Overview

overview

10

Static

static

10

Infected.exe

windows7-x64

10

Infected.exe

windows10-2004-x64

Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 21:34

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Infected.exe

  • Size

    63KB

  • MD5

    d1642320b4b4733552b78f746ccc2287

  • SHA1

    bc473457b7a95e6bf31f87645ee021041f818afc

  • SHA256

    2bb00b6059c1b0dacc9e952ccc1f819b09542f17eda7994a40d7ea361935ac34

  • SHA512

    680c7ecfadd4203f673db5fd4e7d245bda57cc3aa49cd52cf9cbad3dfc0001331d206e90a255f2a1687bab5fbb482fa4cb288e167fd39287cdcaa5c11bea2542

  • SSDEEP

    768:iil3pYNlrm78RIC8A+XjqazcBRL5JTk1+T4KSBGHmDbD/ph0oXz60m1avA74Su4V:Dyr0AdSJYUbdh9i15ju4dpqKmY7

Score
10/10
asyncratdefaultdiscoveryevasionpersistencerattrojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

147.185.221.23:64395

Attributes
  • delay

    1

  • install

    true

  • install_file

    sigma.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Infected.exe
    "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1284
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC12D.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4412
      • C:\Users\Admin\AppData\Roaming\sigma.exe
        "C:\Users\Admin\AppData\Roaming\sigma.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3332
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "sigma"
          4⤵
            PID:3740
            • C:\Windows\system32\schtasks.exe
              schtasks /delete /f /tn "sigma"
              5⤵
                PID:1444
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp45C9.tmp.bat""
              4⤵
                PID:4416
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  5⤵
                  • Delays execution with timeout.exe
                  PID:4492
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
          1⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1108
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffca21f46f8,0x7ffca21f4708,0x7ffca21f4718
            2⤵
              PID:1244
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
              2⤵
                PID:3476
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:888
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
                2⤵
                  PID:644
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
                  2⤵
                    PID:556
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
                    2⤵
                      PID:1440
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
                      2⤵
                        PID:3956
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
                        2⤵
                          PID:1276
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
                          2⤵
                            PID:1760
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1116
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
                            2⤵
                              PID:2076
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
                              2⤵
                                PID:2512
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
                                2⤵
                                  PID:984
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
                                  2⤵
                                    PID:3956
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
                                    2⤵
                                      PID:2772
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
                                      2⤵
                                        PID:912
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6016 /prefetch:8
                                        2⤵
                                          PID:4280
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
                                          2⤵
                                            PID:2976
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
                                            2⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:2028
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,10397938759905647085,10422467658024191594,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4900 /prefetch:2
                                            2⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:1084
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:3936
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:4560
                                            • C:\Windows\System32\rundll32.exe
                                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                              1⤵
                                                PID:372
                                              • C:\Users\Admin\Downloads\oh nannanan\oh nannanan\Mandela.exe
                                                "C:\Users\Admin\Downloads\oh nannanan\oh nannanan\Mandela.exe"
                                                1⤵
                                                • Modifies WinLogon for persistence
                                                • UAC bypass
                                                • Drops file in Windows directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious behavior: GetForegroundWindowSpam
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of FindShellTrayWindow
                                                • Suspicious use of SendNotifyMessage
                                                PID:4728
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /k taskkill /f /im explorer.exe
                                                  2⤵
                                                    PID:1548
                                                    • C:\Windows\system32\taskkill.exe
                                                      taskkill /f /im explorer.exe
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:4280
                                                • C:\Windows\system32\AUDIODG.EXE
                                                  C:\Windows\system32\AUDIODG.EXE 0x500 0x2f4
                                                  1⤵
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4480

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Reconnaissance

                                                Resource Development

                                                Initial Access

                                                Execution

                                                Scheduled Task/Job

                                                1
                                                T1053

                                                Scheduled Task

                                                1
                                                T1053.005

                                                Persistence

                                                Boot or Logon Autostart Execution

                                                1
                                                T1547

                                                Winlogon Helper DLL

                                                1
                                                T1547.004

                                                Scheduled Task/Job

                                                1
                                                T1053

                                                Scheduled Task

                                                1
                                                T1053.005

                                                Privilege Escalation

                                                Abuse Elevation Control Mechanism

                                                1
                                                T1548

                                                Bypass User Account Control

                                                1
                                                T1548.002

                                                Boot or Logon Autostart Execution

                                                1
                                                T1547

                                                Winlogon Helper DLL

                                                1
                                                T1547.004

                                                Scheduled Task/Job

                                                1
                                                T1053

                                                Scheduled Task

                                                1
                                                T1053.005

                                                Defense Evasion

                                                Abuse Elevation Control Mechanism

                                                1
                                                T1548

                                                Bypass User Account Control

                                                1
                                                T1548.002

                                                Impair Defenses

                                                1
                                                T1562

                                                Disable or Modify Tools

                                                1
                                                T1562.001

                                                Modify Registry

                                                2
                                                T1112

                                                Credential Access

                                                Discovery

                                                Browser Information Discovery

                                                1
                                                T1217

                                                Query Registry

                                                3
                                                T1012

                                                System Information Discovery

                                                3
                                                T1082

                                                Lateral Movement

                                                Collection

                                                Command and Control

                                                Exfiltration

                                                Impact

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                  Filesize

                                                  152B

                                                  MD5

                                                  ba6ef346187b40694d493da98d5da979

                                                  SHA1

                                                  643c15bec043f8673943885199bb06cd1652ee37

                                                  SHA256

                                                  d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

                                                  SHA512

                                                  2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                  Filesize

                                                  152B

                                                  MD5

                                                  b8880802fc2bb880a7a869faa01315b0

                                                  SHA1

                                                  51d1a3fa2c272f094515675d82150bfce08ee8d3

                                                  SHA256

                                                  467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

                                                  SHA512

                                                  e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                  Filesize

                                                  288B

                                                  MD5

                                                  a4489a755e3acc7c2687319a198c5db4

                                                  SHA1

                                                  81444728a5f715da133b57c2c5eb1b737abd78ed

                                                  SHA256

                                                  5c30384944ff68cf0c6fc0e754f8533153da9494b6ff078e866475e16bcdf2a2

                                                  SHA512

                                                  46575c5fd46b8549b8c2524e28ce627d375924085a3f6f435d90d914c5d73491b585506d8804c4dda5e3cf7e0f803e9f6c9182fac9f1446ee9f74fd256956336

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                  Filesize

                                                  461B

                                                  MD5

                                                  af0acc97d7c1d56dc86b748159bf1140

                                                  SHA1

                                                  e27b348abdd79394051eb3b3a146d41f94535046

                                                  SHA256

                                                  ad42a6d87fdbb119c9cbdbde9396e914041da2bbe343c3285799316d03efa6c6

                                                  SHA512

                                                  85fc428d1c44a137a08764a5fae822511c08ccb4e774583e7209c3bb97870356982ab624a157a7abbfe37ce88fe52fea4a7dd843c345dddd7fd12dff01130722

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                  Filesize

                                                  5KB

                                                  MD5

                                                  e225de790cfee3c1d72e92991809d432

                                                  SHA1

                                                  5eb40310d01de964ca57cdd3c16d0df3138e4732

                                                  SHA256

                                                  76c3d02da182e77bd9302a87e66eff99728ff283d9bd15bd558cf6769ced5620

                                                  SHA512

                                                  c77ae961bae0898c37511c49f8939b6eea08cae66c7bc6faceecf8b69e32a844d927777b955aa62a0e94f8b7951f6e35f22070353cb5ec913dceb6f2839581c0

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                  Filesize

                                                  6KB

                                                  MD5

                                                  e028913d92b268bca0bbc7f3e92a1991

                                                  SHA1

                                                  71c23ce255185ebb066506010bdad8aa2c3c704e

                                                  SHA256

                                                  19243a580819dd3c9377e2cf2116987f435e2e7731f7e5b389db78d1980eca76

                                                  SHA512

                                                  173240c2096ed3ad80255400c4b679edd1bb01f5fc0fb0316d70578df335f85bae3716b6aba2a0fecf2394276784b66b2616bedb5387b20465724205ee6f42b1

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                  Filesize

                                                  6KB

                                                  MD5

                                                  cf18978ce4e35aa61868c378b0e6faca

                                                  SHA1

                                                  4c97de06bfbae475aa54de667d61057cebbce0bd

                                                  SHA256

                                                  7a1ec7bb618c8e8beda871a45b84bc54a3e2752bf73522f59fe800404619d153

                                                  SHA512

                                                  d1275d2f6335952311ac22285fc7030ee78a0493da130aed9922c66579d5bbe7342f67ab0c0d6a804f8d7cd92c7c14e25deee3bac0f321839988365b88aef107

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                  Filesize

                                                  16B

                                                  MD5

                                                  6752a1d65b201c13b62ea44016eb221f

                                                  SHA1

                                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                  SHA256

                                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                  SHA512

                                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                  Filesize

                                                  10KB

                                                  MD5

                                                  5dd23e041bb5e308a08112de0ec18324

                                                  SHA1

                                                  71c7da7ed10a1fee46c5b2ef875f5dce5e1f6120

                                                  SHA256

                                                  2c32479a7325d4cb1ab3e7ff2a08e86b09f71697ce9524565c8bd6d7665a8bc6

                                                  SHA512

                                                  29bdab09ceed4b1f3527b735766f06127f006f5ae939d9da3232dd912ebfdb84edeeecf60db318c954fc1d030259182c54c15033c31d274038d44ea17928aee2

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                  Filesize

                                                  10KB

                                                  MD5

                                                  569084733d53753c3cb2870900c0d99d

                                                  SHA1

                                                  ec6f4dac47c63f4a8dcb6956446ec8c292bc5508

                                                  SHA256

                                                  30f1489867bcd1e000e22b0f5819c62f2db65acdd1e833dce29a3469b99318e8

                                                  SHA512

                                                  91ae565f000575ee1dc74e997b4de4f0a342a18f95442b5812a5a7164f958558461516f6371fc78de9a53edd5c92ca0066b0235f6303838f45ebad56b423b16a

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\tmp45C9.tmp.bat
                                                  Filesize

                                                  154B

                                                  MD5

                                                  e8516071dd157528ed691186a9d99dd9

                                                  SHA1

                                                  3713e0f429e74e9e078895f1c1b94dbff65853cf

                                                  SHA256

                                                  837c68e668f57c4b770eef31c5a6173da271b53cfcda0c4199b141aba73c6314

                                                  SHA512

                                                  c38c6bc0a530e8abab6174c548488f3762aabd3cf748cc6f5697b74e8ad67c3feacd174a951f387afc77cb0abbebbf43a14b18743bff49c9b9126c5afefad61f

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\tmpC12D.tmp.bat
                                                  Filesize

                                                  149B

                                                  MD5

                                                  905240e7ebff263e497af74adac0aae8

                                                  SHA1

                                                  89f0b1f99d0aa77d08c8ec7b5edfc5f342e8688d

                                                  SHA256

                                                  fdc227188b76b80ec55c2c09022114f8481a61ffbf8c97901f7d947a3e6c5569

                                                  SHA512

                                                  9b14dd1857e4cf8651cdbb5fda5166568e40138d8f961ef7c727a8daf1dd613b755e8daf211c4bc9752d320649e587978507b32b394ef6580b1e0143d0070be0

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Roaming\sigma.exe
                                                  Filesize

                                                  63KB

                                                  MD5

                                                  d1642320b4b4733552b78f746ccc2287

                                                  SHA1

                                                  bc473457b7a95e6bf31f87645ee021041f818afc

                                                  SHA256

                                                  2bb00b6059c1b0dacc9e952ccc1f819b09542f17eda7994a40d7ea361935ac34

                                                  SHA512

                                                  680c7ecfadd4203f673db5fd4e7d245bda57cc3aa49cd52cf9cbad3dfc0001331d206e90a255f2a1687bab5fbb482fa4cb288e167fd39287cdcaa5c11bea2542

                                                  Download Submit

                                                • C:\Users\Admin\Downloads\Unconfirmed 668079.crdownload
                                                  Filesize

                                                  15.0MB

                                                  MD5

                                                  0a0bfa2a34c18aabe07b2f1dfade8324

                                                  SHA1

                                                  88b56d883127d91ce965acde397c8c2bfa77fcdb

                                                  SHA256

                                                  596a0d23349666bc5991c60c8b4d148c46e9ce5198b6364d10f949b503819902

                                                  SHA512

                                                  b058050e0db3aa759123a48458b2ea22c9d5c15f1984c5c13649985668507d3ab95b670e2a4609dd80a8cabb5c44ffdaa7d1f40e25f44aa63b10e59cd74b0656

                                                  Download Submit

                                                • memory/2796-7-0x00007FFCA5840000-0x00007FFCA6301000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                  Download

                                                • memory/2796-0-0x00007FFCA5843000-0x00007FFCA5845000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/2796-1-0x0000000000BC0000-0x0000000000BD6000-memory.dmp

                                                  Filesize

                                                  88KB

                                                  Download

                                                • memory/2796-8-0x00007FFCA5840000-0x00007FFCA6301000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                  Download

                                                • memory/2796-2-0x00007FFCA5840000-0x00007FFCA6301000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                  Download

                                                • memory/3332-234-0x000000001C8F0000-0x000000001C90E000-memory.dmp

                                                  Filesize

                                                  120KB

                                                  Download

                                                • memory/3332-232-0x000000001C4A0000-0x000000001C516000-memory.dmp

                                                  Filesize

                                                  472KB

                                                  Download

                                                • memory/3332-233-0x000000001C720000-0x000000001C7D2000-memory.dmp

                                                  Filesize

                                                  712KB

                                                  Download

                                                • memory/4728-141-0x00000000261F0000-0x00000000282A2000-memory.dmp

                                                  Filesize

                                                  32.7MB

                                                  Download

                                                • memory/4728-150-0x000000001BC10000-0x000000001BC68000-memory.dmp

                                                  Filesize

                                                  352KB

                                                  Download

                                                • memory/4728-147-0x000000001BBD0000-0x000000001BBDC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                  Download

                                                • memory/4728-148-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/4728-149-0x000000001BC00000-0x000000001BC14000-memory.dmp

                                                  Filesize

                                                  80KB

                                                  Download

                                                • memory/4728-140-0x0000000000870000-0x00000000017A4000-memory.dmp

                                                  Filesize

                                                  15.2MB

                                                  Download