gh0strat | bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
Size

2.4MB
MD5

7f9b612b05a19b5c2c1a1776cc620aa6
SHA1

bb80b801a946c0b73a7d31144b266bbf08e1e15a
SHA256

bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e
SHA512

4f0e7a0b6249f51901426c8e33da1d5b5d909bd3aa9a05a1a0458d9af10445131f042d42f4edb3c1cf8cae532d20f3ab15c01e299dbf973e0021de4b87196ffa
SSDEEP

49152:409XJt4HIN2H2tFvduyS1meyboddPSkqeGD+RWk+K:dZJt4HINy2Lk15N7PSkqeGD+X+K

Score

10^/10

gh0strat purplefox discovery evasion persistence rat rootkit spyware stealer trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 9 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/640-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/640-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/640-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1516-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1516-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1516-19-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1516-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1912-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1912-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/640-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/640-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/640-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1516-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1516-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1516-19-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1516-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1912-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1912-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	HD_msedge.exe

Executes dropped EXE 21 IoCs

Processes:

RVN.exeTXPlatforn.exeTXPlatforn.exeHD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exemsedge.exeRVN.exeTXPlatforn.exeTXPlatforn.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

pid	process
640	RVN.exe
1516	TXPlatforn.exe
1912	TXPlatforn.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
552	msedge.exe
3420	RVN.exe
4612	TXPlatforn.exe
2908	TXPlatforn.exe
2440	HD_msedge.exe
4684	HD_msedge.exe
3932	HD_msedge.exe
4680	HD_msedge.exe
1848	HD_msedge.exe
4812	HD_msedge.exe
4916	HD_msedge.exe
4472	HD_msedge.exe
4612	HD_msedge.exe
3416	HD_msedge.exe
2712	HD_msedge.exe
1176	HD_msedge.exe
4040	HD_msedge.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/640-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/640-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/640-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/640-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1516-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1516-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1516-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1516-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1516-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1912-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1912-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

HD_msedge.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HD_msedge.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	HD_msedge.exe

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 7 IoCs

Processes:

msedge.exebf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	HD_msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2740 PING.EXE
4900 PING.EXE

pid	process
2740	PING.EXE
4900	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exeHD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe

pid	process
112	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
112	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

1912 TXPlatforn.exe

pid	process
1912	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

RVN.exeHD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exeTXPlatforn.exeRVN.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	640	RVN.exe
Token: SeDebugPrivilege	4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
Token: SeLoadDriverPrivilege	1912	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3420	RVN.exe
Token: 33	1912	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1912	TXPlatforn.exe
Token: 33	1912	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1912	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

HD_msedge.exe

pid	process
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

HD_msedge.exe

pid	process
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe
2440	HD_msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exeHD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exemsedge.exe

pid	process
112	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
112	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
552	msedge.exe
552	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exeRVN.exeTXPlatforn.execmd.exeHD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exemsedge.exeRVN.exeTXPlatforn.exeHD_msedge.execmd.exe

description	pid	process	target process
PID 112 wrote to memory of 640	112	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	RVN.exe
PID 112 wrote to memory of 640	112	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	RVN.exe
PID 112 wrote to memory of 640	112	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	RVN.exe
PID 640 wrote to memory of 4772	640	RVN.exe	cmd.exe
PID 640 wrote to memory of 4772	640	RVN.exe	cmd.exe
PID 640 wrote to memory of 4772	640	RVN.exe	cmd.exe
PID 1516 wrote to memory of 1912	1516	TXPlatforn.exe	TXPlatforn.exe
PID 1516 wrote to memory of 1912	1516	TXPlatforn.exe	TXPlatforn.exe
PID 1516 wrote to memory of 1912	1516	TXPlatforn.exe	TXPlatforn.exe
PID 112 wrote to memory of 4792	112	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
PID 112 wrote to memory of 4792	112	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
PID 112 wrote to memory of 4792	112	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
PID 4772 wrote to memory of 2740	4772	cmd.exe	PING.EXE
PID 4772 wrote to memory of 2740	4772	cmd.exe	PING.EXE
PID 4772 wrote to memory of 2740	4772	cmd.exe	PING.EXE
PID 4792 wrote to memory of 552	4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	msedge.exe
PID 4792 wrote to memory of 552	4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	msedge.exe
PID 4792 wrote to memory of 552	4792	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	msedge.exe
PID 552 wrote to memory of 3420	552	msedge.exe	RVN.exe
PID 552 wrote to memory of 3420	552	msedge.exe	RVN.exe
PID 552 wrote to memory of 3420	552	msedge.exe	RVN.exe
PID 3420 wrote to memory of 1300	3420	RVN.exe	cmd.exe
PID 3420 wrote to memory of 1300	3420	RVN.exe	cmd.exe
PID 3420 wrote to memory of 1300	3420	RVN.exe	cmd.exe
PID 4612 wrote to memory of 2908	4612	TXPlatforn.exe	TXPlatforn.exe
PID 4612 wrote to memory of 2908	4612	TXPlatforn.exe	TXPlatforn.exe
PID 4612 wrote to memory of 2908	4612	TXPlatforn.exe	TXPlatforn.exe
PID 552 wrote to memory of 2440	552	msedge.exe	HD_msedge.exe
PID 552 wrote to memory of 2440	552	msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 4684	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 4684	2440	HD_msedge.exe	HD_msedge.exe
PID 1300 wrote to memory of 4900	1300	cmd.exe	PING.EXE
PID 1300 wrote to memory of 4900	1300	cmd.exe	PING.EXE
PID 1300 wrote to memory of 4900	1300	cmd.exe	PING.EXE
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe
PID 2440 wrote to memory of 3932	2440	HD_msedge.exe	HD_msedge.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

HD_msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection HD_msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	HD_msedge.exe

C:\Users\Admin\AppData\Local\Temp\bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
"C:\Users\Admin\AppData\Local\Temp\bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:112

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:2740

C:\Users\Admin\AppData\Local\Temp\HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
C:\Users\Admin\AppData\Local\Temp\HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://fivesixseven7.github.io/J-r3i9
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
5⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff284c46f8,0x7fff284c4708,0x7fff284c4718
5⤵
- Executes dropped EXE
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2116,14315272198623333020,14052849951483836924,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
5⤵
- Executes dropped EXE
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,14315272198623333020,14052849951483836924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
5⤵
- Executes dropped EXE
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,14315272198623333020,14052849951483836924,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
5⤵
- Executes dropped EXE
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2116,14315272198623333020,14052849951483836924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2116,14315272198623333020,14052849951483836924,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2116,14315272198623333020,14052849951483836924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2116,14315272198623333020,14052849951483836924,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,14315272198623333020,14052849951483836924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:8
5⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,14315272198623333020,14052849951483836924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:8
5⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2116,14315272198623333020,14052849951483836924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2116,14315272198623333020,14052849951483836924,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:2712

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2116,14315272198623333020,14052849951483836924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2116,14315272198623333020,14052849951483836924,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 /prefetch:2
5⤵
- Executes dropped EXE
PID:4040

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Executes dropped EXE
PID:2908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

Filesize
3.2MB

MD5
ad8536c7440638d40156e883ac25086e

SHA1
fa9e8b7fb10473a01b8925c4c5b0888924a1147c

SHA256
73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a

SHA512
b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
4.4MB

MD5
461b1bb4379c1070899d5252f5589e31

SHA1
8efe2cbf4dd9ebbd5a933dc710a89bde0bc5f65b

SHA256
87a71a4139122efef583859354744c92d6c28d1e006693a8c5cd7169ddd76aad

SHA512
496549cd9a7f43138f29377f343c8e171bde57d2cb984d10cbfc472cd39668476cbd47f9dce62928b486e4b5a189a0628df79ce2d6e851ccde8347509825f3bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f126af13ccc0a757480b4a9c461a00d8

SHA1
46dc30aa188bb76c8eff8baeb5146dc2840e39e3

SHA256
e9e07397938347f74ce9126d2136118e02891c1ec458bf9509d0652f3c6fc336

SHA512
e75321d85d8234ee97fd3b7d81a0c3cde5895a96f4913d731a73fde66524a24d2d520511eac3c80119e528dec8f2145b4ef6a17512c5bd49ac97bf45d4b4504a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
df32ccefdfe6d3fa588155a73241d721

SHA1
80da3ec050b7af1d642bb3c886824c24c6fb61d9

SHA256
5828279949b3579be35765e46115bc99905aba17645c1339114d2dcdc3a94240

SHA512
a9cc305b7e352db632f2548260cc9204ade424d3dcf976bbecc79b496375d297e3959889249a6876449694e20ca7c04ce458ba4def9ecdbebb00138f082f4053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d138bbca599fd787a33d6e9945b291bd

SHA1
2a0763f3f0274cbbd1b0791c992fa9bd1bc81968

SHA256
161ec5373555403eddd3159e19da61a50bc651f993a9de8196aeb247334be0e9

SHA512
550cc7127dd83b6bd08f8615202eaa309f38aa58c92229e83d6a996dd6263b38b888aa80f0a20c3d631aca2622d196196e921a7a0d332aa509f89a5f872ddd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
45e5622ab244146009703db5abba3904

SHA1
a740bd11767d3c0139fe3cefa6643db8f340a423

SHA256
33025464414d0f8063fefebe23d0d35160bc211dbc550c5d7ebf931d1e3bfd1d

SHA512
591bdeec24020a90e9dd3353e5104b52f3f9b66c1129f4ae376b28d9b9701c559378e8b7e3e5a633dacf9d53276076776d7115135cdd6236620c1ccf1dbb6b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe

Filesize
1.1MB

MD5
5d72f35f0181067a2baba946713a727c

SHA1
b59cd908b93335d689f3ac51c87a3a4835d7e6ce

SHA256
21eb6ca2ba0533e6cafbb740e90e3850dc1cb223119100cfd68704152806ec5f

SHA512
6267d08e5c50419f4f60af4f4c8f7cc42f5e61e963de409ef5aecc51b4c222e1eb2044907a5553d82a1e0b335981738ade01daf372506e5b5a55ed64fbbcac41

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
\??\pipe\LOCAL\crashpad_2440_JLVVEWMWSXDXDGLC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/640-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/640-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/640-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/640-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1176-256-0x0000021375000000-0x000002137509E000-memory.dmp

Filesize
632KB

Download
memory/1176-225-0x0000021375000000-0x000002137509E000-memory.dmp

Filesize
632KB

Download
memory/1516-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1516-19-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1516-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1516-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1516-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1848-223-0x000002E97FED0000-0x000002E97FF6E000-memory.dmp

Filesize
632KB

Download
memory/1848-254-0x000002E97FED0000-0x000002E97FF6E000-memory.dmp

Filesize
632KB

Download
memory/1912-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1912-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2712-203-0x000001C38A200000-0x000001C38A29E000-memory.dmp

Filesize
632KB

Download
memory/3416-202-0x0000020E45E00000-0x0000020E45E9E000-memory.dmp

Filesize
632KB

Download
memory/3932-121-0x00007FFF43EA0000-0x00007FFF43EA1000-memory.dmp

Filesize
4KB

Download
memory/3932-222-0x0000022794D00000-0x0000022794D9E000-memory.dmp

Filesize
632KB

Download
memory/3932-227-0x0000022794D00000-0x0000022794D9E000-memory.dmp

Filesize
632KB

Download
memory/3932-253-0x0000022794D00000-0x0000022794D9E000-memory.dmp

Filesize
632KB

Download
memory/4472-187-0x000002565B6D0000-0x000002565B76E000-memory.dmp

Filesize
632KB

Download
memory/4612-224-0x00000236F0360000-0x00000236F03FE000-memory.dmp

Filesize
632KB

Download
memory/4612-255-0x00000236F0360000-0x00000236F03FE000-memory.dmp

Filesize
632KB

Download
memory/4612-268-0x00000236F0360000-0x00000236F03FE000-memory.dmp

Filesize
632KB

Download
memory/4812-160-0x0000022767B10000-0x0000022767BAE000-memory.dmp

Filesize
632KB

Download
memory/4916-166-0x000001DA5ED60000-0x000001DA5EDFE000-memory.dmp

Filesize
632KB

Download