dcrat | 32b9b361f850a2603397ad184861b667f4a9f2fa301908bf9390f29776a789a6

Resubmissions

25/03/2025, 12:12

250325-pdkyhsyrz5 10

08/02/2025, 06:08

250208-gvvkaazlct 10

08/02/2025, 06:01

250208-gq5jpa1kbl 10

Analysis

max time kernel
138s
max time network
140s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
08/02/2025, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

runchicky.exe
Size

624KB
MD5

d22dc0f8675d231c6e89cd6398195ced
SHA1

48377a33001154de3e9067e1ba59a3f2c467016e
SHA256

32b9b361f850a2603397ad184861b667f4a9f2fa301908bf9390f29776a789a6
SHA512

c59658765335e0de941047e3d831a15e89ae1afb1fb54548d7f5018e40e8f932415d031c112077cae1b445b68e924106ba12d8bd59d5bd3cf5b8e7eeff4a50e3
SSDEEP

12288:aRZ+IoG/n9IQxW3OBsee2X+t4Rbm82N7e51DLg1ZMKd3YNdxmZj:U2G/nvxW3Ww0tm828J6MKd3SxmN

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	3428	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	3428	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x001d00000002aeba-10.dat	dcrat
behavioral1/memory/2044-13-0x0000000000D50000-0x0000000000DA6000-memory.dmp	dcrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
19	2816	Process not Found

Executes dropped EXE 2 IoCs

pid	Process
2044	chainport.exe
2052	winlogon.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ee2ad38f3d4382	chainport.exe
File created	C:\Program Files\7-Zip\spoolsv.exe	chainport.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe	chainport.exe
File created	C:\Program Files\Windows Mail\sysmon.exe	chainport.exe
File created	C:\Program Files (x86)\Adobe\cc11b995f2a76d	chainport.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\smss.exe	chainport.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\69ddcba757bf72	chainport.exe
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	chainport.exe
File created	C:\Program Files\7-Zip\f3b6ecef712a24	chainport.exe
File created	C:\Program Files (x86)\Google\sihost.exe	chainport.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\5940a34987c991	chainport.exe
File created	C:\Program Files\Uninstall Information\System.exe	chainport.exe
File created	C:\Program Files (x86)\Adobe\winlogon.exe	chainport.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\Registry.exe	chainport.exe
File created	C:\Program Files (x86)\Google\66fc9ff0ee96c2	chainport.exe
File opened for modification	C:\Program Files\Windows Mail\sysmon.exe	chainport.exe
File created	C:\Program Files\Windows Mail\121e5b5079f7c0	chainport.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runchicky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2716	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2969674418-3952479498-2422112087-1000_Classes\Local Settings	runchicky.exe
Key created	\REGISTRY\USER\S-1-5-21-2969674418-3952479498-2422112087-1000_Classes\Local Settings	chainport.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4736	schtasks.exe
1532	schtasks.exe
2648	schtasks.exe
3768	schtasks.exe
2984	schtasks.exe
1048	schtasks.exe
2148	schtasks.exe
3616	schtasks.exe
4248	schtasks.exe
4668	schtasks.exe
856	schtasks.exe
1868	schtasks.exe
2672	schtasks.exe
2112	schtasks.exe
244	schtasks.exe
1584	schtasks.exe
4816	schtasks.exe
2972	schtasks.exe
5000	schtasks.exe
1664	schtasks.exe
1896	schtasks.exe
5044	schtasks.exe
328	schtasks.exe
2080	schtasks.exe
3608	schtasks.exe
2036	schtasks.exe
2860	schtasks.exe
3872	schtasks.exe
664	schtasks.exe
4820	schtasks.exe
2316	schtasks.exe
364	schtasks.exe
2492	schtasks.exe
1724	schtasks.exe
2056	schtasks.exe
4524	schtasks.exe
2744	schtasks.exe
2620	schtasks.exe
3288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2044	chainport.exe
2044	chainport.exe
2044	chainport.exe
2052	winlogon.exe
2052	winlogon.exe
2052	winlogon.exe
2052	winlogon.exe
2052	winlogon.exe
2052	winlogon.exe
2052	winlogon.exe
2052	winlogon.exe
2052	winlogon.exe
4276	msedge.exe
4276	msedge.exe
3604	msedge.exe
3604	msedge.exe
4696	msedge.exe
4696	msedge.exe
4816	identity_helper.exe
4816	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2052	winlogon.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	chainport.exe
Token: SeDebugPrivilege	2052	winlogon.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 4424	916	runchicky.exe	82
PID 916 wrote to memory of 4424	916	runchicky.exe	82
PID 916 wrote to memory of 4424	916	runchicky.exe	82
PID 4424 wrote to memory of 2592	4424	WScript.exe	83
PID 4424 wrote to memory of 2592	4424	WScript.exe	83
PID 4424 wrote to memory of 2592	4424	WScript.exe	83
PID 2592 wrote to memory of 2044	2592	cmd.exe	85
PID 2592 wrote to memory of 2044	2592	cmd.exe	85
PID 2044 wrote to memory of 444	2044	chainport.exe	126
PID 2044 wrote to memory of 444	2044	chainport.exe	126
PID 444 wrote to memory of 3852	444	cmd.exe	128
PID 444 wrote to memory of 3852	444	cmd.exe	128
PID 444 wrote to memory of 2052	444	cmd.exe	129
PID 444 wrote to memory of 2052	444	cmd.exe	129
PID 4276 wrote to memory of 2688	4276	msedge.exe	135
PID 4276 wrote to memory of 2688	4276	msedge.exe	135
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 1648	4276	msedge.exe	137
PID 4276 wrote to memory of 3604	4276	msedge.exe	139
PID 4276 wrote to memory of 3604	4276	msedge.exe	139
PID 4276 wrote to memory of 2340	4276	msedge.exe	140
PID 4276 wrote to memory of 2340	4276	msedge.exe	140
PID 4276 wrote to memory of 2340	4276	msedge.exe	140
PID 4276 wrote to memory of 2340	4276	msedge.exe	140
PID 4276 wrote to memory of 2340	4276	msedge.exe	140
PID 4276 wrote to memory of 2340	4276	msedge.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\runchicky.exe
"C:\Users\Admin\AppData\Local\Temp\runchicky.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\containercomponentbrowsersessionHost\2oJRbutlgxfcdw8Hh9s7qc5Tm6nW.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\containercomponentbrowsersessionHost\BEpBAzWNQZE9Fln77MEjVlk.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\containercomponentbrowsersessionHost\chainport.exe
      "C:\containercomponentbrowsersessionHost\chainport.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QBvHMncv3z.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:444
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3852
      - C:\Program Files (x86)\Adobe\winlogon.exe
        
        "C:\Program Files (x86)\Adobe\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\containercomponentbrowsersessionHost\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\containercomponentbrowsersessionHost\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\containercomponentbrowsersessionHost\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTM0MUJENTAtOTk2QS00MDIwLTlEQ0QtQ0Q4N0U1RTM2OUU0fSIgdXNlcmlkPSJ7RTIzMzE2QkQtQTU3MS00NDVCLTgzMTYtOUI0MjY0OTIyNkE1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MkE0N0QwQTgtRDQ5Qy00NzQ4LUFFOTktNEI1ODBFQUE0MzNDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NTk3NyIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI4NTM1NTkwMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwOTk4OTUzNTkiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8f3f3cb8,0x7fff8f3f3cc8,0x7fff8f3f3cd8
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,10447642822643315574,444198453565884076,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,10447642822643315574,444198453565884076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,10447642822643315574,444198453565884076,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,10447642822643315574,444198453565884076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,10447642822643315574,444198453565884076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,10447642822643315574,444198453565884076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,10447642822643315574,444198453565884076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,10447642822643315574,444198453565884076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,10447642822643315574,444198453565884076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,10447642822643315574,444198453565884076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,10447642822643315574,444198453565884076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,10447642822643315574,444198453565884076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,10447642822643315574,444198453565884076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:3316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a2b6a38b7ba9aa7c64738c68e58edb9

SHA1
fc9280f92eaf999ddc4dfe87c08f0640384ecc77

SHA256
ceaedf34d68a4c20e135231363cba3816453f53b96ae58fd88bc5f00135dbb6b

SHA512
69aed16cd3a96b7dbc1205714fa46040f105547b8b7338d7320cbef5338cdee2985953cd10b037e2dd7ff8a79dd7ce76edced906c7b50ef54980e52fe00a4e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2522886e1b6b01847a8b2bd8239db83a

SHA1
4c16812bf9f827262030825bda1f644746c90ac0

SHA256
596eec2b17e61e2acd9682ba492a4d5263cab1361dadbee49dbf1a175c226cf3

SHA512
f32b6e29315f7e0459a3ee890eb40b713262b936182609c9ba7408c9aeff97353a27fd711e7713629f9a302b48cbb7cd1175bbed28dd6e07869bb947cf048c1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ccf92492d53a01450f971c3cf767029

SHA1
857f54344f7150c8348cad5674c42f4c9fee83a2

SHA256
806d2b70e7d370953eda4f17f9db7fc38bcb1c532e215644cbfcd9bbfb847711

SHA512
78a55f71810ecf2f590a2cb86a451769ebc95dd90a77ff9114054f36fe6b65f2de6641fa9af571ab3bf964b91b6786fcea4411357747b5143c1767e47514f0d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
62e7c88fc265fecdd0e5e2cfe9f49106

SHA1
2a8fdb19ad755d4432da3428558c7df39e03d4c2

SHA256
b6c2b09e4398922e45b9fa17ccfbe94cad4636d33bc867c5c03d24a1712adbc3

SHA512
7a65fcec34b167226598e9f97e3a510b81d15f8b28190f210b6e187fc5c386f2fc915fdf2e3fc880ce8ef8a599c915d4f0525efb47757f8f303dd034e2043c14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c5c9fa43bb3585754d7d5725fd485f18

SHA1
cfd8283a1820e6f3877e02fd5ba23af92e401ad7

SHA256
22afe57cb47207f208d076f20a643e5287b5a6ab66d7ae8b6939d7b29c3a9d95

SHA512
f1900c938c2ae3b044eb25d608a95d8fb67c1cc8d2450a2c7e96d0b0b124a80c9392ba915f88c77ab3cf9a25f8b8794c6c3f0f5a77993233581f2eee80c929e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QBvHMncv3z.bat

Filesize
206B

MD5
975ce99f5f2b59e628b3efc7bcabe5a2

SHA1
1f797343369fa8c8ad5e0298f573ffa806c435bb

SHA256
95b4139da9169c865619d22ee25f19a44c804c81cf71a5e712f1765a41b61434

SHA512
ae43b18e840d032905d4b6b00ca232a3e6ec8cf289b5d95da90c566a68ad42e59730d90fb032259b79aa86ea77ac6345846601145d491d939b744a9ebeda90a0

Download Submit
C:\containercomponentbrowsersessionHost\2oJRbutlgxfcdw8Hh9s7qc5Tm6nW.vbe

Filesize
236B

MD5
c9fa9360334e74694bec9389510d78b4

SHA1
2defff1cff9f8cf5537d23e36a8142a6234dc6cf

SHA256
701836c11a98cceb6c2b4e2b65dfbbc9daf48eab446ee74f2646b820a00439a2

SHA512
57c3284db5f7a632b2d605236a43c8edaed0a71881aa158f28402b59edefaa86a8aa538ee1837e654c9f557969249549ddbd4a8d02934b466079a527ce2950c5

Download Submit
C:\containercomponentbrowsersessionHost\BEpBAzWNQZE9Fln77MEjVlk.bat

Filesize
55B

MD5
cefead7e02d3d3d7ceef508021db85c5

SHA1
c2b6ab077c82e91833632b6ee7ce2ded769e3f27

SHA256
a9638e9e49f1bf899d84de94c7b2d6dbd76fe6713cf111ebfddfc37519afe996

SHA512
4fde200afb99fa8c80f0c7354162174807ed441b6037847f70e05f20f1af2d8cbc51f80e49f1b0766c7a66f7b0ad4b068f232c8fc5f94bad06cce68652cd9b02

Download Submit
C:\containercomponentbrowsersessionHost\chainport.exe

Filesize
315KB

MD5
5dbf85cb66c28dd7a2fdee05429bc507

SHA1
00b7bb4189987a2c4c0482888717e46c6b954d70

SHA256
493e7f443428a30ebfddaa14f309bcf33b9052b61f508b2acf04dc9959c55db3

SHA512
9e466d0a6d3a48c45de06c6dccd0c3764a114f4f3662c0802b12c1433011ab9af36a6a76d534f1244b7c44b52752da280374059ca726e07bc24493e11810bc21

Download Submit
memory/2044-13-0x0000000000D50000-0x0000000000DA6000-memory.dmp

Filesize
344KB

Download
memory/2044-12-0x00007FFF94433000-0x00007FFF94435000-memory.dmp

Filesize
8KB

Download
memory/2052-50-0x000000001C7C0000-0x000000001C7C9000-memory.dmp

Filesize
36KB

Download
memory/2052-52-0x000000001D250000-0x000000001D26E000-memory.dmp

Filesize
120KB

Download
memory/2052-53-0x000000001D270000-0x000000001D27B000-memory.dmp

Filesize
44KB

Download
memory/2052-49-0x000000001C770000-0x000000001C7B6000-memory.dmp

Filesize
280KB

Download
memory/2052-51-0x000000001C7F0000-0x000000001C7FD000-memory.dmp

Filesize
52KB

Download