redline | hxxp://mediafire[.]com/file/t2h0j8d157urq4i

Analysis

max time kernel
138s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://mediafire.com/file/t2h0j8d157urq4i

Score

10^/10

redline @soonumb7 credential_access discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@soonumb7

185.215.113.22:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1708-330-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 6 IoCs

pid	Process
5736	Launcher.exe
5656	Launcher.exe
1092	Launcher.exe
5144	Launcher.exe
2276	Launcher.exe
436	Launcher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
6	mediafire.com

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 5736 set thread context of 1708	5736	Launcher.exe	132
PID 5656 set thread context of 5620	5656	Launcher.exe	136
PID 1092 set thread context of 4504	1092	Launcher.exe	144
PID 5144 set thread context of 872	5144	Launcher.exe	148
PID 2276 set thread context of 3864	2276	Launcher.exe	151
PID 436 set thread context of 4300	436	Launcher.exe	155

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1336	msedge.exe
1336	msedge.exe
1264	msedge.exe
1264	msedge.exe
2440	identity_helper.exe
2440	identity_helper.exe
5792	msedge.exe
5792	msedge.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
1708	RegAsm.exe
1708	RegAsm.exe
5100	taskmgr.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe
1708	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5100	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	1428	7zG.exe
Token: 35	1428	7zG.exe
Token: SeSecurityPrivilege	1428	7zG.exe
Token: SeSecurityPrivilege	1428	7zG.exe
Token: SeDebugPrivilege	5100	taskmgr.exe
Token: SeSystemProfilePrivilege	5100	taskmgr.exe
Token: SeCreateGlobalPrivilege	5100	taskmgr.exe
Token: SeDebugPrivilege	1708	RegAsm.exe
Token: SeDebugPrivilege	5620	RegAsm.exe
Token: SeDebugPrivilege	4504	RegAsm.exe
Token: SeDebugPrivilege	872	RegAsm.exe
Token: SeDebugPrivilege	3864	RegAsm.exe
Token: SeDebugPrivilege	4300	RegAsm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1428	7zG.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe
5100	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 2904	1264	msedge.exe	84
PID 1264 wrote to memory of 2904	1264	msedge.exe	84
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 5048	1264	msedge.exe	85
PID 1264 wrote to memory of 1336	1264	msedge.exe	86
PID 1264 wrote to memory of 1336	1264	msedge.exe	86
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87
PID 1264 wrote to memory of 2528	1264	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://mediafire.com/file/t2h0j8d157urq4i
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0b8e46f8,0x7ffc0b8e4708,0x7ffc0b8e4718
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7108 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16836336866836594777,14035721024655356886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:5880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5760

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Software 2024\" -spe -an -ai#7zMap12694:88:7zEvent26986
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1428

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5100

C:\Users\Admin\Downloads\Software 2024\Launcher.exe
"C:\Users\Admin\Downloads\Software 2024\Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708

C:\Users\Admin\Downloads\Software 2024\Launcher.exe
"C:\Users\Admin\Downloads\Software 2024\Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:3996

C:\Users\Admin\Downloads\Software 2024\Launcher.exe
"C:\Users\Admin\Downloads\Software 2024\Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4504

C:\Users\Admin\Downloads\Software 2024\Launcher.exe
"C:\Users\Admin\Downloads\Software 2024\Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:872

C:\Users\Admin\Downloads\Software 2024\Launcher.exe
"C:\Users\Admin\Downloads\Software 2024\Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3864

C:\Users\Admin\Downloads\Software 2024\Launcher.exe
"C:\Users\Admin\Downloads\Software 2024\Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Launcher.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
2KB

MD5
54758638183b1f0e9b1310fb17c026c6

SHA1
f8ac3d78496f44bba9f68b40cc463964b7ad4eb9

SHA256
a77066557f80edcdb12a4c7588a3c88bbb282ee30f93dc6b4f7a71c0b93a342c

SHA512
86e7762c96643b55cd8fcf674aa85dd4ec11b2c6019d7e936461dc81a702b95136e7a352b63028b8e6d975b06c3edcbc62506e5ce8c3ae31801a14abc6460a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8d65fa3de59f7a525713b75bd6bcba2e

SHA1
db96f71303ca36fc09e16201536bbc8ce2ec3059

SHA256
e56bfc78427095cca2468b1b2005fa7be7dd4d8f01d22d6d1240feee4eea3b66

SHA512
f0beff5e76886a714d3b43be5a22371b1d7404af279928400a0e9a23ff431a4f28629602cc2dc5375f80cf8166b9c6fe49213311563bed11e8be97ce2307780b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
36KB

MD5
0ed3bbd8305cfacb7b1d75dba2d9fa27

SHA1
65c9ecf65161a115bab70d3c15d7020663237ac8

SHA256
32eede3c12b6c9d2489eae37fa3fce4c301fae05ad1d9d562d300d45e1a5721a

SHA512
5902cb25b73bfd1d9d71bf74af1945581c3d329c3a68869dbd1755701821f8e1b3e99291a22fc72a7a9e64967d9ff634a3cb739d87a67b6e250b2d9b06488e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
201640be1d7d3015cd4764d3ad20ac11

SHA1
1da4e09125fd1d4014f188802d7fa202eb32021a

SHA256
bf13ccfee5e2666fdda4717a6fa11be7e9df2b39ec1d8ed018a6fe0402ad2cda

SHA512
c9a87cfdf6797e3638e261d15a20755636202300e901f693abbb7f9329399a5c63b19ead1d3994de0698f70df52029cfab74f8b104c4beba2fa6c17e7ec093ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
a9ad15490e6f85b9601f372a474ec2d9

SHA1
55ae1ff2957ee3df4f10a64203327122f790dc3e

SHA256
7abcc8d37acf0e15cf1a54a69aed2b90441bf8434ee08a66004b1b04e2fe27cd

SHA512
840a9b098f74897e05af189e97005cb34928964cd58726c994c18cbc6181d5cfb63ddec45bdd608db70e7c828f053f11bec54f213873deb86c0ca2453e5b686f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
7041ca9a120815aa2cbbff9de641277c

SHA1
4dd723a31e793c5c27ae9633b2f9e16a3e6ca1de

SHA256
6a327591cb7be325fcaf2e43332f37b670c985dfd116a868796623b59bc74b92

SHA512
43d4f6a900714dfae1d2c1d363a4cc38fc6c3582da67d2a58bbd824d1fd1f3521963c0fbbbd04e90c931754c5d0e4bddd5a708ff376ed2c30922a9aa84e5c19d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ece831b7d7ec7055303067155fa91b72

SHA1
60110352361a0ee2e32c9ab01d805cac52225e78

SHA256
a1921362c67744cd3f4563fff1f090ce1769f18bb72e27268b349f33e5dbc0f1

SHA512
e82ad706e36b193d9783a8af0fc3705df5d6b46e198018fb499b14e3ebc497f0436fda74311c86492b761f5ffee587b03c3f444772321d5dfe7156e7447b233d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586aac.TMP

Filesize
2KB

MD5
1be2d95578f78294065d455e0481ac35

SHA1
9300f9f5fe57646959425096882d54ce247ebf1a

SHA256
4939ed8fef1b6e9555413b664e2669c34bc0313352665790be94789f811768cb

SHA512
1ff80b7c3ede527f32d39ebf970d568b3e75a7d8fd00ca2c40c21519a8c4f1f3b61c69f6a3f69a4699b8895441786393ff60e9de1f9e0f7bea98431d5df7a115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
08e64e24ebfe546c896fb577bfdd304a

SHA1
8b5066963b382e38cefd202ef809f6cadac92519

SHA256
0fa90a633e2c247f95f728618f33802fcee7dc11673de2bc6cc3bcdcdf6f3cb3

SHA512
f8ca157b18c151e3477be11b4d8e4ce973e5bdf05fb46cf1a1ed5e61063d470c69918d0fe870d6eddb3753d9133db6a526686363fa8fca60960414e73e546d0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2108b547aed188a214ffb8f69c52c57e

SHA1
66ed824a0320f6c19e27e3180adc40e23dd6e3a7

SHA256
492ad8f6917bea333afe74ff900034657b60fdbd1dced3415b9385a2fd3abab8

SHA512
3367689d8659a89f0ecb2d9e85ad266f7a4c462a004331be73d86aa2ae330118f8993ae8ad20d838f1dcd98000ff43f7ebfc3fc2fb4638e10fbfdcf198ec20d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5fbe954152236913e863a1e6fd94834b

SHA1
0585ef9f606d8bb098734fbfb0632be72dd0f74e

SHA256
c9ab7d2dee0f2c5b944e50f6c011a5669a8c62f9436c1aec2327100beebf76c9

SHA512
8162d4e8b9e7a68c143f6aa965a72c860bca8b05dcb2896c3e446cf73c39e33bfdaa0d6a3e3869c8a2802ea70391e65c216f255809ac1b32a202c78ce727d87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpBB1D.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4182098368-2521458979-3782681353-1000\76b53b3ec448f7ccdda2063b15d2bfc3_ea0aa4d6-aa48-4733-9e64-85ab59ce35b0

Filesize
2KB

MD5
0158fe9cead91d1b027b795984737614

SHA1
b41a11f909a7bdf1115088790a5680ac4e23031b

SHA256
513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a

SHA512
c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
09605592a467273df4b1b4645781a8d0

SHA1
8dfaef01c2f5d2c2d99bfe1dccb634168b4909d2

SHA256
24505e98db3b90c15ded1936c1cd6bdd452d408dd48d41f94295906a7e047664

SHA512
8b78363160d8d32fd7676dceb310536ced9e9e02f73c9a6f56c3a526d179031cd00783a440b5d1f386fc27f9ca59f684689f4f0b3392d850e4aa3ebec73ffb60

Download Submit
C:\Users\Admin\Downloads\Software 2024.zip

Filesize
11.1MB

MD5
7020223d2faa5cf2fbe21d10fce6ec2a

SHA1
086262c13a19d1cab6faaf43bb36751b2603388b

SHA256
48d94c328f2ba267b87e182a84cca9e5ea1704987e5c4db0930a5b54693da677

SHA512
406544e40c19b9711a3046fbcbd911491bc99ef2e6b50cc022005d3507859d65cf886a149843b60e534a98b9fe876b649c0b8385cd1ad0bb9edd09479e6fd53f

Download Submit
C:\Users\Admin\Downloads\Software 2024\Launcher.exe

Filesize
313KB

MD5
f40c5863142a0d6044f2c77716376bf7

SHA1
530a0ea2cb3d50b3bf1570d628ec1606474e454e

SHA256
975e53ebc3dc0fc9d9e54d85fbf8355920196967d9d715e1d153de1880638a5b

SHA512
53efb3e40fec85e429f9271516d1f9d49176ab0c03d3061725e3f2ffea4570f60867b423146eda87fdd86d66fde5cb67e33ce93acc15b45860b8819d1e772239

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
005fd4b8d22884279a8bab98d2152d08

SHA1
beaa4a1d63386b1c1d3da6c014ac6bfd9c429c69

SHA256
7d6e2c8ee5f2f4e31072389d337a182db97b987bda3f7ca1dec51903cc8e3bf1

SHA512
a44bbeb069719787a717514dcc3f1b28f9f47098c16e16f5b6c7c0618eb3793f935e037644b5a32ec82aa9221333034ca1589c447af83a7f9aa3f2de39ff1db5

Download Submit
memory/1708-334-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/1708-377-0x0000000009AA0000-0x0000000009AF0000-memory.dmp

Filesize
320KB

Download
memory/1708-373-0x00000000098D0000-0x0000000009A92000-memory.dmp

Filesize
1.8MB

Download
memory/1708-330-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1708-333-0x00000000055F0000-0x0000000005B94000-memory.dmp

Filesize
5.6MB

Download
memory/1708-374-0x0000000009FD0000-0x000000000A4FC000-memory.dmp

Filesize
5.2MB

Download
memory/1708-335-0x0000000005020000-0x000000000502A000-memory.dmp

Filesize
40KB

Download
memory/1708-372-0x0000000009170000-0x00000000091D6000-memory.dmp

Filesize
408KB

Download
memory/1708-352-0x0000000005E60000-0x0000000005ED6000-memory.dmp

Filesize
472KB

Download
memory/1708-353-0x0000000006550000-0x000000000656E000-memory.dmp

Filesize
120KB

Download
memory/1708-356-0x0000000006EE0000-0x00000000074F8000-memory.dmp

Filesize
6.1MB

Download
memory/1708-357-0x0000000008760000-0x000000000886A000-memory.dmp

Filesize
1.0MB

Download
memory/1708-358-0x0000000006DE0000-0x0000000006DF2000-memory.dmp

Filesize
72KB

Download
memory/1708-359-0x0000000006E40000-0x0000000006E7C000-memory.dmp

Filesize
240KB

Download
memory/1708-360-0x0000000006E80000-0x0000000006ECC000-memory.dmp

Filesize
304KB

Download
memory/5100-278-0x0000015E0C2D0000-0x0000015E0C2D1000-memory.dmp

Filesize
4KB

Download
memory/5100-282-0x0000015E0C2D0000-0x0000015E0C2D1000-memory.dmp

Filesize
4KB

Download
memory/5100-283-0x0000015E0C2D0000-0x0000015E0C2D1000-memory.dmp

Filesize
4KB

Download
memory/5100-284-0x0000015E0C2D0000-0x0000015E0C2D1000-memory.dmp

Filesize
4KB

Download
memory/5100-285-0x0000015E0C2D0000-0x0000015E0C2D1000-memory.dmp

Filesize
4KB

Download
memory/5100-286-0x0000015E0C2D0000-0x0000015E0C2D1000-memory.dmp

Filesize
4KB

Download
memory/5100-287-0x0000015E0C2D0000-0x0000015E0C2D1000-memory.dmp

Filesize
4KB

Download
memory/5100-288-0x0000015E0C2D0000-0x0000015E0C2D1000-memory.dmp

Filesize
4KB

Download
memory/5100-277-0x0000015E0C2D0000-0x0000015E0C2D1000-memory.dmp

Filesize
4KB

Download
memory/5100-276-0x0000015E0C2D0000-0x0000015E0C2D1000-memory.dmp

Filesize
4KB

Download
memory/5736-327-0x0000000000420000-0x0000000000474000-memory.dmp

Filesize
336KB

Download