agenttesla | d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe
Size

858KB
MD5

1c0e94075d35e0751f28d9051b783a47
SHA1

e3965ce4f88efaf02a6442ef2cf4c46a7dbd4fc7
SHA256

d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b
SHA512

a0603b79920fdaeb1925e0cfa559904c9215db6e5f9a5040a538c4538ea3407f37484ef5ac52c2cf05cfe376fe673855da8bc2708990f77683ac043cfa5d6bf1
SSDEEP

24576:/EN973phvt8tmUdkw1xG8fFjGMaOnO+pwFL9N09PPR:/EN973PvEL2wHBODLcP5

Score

10^/10

agenttesla keylogger spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral2/memory/624-1-0x00000000004E0000-0x000000000053E000-memory.dmp	family_agenttesla
behavioral2/memory/1124-165-0x0000000000400000-0x000000000045E000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	mighost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	mighost.exe

Executes dropped EXE 4 IoCs

pid	Process
2568	mighost.exe
1124	mighost.exe
4628	mighost.exe
2504	mighost.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4692-0-0x00000000009A0000-0x0000000000B3E000-memory.dmp	upx
behavioral2/memory/4692-54-0x00000000009A0000-0x0000000000B3E000-memory.dmp	upx
behavioral2/memory/4692-81-0x00000000009A0000-0x0000000000B3E000-memory.dmp	upx
behavioral2/files/0x0008000000023536-152.dat	upx
behavioral2/memory/2568-153-0x0000000000770000-0x000000000090E000-memory.dmp	upx
behavioral2/memory/1124-170-0x0000000000770000-0x000000000090E000-memory.dmp	upx
behavioral2/memory/2568-233-0x0000000000770000-0x000000000090E000-memory.dmp	upx
behavioral2/memory/2568-261-0x0000000000770000-0x000000000090E000-memory.dmp	upx
behavioral2/memory/4628-317-0x0000000000770000-0x000000000090E000-memory.dmp	upx
behavioral2/memory/4628-389-0x0000000000770000-0x000000000090E000-memory.dmp	upx
behavioral2/memory/4628-417-0x0000000000770000-0x000000000090E000-memory.dmp	upx

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4692-54-0x00000000009A0000-0x0000000000B3E000-memory.dmp	autoit_exe
behavioral2/memory/4692-81-0x00000000009A0000-0x0000000000B3E000-memory.dmp	autoit_exe
behavioral2/memory/2568-233-0x0000000000770000-0x000000000090E000-memory.dmp	autoit_exe
behavioral2/memory/2568-261-0x0000000000770000-0x000000000090E000-memory.dmp	autoit_exe
behavioral2/memory/4628-389-0x0000000000770000-0x000000000090E000-memory.dmp	autoit_exe
behavioral2/memory/4628-417-0x0000000000770000-0x000000000090E000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4692 set thread context of 624	4692	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe	86
PID 2568 set thread context of 1124	2568	mighost.exe	117
PID 4628 set thread context of 2504	4628	mighost.exe	132

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2064	schtasks.exe
1020	schtasks.exe
544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2316	msedge.exe
2316	msedge.exe
2140	msedge.exe
2140	msedge.exe
4952	identity_helper.exe
4952	identity_helper.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4692	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe
4692	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe
4692	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2568	mighost.exe
2568	mighost.exe
2568	mighost.exe
4628	mighost.exe
4628	mighost.exe
4628	mighost.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
4692	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe
4692	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe
4692	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2568	mighost.exe
2568	mighost.exe
2568	mighost.exe
4628	mighost.exe
4628	mighost.exe
4628	mighost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 624	4692	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe	86
PID 4692 wrote to memory of 624	4692	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe	86
PID 4692 wrote to memory of 624	4692	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe	86
PID 4692 wrote to memory of 624	4692	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe	86
PID 4692 wrote to memory of 624	4692	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe	86
PID 624 wrote to memory of 2140	624	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe	89
PID 624 wrote to memory of 2140	624	d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe	89
PID 2140 wrote to memory of 4832	2140	msedge.exe	90
PID 2140 wrote to memory of 4832	2140	msedge.exe	90
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2520	2140	msedge.exe	91
PID 2140 wrote to memory of 2316	2140	msedge.exe	92
PID 2140 wrote to memory of 2316	2140	msedge.exe	92
PID 2140 wrote to memory of 5068	2140	msedge.exe	93
PID 2140 wrote to memory of 5068	2140	msedge.exe	93
PID 2140 wrote to memory of 5068	2140	msedge.exe	93
PID 2140 wrote to memory of 5068	2140	msedge.exe	93
PID 2140 wrote to memory of 5068	2140	msedge.exe	93
PID 2140 wrote to memory of 5068	2140	msedge.exe	93
PID 2140 wrote to memory of 5068	2140	msedge.exe	93
PID 2140 wrote to memory of 5068	2140	msedge.exe	93
PID 2140 wrote to memory of 5068	2140	msedge.exe	93
PID 2140 wrote to memory of 5068	2140	msedge.exe	93
PID 2140 wrote to memory of 5068	2140	msedge.exe	93
PID 2140 wrote to memory of 5068	2140	msedge.exe	93
PID 2140 wrote to memory of 5068	2140	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe
"C:\Users\Admin\AppData\Local\Temp\d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe
  "C:\Users\Admin\AppData\Local\Temp\d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb28c946f8,0x7ffb28c94708,0x7ffb28c94718
      4⤵
      PID:4832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
      4⤵
      PID:2520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
      4⤵
      PID:5068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:2324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      4⤵
      PID:952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
      4⤵
      PID:1396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      4⤵
      PID:1908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
      4⤵
      PID:4976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
      4⤵
      PID:868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
      4⤵
      PID:2032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
      4⤵
      PID:1224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
      4⤵
      PID:2592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
      4⤵
      PID:5052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
      4⤵
      PID:2600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
      4⤵
      PID:2360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
      4⤵
      PID:212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
      4⤵
      PID:4916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
      4⤵
      PID:1620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1304 /prefetch:1
      4⤵
      PID:3316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1300 /prefetch:1
      4⤵
      PID:1684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
      4⤵
      PID:4428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,15438190848455933867,3345934905517307987,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2332 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d8bc00a22800a98b9b9d64506366f35f27254fc4dd4e2d5f43f601a91975db1b.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:4792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb28c946f8,0x7ffb28c94708,0x7ffb28c94718
      4⤵
      PID:4940
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn TRACERT /tr "C:\Users\Admin\cdp\mighost.exe" /sc minute /mo 1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1708

C:\Users\Admin\cdp\mighost.exe
C:\Users\Admin\cdp\mighost.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2568
- C:\Users\Admin\cdp\mighost.exe
  "C:\Users\Admin\cdp\mighost.exe"
  2⤵
  - Executes dropped EXE
  PID:1124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mighost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb28c946f8,0x7ffb28c94708,0x7ffb28c94718
      4⤵
      PID:2764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mighost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:2064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb28c946f8,0x7ffb28c94708,0x7ffb28c94718
      4⤵
      PID:4868
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn TRACERT /tr "C:\Users\Admin\cdp\mighost.exe" /sc minute /mo 1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1020

C:\Users\Admin\cdp\mighost.exe
C:\Users\Admin\cdp\mighost.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4628
- C:\Users\Admin\cdp\mighost.exe
  "C:\Users\Admin\cdp\mighost.exe"
  2⤵
  - Executes dropped EXE
  PID:2504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mighost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:4612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb28c946f8,0x7ffb28c94708,0x7ffb28c94718
      4⤵
      PID:4304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mighost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:4372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb28c946f8,0x7ffb28c94708,0x7ffb28c94718
      4⤵
      PID:2988
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn TRACERT /tr "C:\Users\Admin\cdp\mighost.exe" /sc minute /mo 1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
65KB

MD5
c74489f38af9c35da06e303efdd81bf8

SHA1
0b6fe1b83b0e67e9494854ed3340b9f2048ce868

SHA256
82de249fcefe94d3c9ef4ea1c7e79964db15c77da30f06fbdf838ede96d01342

SHA512
b187cdae13496a6a727ae9387f95dba488cd9e9a2c370913c5d58630c9c46e13483c4f943d13710288b02e5a27a4c81faf6014be77c36606f2c522f675551c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
476KB

MD5
1078c2a1a1965caa396d3118cedda6f7

SHA1
1196393650e261397065eb85644b25ff8e1920a6

SHA256
da2403a1c64d35ab57253793f83a82f816db7daa786143b32e2f5b472e1eb108

SHA512
f93eb339b70440c832f1b59d08058870c0aa666cb5e3d7eb5a50ebef132b1b337392fe952c88699dfce67454fa3d326e3e37854dfb1e87cc277a216faae73870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
88KB

MD5
f57bd672fe614986d4123ee65ef4f1df

SHA1
2cc726dbf325b3a303602098110a3a0906c03ba1

SHA256
6b26decf834976a09886a7af692ab99d01936cb8e9367803053f29eddf13ab3d

SHA512
a1df656360c2f18b3043e48be62c3fbee2c55b66cbd8c2b29e42065071549a1a52ea6a26d55581d7088b075bed2aedaf2d3a0d7985ebf59f488394854c907495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
18KB

MD5
870b357c3bae1178740236d64790e444

SHA1
5fa06435d0ecf28cbd005773f8c335c44d7df522

SHA256
0227bd6a0408946e9b4df6f1a340e3713759a42a7677bdb8cb34698e4edf541e

SHA512
7fc902e787b1f51b86d967354c0f2987ea9fd582fef2959831ea6dbc5e7bf998a8f24ba906f0ee99ae8493aeb0c53af06bee106d60b448ac50b827c63b1ed169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2c942a9459f5e6e3_0

Filesize
297B

MD5
01a4fb4fa99fa6b3fc1772210dff195d

SHA1
02696e2b4b4398684e514fb2b7dde6c92d2a0ae8

SHA256
d70e53e60524e12f69295ed6bf59316bc9ab60acd8d24aeb8bacf7f2d1320f47

SHA512
5be9dcbbbbd2914617b4873aa20c5b7bd19a11f9943b0dfbf598d8dc320dd155d5148fe0ab7bb2474e1667090b5f08dc62e89988c243dcf99b60057112ab7ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\429c91b03600a6b9_0

Filesize
187KB

MD5
7b0ae974475b7f9fa18e9dad8a688151

SHA1
583d21507c4eb2f6d113d3e80ced7d67c5f2f22a

SHA256
6b3b5e6d1f8c15df94bc752778d85d12c4958fb483dbd4c5913273bda37338c0

SHA512
819f481058e3c7bf15484c6875f8bdb0ac2f95e52abff63cda818de9ee67c7a735efb0de2e23cc2658e21346dcf1ae1bdc231541fb8780a28e1b8ec333933826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
db3f3e824aa41e58ca068ec712dcdb6a

SHA1
e4719e8e4053854455cb8d6e92daeeed8c944d15

SHA256
e362d7659b35801e0dfb9193cb3beb18566a9c72a3f15fe06e02b54336804b71

SHA512
1ab6345a8d409cdf62804dbcd8c435fd1a831bf4ec33da1b692efe5de1c0f3ae46eeec88e375c89d76ce9ac205ae4c80d460cee168e3868afb21d1947e6da4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7a81d57b2b99eefd_0

Filesize
1.2MB

MD5
4901626c18e7a47b8f51229d1351f1ac

SHA1
f3391d9abc347de73afd91fb928d89338d06096b

SHA256
f506ef6b05a63f37d098b097fac7ffd79d834dcb74c6f68c57d000eab0804559

SHA512
e5dc907fdedb8edc0487ac0160e1bed39fbacc474e12dda4fcab96c38047abda66ae1438624a17d2043d52a4983c1e3b047f69a7837f1c0a5f610a754e131e39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\87e2211e76df2362_0

Filesize
1.3MB

MD5
c312c167d663312a308812f29d139987

SHA1
8c544662354afa2c841a3bb886e9fe7b4e349524

SHA256
aa46d6d0b683aeaa34db181ffa7c3f0b4187c34c4d017c17f05ede973803791e

SHA512
8d586cb4c7e6ce6a9dd896307e2bdc4b406bd0921d481e5c53f0570d914584906109ca999aaebe06764792c02620ca2d8072857a3cd0aa12f7ccf6470779fd06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c89910ba9e5dbdcb_0

Filesize
1KB

MD5
8c24594121ffb1b2c0041f3087c3d044

SHA1
b5af7b3926ff35c3ec8847c7e68cc0f5dfcbcd64

SHA256
9fbc227e9259074ff65d4b138405ed590aefed36a86710fc1c0ae587e0257420

SHA512
0402e6eead2293b20c7ac6c985d1c0ea5b64984e6c7575faf2a6207afa9e59c3d03c3cfd389a7c4776be4222f6817e9b8227fd8509e9b0ac0d6ca9b68cbc7202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
5362bf3c982a9fb754d6847c6091eb80

SHA1
0285d29dd56376e51bc6a90896d897431d81ca67

SHA256
7a8beae6110879fbea53a2ec6d4978460f6aedce3e4886462ba8ac14592a3d3a

SHA512
32f34f8360fe8610af9854584d1d9341044c5c65ac9d7a35dae146049d1f7c35b87c779f21cfdd95f33632859d464f4b51c0bd04b76b16909b4db260a84b71eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
dabe4d7e4c03af156770425186b7bc98

SHA1
2a5590b5274e4db0bbcaf9e1d484ee73db424100

SHA256
5f27932796874c666a53ad70a60506a907cc20377b1bfc4c58c8304b8c7c470e

SHA512
0d47eac2cb253c3c3937c67db291fd2c7b85a3797151d3c8fa4d1f7b42a890bfbe51ecfe67f3640d89dcb2ad235996e8ca49285c4e8635660afc3f13f51dc9f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
f483d71c5335afd7eae394ddd8d7ea8a

SHA1
76287fac6acf9133a3b0e0a35cff3990afead7d7

SHA256
63f47341099a3668beec2d2371b45b8cd3451c1d634419bf87965a731cc390a1

SHA512
17cc851eb3a94a4722d5c18e0efc2ba64e2ba7d5302d748eca75bc5fd1c5968b7faa4bc168138c1c035401dacabe35a887413f80cf6a27b92680c4c042390766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
08211c3b0614cb8d0b12a2cd68a320f9

SHA1
55d8fbd51acf46548b6b7440377f070ce8f23068

SHA256
a18fd7a55da5e36da8f3f2fe261f19f0c021cc03722bb0ce4a831217081fc81d

SHA512
2c9ccfc527e73bd1050f168d502f56e68c7916dd520b377aee9f4197e9e88e201f6b70adeca570aad844eef7f6beb293e01c8cf9506644850e1961e1081bbeff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
965087e52c955356f8981f432e50328c

SHA1
048fa4737ce08bda1ab2ebfc36f5da06c2469c0a

SHA256
da2b70ccd6d0dd2c16e3da447e7cb4c418e7af2eed5883cb5b548b2e5c9b0282

SHA512
5a3f7a987a9755508b6a17f1e636da2abf5fdab69a06b41f9613433f5c3810990cc17083d6e791828725e8f66531bc52584115a5d77fac8673287692548049d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a431d1075ca60b15eba7b6dde78a8713

SHA1
6228a334600ec4b86fff8cb4d13b3e0b107f8ddd

SHA256
befe25c0df6078cf9d7d1a37bb7ea07890df8009e6aa7b5fddc85879d37b5cb7

SHA512
befbd4a00dc7399f1660a6eb98f68cccb321afc2b75207b2218d9faad4abc6fa9ced4ced587ede4773f6811df46b0a73b8e4df4cc0b3dce7e25b3f72b2da78d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6cf45bb60a727a5aebcb90eefc062cf8

SHA1
a4dcfc7ece357303960009430a2cf2b2f62043ba

SHA256
76e775b10862dd4ff2a6e11dc02c06e71a42a80b74e6fe5e06bc0c717b3f36d1

SHA512
286052db61b877d6023313eccf3b9f7bb428b7d329c7411ff08a61748baf727a34995923b18f7e62c8968a79928947a5742bb6def0d83076e86a5186562cc099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9c50e06ba2ebc337d5757151ea30272f

SHA1
f3542999f6949cab69afe2e5d8b972e81850cb08

SHA256
56daa449c3dfa3d3c4f9b9eaa6964fa8a734e64dda04acc86b52933dd5f79fc9

SHA512
b2805f9ee2daeea78e3759d65cac7c20b32a9be0b53b731e27221b4b2d9c66ca456e7debc978a140860fde3d711cf181de75d483ee8290a10f8a2f4d0bcebaf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
f601d28f8b2a82b431ad1319a22ef496

SHA1
e7541899e385d53449b6f51b1f4d0d95229af5b6

SHA256
e848f0d0d0b98e2e4cef99db807a1ee49368b65aff2949697cb7b226a8c9ef98

SHA512
0f78b6891449048333ce9de5313788dc6029400d6384e7ad11d58fd1575ede94900a94b6755a3940f578c8900c7dd33acd2edc13585639705154ea417c6b7717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
722075c90d1a4fea3edfd74bd098f769

SHA1
db272afb1f9fee2f753702842cca5d5da95e1b15

SHA256
7b349d7222f57ff9216dbb3348edc0be164266dfd6537365970123e9a89e9d73

SHA512
4418db46d4ea0f9e5c69826f96412cbe0fbfcf8567b338cd826c36c16f4d5e331d09c9a032eb44b86196b55e62726d9c259e8052bc53dcfb75ee9715320ee79e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
8873a5bb89dc00eabdc0cdd573e348e0

SHA1
c807b45f9784cabe1cc5da37cf9885481bf0f5ff

SHA256
f71eff22ec427f69170eb45cb7bd224bea6df4862891bd0584e0fdc04177fd2b

SHA512
c629c0ee4ed5d1b5e93b14a6651216fc6d56b697c3a30b25475d5b209ab86156d4ca99bfd1b9fe9ed8a681464eff9662f2bb891e27581226c484f07285f32fd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
ffe78343c96c508d63a1bce330a19eec

SHA1
77804c5a2800bba8172f3fcc4487ef7572f02b22

SHA256
23e5bf4ccd3dcf646b7dc45b9f4a89d1c1203276460ef1cc31ea711139ab60f4

SHA512
a6ed3caf80fef13999edf51ff00f25c98a9ed87442cb5a7ec4a9d9b81dc6164c3ae3929eb77ef0774aa24914c72c3eabb8d9a6e0aa1e449c8df7c1aff45ba562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5859a4.TMP

Filesize
371B

MD5
9e6a71a79e2d0323c8f911968f7fa833

SHA1
b467eb6c2509f0e56cf3e62cb8b922e51aeabb77

SHA256
b8f7b8382001546590ee043c7d6b9edb17947fcf099abc2bc9d74f8884e24a71

SHA512
c0b0d8cdb557bb8615a4d9c015b1df1d1338c4071510e4e92776a6d37040d0dfb88335e1d3111881f6a33cb5209bbd6a839d9efe2eddece73c0594cbbb5d1c8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
192010a608835eb119c6e7f66c862440

SHA1
81a23a2c378792137b4623464596ee19fef0486b

SHA256
83aaae45db7560a400137a3ed0899308de42336ef9929bd4080bfe740f9e86f0

SHA512
3b3cdfa307c9ffe18a21dc623181379e9a2f052d4d1ae6787b913788c0ef087672471af32e335b80e46f94de267b3a7fde9471437bcda7347ab95f5e5dd48af3

Download Submit
C:\Users\Admin\cdp\mighost.exe

Filesize
858KB

MD5
b098ebef2969f1e5966115ba08be6849

SHA1
d194fcec04d42bade519bd8ba1723ad14d43a7f1

SHA256
a08e4cb3de2901ad76a9d321cd2d2c2173a19aa3dab4bfc14ddfecb339f6bddf

SHA512
4ab4c37bded881bd2b3365a2500bee102674b394a9038f1edb0e3f9ff2c80e44c9ff06b570930f0834b234b09d1dbb68cebfca19a30a7b18ab300b9ab06d49a6

Download Submit
memory/624-1-0x00000000004E0000-0x000000000053E000-memory.dmp

Filesize
376KB

Download
memory/1124-170-0x0000000000770000-0x000000000090E000-memory.dmp

Filesize
1.6MB

Download
memory/1124-165-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2568-233-0x0000000000770000-0x000000000090E000-memory.dmp

Filesize
1.6MB

Download
memory/2568-261-0x0000000000770000-0x000000000090E000-memory.dmp

Filesize
1.6MB

Download
memory/2568-153-0x0000000000770000-0x000000000090E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-317-0x0000000000770000-0x000000000090E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-417-0x0000000000770000-0x000000000090E000-memory.dmp

Filesize
1.6MB

Download
memory/4628-389-0x0000000000770000-0x000000000090E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-0-0x00000000009A0000-0x0000000000B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-81-0x00000000009A0000-0x0000000000B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-54-0x00000000009A0000-0x0000000000B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-6-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download