growtopia | hxxps://mediafire[.]com/file/fv9veoyx2lf2x66/GX_Image_Logger[.]zip/file

Analysis

max time kernel
141s
max time network
143s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
05-06-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mediafire.com/file/fv9veoyx2lf2x66/GX_Image_Logger.zip/file

Score

10^/10

growtopia xenorat evasion execution persistence pyinstaller rat stealer trojan

Malware Config

Extracted

Family

xenorat

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8913d

Attributes

delay
5000
install_path
temp
port
45010
startup_name
WindowsErrorHandler

Extracted

Family

growtopia

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

6652 powershell.exe
5756 powershell.exe
5744 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
6652	powershell.exe
5756	powershell.exe
5744	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

Ilkdt.exeWinHostMgr.exeWinErrorMgr.exeSahyui1337.exeKeyGeneratorTOP.exeKeyGeneratorTOP.exeWinErrorMgr.exebauwrdgwodhv.exe

pid	process
1932	Ilkdt.exe
420	WinHostMgr.exe
3256	WinErrorMgr.exe
5344	Sahyui1337.exe
1424	KeyGeneratorTOP.exe
5128	KeyGeneratorTOP.exe
7296	WinErrorMgr.exe
4500	bauwrdgwodhv.exe

Loads dropped DLL 4 IoCs

Processes:

KeyGeneratorTOP.exe

pid process

5128 KeyGeneratorTOP.exe
5128 KeyGeneratorTOP.exe
5128 KeyGeneratorTOP.exe
5128 KeyGeneratorTOP.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

257 pastebin.com
1 mediafire.com
3 mediafire.com
5 mediafire.com
18 pastebin.com
180 discord.com
248 discord.com

pid	process
5128	KeyGeneratorTOP.exe
5128	KeyGeneratorTOP.exe
5128	KeyGeneratorTOP.exe
5128	KeyGeneratorTOP.exe

flow	ioc
257	pastebin.com
1	mediafire.com
3	mediafire.com
5	mediafire.com
18	pastebin.com
180	discord.com
248	discord.com

Drops file in System32 directory 4 IoCs

Processes:

bauwrdgwodhv.exeWinHostMgr.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\MRT.exe	WinHostMgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bauwrdgwodhv.exe

description	pid	process	target process
PID 4500 set thread context of 800	4500	bauwrdgwodhv.exe	conhost.exe
PID 4500 set thread context of 6388	4500	bauwrdgwodhv.exe	explorer.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4220	sc.exe
3096	sc.exe
6252	sc.exe
6372	sc.exe
6328	sc.exe
7112	sc.exe
7732	sc.exe
6408	sc.exe
7500	sc.exe
1876	sc.exe
7116	sc.exe
7088	sc.exe
6316	sc.exe
6900	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

7832 schtasks.exe

pid	process
7832	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

explorer.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\GX_Image_Logger.zip:Zone.Identifier msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\GX_Image_Logger.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeSahyui1337.exepowershell.exemsedge.exeWinErrorMgr.exeWinHostMgr.exepowershell.exebauwrdgwodhv.exepowershell.exe

pid	process
4664	msedge.exe
4664	msedge.exe
4272	msedge.exe
4272	msedge.exe
2088	msedge.exe
2088	msedge.exe
5964	identity_helper.exe
5964	identity_helper.exe
4532	msedge.exe
4532	msedge.exe
5344	Sahyui1337.exe
5344	Sahyui1337.exe
5344	Sahyui1337.exe
5744	powershell.exe
5744	powershell.exe
7048	msedge.exe
7048	msedge.exe
7048	msedge.exe
7048	msedge.exe
5744	powershell.exe
7296	WinErrorMgr.exe
7296	WinErrorMgr.exe
7296	WinErrorMgr.exe
7296	WinErrorMgr.exe
420	WinHostMgr.exe
6652	powershell.exe
6652	powershell.exe
6652	powershell.exe
7296	WinErrorMgr.exe
7296	WinErrorMgr.exe
7296	WinErrorMgr.exe
420	WinHostMgr.exe
420	WinHostMgr.exe
420	WinHostMgr.exe
420	WinHostMgr.exe
420	WinHostMgr.exe
420	WinHostMgr.exe
420	WinHostMgr.exe
420	WinHostMgr.exe
420	WinHostMgr.exe
420	WinHostMgr.exe
420	WinHostMgr.exe
420	WinHostMgr.exe
420	WinHostMgr.exe
420	WinHostMgr.exe
4500	bauwrdgwodhv.exe
5756	powershell.exe
5756	powershell.exe
5756	powershell.exe
7296	WinErrorMgr.exe
7296	WinErrorMgr.exe
7296	WinErrorMgr.exe
4500	bauwrdgwodhv.exe
4500	bauwrdgwodhv.exe
4500	bauwrdgwodhv.exe
4500	bauwrdgwodhv.exe
4500	bauwrdgwodhv.exe
4500	bauwrdgwodhv.exe
4500	bauwrdgwodhv.exe
4500	bauwrdgwodhv.exe
4500	bauwrdgwodhv.exe
4500	bauwrdgwodhv.exe
4500	bauwrdgwodhv.exe
4500	bauwrdgwodhv.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

Processes:

msedge.exe

pid	process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

Sahyui1337.exeIlkdt.exepowershell.exeWinErrorMgr.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exeexplorer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	5344	Sahyui1337.exe
Token: SeDebugPrivilege	1932	Ilkdt.exe
Token: SeDebugPrivilege	5744	powershell.exe
Token: SeDebugPrivilege	7296	WinErrorMgr.exe
Token: SeDebugPrivilege	6652	powershell.exe
Token: SeShutdownPrivilege	7976	powercfg.exe
Token: SeCreatePagefilePrivilege	7976	powercfg.exe
Token: SeShutdownPrivilege	8156	powercfg.exe
Token: SeCreatePagefilePrivilege	8156	powercfg.exe
Token: SeShutdownPrivilege	8020	powercfg.exe
Token: SeCreatePagefilePrivilege	8020	powercfg.exe
Token: SeShutdownPrivilege	8072	powercfg.exe
Token: SeCreatePagefilePrivilege	8072	powercfg.exe
Token: SeDebugPrivilege	5756	powershell.exe
Token: SeLockMemoryPrivilege	6388	explorer.exe
Token: SeShutdownPrivilege	7084	powercfg.exe
Token: SeCreatePagefilePrivilege	7084	powercfg.exe
Token: SeShutdownPrivilege	7060	powercfg.exe
Token: SeCreatePagefilePrivilege	7060	powercfg.exe
Token: SeShutdownPrivilege	7140	powercfg.exe
Token: SeCreatePagefilePrivilege	7140	powercfg.exe
Token: SeShutdownPrivilege	7100	powercfg.exe
Token: SeCreatePagefilePrivilege	7100	powercfg.exe

Suspicious use of FindShellTrayWindow 61 IoCs

Processes:

msedge.exe

pid	process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

GX_Builder.exeGX_Builder.exeKeyGeneratorTOP.exeKeyGeneratorTOP.exe

pid process

752 GX_Builder.exe
380 GX_Builder.exe
1424 KeyGeneratorTOP.exe
5128 KeyGeneratorTOP.exe

pid	process
752	GX_Builder.exe
380	GX_Builder.exe
1424	KeyGeneratorTOP.exe
5128	KeyGeneratorTOP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4272 wrote to memory of 2168	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 2168	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4396	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4664	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4664	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 484	4272	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mediafire.com/file/fv9veoyx2lf2x66/GX_Image_Logger.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff865043cb8,0x7ff865043cc8,0x7ff865043cd8
2⤵
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
2⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
2⤵
PID:484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
2⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
2⤵
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
2⤵
PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
2⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
2⤵
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
2⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6556 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
2⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
2⤵
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1
2⤵
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
2⤵
PID:5272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
2⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
2⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:1
2⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
2⤵
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:1
2⤵
PID:5312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7948 /prefetch:1
2⤵
PID:5328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8548 /prefetch:1
2⤵
PID:6072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
2⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8168 /prefetch:1
2⤵
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9280 /prefetch:1
2⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9456 /prefetch:1
2⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9604 /prefetch:1
2⤵
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9784 /prefetch:1
2⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9792 /prefetch:1
2⤵
PID:5864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10096 /prefetch:1
2⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10224 /prefetch:1
2⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9952 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
2⤵
PID:5256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8236 /prefetch:1
2⤵
PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
2⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9204 /prefetch:1
2⤵
PID:5864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7304 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
2⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=9288 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:7048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7024119594438690316,13561308793751732264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
2⤵
PID:2732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4188

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5196

C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe
"C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAeQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAcQBsACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5744

C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
"C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
"C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:420

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:6304

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:7104

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:6328

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:7112

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:4220

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:7500

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:7732

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7976

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8020

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8072

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8156

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GMDTJRUT"
3⤵
- Launches sc.exe
PID:1876

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
3⤵
- Launches sc.exe
PID:3096

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:7088

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GMDTJRUT"
3⤵
- Launches sc.exe
PID:7116

C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
"C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
2⤵
- Executes dropped EXE
PID:3256

C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7296

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmp500A.tmp" /F
4⤵
- Creates scheduled task(s)
PID:7832

C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
"C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5344

C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
"C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
"C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
4⤵
PID:7748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff865043cb8,0x7ff865043cc8,0x7ff865043cd8
5⤵
PID:7004

C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe
"C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:380

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:6228

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:6324

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:6252

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:6316

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:6372

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:6408

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:6900

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7060

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7084

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7100

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7140

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:800

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e4bf11ed97b6b312e938ca216cf30e

SHA1
ff6b0b475e552dc08a2c81c9eb9230821d3c8290

SHA256
296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad

SHA512
ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
23da8c216a7633c78c347cc80603cd99

SHA1
a378873c9d3484e0c57c1cb6c6895f34fee0ea61

SHA256
03dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3

SHA512
d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027
Filesize
207KB

MD5
e955953b801c04327c1e96c67dd3c618

SHA1
f9061d3780f153e863478106bf1afd85132bccb0

SHA256
e8965a2d52ef25918ebee58ab6971745d396177a7943acf1ed53a65bb4dddd45

SHA512
6318ff1eb838954dd73dab5ed891d47f4f39089fa5e899d30183c32269c5620bd09d169af4cf8303e3d5c2ebab23cfe9ae5d9fa5c3281023abb009f66a25782a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
f4da68f57f594540f2914a8f35182787

SHA1
5056e02835cd54fd8e0657b8fa9f0f71777182fb

SHA256
87ddb4f93005d8ff4664978dd3566b9c0a4681d32923ec88af6ac128affcbeb8

SHA512
5286258a3d555c3643bee67cbd4a1a80471643fe8d8ce4b41171866d425055a0643c16d7ae6a1a4d9ebb8a9744a5f5ec5869eed7fb8d60202ddac6b6135d02a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
11KB

MD5
fc7c227f349a3ae70f79a17b5d3e41c3

SHA1
9f81b88cc571f9006bf2675e230fcce50fcd8962

SHA256
6fd36a214c3c736ee2481230e68bd9499e030f45460d096965a1b082e1780953

SHA512
f4982a9c7135ba19510605fcb3292aef229b9fe1c8fdfa967ef073aa5ccaf79885e0f6a9b8c833864f6f55a08134e706a8730e8ee20857e2105edd0c20c5ef80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
cac62097c76ad0440c0727d24b77458d

SHA1
9ef114310c67f1932da11a41efd21dd4b4c5c63a

SHA256
78f4c868b3998ab91894540cd2ae3021c0153911958dcb651a604414f80b1e7e

SHA512
d3c42181a47a1b3c4ee46f69d0a84f0cd793528812ee7de3443672e3575036cc303f0b94994936346e1eb2106f5105e36f3aecd628c37bcf79485e09cbbd7549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
5a66c29e63e494d683ca0c8649823b5f

SHA1
3024e695902dd6ff22212bdc85f900bc7ddd0544

SHA256
37ca4c6869e084ab4fab91e5c4cf37460b67af3037907254ff774363ef562da4

SHA512
82e531320eabe82b932f31f3501abfc29aaa5a2d1da1a508fab7cdd5f134462964758c0cf9f591c01d2ef3a530dddb3ae95a0f1e446e9de083ee090f0d9c0d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
14KB

MD5
86dfc3682c8df8363e1a51000d11edca

SHA1
e6c2424af5940db23d03ef5ddcfb1a1b9635bc1a

SHA256
1fd4dd270d58560f7e04edd23993e7bb4daf4d6cc776ed6c6ff63248cd0f8016

SHA512
3512b9ca1be229bd2e883e5c9cf87c9c186293a650261fb0fc4f8666119ca08b2cd1ccdb9b18d4c210662093d9aca245824617b281bf9a6594d70715e2015084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
76bcffc07dc5f42fb964559c6e435d29

SHA1
4ae95a24cbeabe4ae68cf997903fef0529547db1

SHA256
0e9d68a70b63a28b0d24a1fc4e69680bceacc7a2dc61380b34c7968dda68ddb5

SHA512
087f7dc5683a2c306f38183ccefe4581e4a3c5abdcdeba59b90db83b2f946911c94cbb96f1e4561f8dda280a07e89a5e5f71a515cd84a250e735baddc5e305aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b788.TMP
Filesize
2KB

MD5
10c964c7a3eb00000dc31795b6d553c3

SHA1
c74db179f6c0c9cc4866b7cb82faf44ee8596768

SHA256
41b57bc4d509154e3f835c4db1da672ab7018366e9b953e1b635b711c456900d

SHA512
72636b973f88b4ba6f051b4f71ec76aea5c01b6f3c8d2f962b26bd5826406a5eb9a0e872dcc2dc74af7a94ee90754775104d21995260059d4bf3966f2e61969a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000002.dbtmp
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
21208fb9666577888efa11bec92e4da4

SHA1
e4a3ba8f944ee53598fa1a5007d666fc647f3a23

SHA256
e429c91dd21c74f5a88e314af9aa975524d03059e76c8c9d9ad764d66dccede4

SHA512
18833e9501a97a9957a949541019cc5fddcb9a08c2c93e2ac98d305876f91a2517241c9483032582c44263bb88c6dc67abf836f4d50b1e5fce077f3d9d38458f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
a340d71359f5b739280166bda3386856

SHA1
1938a0875f891de327401a1c1b6dd057d9510be1

SHA256
164a03a9f0d467c9d0cd29ed530e40b187c4b44dba972202bfdc7aad865b3c60

SHA512
8fc2aa09b10fe16cd62bf1cfaaf0b819ed9442361395a7e3cdc6285b953638dfafc484f1a9bceacaff6f6e49eb07caf614f821ea4a266784cdabdb4f26c61ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
222e855bb48e1a2a0a8985c8b9e59549

SHA1
f7834c1185d08906b9777a73e705d9e96afd264b

SHA256
a688b64c52c870d78163fadba27c7dfbb50a3fd13c26d185cc830156bc8b869d

SHA512
404add7781c1b52177c8f00db7b887131b1659f795af1d845229d68baf62942d7e78a5610ac547e1f33847284eb684674ca610d1152f5b69658261a86212e5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
Filesize
191KB

MD5
e004a568b841c74855f1a8a5d43096c7

SHA1
b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256
d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

SHA512
402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
Filesize
6.9MB

MD5
bd0e4823fbfed11abb6994db7d0e6c09

SHA1
8694f5a67686070fc81445edebef8ead6c38aca8

SHA256
a83dc0d4764f8e41e061dd4e331f341b09cc994fc339fed2445692df7b98affe

SHA512
37f7e77407571c8f4ac298a4580610b0787e7cf8c8993e6816895a1caa71e0c4d97b72f525b9f054071fbf14bf9e87c48c67b39dcc01448213a995d036ff84e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
Filesize
316KB

MD5
675d9e9ab252981f2f919cf914d9681d

SHA1
7485f5c9da283475136df7fa8b62756efbb5dd17

SHA256
0f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d

SHA512
9dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
Filesize
42KB

MD5
d499e979a50c958f1a67f0e2a28af43d

SHA1
1e5fa0824554c31f19ce01a51edb9bed86f67cf0

SHA256
bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e

SHA512
668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
Filesize
5.0MB

MD5
e222309197c5e633aa8e294ba4bdcd29

SHA1
52b3f89a3d2262bf603628093f6d1e71d9cc3820

SHA256
047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b

SHA512
9eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\VCRUNTIME140.dll
Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_bz2.pyd
Filesize
82KB

MD5
90f58f625a6655f80c35532a087a0319

SHA1
d4a7834201bd796dc786b0eb923f8ec5d60f719b

SHA256
bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946

SHA512
b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_decimal.pyd
Filesize
247KB

MD5
f78f9855d2a7ca940b6be51d68b80bf2

SHA1
fd8af3dbd7b0ea3de2274517c74186cb7cd81a05

SHA256
d4ae192bbd4627fc9487a2c1cd9869d1b461c20cfd338194e87f5cf882bbed12

SHA512
6b68c434a6f8c436d890d3c1229d332bd878e5777c421799f84d79679e998b95d2d4a013b09f50c5de4c6a85fcceb796f3c486e36a10cbac509a0da8d8102b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_hashlib.pyd
Filesize
64KB

MD5
8baeb2bd6e52ba38f445ef71ef43a6b8

SHA1
4132f9cd06343ef8b5b60dc8a62be049aa3270c2

SHA256
6c50c9801a5caf0bb52b384f9a0d5a4aa182ca835f293a39e8999cf6edf2f087

SHA512
804a4e19ea622646cea9e0f8c1e284b7f2d02f3620199fa6930dbdadc654fa137c1e12757f87c3a1a71ceff9244aa2f598ee70d345469ca32a0400563fe3aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_lzma.pyd
Filesize
155KB

MD5
cf8de1137f36141afd9ff7c52a3264ee

SHA1
afde95a1d7a545d913387624ef48c60f23cf4a3f

SHA256
22d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16

SHA512
821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_socket.pyd
Filesize
81KB

MD5
439b3ad279befa65bb40ecebddd6228b

SHA1
d3ea91ae7cad9e1ebec11c5d0517132bbc14491e

SHA256
24017d664af20ee3b89514539345caac83eca34825fcf066a23e8a4c99f73e6d

SHA512
a335e1963bb21b34b21aef6b0b14ba8908a5343b88f65294618e029e3d4d0143ea978a5fd76d2df13a918ffab1e2d7143f5a1a91a35e0cc1145809b15af273bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\base_library.zip
Filesize
1.3MB

MD5
44db87e9a433afe94098d3073d1c86d7

SHA1
24cc76d6553563f4d739c9e91a541482f4f83e05

SHA256
2b8b36bd4b1b0ee0599e5d519a91d35d70f03cc09270921630168a386b60ac71

SHA512
55bc2961c0bca42ef6fb4732ec25ef7d7d2ec47c7fb96d8819dd2daa32d990000b326808ae4a03143d6ff2144416e218395cccf8edaa774783234ec7501db611

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\libcrypto-3.dll
Filesize
4.9MB

MD5
51e8a5281c2092e45d8c97fbdbf39560

SHA1
c499c810ed83aaadce3b267807e593ec6b121211

SHA256
2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a

SHA512
98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\python312.dll
Filesize
6.7MB

MD5
48ebfefa21b480a9b0dbfc3364e1d066

SHA1
b44a3a9b8c585b30897ddc2e4249dfcfd07b700a

SHA256
0cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2

SHA512
4e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\select.pyd
Filesize
29KB

MD5
e1604afe8244e1ce4c316c64ea3aa173

SHA1
99704d2c0fa2687997381b65ff3b1b7194220a73

SHA256
74cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5

SHA512
7bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\unicodedata.pyd
Filesize
1.1MB

MD5
fc47b9e23ddf2c128e3569a622868dbe

SHA1
2814643b70847b496cbda990f6442d8ff4f0cb09

SHA256
2a50d629895a05b10a262acf333e7a4a31db5cb035b70d14d1a4be1c3e27d309

SHA512
7c08683820498fdff5f1703db4ad94ad15f2aa877d044eddc4b54d90e7dc162f48b22828cd577c9bb1b56f7c11f777f9785a9da1867bf8c0f2b6e75dc57c3f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_icsgbqks.j0a.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\GX_Image_Logger.zip
Filesize
11.6MB

MD5
0320cabde39fe61ef6e6aa1a30aa9304

SHA1
f8683922467ed12c978216a480646da2736b43d1

SHA256
aa094222e49bcf065d68a71ae3ee75b23d6117b991b48a6dc26e38187fc43e76

SHA512
b6892e282a7687019b4a52c467c6d94c18bfefd84aa296c3b478443e0a6773112cdba0a59e78ea935da16df2a82228f5495dcc5ca47179ace275fac976373141

Download Submit
C:\Users\Admin\Downloads\GX_Image_Logger.zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_4272_OMPQSEZAPZRFTENK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1932-470-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-478-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-463-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-524-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-526-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-464-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-512-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-466-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-461-0x0000000004E40000-0x0000000004EAC000-memory.dmp

Filesize
432KB

Download
memory/1932-468-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-454-0x0000000000430000-0x0000000000466000-memory.dmp

Filesize
216KB

Download
memory/1932-488-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-496-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-500-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-472-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-522-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-520-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-518-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-516-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-514-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-510-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-508-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-506-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-504-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-502-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-498-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-494-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-492-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-490-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-486-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-484-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-482-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-480-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-474-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/1932-476-0x0000000004E40000-0x0000000004EA5000-memory.dmp

Filesize
404KB

Download
memory/3256-455-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/5344-456-0x00000246CED70000-0x00000246CEDC4000-memory.dmp

Filesize
336KB

Download
memory/5744-2132-0x0000000007200000-0x000000000720A000-memory.dmp

Filesize
40KB

Download
memory/5744-2129-0x0000000007040000-0x00000000070E4000-memory.dmp

Filesize
656KB

Download
memory/5744-685-0x0000000005940000-0x0000000005C97000-memory.dmp

Filesize
3.3MB

Download
memory/5744-620-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/5744-462-0x0000000005080000-0x00000000056AA000-memory.dmp

Filesize
6.2MB

Download
memory/5744-1648-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

Filesize
304KB

Download
memory/5744-1344-0x0000000005E30000-0x0000000005E4E000-memory.dmp

Filesize
120KB

Download
memory/5744-619-0x0000000004F80000-0x0000000004FA2000-memory.dmp

Filesize
136KB

Download
memory/5744-2119-0x0000000075140000-0x000000007518C000-memory.dmp

Filesize
304KB

Download
memory/5744-2118-0x0000000006DD0000-0x0000000006E04000-memory.dmp

Filesize
208KB

Download
memory/5744-2128-0x0000000007010000-0x000000000702E000-memory.dmp

Filesize
120KB

Download
memory/5744-2133-0x0000000007400000-0x0000000007496000-memory.dmp

Filesize
600KB

Download
memory/5744-2130-0x00000000077B0000-0x0000000007E2A000-memory.dmp

Filesize
6.5MB

Download
memory/5744-2131-0x0000000007170000-0x000000000718A000-memory.dmp

Filesize
104KB

Download
memory/5744-457-0x0000000002970000-0x00000000029A6000-memory.dmp

Filesize
216KB

Download
memory/5744-2134-0x0000000007380000-0x0000000007391000-memory.dmp

Filesize
68KB

Download
memory/5744-621-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/5744-2135-0x00000000073C0000-0x00000000073CE000-memory.dmp

Filesize
56KB

Download
memory/5744-2136-0x00000000073D0000-0x00000000073E5000-memory.dmp

Filesize
84KB

Download
memory/5744-2137-0x00000000074C0000-0x00000000074DA000-memory.dmp

Filesize
104KB

Download
memory/5744-2139-0x00000000074B0000-0x00000000074B8000-memory.dmp

Filesize
32KB

Download
memory/5756-2205-0x000002763AD50000-0x000002763AD5A000-memory.dmp

Filesize
40KB

Download
memory/5756-2197-0x000002763A790000-0x000002763A7AC000-memory.dmp

Filesize
112KB

Download
memory/5756-2198-0x000002763AB20000-0x000002763ABD3000-memory.dmp

Filesize
716KB

Download
memory/5756-2199-0x000002763A7B0000-0x000002763A7BA000-memory.dmp

Filesize
40KB

Download
memory/5756-2200-0x000002763AD10000-0x000002763AD2C000-memory.dmp

Filesize
112KB

Download
memory/5756-2201-0x000002763ABE0000-0x000002763ABEA000-memory.dmp

Filesize
40KB

Download
memory/5756-2202-0x000002763AD30000-0x000002763AD4A000-memory.dmp

Filesize
104KB

Download
memory/5756-2203-0x000002763ABF0000-0x000002763ABF8000-memory.dmp

Filesize
32KB

Download
memory/5756-2204-0x000002763AC00000-0x000002763AC06000-memory.dmp

Filesize
24KB

Download
memory/6652-2174-0x000001FDF6150000-0x000001FDF6172000-memory.dmp

Filesize
136KB

Download