Analysis
-
max time kernel
299s -
max time network
295s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08-06-2024 17:33
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://tlauncher.org/en/
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
https://tlauncher.org/en/
Resource
win11-20240426-en
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes:
  pid   process
  3744  website ip grabber.exe
  1488  Lokibot.exe
  4476  Lokibot.exe
  4664  Lokibot.exe
  3856  Lokibot.exe
-
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                        yara_rule
  behavioral1/memory/1488-1181-0x0000000002C40000-0x0000000002C54000-memory.dmp  agile_net
  behavioral1/memory/4476-1184-0x0000000002B50000-0x0000000002B64000-memory.dmp  agile_net
  behavioral1/memory/4664-1188-0x00000000006F0000-0x0000000000704000-memory.dmp  agile_net
  (PIDs 1488, 4476 and 4664 are three of the Lokibot.exe instances listed under Executes dropped EXE; the rule matched in their memory dumps, not on a file on disk.)
-
Processes (yara_rule upx, 3 IoCs):
  resource                                                                       yara_rule
  C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044   upx
  behavioral1/memory/3744-819-0x0000000000400000-0x0000000000476000-memory.dmp   upx
  behavioral1/memory/3744-851-0x0000000000400000-0x0000000000476000-memory.dmp   upx
  (PID 3744 is website ip grabber.exe, listed under Executes dropped EXE; the same rule hits the Edge cache entry f_000044 and the image mapped at 0x400000 in that process.)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Program crash 4 IoCs
Processes:
  pid   pid_target  process       target process
  4752  628         WerFault.exe  SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe
  1516  2716        WerFault.exe  SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe
  2688  1944        WerFault.exe  SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe
  2908  2776        WerFault.exe  SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
-
Modifies registry class 2 IoCs
Processes:
  Key created  (msedge.exe)
    \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{E15CC22C-0C95-4E97-ABB2-A3BEDF71FC78}
  Key created  (msedge.exe)
    \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings
-
NTFS ADS 4 IoCs
Processes:
  File opened for modification  (msedge.exe)
    C:\Users\Admin\Downloads\Unconfirmed 98984.crdownload:SmartScreen
  File opened for modification  (msedge.exe)
    C:\Users\Admin\Downloads\Unconfirmed 506645.crdownload:SmartScreen
  File opened for modification  (msedge.exe)
    C:\Users\Admin\Downloads\Unconfirmed 263790.crdownload:SmartScreen
  File opened for modification  (msedge.exe)
    C:\Users\Admin\Downloads\Unconfirmed 870466.crdownload:SmartScreen
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
  pid   process              entries
  2304  msedge.exe           2
  516   msedge.exe           3
  2452  identity_helper.exe  2
  5004  msedge.exe           2
  3752  msedge.exe           2
  4660  msedge.exe           2
  4540  msedge.exe           2
  1112  msedge.exe           4
  3388  msedge.exe           2
  2024  msedge.exe           2
  2452  msedge.exe           2
  1488  Lokibot.exe          1
  4476  Lokibot.exe          1
  4664  Lokibot.exe          1
  3856  Lokibot.exe          1
  (PID 2452 appears under two images: first identity_helper.exe, later an msedge.exe quarantine utility process in the process tree. PID 3856 is likewise Lokibot.exe here and werfault.exe at the end of the tree. The sandbox reuses PIDs within a single run, so correlate on PID plus image name or start time, not on PID alone.)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs
Processes:
  pid  process
  516  msedge.exe  (all 24 entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1488  Lokibot.exe
  Token: SeDebugPrivilege  4476  Lokibot.exe
  Token: SeDebugPrivilege  4664  Lokibot.exe
  Token: SeDebugPrivilege  3856  Lokibot.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
  pid  process
  516  msedge.exe  (all 64 entries)
-
Suspicious use of SendNotifyMessage 26 IoCs
Processes:
  pid  process
  516  msedge.exe  (all 26 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description                         pid  process     target process
  PID 516 wrote to memory of 1032     516  msedge.exe  msedge.exe
  PID 516 wrote to memory of 4020     516  msedge.exe  msedge.exe
  PID 516 wrote to memory of 2304     516  msedge.exe  msedge.exe
  PID 516 wrote to memory of 348      516  msedge.exe  msedge.exe
  (The original list repeats each of these four pairs many times, 64 entries in total. Every write comes from the browser process PID 516 into one of its own children: 1032 is the crashpad handler, 4020 the GPU process, 2304 the network service and 348 the storage service in the process tree below. No write from a non-browser image into another process is recorded.)
-
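The two noisiest signatures above, Suspicious use of WriteProcessMemory and Suspicious behavior: EnumeratesProcesses, are flattened lists in which one browser PID repeats dozens of times and two PIDs (2452 and 3856) appear under different image names. The script below is an added example, not part of the Triage report or of any tool it names. It parses lines in the report's own flattened format, collapses repeated writer/target pairs, flags writes where the writer's image differs from the target's, and reports PIDs seen under more than one image. The sample input is constructed: it copies a few pairs from this report and adds one hypothetical Lokibot.exe -> msedge.exe line that does not occur in the report, so that the cross-image check has something to fire on.

```python
"""Collapse noisy sandbox IoC lists; spot cross-image writes and PID reuse.

Added example for this report, not Triage's own code. Line formats follow the
flattened tables above:
  "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
  "<pid> <image>"
"""
import re
from collections import Counter, defaultdict

# Constructed sample. The first four lines copy pairs from the report; the
# Lokibot.exe -> msedge.exe line is hypothetical and NOT in the report.
WPM_LINES = """
PID 516 wrote to memory of 1032 516 msedge.exe msedge.exe
PID 516 wrote to memory of 4020 516 msedge.exe msedge.exe
PID 516 wrote to memory of 4020 516 msedge.exe msedge.exe
PID 516 wrote to memory of 348 516 msedge.exe msedge.exe
PID 1488 wrote to memory of 2304 1488 Lokibot.exe msedge.exe
"""

# Constructed sample of "pid process" entries taken from the EnumeratesProcesses
# list and the process tree (3856 is Lokibot.exe there and werfault.exe later).
PID_PROCESS_LINES = """
2304 msedge.exe
2452 identity_helper.exe
2452 msedge.exe
1488 Lokibot.exe
3744 website ip grabber.exe
3856 Lokibot.exe
3856 werfault.exe
"""

# Image names may contain spaces ("website ip grabber.exe"), so match lazily up
# to a ".exe" suffix instead of splitting on whitespace. The backreference \1
# enforces that the trailing pid column repeats the writer pid, as in the report.
WPM_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) \1 (.+?\.exe) (.+?\.exe)$", re.IGNORECASE
)


def parse_wpm(text):
    """Return Counter {(src_pid, src_image, dst_pid, dst_image): occurrences}."""
    counts = Counter()
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m is None:
            continue  # not in the report's format; skip rather than guess
        src, dst, src_img, dst_img = m.groups()
        counts[(int(src), src_img, int(dst), dst_img)] += 1
    return counts


def cross_image_writes(counts):
    """Writer/target pairs whose image names differ.

    A Chromium-family browser writes into every child it spawns (msedge.exe ->
    msedge.exe), so same-image pairs are expected noise. A different image
    writing into a browser process is the case worth a second look.
    """
    return sorted(k for k in counts if k[1].lower() != k[3].lower())


def pid_reuse(text):
    """Return {pid: [image, ...]} for pids that appear under more than one image."""
    seen = defaultdict(set)
    for line in text.strip().splitlines():
        pid, _, image = line.strip().partition(" ")
        if pid.isdigit() and image:
            seen[int(pid)].add(image)
    return {pid: sorted(images) for pid, images in seen.items() if len(images) > 1}


def summary(wpm_text, pid_text):
    """One line per finding, in a stable order, for quick triage output."""
    counts = parse_wpm(wpm_text)
    lines = [f"{s} {si} -> {d} {di}: {n} write(s)"
             for (s, si, d, di), n in sorted(counts.items())]
    lines += [f"CROSS-IMAGE {s} {si} -> {d} {di}"
              for s, si, d, di in cross_image_writes(counts)]
    lines += [f"PID REUSE {pid}: {', '.join(imgs)}"
              for pid, imgs in sorted(pid_reuse(pid_text).items())]
    return lines


if __name__ == "__main__":
    print("\n".join(summary(WPM_LINES, PID_PROCESS_LINES)))
```

Run against the real report, this collapses the 64 WriteProcessMemory entries to the four browser-internal pairs and raises only the PID-reuse notes; the cross-image finding appears solely because of the constructed Lokibot.exe line.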
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 1, PID 516)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tlauncher.org/en/
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 1032)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9e7046f8,0x7ffa9e704708,0x7ffa9e704718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4020)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 2304)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 348)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 688)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4012)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (level 2, PID 4844)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (level 2, PID 2452)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 1956)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3340)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 676)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4408)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4784)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 812)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5784 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 5004)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5692 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 2216)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3096)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 2148)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 5052)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3928)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3140)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 1460)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4316)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3204)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4924)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3640)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 1268)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3844)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5544 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3624)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 1040)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6896 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 5016)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6716 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3752)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\Downloads\website ip grabber.exe  (level 2, PID 3744)
      Command line: "C:\Users\Admin\Downloads\website ip grabber.exe"
      - Executes dropped EXE

        C:\Windows\SysWOW64\cmd.exe  (level 3, PID 3800)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4040.tmp\website ip grabber.bat""

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 1152)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4660)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4568)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4540)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6540 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 1112)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6940 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4516)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4080 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4496)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3388)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6476 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 2024)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4076)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 1568)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2024 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4024)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1408 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 2452)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,3111604854383022795,15289805808992055462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\Downloads\Lokibot.exe  (level 2, PID 1488)
      Command line: "C:\Users\Admin\Downloads\Lokibot.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\Downloads\Lokibot.exe  (level 2, PID 4476)
      Command line: "C:\Users\Admin\Downloads\Lokibot.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\Downloads\Lokibot.exe  (level 2, PID 4664)
      Command line: "C:\Users\Admin\Downloads\Lokibot.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\Downloads\Lokibot.exe  (level 2, PID 3856)
      Command line: "C:\Users\Admin\Downloads\Lokibot.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\CompPkgSrv.exe  (level 1, PID 1700)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (level 1, PID 4248)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe  (level 1, PID 648)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_ddoser (1).zip\Vulcan_IP_Toolkits.exe  (level 1, PID 4560)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_ddoser (1).zip\Vulcan_IP_Toolkits.exe"

C:\Users\Admin\AppData\Local\Temp\Temp1_ddoser (1).zip\SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe  (level 1, PID 628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_ddoser (1).zip\SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe"

    C:\Windows\SysWOW64\WerFault.exe  (level 2, PID 4752)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 440
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (level 1, PID 4916)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 628 -ip 628

C:\Users\Admin\AppData\Local\Temp\Temp1_ddoser (1).zip\SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe  (level 1, PID 2716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_ddoser (1).zip\SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe"

    C:\Windows\SysWOW64\WerFault.exe  (level 2, PID 1516)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 408
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (level 1, PID 3224)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2716 -ip 2716

C:\Users\Admin\AppData\Local\Temp\Temp1_ddoser (1).zip\SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe  (level 1, PID 1944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_ddoser (1).zip\SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe"

    C:\Windows\SysWOW64\WerFault.exe  (level 2, PID 2688)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 404
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (level 1, PID 4896)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1944 -ip 1944

C:\Windows\SysWOW64\werfault.exe  (level 1, PID 3856)
  Command line: werfault.exe /h /shared Global\6e1012baff064382a77ec7268b735a43 /t 5116 /p 4560
-
C:\Users\Admin\AppData\Local\Temp\Temp1_ddoser (1).zip\SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_ddoser (1).zip\SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe"1⤵PID:2776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 4082⤵
- Program crash
PID:2908
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2776 -ip 27761⤵PID:1772
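The process tree as it comes out of the page exporter glues each image path to its own command line, ends the line with a tree-depth digit and the ⤵ marker, and puts the PID either on the same line or on a following "PID:" line. The Python below is an added example, not tooling from the sandbox or from this report: it parses that export back into a parent/child tree and answers the two questions an analyst asks first, which processes were launched from user-writable paths and which PIDs WerFault.exe reported as crashed. The sample input is constructed from entries on this page; the msedge.exe root line and its PID are assumed, because the excerpt here starts below the browser's root process.

```python
"""Rebuild a sandbox process tree from the page's flattened export and pull out
processes launched from user-writable paths and the PIDs WerFault reported as crashed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample. Entries are copied from the report on this page; the first
# line (an msedge.exe root at depth 1, PID made up) is assumed, since the page
# excerpt does not show the browser's root process.
SAMPLE_TREE = r'''
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://tlauncher.org/en/1⤵PID:1000
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2452 -
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\Temp1_ddoser (1).zip\SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_ddoser (1).zip\SerenityStresser 9.0.0.3 - Cracked by RoN1N.exe"1⤵PID:628
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 4402⤵
- Program crash
PID:4752
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 628 -ip 6281⤵PID:4916
'''

# path = everything up to the first ".exe"; cmd = the rest up to the single
# depth digit that precedes the ⤵ marker; PID may follow the marker directly.
ENTRY = re.compile(r'(?P<path>.*?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?',
                   re.IGNORECASE)
# Locations a standard user can write to: anything launched from here was
# not installed by an administrator.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)\\',
                           re.IGNORECASE)


@dataclass
class Proc:
    path: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    tags: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = None


def parse_tree(text: str) -> List[Proc]:
    procs: List[Proc] = []
    last_by_depth: Dict[int, Proc] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':
            continue
        m = ENTRY.match(line)
        if m:
            p = Proc(m['path'], m['cmd'].strip(), int(m['depth']),
                     int(m['pid']) if m['pid'] else None)
            p.parent = last_by_depth.get(p.depth - 1)   # parent = last entry one level up
            last_by_depth[p.depth] = p
            procs.append(p)
        elif line.startswith('- ') and procs:           # behaviour tag for the current entry
            procs[-1].tags.append(line[2:])
        elif line.startswith('PID:') and procs:         # PID exported on its own line
            procs[-1].pid = int(line[4:].split()[0])
    return procs


def lineage(p: Optional[Proc]) -> str:
    chain = []
    while p is not None:
        chain.append(p.path.rsplit('\\', 1)[-1])
        p = p.parent
    return ' > '.join(reversed(chain))


def launched_from_user_writable(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if USER_WRITABLE.search(p.path)]


def crashed_pids(procs: List[Proc]) -> Dict[int, Optional[str]]:
    """Map each PID named by 'WerFault.exe -u -p <pid>' to the image that crashed."""
    by_pid = {p.pid: p for p in procs if p.pid is not None}
    out: Dict[int, Optional[str]] = {}
    for p in procs:
        if not p.path.lower().endswith('\\werfault.exe') or ' -u ' not in p.cmdline:
            continue
        m = re.search(r'(?:^|\s)-p (\d+)', p.cmdline)
        if m:
            tgt = int(m.group(1))
            out[tgt] = by_pid[tgt].path if tgt in by_pid else None
    return out


if __name__ == '__main__':
    tree = parse_tree(SAMPLE_TREE)
    for p in launched_from_user_writable(tree):
        print(f'user-writable launch: pid={p.pid} {lineage(p)}')
    for pid, image in crashed_pids(tree).items():
        print(f'crashed: pid={pid} image={image}')
```

The depth digit is the only link between parent and child in this export, so the parser keeps the last entry seen at each depth and attaches a new entry to the most recent one a level up; a depth-1 entry starts a new top-level chain.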
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Lokibot.exe.log
Filesize: 425B
MD5: 4eaca4566b22b01cd3bc115b9b0b2196
SHA1: e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256: 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512: bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: c9c4c494f8fba32d95ba2125f00586a3
SHA1: 8a600205528aef7953144f1cf6f7a5115e3611de
SHA256: a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
SHA512: 9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 4dc6fc5e708279a3310fe55d9c44743d
SHA1: a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
SHA256: a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
SHA512: 5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025
Filesize: 69KB
MD5: 4f9d58547367f284c0fa5c840c00b329
SHA1: afdf5a998830ad8bea4d57ad8cb3882ac911b43f
SHA256: 3104d7911ad5190e95f4bcc647740dcc286325ca7a57f46510cd7970aeced0cd
SHA512: 7d21bdf059b4cbb5a1203c8c7333ea91118bab3b6d935f59e7e89637eb31d2a28d69033ce8501431dfbcccdb6df1f05d86cc4d99af01c68270a5577b795eb350
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026
Filesize: 351KB
MD5: 71d40a4243c8e5075e027b5f593a07f4
SHA1: 867a21ceccbabf7395ad0dcf49c67d0b68cc0798
SHA256: 0e7d329bfb5f255e551db44eec91587621b88afbe81be1c7557f7d0699901ef5
SHA512: 2fc6c20e84e1dfd5790e927a9628a8c7facf316691ee63f790019cd4de864998155962035d2f588d01f70b812de1a36ca1655d8bd95b38f9d019b5a348e31dfa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027
Filesize: 134KB
MD5: 8696b3ecdb1f0690a20540ffa1f497c6
SHA1: cb8399657c3304a30ebd06e60648c1ab8d2c6676
SHA256: cd026eddad5f87c35960e4614c03d43be7a1b119249a508e40d40c62a8790997
SHA512: 10919f0466336a759eef92deb02b410c5e6d85a2517fe2f3915ed46c22174db7e1218903063496ab7ff09ff80d542d10d8c49754f8438c5a16728d83b5b83c27
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044
Filesize: 225KB
MD5: 6520d9ab650c992b25c6467324baa2b2
SHA1: 0a1f8a830228eb8f6229fed60b1171b2cdbfa5c1
SHA256: 1100b197992c499e5ae8d484ab83ef06e20e46d4f74847e2f838c98ee1c0caeb
SHA512: 2d8be4db599f735869fc5e9f0357fb5559e828c551399eeee7b9530850bd23577d27d0554e13ceb43ed3c9e7eb933e5509c2bee8408407f01f966e6ca858609b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045
Filesize: 7.2MB
MD5: 23c3066ad3017ec278c44c0b36d36b97
SHA1: e483b66cfef3458a6a290aab324c788a451458ef
SHA256: 89ca73227c8aa89ef8b8c6991518268adf8191850fa7aec05548f60339293651
SHA512: d30a889dce6b63d9d964fd3bd52e50eb1774d774971a07457f19c964398352d8d0080ce75ea85482cabdb04d7ee8b3d0515726ab64f69ff235fd561d0c42ead3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000046
Filesize: 1.4MB
MD5: 473eca3ac6347266138667622d78ea18
SHA1: 82c5eec858e837d89094ce0025040c9db254fbc1
SHA256: fb6e7c535103161ad907f9ce892ca0f33bd07e4e49c21834c3880212dbd5e053
SHA512: bdc09be57edcca7bf232047af683f14b82da1a1c30f8ff5fdd08102c67cdbb728dd7d006de6c1448fdcdc11d4bb917bb78551d2a913fd012aeed0f389233dddf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 4KB
MD5: 08849482d77d6e52e5f99656c2acf96c
SHA1: c58338f05323230264f179fb15fe3068471ee19e
SHA256: e0442cd5ceb8825764e35e38451316fe8d985c2cbc6d8af3ed3f8252901d188a
SHA512: 2acf43197db7d9346b41f94ef5daa175684219858478bef3d9236c42def20f7dc58deaddbdc229a47e88d2dbc188d1143c14f885339c80b962ab8274bc660b6e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 3KB
MD5: 192d1dac21561b6159c13ba2b37e4f51
SHA1: 9a3ce9e8d1c1536aa685946ea5c3fe6bf3102827
SHA256: fc38053dedc3552993697f5c8c15cc00a05ed5390ec4f8a72359a95bb7768eb6
SHA512: ff9dd963ae46f9be54fa330a9bf237838af6c9288c2f156b30e3904a9b9671ea813f16cb3bfc75833f164952d1885d1f2df307beaf076d4ba261078a53faa42f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 3KB
MD5: ba150ea2e47baf32a710118876dd582e
SHA1: 9fd66852b9abfb88b2abf1d0eae3c54fdddef447
SHA256: 5818d6154db43007db55dc4ddb6ecc8c776bebb1013886db8728ce8327066eb5
SHA512: a460cbf74bbd9c97044f9e7f7306cf25895d91f32c28fab51a7c213e2ee55b46ea50b723d0a41c091c199b9cc414ab33c1e18738ee3793853f6a50c10b14f2d7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 8KB
MD5: bce6816f0f94f71e958344b90f0a4647
SHA1: de5b7dca37e8efd23fc41d58489d5fa7a7cd2b7d
SHA256: 2e7b5aa7fc927aabb538d4b02c4e9b750b331b3c7e383a1f33c12d01334acea7
SHA512: 8f6e9e09bc2da0bec98b6c9e49c87fb94ccf764485a59a656ea05784cd3e5126cdd52ff67e60dcd5177e96aa60d3bc1c532874378407c4e2970ef01c8839aeee
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 513a48e8317e3324731496c7cf6d5f6c
SHA1: 05daed72f99f06472d50c6492d78903b0b6f0b6a
SHA256: 492fad2f7cbc77440b0d8a64981691f17442ecff58c6b5e2aeb661797798a4b7
SHA512: f10723e60fee061ff3d6eeb05393fdf844afa5cb20c96ea0807a95ac67cc1be1a2d0df1932be8a03223ee51ac847e001ed0601badc0c8e163ff4a5c6d7c829ba
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: 4a14e66e50887f5ff8c7196747305d7f
SHA1: 65b20e7846c3a8dbca9df51129927a051ca6a320
SHA256: 87dcacaf316f00804c1b31a476037dc93cc3139300285a3b1a044d0f75cfec85
SHA512: 481c79ffe3eb3af4e500a72be381caddfb5a7c28f2c544a8253128d4cb08a6067f5e09bceb88286a31e3239e71e38ab1bbb9c9f8b67834e135bd970c8228839e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 8KB
MD5: c400500613962811117d972106a6ef2b
SHA1: 74eb433e629864e6435dc33f29da0281b945704f
SHA256: 5e0e20469b6a128144e0dc992da9230795f55d4f4fe49022c8276417dc9f1a24
SHA512: 2a9139be642c7ebe6a4c6be1e922a34fb7959f3a3ebb596e6e6500b8447f058b206f3a9f0da74a5e2582c06984cee0162e41ce78ecec8791a36b65358a844ad1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 8KB
MD5: e55791f36e30166f9b4e325fb218d50c
SHA1: 662aaececb4798147c2d7f9f5c3e062aaf95f17d
SHA256: b1bebe78be7cee5b37bc028d9c9a0b91856130cdc1ee6d204a3285f015476957
SHA512: f9e5d5fcd2633dfcc42a6eb335ee2533c37bf42991c6ce763ededbbc7f5ae8532338f9ddd26933291cb2b0b753806d98cbf5d850c14f148b161184d589451e79
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 2KB
MD5: f13f1a7a25b6fcf4ce6c4d11de408ee2
SHA1: 84c77202185087c14ae00bb64b82ffc140db30ff
SHA256: 7effe07ad57c7594cbb1feae0594340cfc8a12c779fdc48c87d983f6ff1b5d90
SHA512: bc054aec8bc01fec7198c3e2a407bdff386f8d5049eed29c2eb241a1d7aa17d4756651e2d52a5ba413b97d8f8e01ef6b783914e8373eb1e9cc3db18cb773d1ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 2KB
MD5: a36f7426276671853008bf0b61c87acb
SHA1: d00f494a72b498c634517e0a93b4aa02267e41fe
SHA256: 5052d2310198b98368c1b6740e41ce5ec0593dd9b49926c0c12e1866cddb6ca1
SHA512: 5e25cdfbe4900e623e0d008f2a47769ddcf3f80eb4d5a8fd7b66ba50b9c1d76dc80af6deb3d6a226f9ecec0b273fcc93a8669a1d4a3711619a7e6fdbfa426601
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 2KB
MD5: 55b41e9a4c7a72f5d02da03e741e5ce8
SHA1: c4b19a7422d20656d91a8c060c835c025e63e378
SHA256: 011caaa4631d82a05535cb1cb36eb5e1dd612bd56b2ffff81d06f6516277be57
SHA512: 71aa50df187e2e237e0fe2b1d4c8bca4bff5ceebe635f57692e99251b2dc3771c673bc094681b23c8946872b5edc1e94e467f6f652db16c989cb6dfb5787ecbb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 2KB
MD5: 2081831712f8cd37b63b511c93318acb
SHA1: f55299f9351a8959ba78c1246176075211774759
SHA256: 6f397bbc77ff5ab92c5b42c398d41ce084adca5f58f23f3f6028258988e9a37e
SHA512: 0ad67ae837130ae7f88ddff4ad192e00ed0b6a4ddbdb23e1efc020103752d98548511a7725d6669c458d6d9e833dcb85dd7bc8823c8ce29a71780d43593c3eef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 2KB
MD5: 28126eaf9e746c70ecdbf0f4ec8e876b
SHA1: 2cf917b2c8417e811f260cc2194b2a022221babc
SHA256: c28c62912d1a0fde332f7dd5098c642a1b0efcc6b9c475ab327bc576bee40990
SHA512: e06a4a448bc0e88ff9cba1e655cda8d475e5ad3968f724bf76fd38927f137fb0fb3be3e79ab0fc7060083c5dcb5cae34275e7876174359c1f98ef6588fb291d3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 2KB
MD5: a6ffddd5159d4aaca0032ac2624865ac
SHA1: a133f9d77a1143255c0571fa094677bd00d36a2b
SHA256: ceecc15ede6080ecaf44350673dd26abe659b0c64d76c0544d6c51b3236f4705
SHA512: 77bc5e750e2348281cff609584815af76bd9d5aa82df0823cbb61b095049969231e6ec2c8a63c7e070a2b25191005136d5369de9ddc55f64a804b8b395987418
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: a91fa7a64d00005e086631658142174c
SHA1: 7cded6d0ff2014168b26f9daeb3cd870a9db569a
SHA256: 6349b82906fb01c387a45d8792795303766b58ce99194113f4f93d5469d1f5c1
SHA512: 2d21e83690983f55c9e83aa787d04221d807aef4560dec932aede6ca98778324407a9a121904908e07979617c945750630dca65c839dc7da7ae7c0eb757a46ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 2KB
MD5: 3227067f78e5841a1e7645f4527cd0c3
SHA1: 78279962b1fb08a2a6f222b43c984346af6dfbfc
SHA256: 5e0fe58f9ea580aada7623df9943ab1b6b00e8607e311e169be727225f496638
SHA512: aa9ff11f903d1cbe4f3035b71be11bd71647f52c95e432d87925e7e44b33c979a850ab59111a58ffaf1c1466bc1a2fb122ebe6b161c8008ed78884ce626096ad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: 732829df4744f351e8f3648a903c4bf0
SHA1: e14036539e168fae36c506fb7b18f77f9dc63e2b
SHA256: 454dc9e81431b950435aabd2b07bcec4f0c59fbf8352788e5a0ccf46a4bac4fa
SHA512: ec2b545aa7b01145dff333b894c6037713f3ced14022422027a529d8c0d27a73db327e861271f8dfdd841544cb7df4a1a2bde1c31ad3bb231c79789c9cd2c9cc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: c90a2461dadf3f65553a4a8e4ad8ef09
SHA1: ededf5aac6862bb1bdb0f9c867a8caee6d0c10b1
SHA256: 1b31cf5ec2a727344c0629827610085a1b35c378ff02ca39bcbe39e72c1a70a3
SHA512: 90925a8fb39ce931eb355af3ab0d3f775f5d00c8fb79bba362fec41a563c7aea9117f061f30ad0dc5ac61dfea716a9c052ff54791e852d34b70e3a48b8bbba39
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: e97354ad800858fc7c695af2149f35c0
SHA1: 0b2739478de8f7eb87d7aa88bba2d9e504c8a338
SHA256: 1eac5cbbd5b183bd460907d34fafe2e6408005f990379039801b228027ea48b2
SHA512: 5281a796365c7961e2f11d8c9961f00c4caf630f406d1fd33878daf7cdad59e24615095ddbb188a9186dc45bdbae44f1d20f901f8eab412a415526399cd33119
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 2KB
MD5: e440bf73aac56c25cdd214ae0190eb09
SHA1: 2503b061ebe1164ef5635f40424c313e475b6656
SHA256: 59a5a9d405ae3228cc07c1902c0212f94315c783480da7916f761c3d50f63970
SHA512: 95bb86384c489b1cd3f5359ede2ab25b3aaa749ff0f06f5da461b2a7e7e4744c6af6e2f8edc5c895a0b6c0e78ce438aafafa993371afda05f870f6e6b0dad117
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 2KB
MD5: 245437a657937ec035c249383626fb44
SHA1: 3a4f190b174d26ba8f93ed9bf138706093023dd9
SHA256: 44ccafb2408b44b4983e885bd7810f3ce941c63cdaa9e2d8bf0c011e08cd5bfa
SHA512: f0f46ee33541bf3b10f9bfcc092cae2f8ccfa8a74db8226f72d7ef98350b10caa779b38c93f1c435855d2c11403c6caa7236adb2d53eee1d9599c0c1fc0e297c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 2KB
MD5: 80345c93ed05c30387ce4b4bfb49e39e
SHA1: 7aa164df99495aae3cada7724365d6f0fc91957f
SHA256: 41eabe4ef70a417f8cc8c355f4b46c5afa69f2363fc2f23d3e9270f9bdefc520
SHA512: 826fd9d069d12302c6fad736a2ee2e70ad96c2b58a442e4e5c9e9b2b1887e303a9d60e8b7503dc722cc273048a06ac7975a92cbd5bee05934138f358cdd5ed2b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579b36.TMP
Filesize: 705B
MD5: c54d3c681b13e1c21a08acd905742f1f
SHA1: 7224e9e8007a76f1647494d7480f00a24008c2e6
SHA256: 1077cdaf41dbdb1422593cf2769a75c1bf3a89bd9a5c8f56c1ec7f586db03d47
SHA512: 255e8cf4ddf539f90bd49f06a85dd5a37de7d8e43017b936401be044716d26107ef87971432d75da42c8cf7bb39f98b10b035ed67fa47eae0fb08f1140145164
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: b78cefcf08c3760f511bdfa20891d640
SHA1: fab8b29a333fe293a512b8184e8203ec8df80c35
SHA256: eecb570f3adf659a63476f5d2b205ae03a71cb105a4551ebbc5cbf1f69a880a7
SHA512: 6d8786e1e061165dbe9fff187ce26159c38086d8cd1116f0b340a604ff3d496e5eddd3f8b95156c26b198a29127c76c5576a604693b5284545d871fd1db62105
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 10KB
MD5: 75e61b7afe7731114db8838451cefa75
SHA1: b0c09f0fc9e313cac0d578a409efe40623c68d4e
SHA256: 34e312f30baac56cd9ac47e2394056c2d2ae8dc4d9bbc9f11351f1b1e0c426cf
SHA512: 2698f0a22dafc63e2fecca6d7cf87461f36ca20b26730f023c00a184c62da1a1b78d8867d0dfd3769bee980efa49906da92b8333e06fef75a97e111f11e4677e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: 8448becb94e6edd2e1a98f8b8f6913e1
SHA1: ed88502430d6545a114c23a46214267ac0299731
SHA256: db2e65fba3f3a0402b2a21cdc373dcc7dbf13157f12a92e5fbcd7d1cf04e85a9
SHA512: 36353c98b74b715ddb675e02b243d2cb4588d15c73e3f2c7f9eedd030442fd638f922d6d297851addb6322f6da1a231e57071e96d6d901da2a90504ac7e811d2
-
C:\Users\Admin\AppData\Local\Temp\4040.tmp\website ip grabber.bat
Filesize: 484B
MD5: de825eb742f2d9cb06edb6a19cb54a54
SHA1: 77b92f377f4b79fba5ec793eb80c573d2b906e58
SHA256: 9b141c2fdea8e31f8ce501c8517f1915e98ee12be3e67fe629f122b1f6e3e32a
SHA512: 69ad990c825adb7892cc7e164c61eb983b4d5e0928b9acc384a089e99971c38a51327bf18bcfca3016b8f0f6acbd41bccea2d96b2a495d92df12c4a141e53fe8
-
C:\Users\Admin\Downloads\Unconfirmed 98984.crdownload
Filesize: 300KB
MD5: f52fbb02ac0666cae74fc389b1844e98
SHA1: f7721d590770e2076e64f148a4ba1241404996b8
SHA256: a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
SHA512: 78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0
-
\??\pipe\LOCAL\crashpad_516_DACAQBOVCIBOAMNJ
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the digests of zero bytes: the sandbox read no content from this crashpad pipe, so the values identify nothing and should not be used as indicators)
-
memory/628-957-0x0000000000CE0000-0x0000000001128000-memory.dmp
Filesize: 4.3MB
-
memory/628-959-0x0000000000CE0000-0x0000000001128000-memory.dmp
Filesize: 4.3MB
-
memory/1488-1182-0x0000000005870000-0x0000000005E14000-memory.dmp
Filesize: 5.6MB
-
memory/1488-1180-0x0000000000850000-0x00000000008A2000-memory.dmp
Filesize: 328KB
-
memory/1488-1193-0x00000000064C0000-0x0000000006504000-memory.dmp
Filesize: 272KB
-
memory/1488-1192-0x0000000005860000-0x0000000005868000-memory.dmp
Filesize: 32KB
-
memory/1488-1191-0x0000000006040000-0x00000000060D2000-memory.dmp
Filesize: 584KB
-
memory/1488-1190-0x00000000053F0000-0x00000000053F8000-memory.dmp
Filesize: 32KB
-
memory/1488-1181-0x0000000002C40000-0x0000000002C54000-memory.dmp
Filesize: 80KB
-
memory/1944-963-0x0000000000770000-0x0000000000BB8000-memory.dmp
Filesize: 4.3MB
-
memory/1944-965-0x0000000000770000-0x0000000000BB8000-memory.dmp
Filesize: 4.3MB
-
memory/2716-962-0x0000000000C90000-0x00000000010D8000-memory.dmp
Filesize: 4.3MB
-
memory/2716-960-0x0000000000C90000-0x00000000010D8000-memory.dmp
Filesize: 4.3MB
-
memory/2776-966-0x0000000000F80000-0x00000000013C8000-memory.dmp
Filesize: 4.3MB
-
memory/2776-968-0x0000000000F80000-0x00000000013C8000-memory.dmp
Filesize: 4.3MB
-
memory/3744-819-0x0000000000400000-0x0000000000476000-memory.dmp
Filesize: 472KB
-
memory/3744-851-0x0000000000400000-0x0000000000476000-memory.dmp
Filesize: 472KB
-
memory/4476-1184-0x0000000002B50000-0x0000000002B64000-memory.dmp
Filesize: 80KB
-
memory/4664-1188-0x00000000006F0000-0x0000000000704000-memory.dmp
Filesize: 80KB
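The artifact table above, as it comes out of the page exporter, glues each path to the label of the following column (a path ending in "Filesize", or in "MD5" for the crashpad pipe, which has no size) and glues every digest to its label ("MD5" followed directly by 32 hex characters). Most entries are Edge profile and cache files that the browser writes on any visit, and the pipe entry carries the digests of zero bytes. The Python below is an added example, not tooling from the sandbox or from this report: it parses the exported form back into records, validates each digest by its length instead of trusting the label prefix (a SHA1 line whose hex begins with "256" would otherwise be misread), drops browser-profile noise and empty-input digests, and emits a YARA hash rule for what remains. The sample input is constructed from entries on this page; the noise pattern and the rule name are assumptions.

```python
"""Parse the flattened artifact list, separate sample artifacts from browser
noise and empty-input digests, and emit a YARA hash rule for the rest."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the exporter's form, taken from entries on this page.
SAMPLE_DOWNLOADS = r'''
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Lokibot.exe.logFilesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5bce6816f0f94f71e958344b90f0a4647
SHA1de5b7dca37e8efd23fc41d58489d5fa7a7cd2b7d
SHA2562e7b5aa7fc927aabb538d4b02c4e9b750b331b3c7e383a1f33c12d01334acea7
SHA5128f6e9e09bc2da0bec98b6c9e49c87fb94ccf764485a59a656ea05784cd3e5126cdd52ff67e60dcd5177e96aa60d3bc1c532874378407c4e2970ef01c8839aeee
-
\??\pipe\LOCAL\crashpad_516_DACAQBOVCIBOAMNJMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\4040.tmp\website ip grabber.batFilesize
484B
MD5de825eb742f2d9cb06edb6a19cb54a54
SHA177b92f377f4b79fba5ec793eb80c573d2b906e58
SHA2569b141c2fdea8e31f8ce501c8517f1915e98ee12be3e67fe629f122b1f6e3e32a
SHA51269ad990c825adb7892cc7e164c61eb983b4d5e0928b9acc384a089e99971c38a51327bf18bcfca3016b8f0f6acbd41bccea2d96b2a495d92df12c4a141e53fe8
-
C:\Users\Admin\Downloads\Unconfirmed 98984.crdownloadFilesize
300KB
MD5f52fbb02ac0666cae74fc389b1844e98
SHA1f7721d590770e2076e64f148a4ba1241404996b8
SHA256a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
SHA51278b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0
-
memory/628-957-0x0000000000CE0000-0x0000000001128000-memory.dmpFilesize
4.3MB
'''

HASH_LEN = {'MD5': 32, 'SHA1': 40, 'SHA256': 64, 'SHA512': 128}
SIZE = re.compile(r'\d+(?:\.\d+)?(?:B|KB|MB|GB)')
# Assumed noise pattern: Edge profile/cache files and the crashpad pipe are
# side effects of the browser, not of the sample.
BROWSER_NOISE = re.compile(r'\\Microsoft\\Edge\\User Data\\|crashpad_', re.IGNORECASE)


@dataclass
class Artifact:
    path: str
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)

    def is_empty_input(self) -> bool:
        # Digests equal to those of zero bytes mean nothing was read from the object.
        return self.hashes.get('SHA256') == hashlib.sha256(b'').hexdigest()


def split_hash(line: str):
    """Split 'SHA1<hex>' into ('SHA1', hex), choosing the label whose digest
    length matches the remaining hex rather than the first label that prefixes."""
    for label, n in HASH_LEN.items():
        body = line[len(label):]
        if line.startswith(label) and len(body) == n and re.fullmatch(r'[0-9a-f]+', body):
            return label, body
    return None


def parse_artifacts(text: str) -> List[Artifact]:
    records: List[Artifact] = []
    cur: Optional[Artifact] = None
    pending: Optional[str] = None       # label glued to the path, digest on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':
            continue
        hit = split_hash(line)
        if hit and cur is not None:
            cur.hashes[hit[0]] = hit[1]
        elif pending and cur is not None and re.fullmatch(r'[0-9a-f]{%d}' % HASH_LEN[pending], line):
            cur.hashes[pending] = line
            pending = None
        elif cur is not None and cur.size is None and not cur.hashes and SIZE.fullmatch(line):
            cur.size = line
        else:
            # New artifact: strip the column label the exporter glued onto the path.
            if line.endswith('Filesize'):
                cur = Artifact(line[:-len('Filesize')])
            elif line.endswith('MD5'):
                cur = Artifact(line[:-3])
                pending = 'MD5'
            else:
                cur = Artifact(line)
            records.append(cur)
    return records


def hunting_candidates(records: List[Artifact]) -> List[Artifact]:
    return [r for r in records
            if 'SHA256' in r.hashes and not r.is_empty_input() and not BROWSER_NOISE.search(r.path)]


def yara_hash_rule(name: str, records: List[Artifact]) -> str:
    conds = ['hash.sha256(0, filesize) == "%s"' % r.hashes['SHA256'] for r in records]
    return ('import "hash"\n\nrule %s\n{\n    condition:\n        %s\n}\n'
            % (name, ' or\n        '.join(conds)))


if __name__ == '__main__':
    found = hunting_candidates(parse_artifacts(SAMPLE_DOWNLOADS))
    print(yara_hash_rule('sandbox_dropped_files', found))
```

Memory dumps carry no digests and drop out on their own; the remaining candidates from this sample are the CLR usage log, the dropped batch file and the browser's .crdownload, which is what a hunt for this session should key on.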