Analysis
- max time kernel: 300s
- max time network: 300s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 06:23
Behavioral tasks (sample and sandbox image used for each task)
- behavioral1: uni/Uni - Copy (10) - Copy.exe on win7-20240508-en
- behavioral2: uni/Uni - Copy (10) - Copy.exe on win10v2004-20240426-en
- behavioral3: uni/Uni - Copy (11) - Copy.exe on win7-20240221-en
- behavioral4: uni/Uni - Copy (11) - Copy.exe on win10v2004-20240226-en
- behavioral5: uni/Uni - Copy (12) - Copy.exe on win7-20240221-en
- behavioral6: uni/Uni - Copy (12) - Copy.exe on win10v2004-20240508-en
- behavioral7: uni/Uni - Copy (13) - Copy.exe on win7-20240419-en
- behavioral8: uni/Uni - Copy (13) - Copy.exe on win10v2004-20240508-en
- behavioral9: uni/Uni - Copy (14) - Copy.exe on win7-20240221-en
- behavioral10: uni/Uni - Copy (14) - Copy.exe on win10v2004-20240426-en
- behavioral11: uni/Uni - Copy (15) - Copy.exe on win7-20240221-en
- behavioral12: uni/Uni - Copy (15) - Copy.exe on win10v2004-20240508-en
- behavioral13: uni/Uni - Copy (16) - Copy.exe on win7-20231129-en
- behavioral14: uni/Uni - Copy (16) - Copy.exe on win10v2004-20240508-en
- behavioral15: uni/Uni - Copy (17) - Copy.exe on win7-20240508-en
- behavioral16: uni/Uni - Copy (17) - Copy.exe on win10v2004-20240508-en
- behavioral17: uni/Uni - Copy (18) - Copy.exe on win7-20240419-en
- behavioral18: uni/Uni - Copy (18) - Copy.exe on win10v2004-20240508-en
- behavioral19: uni/Uni - Copy (19) - Copy.exe on win7-20240221-en
- behavioral20: uni/Uni - Copy (19) - Copy.exe on win10v2004-20240426-en
- behavioral21: uni/Uni - Copy (2) - Copy.exe on win7-20240221-en
- behavioral22: uni/Uni - Copy (2) - Copy.exe on win10v2004-20240508-en
- behavioral23: uni/Uni - Copy (2).exe on win7-20240221-en
- behavioral24: uni/Uni - Copy (2).exe on win10v2004-20240426-en
- behavioral25: uni/Uni - Copy (20) - Copy.exe on win7-20240220-en
- behavioral26: uni/Uni - Copy (20) - Copy.exe on win10v2004-20240226-en
- behavioral27: uni/Uni - Copy (21) - Copy.exe on win7-20240508-en
- behavioral28: uni/Uni - Copy (21) - Copy.exe on win10v2004-20240426-en
- behavioral29: uni/Uni - Copy (22) - Copy.exe on win7-20240220-en
- behavioral30: uni/Uni - Copy (22) - Copy.exe on win10v2004-20240426-en
- behavioral31: uni/Uni - Copy (23) - Copy.exe on win7-20240508-en
General
- Target: uni/Uni - Copy (23) - Copy.exe
- Size: 409KB
- MD5: b70fdac25a99501e3cae11f1b775249e
- SHA1: 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
- SHA256: 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
- SHA512: 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
- SSDEEP: 12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai
Malware Config
Extracted
- Family: quasar
- Version: 3.1.5
- Botnet: SeroXen
- C2: panel-slave.gl.at.ply.gg:57059, panel-slave.gl.at.ply.gg:27892
- Mutex: $Sxr-rpL8EItHN3pqIQQVy2
- encryption_key: Lme7VBS3l58VwLM69PNM
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: SeroXen
- subdirectory: SubDir
Signatures

Quasar RAT
Processes: schtasks.exe
- flow 25: api.ipify.org
- flow 31: ip-api.com
- pid 468: schtasks.exe
- flow 13: ip-api.com

Quasar payload (2 IoCs)
- resource behavioral32/memory/2188-1-0x0000000000D20000-0x0000000000D8C000-memory.dmp: yara rule family_quasar
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe: yara rule family_quasar

Executes dropped EXE (2 IoCs)
Processes: Client.exe, paAgV40AbqGe.exe
- pid 464: Client.exe
- pid 3976: paAgV40AbqGe.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 13: ip-api.com
- flow 25: api.ipify.org
- flow 31: ip-api.com

Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, SCHTASKS.exe
- pid 468: schtasks.exe
- pid 4896: SCHTASKS.exe
- pid 2068: schtasks.exe
- pid 5700: SCHTASKS.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: msedge.exe, identity_helper.exe
- pid 4940: msedge.exe (x2)
- pid 2592: msedge.exe (x2)
- pid 1272: identity_helper.exe (x2)
- pid 3688: msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
Processes: msedge.exe
- pid 2592: msedge.exe (x8)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: Uni - Copy (23) - Copy.exe, Client.exe, AUDIODG.EXE
- Token SeDebugPrivilege: pid 2188 Uni - Copy (23) - Copy.exe
- Token SeDebugPrivilege: pid 464 Client.exe
- Token 33: pid 2580 AUDIODG.EXE
- Token SeIncBasePriorityPrivilege: pid 2580 AUDIODG.EXE

Suspicious use of FindShellTrayWindow (29 IoCs)
Processes: msedge.exe, iexplore.exe, IEXPLORE.EXE
- pid 2592: msedge.exe (x26)
- pid 5260: iexplore.exe
- pid 5960: IEXPLORE.EXE (x2)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
- pid 2592: msedge.exe (x24)

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: Client.exe, paAgV40AbqGe.exe, iexplore.exe, IEXPLORE.EXE
- pid 464: Client.exe
- pid 3976: paAgV40AbqGe.exe
- pid 5260: iexplore.exe (x2)
- pid 5960: IEXPLORE.EXE (x3)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: Uni - Copy (23) - Copy.exe, Client.exe, msedge.exe
- PID 2188 Uni - Copy (23) - Copy.exe wrote to memory of 468 schtasks.exe (x3)
- PID 2188 Uni - Copy (23) - Copy.exe wrote to memory of 464 Client.exe (x3)
- PID 2188 Uni - Copy (23) - Copy.exe wrote to memory of 4896 SCHTASKS.exe (x3)
- PID 464 Client.exe wrote to memory of 2068 schtasks.exe (x3)
- PID 464 Client.exe wrote to memory of 3976 paAgV40AbqGe.exe (x3)
- PID 2592 msedge.exe wrote to memory of 2812 msedge.exe (x2)
- PID 2592 msedge.exe wrote to memory of 4292 msedge.exe (repeated; the bulk of the remaining entries)
- PID 2592 msedge.exe wrote to memory of 4940 msedge.exe (x2)
- PID 2592 msedge.exe wrote to memory of 3036 msedge.exe (x5)
Processes (tree; indentation shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (23) - Copy.exe (PID 2188)
  Command line: "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (23) - Copy.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 468)
    Command line: "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (23) - Copy.exe" /rl HIGHEST /f
    Signatures: Quasar RAT; Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 464)
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2068)
      Command line: "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      Signatures: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\paAgV40AbqGe.exe (PID 3976)
      Command line: "C:\Users\Admin\AppData\Local\Temp\paAgV40AbqGe.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\SCHTASKS.exe (PID 5700)
      Command line: "SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST
      Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\SCHTASKS.exe (PID 4896)
    Command line: "SCHTASKS.exe" /create /tn "$77Uni - Copy (23) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (23) - Copy.exe'" /sc onlogon /rl HIGHEST
    Signatures: Creates scheduled task(s)

- C:\Windows\system32\AUDIODG.EXE (PID 2580)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x408 0x4e8
  Signatures: Suspicious use of AdjustPrivilegeToken

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2592)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - msedge.exe (PID 2812)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa971a46f8,0x7ffa971a4708,0x7ffa971a4718
  - msedge.exe (PID 4292)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  - msedge.exe (PID 4940)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 3036)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  - msedge.exe (PID 5064)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  - msedge.exe (PID 2412)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  - msedge.exe (PID 1252)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4664 /prefetch:8
  - msedge.exe (PID 4644)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  - msedge.exe (PID 2268)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  - identity_helper.exe (PID 1592)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
  - identity_helper.exe (PID 1272)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 4508)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  - msedge.exe (PID 564)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  - msedge.exe (PID 5460)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=printing.mojom.PrintCompositor --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --service-sandbox-type=print_compositor --mojo-platform-channel-handle=5728 /prefetch:8
  - msedge.exe (PID 5540)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5784 /prefetch:6
  - msedge.exe (PID 5756)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  - msedge.exe (PID 5764)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  - msedge.exe (PID 5936)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=printing.mojom.PrintCompositor --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --service-sandbox-type=print_compositor --mojo-platform-channel-handle=5940 /prefetch:8
  - msedge.exe (PID 5352)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5532 /prefetch:8
  - msedge.exe (PID 3688)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,8020959952845075066,10913813856337832051,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5536 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe (PID 3324)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe (PID 684)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\system32\svchost.exe (PID 5368)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

- C:\Program Files\Internet Explorer\iexplore.exe (PID 5260)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 5960)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5260 CREDAT:17410 /prefetch:2
    Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD554929d49151f3d1deb92d4882fd7f29b
SHA174fb1bea4c7ba9b9c69aacab601ad211cc80e12d
SHA25639e5885ca8868a5612268f987e7007fb20526221c11af4e62426bbab4fdc2141
SHA5123900823e9765f7cde1d6148c9d9de8079805d30f421728cf675e1c1264440be1a037394edc9c1e0a4497d2658d7897784a96062b6eb1b829ee1245fadb83087d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD5b737991b5b11c437ae8d74c16e0076ab
SHA138c38456d396cfdaba0e42fe01677c48fd9600c2
SHA256b3dfe2b09360cb316eaa02f953be0c0c797d4e1efc75cb5fec4f75d9345869b5
SHA512ff83dae6a2bef6bead1f35fe38ebb2d1d8cefd68092583a73be1b0277b35c4f3d54b9b79509a8b3b8ec7871abe4bea2032a7327284b5fdf7a0709e07001ea9a8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58b167567021ccb1a9fdf073fa9112ef0
SHA13baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA25626764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5537815e7cc5c694912ac0308147852e4
SHA12ccdd9d9dc637db5462fe8119c0df261146c363c
SHA256b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
SHA51263969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
180B
MD500a455d9d155394bfb4b52258c97c5e5
SHA12761d0c955353e1982a588a3df78f2744cfaa9df
SHA25645a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed
SHA5129553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD587d696decdfd21cd3b2c018af3126a40
SHA14eb04b402bf38aae52cfabbbedc23486bb93d5b2
SHA25657ffd8658262e0f336aa1fbebeddfb43836a612bdfd18fb3a32e4d6845a6a35c
SHA5120580109b9523e30016d608600898c9d60078922e7db1ce306cc3173c3113874de52661fe248cd5d8acff2fd1fea79314122cd81f5058a96290f5dac9a1c770ca
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 9fa5d1e0d7bebbd3e2fbf2e26ab18af2
SHA1: 8d5d09fe0403b09f988ee44f8fb14d7dd5e616ca
SHA256: 83b986d7c9689f90564a4ae6cda4a82f51f32457550d2dc3a76442114718a698
SHA512: 66b50ad40f11708aee578287c2da713bed1e1b9a99577a09b55695a35f8afde99195abed83fdddb77f3eb6d2bf6630141e1f52b228d7988bf9ef2105977ce97b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 09f845bc88ce283bf96ad42083bbdef3
SHA1: b3f0e94bdde4c5eaf7d365e90ea71ec68f629685
SHA256: ec76650280160ff3823e547909ccb702da4aaa1634a415ea1b1c71f4552fca70
SHA512: cc66645548a6b717c7e19fbf266dcc570a3f0ba394bb94c929019758933fbab8edbbdbbd5892b72a9829ea421372ece6cea4e07fd53b980e02e71b5e584d14ea
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: ce4a1bfaeae64d31c94ebbfc66106cc3
SHA1: ac44eceb4e7007708fbafed46138a3778570c84e
SHA256: 1a4c8a0e683cb7e1b192783bb0563d823c469a3590c8abf06bcd68c1197f9ea7
SHA512: 67f1cb90eb7e731fc5f49e7d70abcf767634eb9f347e0e81d33751cbe6d0c1bcd5023cfc78ea7eb57ba19eef0e88ee106b2d59df52754e6cfb132d382fb2d63e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 2cd615d7c43042093d48263284682dc9
SHA1: dc2b9d75377fc9c28c100f14f4ee79368d953f32
SHA256: b46293039693634681be71693dc1168d0ead1a5e2839299f28a678d67a92e1c7
SHA512: 52f306884cb96b9524319f862565771795d374a78ee0fd3ec7328400e7fbdf467f035a34f0e26d2f7cb0d2181c24014995871383b7324ce71da10a1f7318cca8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: ed823bc3e93ba3b49ce120552267fe71
SHA1: 2b0a74b4679806eee0456553402ce110faf8033e
SHA256: e68f41a07fcb782109e49e451418c2880829820076540b38a4e636a8cc75daa7
SHA512: 58134faf7388eae89e4581e93ec2aa490da7c4d52f74ce0648e5e6c5d3560b67abe96016c0c734bee9f4b31d0f43665b9a4b9c5fcb1f8488567fd77336648f06
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 60c1e756abef444215b45599c4969701
SHA1: 81336fe6e1e4bdad85a0e2878cf38b66dd66d8e1
SHA256: f772816457b96035e7090eb011372a0a4ffbdadb142d0126cc67336760b28b9a
SHA512: f0e3c267872eab0ecb6e47dd60808dda1ca135ed35ba7b12ce5c63658efbb79ef8f8cb8b8d2b38f68fcbacbd383034b7fa7c2018bc30a993866762f47da0ae8a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 34e3e82bab649767711cd4eec952d482
SHA1: 5821d07f8d5df3ae1944695f1ebca72ec815ab0f
SHA256: 67061835e2f3496ea89852c7c6a099a49ba877f5ec8785e7a5628c86d2112806
SHA512: 94e1956a73ee8c56bd57f200ce8424f17051419f9db5eef466f71f8a2d730119761b382da67bf24bc1215f98d71eb8edc7f7c5dadb82494e5019fbffeae6c7fa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 48ccac5e97ed63978bf70679922825b7
SHA1: c1e11f4e42318263b0d4525e9ba8c28a9c0e210d
SHA256: 373b3f6136080d829f6e8ec52bef1f22d3c8bd0dc638fe49fa3fe7d171fac9d0
SHA512: c4a068c0ffc2065e55eba4d2f9088499c316bab34fb6c829bc08e512c425730396570a3bdcec8869a43fc1d60dea4b91599ecc10338bb96ac27e31a448863c35
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 4c03c627e47bae91d48ccc0a4279e69f
SHA1: 0b22a47e16636b66fa9bce6d891f95294f350d44
SHA256: 8ccf37d9265215ccb2771924e443ab8452e4aae2c8f44ae2a2192a804465a59b
SHA512: 4c394d5e1302a4dcad9f9bafcc107fa5d5ea5fda482ff404d7463d232359e6eeedcba3d2cbccf4101f78a4e1e080c294fef8cf49b9d401b7b3aa33762df27966
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 4fb2b7c8e1c99df960dea4ca82a4f614
SHA1: 47e21332e85d3e7471a7ab4ee35a785bd0bf42ba
SHA256: ff045924024bba61b931095124fd706e7310808107021dedff17a7eecbb9906a
SHA512: c871e434765322bf5d1333e33c16959474aad15d5a908cf785c56b7be490281a37201185b7031e3bddc687949b10c7ad85990a49ff16c7edba440148e8e18212
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 10KB
MD5: 54f1caf742a43f223981bd74312c62e3
SHA1: 6870926b2514fdea9098337f0e7de468a5f4403d
SHA256: 047ad1f2bf28f51ce3be87d1fd751bd925733619ca00ccd32d6bb73346864e40
SHA512: 76603e0aeeae33af8abda565fa47f9269d667b9469fd2f720e5c2033e5b9f19f496c0119a15342419af4a71c53b8f0f7bc8603e9d6984ba052e301d90971fdfa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: 75ea909b821d83da4bdf5426fd93221c
SHA1: 3efff9640029c4536ee29a43aedc7050c37f21cd
SHA256: cee921cfc9c041a5f79fbc80d710fef0d03c31d59a3c6a8520e1641fd235336a
SHA512: ba03269fb686ccb304ace217ce22c19c50e0f9ca4701f4c5af52fe39e63d392b1abc4e234f7b242440412bcd39cb620328b04b79ef1b6d60a72cf851d1b782f1
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver6202.tmp
Filesize: 15KB
MD5: 1a545d0052b581fbb2ab4c52133846bc
SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
C:\Users\Admin\AppData\Local\Temp\paAgV40AbqGe.exe
Filesize: 277KB
MD5: dac0c5b2380cbdd93b46763427c9f8df
SHA1: 038089e1a0ac8375be797fc3ce7ae719abc72834
SHA256: d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6
SHA512: 05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize: 409KB
MD5: b70fdac25a99501e3cae11f1b775249e
SHA1: 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256: 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512: 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
-
\??\pipe\LOCAL\crashpad_2592_LTDDITNSZEWJKMON
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/464-19-0x0000000075380000-0x0000000075B30000-memory.dmp
Filesize: 7.7MB
-
memory/464-17-0x0000000006960000-0x000000000696A000-memory.dmp
Filesize: 40KB
-
memory/464-86-0x0000000075380000-0x0000000075B30000-memory.dmp
Filesize: 7.7MB
-
memory/464-13-0x0000000075380000-0x0000000075B30000-memory.dmp
Filesize: 7.7MB
-
memory/464-12-0x0000000075380000-0x0000000075B30000-memory.dmp
Filesize: 7.7MB
-
memory/464-18-0x0000000075380000-0x0000000075B30000-memory.dmp
Filesize: 7.7MB
-
memory/2188-0-0x000000007538E000-0x000000007538F000-memory.dmp
Filesize: 4KB
-
memory/2188-5-0x0000000005840000-0x00000000058A6000-memory.dmp
Filesize: 408KB
-
memory/2188-4-0x0000000075380000-0x0000000075B30000-memory.dmp
Filesize: 7.7MB
-
memory/2188-3-0x00000000057A0000-0x0000000005832000-memory.dmp
Filesize: 584KB
-
memory/2188-2-0x0000000005D50000-0x00000000062F4000-memory.dmp
Filesize: 5.6MB
-
memory/2188-6-0x0000000005CF0000-0x0000000005D02000-memory.dmp
Filesize: 72KB
-
memory/2188-1-0x0000000000D20000-0x0000000000D8C000-memory.dmp
Filesize: 432KB
-
memory/2188-15-0x0000000075380000-0x0000000075B30000-memory.dmp
Filesize: 7.7MB
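The listing above is the report's dropped-file and memory-dump table as it came out of extraction, with each label fused onto the value that follows it. The script below is an added example, not part of the sandbox report or of the sandbox's own tooling: it parses that flattened layout into records, checks each digest has the right length, flags digests of zero-byte input (the crashpad named-pipe entry carries exactly those four, so it is an empty stream rather than a payload to pivot on), and checks that every memory/<pid>-<n>-<start>-<end>-memory.dmp name spans the size the report states for it. The sample input is a handful of entries copied verbatim from the listing; the function and type names are this example's own.

```python
"""Parse a flattened sandbox dropped-file / memory-dump listing into checked
IOC records. Added example; not the report's or the sandbox's own code."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero bytes of input, computed rather than hardcoded. A dropped
# "file" carrying these is an empty stream, not a payload worth pivoting on.
EMPTY_DIGEST = {n: getattr(hashlib, n.lower())(b"").hexdigest() for n in HASH_LEN}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]*)$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample input: entries copied from the listing above, label fusing intact.
SAMPLE = r"""C:\Users\Admin\AppData\Local\Temp\paAgV40AbqGe.exeFilesize
277KB
MD5dac0c5b2380cbdd93b46763427c9f8df
SHA1038089e1a0ac8375be797fc3ce7ae719abc72834
SHA256d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6
SHA51205cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023
-
\??\pipe\LOCAL\crashpad_2592_LTDDITNSZEWJKMONMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2188-4-0x0000000075380000-0x0000000075B30000-memory.dmpFilesize
7.7MB
-
memory/2188-5-0x0000000005840000-0x00000000058A6000-memory.dmpFilesize
408KB
"""


@dataclass
class Record:
    path: str
    size_text: Optional[str] = None
    hashes: dict = field(default_factory=dict)

    @property
    def size_bytes(self) -> Optional[float]:
        m = SIZE_RE.match(self.size_text or "")
        return float(m.group(1)) * UNIT[m.group(2)] if m else None

    @property
    def size_tolerance(self) -> float:
        """Half of the last displayed digit: the report rounds sizes (7.7MB, 408KB)."""
        m = SIZE_RE.match(self.size_text or "")
        if not m:
            return 0.0
        decimals = len(m.group(1).split(".")[1]) if "." in m.group(1) else 0
        return 0.5 * UNIT[m.group(2)] / (10 ** decimals)


def parse_listing(text: str) -> list:
    """Split the flattened listing into Records. A label fused onto a path line
    ("...exeFilesize", "...MD5") means its value is on the next line."""
    records, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # record separator
            if cur is not None:
                records.append(cur)
            cur, pending = None, None
            continue
        if cur is not None and pending is not None:
            if pending == "Filesize":
                cur.size_text = line
            else:
                cur.hashes[pending] = line.lower()
            pending = None
            continue
        m = HASH_RE.match(line)
        if cur is not None and m:            # "SHA1<hex>" on one line
            if m.group(2):
                cur.hashes[m.group(1)] = m.group(2).lower()
            else:
                pending = m.group(1)
            continue
        if cur is not None:                  # separator missing; close the record anyway
            records.append(cur)
        cur = Record(path=line)
        for label in ("Filesize", *HASH_LEN):
            if line.endswith(label):
                cur.path, pending = line[: -len(label)], label
                break
    if cur is not None:
        records.append(cur)
    return records


def region_span(path: str) -> Optional[int]:
    """Bytes covered by a memory/<pid>-<n>-<start>-<end>-memory.dmp name, else None."""
    m = MEM_RE.match(path)
    return int(m.group(4), 16) - int(m.group(3), 16) if m else None


def check(rec: Record) -> list:
    """Findings to read before pivoting on a record: malformed or empty-input
    digests, memory dumps whose name disagrees with the stated size, no size."""
    findings = []
    for name, value in rec.hashes.items():
        if len(value) != HASH_LEN[name] or re.fullmatch(r"[0-9a-f]+", value) is None:
            findings.append(f"malformed {name}")
        elif value == EMPTY_DIGEST[name]:
            findings.append(f"{name} is the empty-input digest")
    span = region_span(rec.path)
    if span is not None:
        if rec.size_bytes is None or abs(span - rec.size_bytes) > rec.size_tolerance:
            findings.append(f"dump name spans {span} bytes but Filesize says {rec.size_text}")
    elif rec.size_text is None:
        findings.append("no Filesize")
    return findings


def file_iocs(records) -> list:
    """SHA256s worth pivoting on: on-disk files (not memory regions) with no findings."""
    return [r.hashes["SHA256"] for r in records
            if region_span(r.path) is None and "SHA256" in r.hashes and not check(r)]


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for rec in recs:
        print(rec.path, rec.size_text, check(rec) or "ok")
    print("pivot on:", file_iocs(recs))
```

Sizes are decoded with 1024-based units because that is what the report's own numbers imply: 0x75B30000 - 0x75380000 is 8060928 bytes, which is 7.7 MiB, and 0x58A6000 - 0x5840000 is exactly 408 KiB. The tolerance is half of the last printed digit, so a dump whose address range and stated size disagree by more than rounding is reported rather than silently accepted.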