xehook | hxxps://github[.]com/MoncleCompass/Best-Blox-Fruits-Scripts-2024/releases/tag/v3[.]7

Analysis

max time kernel
112s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/MoncleCompass/Best-Blox-Fruits-Scripts-2024/releases/tag/v3.7

Score

10^/10

xehook credential_access discovery execution persistence stealer

Malware Config

Extracted

Family

xehook

Version

2.1.5 Stable

https://t.me/+w897k5UK_jIyNDgy

Attributes

id
185
token
xehook185786249114074

Signatures

Xehook family
xehook
Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

Powershell.exePowershell.exePowershell.exePowershell.exePowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3716	Powershell.exe
5936	Powershell.exe
4504	Powershell.exe
4564	Powershell.exe
5088	Powershell.exe
3716	Powershell.exe
3592	powershell.exe
1880	powershell.exe
1520	powershell.exe
2036	powershell.exe
5696	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

Processes:

1730219211654.exe

pid	Process
2036	1730219211654.exe

Loads dropped DLL 1 IoCs

Processes:

1730219211654.exe

pid	Process
2036	1730219211654.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
115	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

1730219211654.exe

description	pid	Process	procid_target
PID 2036 set thread context of 5716	2036	1730219211654.exe	155

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeMSBuild.exejavaw.exePowershell.exepowershell.exePowershell.exePowershell.exePowershell.exepowershell.exeSetup.exepowershell.exePowershell.exepowershell.exe1730219211654.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1730219211654.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 11 IoCs

Processes:

explorer.exemsedge.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{314D4389-F8C1-42E7-8418-EDB2355C720D}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exePowershell.exePowershell.exePowershell.exePowershell.exepowershell.exepowershell.exepowershell.exepowershell.exePowershell.exepowershell.exeMSBuild.exe

pid	Process
948	msedge.exe
948	msedge.exe
3492	msedge.exe
3492	msedge.exe
4600	identity_helper.exe
4600	identity_helper.exe
5072	msedge.exe
5072	msedge.exe
4564	Powershell.exe
4564	Powershell.exe
4504	Powershell.exe
4504	Powershell.exe
5088	Powershell.exe
5088	Powershell.exe
3716	Powershell.exe
3716	Powershell.exe
3716	Powershell.exe
5088	Powershell.exe
4564	Powershell.exe
4504	Powershell.exe
3592	powershell.exe
3592	powershell.exe
1880	powershell.exe
1880	powershell.exe
2036	powershell.exe
2036	powershell.exe
1520	powershell.exe
1520	powershell.exe
3592	powershell.exe
2036	powershell.exe
1880	powershell.exe
1520	powershell.exe
5936	Powershell.exe
5936	Powershell.exe
5936	Powershell.exe
5696	powershell.exe
5696	powershell.exe
5696	powershell.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe
5716	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

Powershell.exePowershell.exePowershell.exePowershell.exepowershell.exepowershell.exepowershell.exepowershell.exePowershell.exepowershell.exeMSBuild.exeexplorer.exe

description	pid	Process
Token: SeDebugPrivilege	4504	Powershell.exe
Token: SeDebugPrivilege	5088	Powershell.exe
Token: SeDebugPrivilege	4564	Powershell.exe
Token: SeDebugPrivilege	3716	Powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	5936	Powershell.exe
Token: SeDebugPrivilege	5696	powershell.exe
Token: SeDebugPrivilege	5716	MSBuild.exe
Token: SeShutdownPrivilege	6092	explorer.exe
Token: SeCreatePagefilePrivilege	6092	explorer.exe
Token: SeShutdownPrivilege	6092	explorer.exe
Token: SeCreatePagefilePrivilege	6092	explorer.exe
Token: SeShutdownPrivilege	6092	explorer.exe
Token: SeCreatePagefilePrivilege	6092	explorer.exe
Token: SeShutdownPrivilege	6092	explorer.exe
Token: SeCreatePagefilePrivilege	6092	explorer.exe
Token: SeShutdownPrivilege	6092	explorer.exe
Token: SeCreatePagefilePrivilege	6092	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

msedge.exeexplorer.exe

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
6092	explorer.exe
6092	explorer.exe
6092	explorer.exe
6092	explorer.exe
6092	explorer.exe
6092	explorer.exe
6092	explorer.exe
6092	explorer.exe
6092	explorer.exe
6092	explorer.exe
6092	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

javaw.exe

pid	Process
4184	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 3492 wrote to memory of 3184	3492	msedge.exe	84
PID 3492 wrote to memory of 3184	3492	msedge.exe	84
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 4436	3492	msedge.exe	85
PID 3492 wrote to memory of 948	3492	msedge.exe	86
PID 3492 wrote to memory of 948	3492	msedge.exe	86
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87
PID 3492 wrote to memory of 1224	3492	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/MoncleCompass/Best-Blox-Fruits-Scripts-2024/releases/tag/v3.7
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb61b846f8,0x7ffb61b84708,0x7ffb61b84718
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10928715479054718617,14755269744537167939,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:5660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1696

C:\Users\Admin\Downloads\Thunder.Launcher.v4.7\Setup.exe
"C:\Users\Admin\Downloads\Thunder.Launcher.v4.7\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3252
- C:\Users\Admin\Downloads\Thunder.Launcher.v4.7\jre\bin\javaw.exe
  "C:\Users\Admin\Downloads\Thunder.Launcher.v4.7\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1520
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2036
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Start-Process "C:\Users\Admin\AppData\Local\Temp\/1730219211654.exe"'}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5936
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Start-Process C:\Users\Admin\AppData\Local\Temp\/1730219211654.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5696
    - - C:\Users\Admin\AppData\Local\Temp\1730219211654.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1730219211654.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2036
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5716

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:6092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2564

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4592

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4084

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3792

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:864

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5676

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5788

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5372

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
1d8f74e42cb1b6ddead77f382bf8cd14

SHA1
75a03355735430e11c16904f7244d75a00cc02a5

SHA256
745a553f88df0f636ae699fe410d23a841047b07175cd38315d8517ca34c4793

SHA512
aa3d98abc7dc7d274d25aa6ffe52b2b1397036886ff38e7a6b2caaed58e10571cd9fa6149583ae6421ca0ec0a63218ffdcfb5cb9392992a63ea66e5d79780172

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
165f0ae6485f82bd32111467c28b9787

SHA1
e8c911f16c067d10ea02c8057f6651a0e15f1f10

SHA256
a792d4ccf6a393f189032e6b9891db2592a24774f9e9c4156644200526d61e1c

SHA512
790ec12614fd8818d3fdb3a8cea671f8abb903580decc4352b29f66abf16dfe9a1f53652d8fe8ec04803bfa6df0bb5825a7fefb726ae5b0fd755e79e9e368b13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b98fee3ffeac13e14dc12c7a38d21d81

SHA1
3d51874e9a9ead59feaa509f78b9783b8c7f0480

SHA256
0784617da606e8c94551de5830a168f648d88df62129421e35717524bf83afa1

SHA512
0ab87632aaa259b7813d15ae381ed51a81adc18efd6e674200fd52f9740b1f0c6c1136aa61192fe3e0d17660efdb5b15e02b691a090d9d1d554998df6471c0a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
30322550d9f9c54f345ea1c71f3b2e8f

SHA1
b5a3cff2995147279c2bbed7c03b2280ecb286e5

SHA256
4e7798d8476361378f8fbfb0442db63c7f6bf7e1830d50808bfdb8a58700d8f9

SHA512
261d1f5bc9c8a369f815eb846c252f54681f70862153bd49959411450870207b3ee240cc9016533c27401922527d561cc1ea7bb23708e4a257f071d010cf55ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
27e2a1112963751fc7e9aa8c6e743e7b

SHA1
bc34ffe5b867a4f3068ca630d6f104097ffed740

SHA256
2fe4b5e4cf21089c4633bb00d844fa01b65ab3155045e9bc3e8c18364953b3b8

SHA512
1fd8db98c7c731c433e84d10a569a48b636fffc110dc5ca8394c3a99bdeaeaa33d2eddc2ecbdaa3998fbdb3bc2e3fd715dc4915ba31f792955fe702810597e43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
364082260d0bf9a0af9d8d7c54534255

SHA1
ae2b3df5cd93b987b141e8cdeac07edce75415d4

SHA256
3ce8ac230b1ea9fd975fed8bcc71e7247d00d4e60929c4400638b4ef2c8412e6

SHA512
c10958563d50be659f42ffe3433107b7b695406a1f2c57f590c0bf12857527e89a5a899da178153654caa5cc0f1a9aee3725cb72876646fb0a87015a440c067e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ede6005451575d2740cf11edf843a444

SHA1
e93024eb2e148696d803a98bdfc452be4a5b59f1

SHA256
2075466075171c34c1dfe42066d8a42d8acd7b7a78af68498fb6bdc15cfb3dd7

SHA512
9e5c15500437626027ef47f4b3cd205d120278a7a50183edae37a26efc1fa66f8f1419c5ae8220582550a9ddba17b9257e5ab81950cf17c956065133395c72ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
7ab7c91cc5a355a40bf6f421ed34c41c

SHA1
a7e22c164091560c0450073b642d655ab5d0104e

SHA256
660b2f012057815077ee1386ca89c10338442f24865fd6d8edd951dc8f180f08

SHA512
588bbc0d443ed221282d95b8b2ab3ead5b6a781ddb0de9810514a0d831a51337a6349a5402c0cf4a53b8b4bd6a3d3440607ca48913f693b6d40e6371be09210d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f28e.TMP

Filesize
870B

MD5
1d192ecbba55f29ed0bd4fc4be02c461

SHA1
7baf906d0453d8adf9acdf58397b38a4b58597e3

SHA256
a8a93fba98f73b46264eecfe317bfc2aa6da904570acc9307d1887fa6220ab8b

SHA512
c7588f6eb2647f8d5cfa62a2e0e0c8830db312866a4491124e124a41727f5bbb165db1ad13ca6cf4aa279bee37e206d29437194fa33b50a9f49c5d4e69cff222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b9eeeb15a48622c54676bda999dd8713

SHA1
0a461dbd6f336f7ae701460736b6e0f9271fc38f

SHA256
86aac8c9df274fde6059382c9bdc4a481693f3794e117b80cb0caa1a88eb4d4e

SHA512
b79097d9747b5d2f8469f22c5f48e3c68b8e23b77fae0d8e0f7dc62f7c1737a670ecce2085c892c1cfbf8e5a0b86562fd602e89188f88a3b15ef09624c672e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0245a5ac84ab06b551c31000026ca4b1

SHA1
6034a869644576e835b7d5e458096ee63bb14c7e

SHA256
f75ec881481594b2d9f3d23fe712da71e1cb3294b89f157fa950596772b7f759

SHA512
8aaaacc5ddc504dcd33c9d35867d0a1413c6a8c45d38ffcbc908804c38233d307217ed648dc08d482eb3601f379b35cbba906c79584e24b23ffdfbc6c593ce09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2d5457830bdcb64b6129405572af6477

SHA1
c1c41c06867202a43a9811c54ae1abc0b09c09f7

SHA256
5ac5274439960b763a2a7866577b562efe14fe190c689b3d52ef0aedf74eb213

SHA512
b78fb9b023db3a18bfc15fa7ae9b51969eaccbf62bb7977aaf56cb8f8a4e2f884066bf2085b1845d122b3777eaa0f8041b987beaefff3572845e02fd6478a7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
f27c9c4f7128e5efa0b2fb84def647e7

SHA1
8ad9fb8bd4e0d591afbcd3fbbd41028c2333ba43

SHA256
c841be165ac15e2d1a3559ac5f2d3d36e9edd10658a4e1c1c7e9f8d037e4703e

SHA512
f293efbebc78c2ed1f58de3c73531e6ee42f5b64090bce7f85454abfbaefd7b21792031ad784012d92924ba516bc163cc7e8ffece2f605da80f515aba2d83bda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
2afe8e661c72bc7b54d6d18e7db67611

SHA1
7f6407ea9a77f617a0be97ef73f56ec03881bb47

SHA256
d1090de7b966b7fbc1f2e2d0104da6a68d887cc74105bd000b5c8be3cfcaee98

SHA512
30bb1c009fac2d393a5a928882935e719aa0daec4fd8a191925b40054f276996006c00f225b97f4b83e8585fb3f303a04d708a73d4362cd0509853e0f3f768e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0e87a801d99ee0d52ab8ae6e256b1b09

SHA1
0eb13554507e6918942e6f174ab8487a77010bbf

SHA256
91d53d9b5ae7384d338eb5c462e0226d2b0be6afd07ec874a14029b233411360

SHA512
7a9300c5c230fb3331f46b543148e4dcd38d9d721f692db10ef4fcb0d11ae4d0954dbc5c80e9c1efb1aff79f47e887062d16291573a2518878f612edc2c6cbdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
285fe78343f341122527b014092118e3

SHA1
af5114c7e9341976ec54d6f44e5516cbd8aaef18

SHA256
a97af8964450c1fa98164dc304ef5d30fda15cd02707f2ba1c15160be2f6e572

SHA512
7f0fa7508be364172548bc2cab596f47dcaa222a571f309abd02f6bd8accb35fb5cd22e0c38fafd6dece6df8d525c450d1943d9826650412c9a4f912d4726363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e6438f487baa87658940aef52e1b9831

SHA1
80b09713353e0b48b624f5488a1fffaf183910c7

SHA256
f5ec7a143a71221165d9cfb783089b7fa1e3c78e2c1a7fcbd41bbefa5b0c5748

SHA512
078508e61272f71637703e0a6b5bba2562029e79d1b9de30013541d8d36b32a81e8ea39582c9cc7cff3d2832a13a739ea6d1be87e46b8c19d006f40c3ee82162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
95ce1c8d1f80e4fbd93e060f8df53eaf

SHA1
0c8673264b31f89ff82c82d063dc16c9bc96cf90

SHA256
a042b538a90fcfefe2109e1cd73b37fcb68a5327ed673a83a00632631a93be87

SHA512
d49a99a602e24fad738004926420dc711e1117c59739eed3365554a7e06ba52d4fb6826255816eaf840a373896a33974940eb0283ae0a8f19e79669d1ec5c83d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
01e653ed161159f6b7f53d00dcdcefb6

SHA1
778433fe9db588f4a746a69089a47e003aecd561

SHA256
c93a3ed1c5a8ea41b1c471cfb7bc7613571815cadcee4a95e71ecd348112579d

SHA512
3a316406a1e1e9a097e5fb0f79fc275e6920240ed18fe1821f07fa541476b2f2f172b1dcb5d5dd2798779f794e61d41326902e98eafd3d51ec397a35fd1be8c0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133746928307635623.txt

Filesize
75KB

MD5
a94caad95c37498886e4247e3771d7fe

SHA1
88289017f23fbe64cf4cf223e50abe953d27c785

SHA256
90e0b7c882f4d05322ef42ea6ae4bf2475992abb5a5f3bdba96d05fa4c07a9c9

SHA512
3a064d5bd9a5392a5987cef215eef65815c43d7682dfe904e24dc5b39aa176fc01d8419e16d323a546ed60d68b570c5675260d3f19509da2975d1692bed9ce97

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\80AM9X7C\microsoft.windows[1].xml

Filesize
96B

MD5
c839a1973d3feaead377ea2dad131fe6

SHA1
252758616792b9b2f10bc460c84b1c1eba75ea04

SHA256
efecd8d483398a6cb569af17e66cb0ba1ca4b9c65f4a697fc7642cc007fc3ccd

SHA512
fee6ca3d2ae272b0f1f291e98830215f2ac138747651be78325ab7c1ba3f01f72cbfed4c886853caba45f16c59c78543a87a5f872b2c1f85bffa3a4e11bf50e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1730219211654.exe

Filesize
226KB

MD5
1c83b86ee49577920f79e0175f56a480

SHA1
1ac4ef5a1f9ca34ac229bc26cdc914e38173c554

SHA256
72a88efeda156c7304c5c8bd090dcb011ba3dfbbe91f5511969ba8eecee32843

SHA512
d4b4ec415e92617548e863422f653b97460be182205871bf7526fe872d110e8ac17b60472d8351bed62e20ee584424816eeafcafe69ce096596ee044e1df022d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rqqwyrik.w4v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
351KB

MD5
a7e9d0bb0687ba84a60b387a2a6fa8d9

SHA1
d224cf061e302d82059ff9100f40b86b0cbbbc31

SHA256
7704fea9664704d6cf2aa277e30f58c71b8a5f50c957d519896450a4f81e3dbe

SHA512
185f52af9930a03dbccd3c160e4f6d3eedacf72999933b44c36268e45d233b617c36190c05d63211a9d0e99d448d03e5c927fcc2700d6b5244c987cfe33def88

Download Submit
\??\pipe\LOCAL\crashpad_3492_ROUDEKVUPHBWGQBS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/864-612-0x000002697EEC0000-0x000002697EEE0000-memory.dmp

Filesize
128KB

Download
memory/864-588-0x000002697DB00000-0x000002697DC00000-memory.dmp

Filesize
1024KB

Download
memory/864-604-0x000002697E5B0000-0x000002697E5D0000-memory.dmp

Filesize
128KB

Download
memory/864-593-0x000002697E900000-0x000002697E920000-memory.dmp

Filesize
128KB

Download
memory/864-589-0x000002697DB00000-0x000002697DC00000-memory.dmp

Filesize
1024KB

Download
memory/1520-479-0x000000006E2D0000-0x000000006E31C000-memory.dmp

Filesize
304KB

Download
memory/1880-446-0x0000000006DF0000-0x0000000006E22000-memory.dmp

Filesize
200KB

Download
memory/1880-447-0x000000006E2D0000-0x000000006E31C000-memory.dmp

Filesize
304KB

Download
memory/1880-457-0x0000000006DD0000-0x0000000006DEE000-memory.dmp

Filesize
120KB

Download
memory/1880-458-0x0000000006E40000-0x0000000006EE3000-memory.dmp

Filesize
652KB

Download
memory/2036-561-0x00000000026E0000-0x00000000026E6000-memory.dmp

Filesize
24KB

Download
memory/2036-459-0x000000006E2D0000-0x000000006E31C000-memory.dmp

Filesize
304KB

Download
memory/2036-560-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/3252-247-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3592-495-0x0000000007740000-0x0000000007754000-memory.dmp

Filesize
80KB

Download
memory/3592-491-0x00000000076F0000-0x0000000007701000-memory.dmp

Filesize
68KB

Download
memory/3592-494-0x0000000007730000-0x000000000773E000-memory.dmp

Filesize
56KB

Download
memory/3592-469-0x000000006E2D0000-0x000000006E31C000-memory.dmp

Filesize
304KB

Download
memory/3592-496-0x0000000007830000-0x000000000784A000-memory.dmp

Filesize
104KB

Download
memory/3592-497-0x0000000007810000-0x0000000007818000-memory.dmp

Filesize
32KB

Download
memory/3592-490-0x0000000007570000-0x000000000757A000-memory.dmp

Filesize
40KB

Download
memory/3592-489-0x0000000007B30000-0x00000000081AA000-memory.dmp

Filesize
6.5MB

Download
memory/3716-352-0x00000000026D0000-0x0000000002706000-memory.dmp

Filesize
216KB

Download
memory/4084-673-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4184-574-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/4184-347-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/4184-277-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/4184-284-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/4184-525-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/4184-523-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/4184-312-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/4184-318-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/4184-326-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/4184-570-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/4184-573-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/4504-353-0x0000000005630000-0x0000000005C58000-memory.dmp

Filesize
6.2MB

Download
memory/4504-356-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/4504-394-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/4504-395-0x0000000006320000-0x000000000636C000-memory.dmp

Filesize
304KB

Download
memory/4504-354-0x0000000005230000-0x0000000005252000-memory.dmp

Filesize
136KB

Download
memory/4504-355-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/4504-357-0x0000000005D60000-0x00000000060B4000-memory.dmp

Filesize
3.3MB

Download
memory/5088-398-0x0000000006BD0000-0x0000000006BF2000-memory.dmp

Filesize
136KB

Download
memory/5088-397-0x0000000006B70000-0x0000000006B8A000-memory.dmp

Filesize
104KB

Download
memory/5088-396-0x0000000007640000-0x00000000076D6000-memory.dmp

Filesize
600KB

Download
memory/5088-399-0x0000000007C90000-0x0000000008234000-memory.dmp

Filesize
5.6MB

Download
memory/5660-753-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/5696-555-0x0000000005920000-0x0000000005C74000-memory.dmp

Filesize
3.3MB

Download
memory/5716-568-0x0000000000760000-0x000000000078C000-memory.dmp

Filesize
176KB

Download
memory/5716-577-0x00000000064E0000-0x0000000006572000-memory.dmp

Filesize
584KB

Download
memory/5788-754-0x000002A2E8E00000-0x000002A2E8F00000-memory.dmp

Filesize
1024KB

Download
memory/5788-755-0x000002A2E8E00000-0x000002A2E8F00000-memory.dmp

Filesize
1024KB

Download
memory/5788-759-0x000002AAEAF40000-0x000002AAEAF60000-memory.dmp

Filesize
128KB

Download
memory/5788-769-0x000002AAEAF00000-0x000002AAEAF20000-memory.dmp

Filesize
128KB

Download
memory/5936-533-0x0000000005910000-0x0000000005C64000-memory.dmp

Filesize
3.3MB

Download
memory/5936-544-0x0000000005FF0000-0x000000000603C000-memory.dmp

Filesize
304KB

Download