asyncrat | f65b4ac5a2e3791b5851ff09840e334a51169cee78a5c383f956cc11e912ece6

Analysis

max time kernel
144s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-01-2025 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV2.09(rat).exe
Size

5.9MB
MD5

bbe4425a7b91d830ae36203ce3660a19
SHA1

147d8f6cd4b7694a6274cde567b4b94c51bc3b3a
SHA256

f65b4ac5a2e3791b5851ff09840e334a51169cee78a5c383f956cc11e912ece6
SHA512

a4e1957b5a829bd6a833fca9616e790f6fc976c35bc6110f259142415593a0369e5dc6ec45e3dc72b1ea3776d7a999beb77b80d80c36684391412e8beb4425e9
SSDEEP

98304:Voqb1QHJ2we9het0Un2reIgLxmqMBfiGJRkZqtVwCYWoOacfHM26PbF8qz16B8BB:VoMIJJeCwaxmZBfiGJRkZqtGCYTQMXF7

Score

10^/10

asyncrat gurcu default collection discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

51.89.44.68:8848

Mutex

etb3t1tr5n

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%Temp%

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7674843264:AAGzWOldtG3GqsZObUVSOc6rpPUp0jvoUtc/getM

https://api.telegram.org/bot7674843264:AAGzWOldtG3GqsZObUVSOc6rpPUp0jvoUtc/sendMessage?chat_id=-1002262935377

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0028000000046107-59.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	BootstrapperV2.09(rat).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	1.exe

Executes dropped EXE 7 IoCs

pid	Process
3484	1.exe
2364	BootstrapperV2.08.exe
1100	svchost.exe
3304	svchost.exe
5424	svchost.exe
5512	svchost.exe
5956	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
17	discord.com
20	discord.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	icanhazip.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\10e69a79-e700-4946-9257-fb299a3c8bea.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250101180019.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1276	cmd.exe
4460	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5600	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5532	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3226857575-536881564-1522996248-1000\{E83F54ED-3D2C-4266-97E3-162622AFFD42}	msedge.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
4492	msedge.exe
4492	msedge.exe
1108	msedge.exe
1108	msedge.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
3484	1.exe
5208	identity_helper.exe
5208	identity_helper.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3484	1.exe
Token: SeIncreaseQuotaPrivilege	1100	svchost.exe
Token: SeSecurityPrivilege	1100	svchost.exe
Token: SeTakeOwnershipPrivilege	1100	svchost.exe
Token: SeLoadDriverPrivilege	1100	svchost.exe
Token: SeSystemProfilePrivilege	1100	svchost.exe
Token: SeSystemtimePrivilege	1100	svchost.exe
Token: SeProfSingleProcessPrivilege	1100	svchost.exe
Token: SeIncBasePriorityPrivilege	1100	svchost.exe
Token: SeCreatePagefilePrivilege	1100	svchost.exe
Token: SeBackupPrivilege	1100	svchost.exe
Token: SeRestorePrivilege	1100	svchost.exe
Token: SeShutdownPrivilege	1100	svchost.exe
Token: SeDebugPrivilege	1100	svchost.exe
Token: SeSystemEnvironmentPrivilege	1100	svchost.exe
Token: SeRemoteShutdownPrivilege	1100	svchost.exe
Token: SeUndockPrivilege	1100	svchost.exe
Token: SeManageVolumePrivilege	1100	svchost.exe
Token: 33	1100	svchost.exe
Token: 34	1100	svchost.exe
Token: 35	1100	svchost.exe
Token: 36	1100	svchost.exe
Token: SeIncreaseQuotaPrivilege	3304	svchost.exe
Token: SeSecurityPrivilege	3304	svchost.exe
Token: SeTakeOwnershipPrivilege	3304	svchost.exe
Token: SeLoadDriverPrivilege	3304	svchost.exe
Token: SeSystemProfilePrivilege	3304	svchost.exe
Token: SeSystemtimePrivilege	3304	svchost.exe
Token: SeProfSingleProcessPrivilege	3304	svchost.exe
Token: SeIncBasePriorityPrivilege	3304	svchost.exe
Token: SeCreatePagefilePrivilege	3304	svchost.exe
Token: SeBackupPrivilege	3304	svchost.exe
Token: SeRestorePrivilege	3304	svchost.exe
Token: SeShutdownPrivilege	3304	svchost.exe
Token: SeDebugPrivilege	3304	svchost.exe
Token: SeSystemEnvironmentPrivilege	3304	svchost.exe
Token: SeRemoteShutdownPrivilege	3304	svchost.exe
Token: SeUndockPrivilege	3304	svchost.exe
Token: SeManageVolumePrivilege	3304	svchost.exe
Token: 33	3304	svchost.exe
Token: 34	3304	svchost.exe
Token: 35	3304	svchost.exe
Token: 36	3304	svchost.exe
Token: SeSecurityPrivilege	6048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5424	svchost.exe
Token: SeSecurityPrivilege	5424	svchost.exe
Token: SeTakeOwnershipPrivilege	5424	svchost.exe
Token: SeLoadDriverPrivilege	5424	svchost.exe
Token: SeSystemProfilePrivilege	5424	svchost.exe
Token: SeSystemtimePrivilege	5424	svchost.exe
Token: SeProfSingleProcessPrivilege	5424	svchost.exe
Token: SeIncBasePriorityPrivilege	5424	svchost.exe
Token: SeCreatePagefilePrivilege	5424	svchost.exe
Token: SeBackupPrivilege	5424	svchost.exe
Token: SeRestorePrivilege	5424	svchost.exe
Token: SeShutdownPrivilege	5424	svchost.exe
Token: SeDebugPrivilege	5424	svchost.exe
Token: SeSystemEnvironmentPrivilege	5424	svchost.exe
Token: SeRemoteShutdownPrivilege	5424	svchost.exe
Token: SeUndockPrivilege	5424	svchost.exe
Token: SeManageVolumePrivilege	5424	svchost.exe
Token: 33	5424	svchost.exe
Token: 34	5424	svchost.exe
Token: 35	5424	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4492	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 3484	3096	BootstrapperV2.09(rat).exe	84
PID 3096 wrote to memory of 3484	3096	BootstrapperV2.09(rat).exe	84
PID 3096 wrote to memory of 2364	3096	BootstrapperV2.09(rat).exe	85
PID 3096 wrote to memory of 2364	3096	BootstrapperV2.09(rat).exe	85
PID 2364 wrote to memory of 4492	2364	BootstrapperV2.08.exe	88
PID 2364 wrote to memory of 4492	2364	BootstrapperV2.08.exe	88
PID 4492 wrote to memory of 2808	4492	msedge.exe	89
PID 4492 wrote to memory of 2808	4492	msedge.exe	89
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 1052	4492	msedge.exe	91
PID 4492 wrote to memory of 5008	4492	msedge.exe	92
PID 4492 wrote to memory of 5008	4492	msedge.exe	92
PID 4492 wrote to memory of 4364	4492	msedge.exe	93
PID 4492 wrote to memory of 4364	4492	msedge.exe	93
PID 4492 wrote to memory of 4364	4492	msedge.exe	93
PID 4492 wrote to memory of 4364	4492	msedge.exe	93
PID 4492 wrote to memory of 4364	4492	msedge.exe	93
PID 4492 wrote to memory of 4364	4492	msedge.exe	93
PID 4492 wrote to memory of 4364	4492	msedge.exe	93
PID 4492 wrote to memory of 4364	4492	msedge.exe	93
PID 4492 wrote to memory of 4364	4492	msedge.exe	93
PID 4492 wrote to memory of 4364	4492	msedge.exe	93
PID 4492 wrote to memory of 4364	4492	msedge.exe	93
PID 4492 wrote to memory of 4364	4492	msedge.exe	93
PID 4492 wrote to memory of 4364	4492	msedge.exe	93
PID 4492 wrote to memory of 4364	4492	msedge.exe	93

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe

C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.09(rat).exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.09(rat).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3484
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3304
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1276
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1224
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4460
  - - C:\Windows\system32\findstr.exe
      findstr All
      4⤵
      PID:2920
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:5336
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5384
  - - C:\Windows\system32\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:5404
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5424
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:5512
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:5956
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1d874324-087c-4bfa-a21a-468709b481c8.bat"
    3⤵
    PID:6092
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5520
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3484
      4⤵
      Kills process with taskkill
      PID:5532
  - - C:\Windows\system32\timeout.exe
      timeout /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:5600
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.08.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.08.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/invite/8PgspRYAQu
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ffb6baa46f8,0x7ffb6baa4708,0x7ffb6baa4718
      4⤵
      PID:2808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
      4⤵
      PID:1052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
      4⤵
      PID:4364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:2948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      PID:4392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
      4⤵
      PID:2600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4972 /prefetch:8
      4⤵
      PID:2608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5080 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:1108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
      4⤵
      PID:3796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
      4⤵
      PID:660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3292 /prefetch:8
      4⤵
      PID:5756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:5768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x158,0x24c,0x250,0x10c,0x254,0x7ff6e3045460,0x7ff6e3045470,0x7ff6e3045480
        5⤵
        
        PID:5792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3292 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
      4⤵
      PID:5148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
      4⤵
      PID:5276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,11272363173867342096,5703572179703551491,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1900 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4548

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44a2a1df63a77a42d267fe7dc0578372\Admin@TECFIYDO_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
220B

MD5
2ab1fd921b6c195114e506007ba9fe05

SHA1
90033c6ee56461ca959482c9692cf6cfb6c5c6af

SHA256
c79cfdd6d0757eb52fbb021e7f0da1a2a8f1dd81dcd3a4e62239778545a09ecc

SHA512
4f0570d7c7762ecb4dcf3171ae67da3c56aa044419695e5a05f318e550f1a910a616f5691b15abfe831b654718ec97a534914bd172aa7a963609ebd8e1fae0a5

Download Submit
C:\Users\Admin\AppData\Local\44a2a1df63a77a42d267fe7dc0578372\Admin@TECFIYDO_en-US\System\Apps.txt

Filesize
6KB

MD5
3a369126adb05a2596cafba28131c27a

SHA1
2756b6b2f27ce049d93361163bf208448cd98955

SHA256
ec0483822d84f2da42102850d330e923023713f9e8bead246b365d5a48ebbc12

SHA512
44132ca7712d77991ee8c00256c533c2890beba91b0dd1d8a14b2ccea378188a3d5b072bd289d023f1f3b13fffc8110a168479e5fb844386355951f9cd62d614

Download Submit
C:\Users\Admin\AppData\Local\44a2a1df63a77a42d267fe7dc0578372\Admin@TECFIYDO_en-US\System\Process.txt

Filesize
808B

MD5
bb9695bcb5e0422e4504e93f219245e9

SHA1
9a108efd1e0b665da0650b297101fd14a5dd3479

SHA256
5a3425bb1d52fcc118ce8e76f6d4dbfb31ef403778e1a5d91cc2d98dfd8c43e1

SHA512
2b0cdd74660dcdf3c537d03c45d6cb683821dbd1bd3043fb530af6c9bb589aba2454927e71bdbf57193a44dd1e5793654f6b00e92cbf2c4cd43751cc46df3558

Download Submit
C:\Users\Admin\AppData\Local\44a2a1df63a77a42d267fe7dc0578372\Admin@TECFIYDO_en-US\System\Process.txt

Filesize
1KB

MD5
654cb2ff053b6a31dd1c08b0454f3d2e

SHA1
99b9aa191cd70b6f224381aa5e0582ab07764411

SHA256
f23a921541255b3bb1e8442bea4c4c63b30eda5a7d977fc1adf98cb596498763

SHA512
ff2ab350e71cb7fc6fd041e960ebeccb228204bdcf4a79dd13a052b672a47b3b34ebc3fe7ab778b275243596b9b20ada4227b76df6507cf022bba70de988a77f

Download Submit
C:\Users\Admin\AppData\Local\44a2a1df63a77a42d267fe7dc0578372\Admin@TECFIYDO_en-US\System\Process.txt

Filesize
3KB

MD5
019d05ecb9dc03497fc2b062724ef53e

SHA1
3ed94ee5dd69ee24973c84eb3f00e28d2693d93b

SHA256
89694d7effa3015f5fdb14a30a74a2dc862db6d2d618b91b900b3390c904efb6

SHA512
81c3237e2b5f6bc2e056c96f869fd874878e465ed9a6e71e522858a0a3f849af8cbc9f91304acedbd3c57e99dc85d5bb3416791d92554da0d7739badaede6148

Download Submit
C:\Users\Admin\AppData\Local\44a2a1df63a77a42d267fe7dc0578372\Admin@TECFIYDO_en-US\System\Process.txt

Filesize
3KB

MD5
ee718ef8b2e09107b0e5c67a980d43ea

SHA1
e7aedffdfb67963996ec1f1d8c22b1ef285c9fa0

SHA256
0df53464d0ff68308082b16ee43a2860e53e0b4dd85ada84dff0af78cb3c3050

SHA512
fa731382ccd6cfdacf9e6fe33a431d69a938e39326b8d3a5cc1b3929e0176399a1a7c79ebf4b86eb5f7a6fe826424af61dbdc8df30a3d7a4a9de76c3857f4f76

Download Submit
C:\Users\Admin\AppData\Local\44a2a1df63a77a42d267fe7dc0578372\Admin@TECFIYDO_en-US\System\Process.txt

Filesize
4KB

MD5
f59737654a4c2f87aee82ef601a4fc08

SHA1
a7136380e025eea7867154eb328be1da3096df7d

SHA256
d2635fcb47c2e7854fb302d0ac08f3a60793f8c7c2aa2b17636fb34664d1a4ed

SHA512
238f2bca0f7994cfff4567cd94fe31408e0fc3b0e1fc9490962ccf066097b1a5c3fa568f5c5cefb80761b5ea68a6154924efe0c6c09d9dce71f8828b62e07d9c

Download Submit
C:\Users\Admin\AppData\Local\44a2a1df63a77a42d267fe7dc0578372\msgid.dat

Filesize
2B

MD5
093f65e080a295f8076b1c5722a46aa2

SHA1
5a5b0f9b7d3f8fc84c3cef8fd8efaaa6c70d75ab

SHA256
3e1e967e9b793e908f8eae83c74dba9bcccce6a5535b4b462bd9994537bfe15c

SHA512
c45d027d446112379f9dcb9a9e84763c84ffa7533632ae255fb9d5134d54171769a5906366091b39ae680484eabc9a3a08ca58e980419f03d86b11b345778335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
23fa82e121d8f73e1416906076e9a963

SHA1
b4666301311a7ccaabbad363cd1dec06f8541da4

SHA256
5fd39927e65645635ebd716dd0aef59e64aacd4b9a6c896328b5b23b6c75159e

SHA512
64920d7d818031469edff5619c00a06e5a2320bc08b3a8a6cd288c75d2a470f8c188c694046d149fa622cbb40b1f8bf572ac3d6dfc59b62a4638341ccb467dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b19b7ecb6ee133c2ff01f7888eae612

SHA1
a592cab7e180cc5c9ac7f4098a3c8c35b89f8253

SHA256
972bc0df18e9a9438dbc5763e29916a24b7e4f15415641230c900b6281515e78

SHA512
16301409fee3a129612cfe7bdb96b010d3da39124aa88b2d111f18d5ae5d4fc8c3c663809148dd07c7f3cd37bb78bd71e25be1584bd2d0bacf529fa7f3461fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
0c5f09ede99d49e089c9c08e68c2c52e

SHA1
ea8cd87c569382b39921b57031109e61a9e6b794

SHA256
1207f31e7de61fa3f1a0f4e436c370f0287188d1aad0d69f6115a232067506a4

SHA512
27956c07a2cf7db892812741d8d046ed551f9b28a9d6786482226620005aa028c1764ec35befdedba1f24b00f9407a9a200a6cc772c2e67daf8cbdfecf69edc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
d4c53b3970c02345d092d950bfb412a3

SHA1
b4297369f5466dfc740aab159c0f1ffbf32c219c

SHA256
765b263d9f565a6f2b85b0498d88e73036d89ef2788448cee04aafdfd5f0eece

SHA512
9eba963c34283ea7d0acf43a90670becf34fb877ae09d3fb9f0bfa52864458fae0c7a291d4afc88d0de69354fb371e78fb808a0b75acfe3da0daf4f8d4055681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
255B

MD5
ff9f825925f89085b6c4809612c14b39

SHA1
3cd291d4b9d7bfff93177f074aa75d7034ce0d4e

SHA256
118d159f05b7fb0b7424c2374470d9e77857047f4a0663e944e2363ecf04b0fa

SHA512
735ec4fd0c01534dd09a61b341ed00a0bbb7488c1e267d736041d96e0f6a62c8b4090ded41986464cf82b472831c6d10f9fbf688e20340f6c293ba5332e05d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58dd5b.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
087f8f75832438b522fed0238ec3ab9b

SHA1
4226425ccd4eeebea489d755e0e6b4aba4574108

SHA256
996c71af6094d3a91ea1499ed9248f2eb103242356bf4ed78ddb8c8da00d54be

SHA512
54d4897579720d24d86be8de279860f653cc0f1572b715d826d79381470fe077a0f5185f2748ce1885cb700dffd31f2087dc2674a1247f3a2b8e0342671a27d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e6b28f83eea2e0deed75016c0d8b7a86

SHA1
edcde77c1fa0c1557034a6d1b7f10a68ca1369cc

SHA256
a4b9ab926da3cf0101bfb18a06fc733e60e892667c12ac1e11c0af334792c0bd

SHA512
7ff50e1c3b53fb72b545513cc45bdab7b693d04f1ca89178e95a681beffaa71632cac4be6d9bc91396da5c55b7243ce744364e169d3a5d3f8d1355497b8ee4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4ffdb7542116e556a31745c1265aaae6

SHA1
9fc0e8a0346a2ffb5f23a92728a5bcb019e3de39

SHA256
e5940cbec1506f6af1c55f027c913551755bd5bfe98c3fdeef4c2e7da69f3288

SHA512
9411b60a103a406d8b05cc08f6fcf9d39087d9ab248426968e8a49095f447dda92f5eee1f777614a66cedcd880e366ace2ba93968cab44a82a4eccb3deb13422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2161cac0d67fdcbd327b4167f2547d7d

SHA1
f04410434306164cec1e24447f2fd9bef358d9f7

SHA256
6223b3bd4a3722a3cd8ac69db73e6fa500af38d4d0d14dba05d56893d78011a2

SHA512
de143b2862c01a4778144268bd627e40d633c5dbcbab661548b87202e2de9d854c0632cc9632c5546cd4769c6737c059cf281134a6728b754b2c749115244293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8cd513127214e252edf0454f329bc002

SHA1
6f47fac6be8e7331e54203a7865e86b32cddf16b

SHA256
3df220380a8bf881117c17102a5c70ae7deea18ec92e7c478df2ee904d882108

SHA512
0b6d2f2e12bb8b15175875b7118778e57475934dee0476bc3ec989c5408d1ff5cf1c2d5dce4bd980a3ef9bfee232f974fa90050171826f3f0847f9682ae7e4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
371edf34cc4edfe5fc16d906571e1a49

SHA1
2b0f160569aff513f7ac25a16adf02758cca07fc

SHA256
ee07b7e150c132312f076f2fe4c58445fcf86aea9eda0468b6ee040b5f690d35

SHA512
9598bca019b2acf65bc0511062e8edf53e00b3801d7a9b49f9c6b7209bcf7ff782ec215716955d5f378f952d77435bccf210384909f28bffa83fa9ac8589cdb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\cf4222ca-853d-49eb-bc9d-8874ed4455a9.tmp

Filesize
8KB

MD5
1dd046539c22c90d9ae0c5eda5d84f25

SHA1
50c57b48e37701352f1c3ecf75a803b4c46a503f

SHA256
05638d94af08555fc086587aa645184d4caed513c9d61d652fc0c92064745e0c

SHA512
2cc2e8c015d0efe539c3b2b774d74b61bdc055fed540c20fd9bb5e6b91d7909aaec4b790008d80c50dbbf45f92c9afcdcc23b1cf32c16c4665000fae2268274e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
3.6MB

MD5
67fa781a0df1aea8159a22c0390023f3

SHA1
d3641ee05ddd0a652a9004894f09b484336f115e

SHA256
c59878f34eb08565dde137d3da8f37185c07b01de149b4c210497703c737605a

SHA512
2f7fb249fd1e4097928adffd40b5131002b6fb47a26248d92f0781f6510dbb4e382febd2bfc7755970baf2f4c90d48591ca3edc08d10ed0491df9ee4575eff2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d874324-087c-4bfa-a21a-468709b481c8.bat

Filesize
152B

MD5
5ff433043dfba4bac0a44ebd32b9f76e

SHA1
53901278c8dc2e95d9aad8768d25be1f4a9d5b86

SHA256
615ab5326d625343d7171267635393750e92a041807d770a8b01c0e7b06347f2

SHA512
99909132639b3ffa76ecb596fa9143e6add0b2b778aa258fb4d0466cd1073c76132fde2b95c2b61962a1e03fb534eedec221c933a24fdc08c42ca15c281bab9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.08.exe

Filesize
2.9MB

MD5
3f960b403cd616c9f59b3c22fc69aeca

SHA1
c9878d8dd7cada17525d0fb41626ef10387cb624

SHA256
8d0e9176ab99c1c4442f8529a5e06a84cf4573b79d21c15022f825ad9c36c84a

SHA512
bd48219ce56276114a411d4a3b19ff723cf20fe75571faebd43c2567b2a6cc73b77ffe5858ac5f80cec32d79ae3df84ebfc42b80b38af14691727f2c08399761

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
690B

MD5
343e340a81081d8192978a200277119a

SHA1
311a37dce5e93a591ae5e9810118d5fe0c44d43d

SHA256
6a3572f0be3921fabd641d432778805743a44dde5d5177aaf76015a22c523bef

SHA512
af30512d108c33ded54c34111590d611c3bc45136260c260513d0464d1414c28c9b3e712563c28d184dc9fc6fff6a9b77ffc188ec634dfb66440ac6a44b0b6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
1KB

MD5
3cfa0ec746c9b5e948dec54bc287e350

SHA1
ac00d64128f821132eca36d779ef4c5de571d2ea

SHA256
2e27e67610f97830d20e3d4d6f42f3cdaedf1d40c7e01158113509a8ccb304f5

SHA512
02a3b77c554a15e4dbfe9f6cbbb6868cc62686d48ad6fac65d89d9d6d865cadb81f5c3a7b52163287d0d0cbcd3ed59284236c074ee4800768e004facfe304ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
2KB

MD5
b7a183a0580a97428769645baf299868

SHA1
e0da62b276c100b3f197af19a4117cce13f35b4e

SHA256
2289711480e601df1ab52ebe8625f957de174d45140cf03ef012a44519efcad4

SHA512
bd470b7725d1d4e149d2aaf942b2c930af787c3a05804f0bf2f7bcb172a4c0e6dce26048f4259043df4c9e6465281463849c473f04c7be211fc2a78fc74e2977

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
5KB

MD5
3a665e3e078f32de41e4afc97d7afb5d

SHA1
55fc27905afad89b88409fc97f2567672122e5f9

SHA256
88a0be01bd518f8db016236e7e66f578936d39ba53efdf1b046b11e580da61ba

SHA512
cf51ad827ee7295a6772493f70088cc923431d3837fc6d06bd9acf0ff76a160048d4c83cefe247501289533e07810ac47ff8a6f0c6c8212f32b2916d27df643b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
3400ac24551dddc1a7b0d4be98991631

SHA1
155514c662b818442090d9dd67dcfac0d98675af

SHA256
e684e5e49c257f0763899bc14b43c02a67d8763cfd1433c0acf0649a3be04992

SHA512
a761e43bc8c9003838a9831dcc17af7a6417083a7119c1028023a5f5e471de94c00e823c49c5ccf983e2a625f5e3f16b15d9e05664b9b00c10e2800c4d3e2729

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
151870047ec9806b2a102c5a876db369

SHA1
85816b72a28ac6545d82f6f09640fedbb98891ff

SHA256
52cf31bc96ca76834b6df38ae7d1290559f3db0fd7092a1c6616248d70f227e4

SHA512
34eca23908116afa47cd0f79399793db11c89fe0c331264e6d4492ec1b24146d74b62d54309181f99bcfa920971fb9ae56ac8c0c45ad2969cde02ae5498cc269

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
63KB

MD5
67ca41c73d556cc4cfc67fc5b425bbbd

SHA1
ada7f812cd581c493630eca83bf38c0f8b32b186

SHA256
23d2e491a8c7f2f7f344764e6879d9566c9a3e55a3788038e48b346c068dde5b

SHA512
0dceb6468147cd2497adf31843389a78460ed5abe2c5a13488fc55a2d202ee6ce0271821d3cf12bc1f09a4d6b79a737ea3bccfc2bb87f89b3fff6410fa85ec02

Download Submit
memory/1100-82-0x0000000000F30000-0x0000000000F46000-memory.dmp

Filesize
88KB

Download
memory/2364-42-0x000001B32D750000-0x000001B32D776000-memory.dmp

Filesize
152KB

Download
memory/2364-37-0x000001B32D130000-0x000001B32D138000-memory.dmp

Filesize
32KB

Download
memory/2364-47-0x000001B32D7C0000-0x000001B32D7C8000-memory.dmp

Filesize
32KB

Download
memory/2364-46-0x000001B32D6E0000-0x000001B32D6EA000-memory.dmp

Filesize
40KB

Download
memory/2364-45-0x000001B32D700000-0x000001B32D70A000-memory.dmp

Filesize
40KB

Download
memory/2364-44-0x000001B32D790000-0x000001B32D7A6000-memory.dmp

Filesize
88KB

Download
memory/2364-35-0x000001B30CCA0000-0x000001B30CF82000-memory.dmp

Filesize
2.9MB

Download
memory/2364-36-0x000001B30D350000-0x000001B30D360000-memory.dmp

Filesize
64KB

Download
memory/2364-43-0x000001B32D780000-0x000001B32D788000-memory.dmp

Filesize
32KB

Download
memory/2364-38-0x000001B32D710000-0x000001B32D748000-memory.dmp

Filesize
224KB

Download
memory/2364-41-0x000001B32D6F0000-0x000001B32D6FA000-memory.dmp

Filesize
40KB

Download
memory/2364-40-0x000001B32E5D0000-0x000001B32E6D0000-memory.dmp

Filesize
1024KB

Download
memory/2364-39-0x000001B32D6D0000-0x000001B32D6DE000-memory.dmp

Filesize
56KB

Download
memory/3096-0-0x00007FFB7E963000-0x00007FFB7E965000-memory.dmp

Filesize
8KB

Download
memory/3096-1-0x00000000002A0000-0x0000000000886000-memory.dmp

Filesize
5.9MB

Download
memory/3096-13-0x00007FFB7E960000-0x00007FFB7F422000-memory.dmp

Filesize
10.8MB

Download
memory/3096-290-0x00007FFB7E960000-0x00007FFB7F422000-memory.dmp

Filesize
10.8MB

Download
memory/3484-371-0x00007FFB7E960000-0x00007FFB7F422000-memory.dmp

Filesize
10.8MB

Download
memory/3484-735-0x000002A8F8C00000-0x000002A8F8CA0000-memory.dmp

Filesize
640KB

Download
memory/3484-733-0x000002A8F8BD0000-0x000002A8F8BF2000-memory.dmp

Filesize
136KB

Download
memory/3484-732-0x000002A8F8AF0000-0x000002A8F8BA2000-memory.dmp

Filesize
712KB

Download
memory/3484-311-0x00007FFB7E960000-0x00007FFB7F422000-memory.dmp

Filesize
10.8MB

Download
memory/3484-795-0x00007FFB7E960000-0x00007FFB7F422000-memory.dmp

Filesize
10.8MB

Download
memory/3484-34-0x00007FFB7E960000-0x00007FFB7F422000-memory.dmp

Filesize
10.8MB

Download
memory/3484-30-0x00007FFB7E960000-0x00007FFB7F422000-memory.dmp

Filesize
10.8MB

Download
memory/3484-17-0x000002A8F5810000-0x000002A8F5BAA000-memory.dmp

Filesize
3.6MB

Download
memory/3484-691-0x000002A8F8AD0000-0x000002A8F8AEA000-memory.dmp

Filesize
104KB

Download
memory/3484-690-0x000002A8F8A70000-0x000002A8F8AB4000-memory.dmp

Filesize
272KB

Download