phemedrone | hxxps://github[.]com/Dvdf45tyv5y/help/raw/main/name[.]rar

Analysis

max time kernel
131s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Dvdf45tyv5y/help/raw/main/name.rar

Score

10^/10

phemedrone discovery stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7370990677:AAFRG5SGghnaK_mDZqGyrOAkScygRIFkkzQ/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

super.exeSelt.exeSelt.exeSelt.exesuper.exeSelt.exe

pid process

5636 super.exe
5920 Selt.exe
5320 Selt.exe
3052 Selt.exe
6016 super.exe
6012 Selt.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

21 raw.githubusercontent.com
24 raw.githubusercontent.com

pid	process
5636	super.exe
5920	Selt.exe
5320	Selt.exe
3052	Selt.exe
6016	super.exe
6012	Selt.exe

flow	ioc
21	raw.githubusercontent.com
24	raw.githubusercontent.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

super.exesuper.exe

description	pid	process	target process
PID 5636 set thread context of 5844	5636	super.exe	RegAsm.exe
PID 6016 set thread context of 4296	6016	super.exe	RegAsm.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5888 5844 WerFault.exe RegAsm.exe
5208 4296 WerFault.exe RegAsm.exe

pid	pid_target	process	target process
5888	5844	WerFault.exe	RegAsm.exe
5208	4296	WerFault.exe	RegAsm.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RegAsm.exesuper.exeRegAsm.exesuper.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	super.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	super.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{A08A398E-2938-44CD-9201-E6B6E4606AE3}	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 431878.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 549983.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
1760	msedge.exe
1760	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
860	identity_helper.exe
860	identity_helper.exe
2544	msedge.exe
2544	msedge.exe
1776	msedge.exe
1776	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

5548 7zFM.exe

pid	process
5548	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exe

pid	process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exe7zFM.exe

description	pid	process
Token: SeRestorePrivilege	5076	7zFM.exe
Token: 35	5076	7zFM.exe
Token: SeRestorePrivilege	5548	7zFM.exe
Token: 35	5548	7zFM.exe
Token: SeSecurityPrivilege	5548	7zFM.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

msedge.exe7zFM.exe7zFM.exe

pid	process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
5076	7zFM.exe
5548	7zFM.exe
5548	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1032 wrote to memory of 5088	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 5088	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 2836	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 1760	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 1760	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 3500	1032	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Dvdf45tyv5y/help/raw/main/name.rar
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa198346f8,0x7ffa19834708,0x7ffa19834718
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6388 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15994898235075309111,9284629542395028775,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6912 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6052

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\name.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5076

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\name.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5548

C:\Users\Admin\Desktop\super.exe
"C:\Users\Admin\Desktop\super.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 1096
    3⤵
    - Program crash
    PID:5888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5844 -ip 5844
1⤵
PID:5884

C:\Users\Admin\Desktop\Selt.exe
"C:\Users\Admin\Desktop\Selt.exe"
1⤵
- Executes dropped EXE
PID:5920

C:\Users\Admin\Desktop\Selt.exe
"C:\Users\Admin\Desktop\Selt.exe"
1⤵
- Executes dropped EXE
PID:5320

C:\Users\Admin\Desktop\Selt.exe
"C:\Users\Admin\Desktop\Selt.exe"
1⤵
- Executes dropped EXE
PID:3052

C:\Users\Admin\Desktop\super.exe
"C:\Users\Admin\Desktop\super.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1060
    3⤵
    - Program crash
    PID:5208

C:\Users\Admin\Desktop\Selt.exe
"C:\Users\Admin\Desktop\Selt.exe"
1⤵
- Executes dropped EXE
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4296 -ip 4296
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\super.exe.log

Filesize
137B

MD5
8a8f1e8a778dff107b41ea564681fe7b

SHA1
08efcfdc3e33281b2b107d16b739b72af4898041

SHA256
d09cdd05da4e3e875d3d5d66c542404519759acda2efa7c00ca69aa3f6234de4

SHA512
a372330793e09c661e6bf8b2c293c1af81de77972b8b4ba47055f07be0fcdfe5e507adbc53903a0cd90c392b36fe4a8a41d3fea923ad97fa061dbef65398edf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9bb16aba-7981-4499-a5c6-fc18a9146575.tmp

Filesize
869B

MD5
4e7ba3af3569250ee11e587b3ce7fbb9

SHA1
3f891a67b27d79d0ffe9ece948a7319f3f2edf52

SHA256
b791da8c2c26e65629e0e046b578e03b91e9c6127050ae34b752f927b3a44527

SHA512
e354693c43ee3eb2ef218992beb7624af72cc33463d039a38f37a71b3dbf8063b9004be7b3e57c237369681054d002f068fcf109576283a8e0b49feeb2ff1e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
41KB

MD5
58756d99d2376dcfbede6057dd25a745

SHA1
76f81b96664cd8863210bb03cc75012eaae96320

SHA256
f5d0da7b010b28a7fe2c314724a966c44068a8c8fa7e9a495e1284aa501067fa

SHA512
476e35c3da0cf223e773c2d26403c12f8c8d034273cca9e3c4cba9359f8506159c2a5267793c8bd9982b636191ddda62e9119593f5599053894c7027a58acc10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
6bfd372d430a80e7624cfc4d66b84edb

SHA1
d4bc3e31e4ed8ab7fe996c6c735d76882698a269

SHA256
21026fac40e54387e077813afc2395c4b09e1cf98595d1e8860e7838ff073c2a

SHA512
b8dd13fe601121276fd33a1095cfebbd7893620dd17e29cdc67281ce1d645f8841cb8b55102aa41decfab1814a6ce346b6d1ac64781515681c68747bd264df9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2e10e4cdb70a1daa867c3962f6df216b

SHA1
c63891448212234c04e767f176408bbda646d83d

SHA256
05d0086fe0b926f72e5a6ea78a6a27b3d0659187abfae7e4c7caf4cbe28a73e4

SHA512
59d9e1fc9be4f841042dbaf1fe5348a0363abdded4f97855d73a9512418fcacd03b2830efb000f68010fd333be1b76f64df7b3ee9f3c27246e538fcf0811ad2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
82b60d06b8a3dabe6ddfcb3afc372303

SHA1
99da6b49b1a4bc6cfcce547ae939a2d055f483f0

SHA256
29901a58d22337cae00bc93cbb6131691e519db6e5fd5a00ab5a616e789a7dac

SHA512
27417f6683f173a057ec68add39c6ce0c8c4787f9b752b05716d677b373596266115ebaa714735e0899bf61d7ffb58e871e5e86d78140187437cd3a454981557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f066e3306a4347282d06b010ce5889f8

SHA1
49d98862a42b1cae7940cf469c0dfc9df31b2f6f

SHA256
5eb4d59a52506d53670a723cf5650ae729664462a157fef8abafe8535598afb5

SHA512
2b78856155229d8781c00435cc1e14aac552c4eaddeefd5101fe102b49147b7086b645587ac96556468d546ef915919dc625abbfb1834737c1017111c78bc511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
046713b0eb671e79127fb358b12f1a21

SHA1
4ec18a8fb87c25a0486aceb10582de9658b51eca

SHA256
ad3eae5f7d969d24c1486bc607384107efa1bf1d0b86d790e834ba40ff41385d

SHA512
fc16a6ddde380a104e1dc3b806feadabee208c2e06477dfa4daa4d1b96be1ba9e8606d176f1c0f8044e0b98b27b07e03ea1172ec66ec29694d4034bdc581af2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
06a0d590087a054a3be7fcaebe5de099

SHA1
6dc7669af32ef362c1dd84112b37ce9f0c23c306

SHA256
ae56719054cd42a632138f3c35c96c1f0fdff4b4392e0480becf8109d413854c

SHA512
f480c4e7d3d92e7c321dcb9d177787f52775c1c3043a8f55ad308d995610589e3ddb84a9ca9be163d11eb1c439ec610d3227b77439b7241239a908c187e08fcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
911e7c2e822e3a3d3dd7468cf736b747

SHA1
35ade3aa670f9bf7c3cce8a610f17bbb5e44ffd9

SHA256
1027f250b530eb4895e37186e9c5caef29f5368715cb94f38051a2ded08b9ecd

SHA512
0006229d4a7d6b2a5313c157c442b5517ec51d0dbe2ee04db484c6e19fbde43ef194bb8590b6505d6f73e1758416c95cc2da4013b9ed02d8011a35869594ffff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b8c1742afd4f7a521cf4725e6669b015

SHA1
299755e624e89a30e1f8d4a06d533b2c70134383

SHA256
f5d60a9658585d1b247efc61979f9c08d1b3fef8ae64d1d0b17663abedc0e097

SHA512
730ea723df634a175657949b7a707afa69804ef3bb2cbaa45b35a147af3d1ff165b1bd1ba8b5f9fcc45f8a0953d75981d59899592e3e7c29aed68c26c38509f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
869B

MD5
71ee6276614ecc3a3b7dad3ed69f62fb

SHA1
0406c51f4276878de7dce0a9ff1130661981eb50

SHA256
1173192660073700a8d140c76b69f4f76b18083bc92c05ac1a8d463c548ef948

SHA512
b49f8bb3ad08fa612ecf572b4bebfdb704cb698b516eeed46b0a7288f04543d8757a3f15fe40f88c7736482fc11a5d9a13a416df1f8bdd04abda37717a6327ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f07a.TMP

Filesize
871B

MD5
709a8492272bd035bc202db0d8ae9500

SHA1
5df7b4477e71e82790cfce84f184e46d6ddb978f

SHA256
847105839bedad8027313fbcf5cc1ceafe5e622ad1bc7fa6deb0950219e6825e

SHA512
226b9258586fd0aba76eb2f7f52f81b2351ab2811c0026340512cad25943b0199aaede5c996e49a1fee8fd0518a9162f9625a7b0aa0dc6e88cf6e460ced6c79c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
18bfdd3401d329b37aef2847116a8874

SHA1
0d1808b28413584223664a3af58d46c362cfddfd

SHA256
115dc88e339f04b0eb7c4ee4eb1350a0f78f231e6b1d7e521a868768a4bc789e

SHA512
ce3e9b1f0cd97a131b3f8db3f4aed98c74646f28fb798e793a01d2a75c50bc06d477e5494e7b3c14efc99bd20a0c410a4e92eb819e753ee2ada20533cf7daa90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
841e3364f806a34cfcf7eff4a322a47f

SHA1
6821df2f1524fc71754c2b26d344e3e5366f4423

SHA256
c4a6b365bfeaa41b5df5199a318b8becff381973866639ebbcc24b44e79629bc

SHA512
2d9e7662305530547c3842fc554211102dfdbfd71bea19f12251a64e9c394c3c80b31b764b4375c2fc5c8ba21ab08e8adc2257b2a4ca361f866b3a138d35460e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3ba9b9261c8d955728011c71ab403ba4

SHA1
08de3d5601a0831cab3a8a4a1855d6dfa900df1e

SHA256
923abe4db100e23356364dc02e17d11b81a99015ed5e6bc7a42009b672ce5b6d

SHA512
200d80dcf8368a6d88a2946e7707c945e7741d47557122c74436b04c47ae68953b1d19c61236513a17b0991bbece0fe567ebb9e0c8fdbd003e0b59dccaa30374

Download Submit
C:\Users\Admin\Desktop\Selt.exe

Filesize
2.5MB

MD5
4c6a33821759feeec94c9b91c6bbe75c

SHA1
f4b9d0400c4ab75c943c9b4b5e1fb6d53aff42c5

SHA256
b32d12f17f133444d4b36a35c003ae4ef7161a39af429b5fda3ed62691a72148

SHA512
921e9891ea9972b064ddf0e30e9f3a50450aa848fdd044ee2cd081a0a7ef36429d077aa2b1b53dd6751ce57d4882172dfdc9c9ca213505ae4dfbd8ec62c1f72f

Download Submit
C:\Users\Admin\Desktop\super.exe

Filesize
126KB

MD5
88eabfceb39398335c6a1a855c9c9cb2

SHA1
05df702e580724bfa02424bbcd02c144f3cecf86

SHA256
44bdfc05878127acc3f37fcdfc7857d50ca9fa80598f76415561151ace72fb69

SHA512
56d86ba7074b71884777595752ffc37f25bd6c3d55fd2d6156253db58affb6e87d12e69239d5d9a9d1f6892b587d02f527d8a2ce3f545ce488f1492019b22359

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 549983.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Admin\Downloads\name.rar

Filesize
2.2MB

MD5
63bb000126860b7ab818544ac957fe04

SHA1
8e0afc4dfb39f943648969cec51a5477941942e9

SHA256
6783a8253f39850ac4568c4a8be02d99586a99f7bcf837e16b3cf797d5636de8

SHA512
508b09725304f797cebc08e4da01d663f797a62bc9e8988bd4d0564262903f73dd8efabf9d87569ee149a8e4eb2652b69cac8932bb5dfdb7453365f2692e1a02

Download Submit
\??\pipe\LOCAL\crashpad_1032_KKWLNOULMZDMMMBT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5636-592-0x0000000005C90000-0x0000000006234000-memory.dmp

Filesize
5.6MB

Download
memory/5636-589-0x0000000000D90000-0x0000000000DB6000-memory.dmp

Filesize
152KB

Download
memory/5844-594-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5844-596-0x00000000050C0000-0x0000000005126000-memory.dmp

Filesize
408KB

Download