5ca3471500a7f50725b6a9da3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
aef7cdb2c9b6d9a920beace7629d718c

SHA1
1dba6113e2fb24e0e480e7431a192d7dcd8bec66

SHA256
e17491e0597d1d358e48ad516e3ff453ff6740f58785b37c0352980ebfcad31c

SHA512
ed5910c6aa708a9bcf0c4d5229f6ba59a69e3e1ebf7c30a49158c26948a743c9bdcccf306e385c517ff272af17be0f29d95dae859db4859761222c51a1b1b4c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ef6a000e8f2acc811edf88baedb30ae5

SHA1
85ba5e76051681145894b2b8301c1ea88dfdab0d

SHA256
d0095c34d5cbdc45944d3cdf7859e725e0a22b3e8c1a77929e2de3efa409d614

SHA512
80d281738d0eecff68cef0cdd9ec06fce1e8b7691ed1988563592195bbf3494a1e3631fa1ddfc67432f479a1690d4dd360c0ea7e597ca59c18f9a940e1216793

Download Submit
C:\Users\Admin\AppData\Local\Temp\38B3.tmp\38B4.tmp\38B5.bat

Filesize
429B

MD5
0769624c4307afb42ff4d8602d7815ec

SHA1
786853c829f4967a61858c2cdf4891b669ac4df9

SHA256
7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f

SHA512
df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7jn2Gx64.exe

Filesize
89KB

MD5
9a662cc34745ba5b113d597fa828b0a3

SHA1
f8f0d5b50901a8ac5d3e6de7e7732468f636660e

SHA256
3dbac8ffce36a456249657ac0c21a63c4b0cb5f5823b2d4a21825d798be359f7

SHA512
1cd20ef8c3ad8832bca8e11e6514365505b62345c8285ce35e7eb7f0533a83a56b8754b966920b8c15af9d5fb4ae37f985b3256bbd39425e2c2496ae0543ec05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jD1kV90.exe

Filesize
1.4MB

MD5
a9bafa24a8ef8994760e132d6ff8fb6d

SHA1
1dc193f27a2fa141472bb0a608f9bd27ad220b38

SHA256
84a35f8151997e6dd4bd8e8432acf5b73f048c7a9bb08d4209c249ac85d6e54f

SHA512
c251a760bfc08ca8375814b57330a30f5e89ff000fb2a4782fc58b15362e11bc050a5a70ebf2474c73e3c9522d3618297651d77170803183dbaa21125158c041

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cU6Gh2.exe

Filesize
180KB

MD5
daa417447c6bfb8fc2625dde02cd8488

SHA1
4438b6f3c99974cf56f29f746ad9d3e0fe258367

SHA256
3842f13f12ab1ef714099ccb2aab4a68b87e546689925679c2ba7645215bbf78

SHA512
266341b169372d88e26461c022cf39772e20af365e483b677b320cb489828947a2946d3201cc70d5d198ba03b5f68b5341a28c7b47c703ee8622b35f16bf6411

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh4mW34.exe

Filesize
1.2MB

MD5
4439de6436f1808372c26ca3c2037a09

SHA1
dd7b4bf3193fcbeb00de9e29bd12f3bfe12532ba

SHA256
c6343f0be94eb74764c51ddeea3cec29d8cecea75afb1b2752f87cfd282a666b

SHA512
57d4dfb499c300d2c2dbf478df22583ff2713044bb6af24480172ab1e5d3c7cc3404914406a3a0aa69e4bb5afa0e89e80d910882f0642b1b4b1fb65c5b49f6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Zg0HN0.exe

Filesize
222KB

MD5
4bce828cd5b294ea4994cf250b07d991

SHA1
c9113358b8f95fd1e36305c9b46f7abf3fe1108c

SHA256
193f662c7dd04fb7bd96bf0abe7ddf0e1e05317c755ca0a1b568a71ad33b77de

SHA512
03d5070c328f72621378444324838536a0a45e6ac1cf7505e4c69b4a65d58ddf5f86a2355bed0bea2e2ec60b101d9e40499f84283fad27d51c07ba3f681a1ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QK2gb52.exe

Filesize
1.0MB

MD5
f0a8026b4f84f76870860a2a10aef2e1

SHA1
7e70f93294fe596a0cd0cab94bd06d0dcee61a64

SHA256
001a274f6a97c88e7a50fdda02f9668b1518b873549647815d3c5248ec53d9f6

SHA512
097d2f47cdb3d985f0ef82c53804e848b40ae3b2781482219485dd1619bc55517aed7299838f8d5691183ef84a254045f6e1bda7ec304b2716af1bdb6ad3ee3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Gm820sR.exe

Filesize
1.1MB

MD5
70d93c5837db1c0ab4099fb03592b816

SHA1
100798fcff18296912a589752455f036c62a8ac9

SHA256
2cda46f9fdc424a364303ce33467d740b948e5b6569780bc6ca2a881f11deae9

SHA512
3a6af46096576b7ca557d7ac86c1abbb77e496badbec614b15de0c8efc99abf5a78508cf191651d78d3f93b00ac156a0b315c7d5c1ed637ddaa8f77deada3b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oW0tg77.exe

Filesize
642KB

MD5
917d26eee45e5bed067165f1de70d037

SHA1
bf2e35e1170500261d315f8982e1ff59d19a729d

SHA256
d97f4a77f67f411ce7e29bf9b99568aeb8563b8bf81f426bfceb9d0bf5310be1

SHA512
5337440e97aad870a54f11238c28576b27bd4c1f80ec064e9ab7421b73355ba09f112bc53d31e87caee41883d3c5bf9d78021f20cd2d2c247914cdebd44fe704

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3oT95mp.exe

Filesize
31KB

MD5
d25020b345228c7be7ecb5d11f3a8b24

SHA1
931309b8e8ad76066423547f7add26873762548d

SHA256
ada617d090bc521cbcd89cc9dbae3f13232c048365a62c5540994fbcdf242b71

SHA512
7e3705ff187278fcdd8f0d6a63241e3c057190a465c9dd4d023e4057348dfe234bb4f8f92a4cf47aed78f41e80eaade3580cfcb126367a2b8c469ea7155cf82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JR8DE73.exe

Filesize
518KB

MD5
959deed2023fa10083e190f591afcc34

SHA1
59efb9465bc3975b72b6cf36fc0e30b978eb6684

SHA256
03bf617620d6b944b807843b540e8817960a07eaea96ac83bc3c5183ab5b19b9

SHA512
436bd77ed47200e5163ed44365077d5cc87aad375cbb10c5fb7fe2448211116ac4ef08b8cd8144d83b8b89372d1874c98dc1ae7fea9795a462e55c9916767fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1tS28Vc0.exe

Filesize
869KB

MD5
e6270b2176593c780f60f15be104dcf3

SHA1
fa6eeccb0a75b8f8f3c20f8e83c926c16bf81f5b

SHA256
c3b3423a5dc83c6360019635e6fd454cdc1a574bed1e571fbbacc9a3b98cedd9

SHA512
80c182ac6f57a8e3b36c3800698dfb4919b33816921b1451bc46a688deeaeb0a6e59ff67931fd786c9465afec8627e06f27bf64c559b33a22c208cd1988c239b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ea7851.exe

Filesize
1.0MB

MD5
f1dc91d40a8241717e8ab836b981c317

SHA1
8a99952151b83fa8a4b3de7e1df6e28dd65e7c41

SHA256
12c957bcda6959ac3d5b471cd5c3a697571193445dbca865dd88ba2828cdd328

SHA512
ead58d474651850d6f5942511546ea11784b5c848a00176c85614ede28eee4e7102589c795fcfb53124da96063e7c44581ba3a48e630f7f4b5990bcdac3f076b

Download Submit
\??\pipe\LOCAL\crashpad_952_AJEBLGLSULEFFJHF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/836-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/836-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1864-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-85-0x0000000007850000-0x000000000788C000-memory.dmp

Filesize
240KB

Download
memory/4352-78-0x0000000004AC0000-0x0000000004ACA000-memory.dmp

Filesize
40KB

Download
memory/4352-82-0x00000000086E0000-0x0000000008CF8000-memory.dmp

Filesize
6.1MB

Download
memory/4352-66-0x0000000007B10000-0x00000000080B4000-memory.dmp

Filesize
5.6MB

Download
memory/4352-84-0x00000000077F0000-0x0000000007802000-memory.dmp

Filesize
72KB

Download
memory/4352-70-0x0000000007640000-0x00000000076D2000-memory.dmp

Filesize
584KB

Download
memory/4352-86-0x00000000078D0000-0x000000000791C000-memory.dmp

Filesize
304KB

Download
memory/4352-83-0x00000000080C0000-0x00000000081CA000-memory.dmp

Filesize
1.0MB

Download
memory/4352-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4556-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download