rhadamanthys | 6e722243696a6525fe5e873b77f5069fd5c6c7e9147d8a69a13675c67211e892

Analysis

max time kernel
50s
max time network
49s
platform
windows11-21h2_x64
resource
win11-20250210-en
resource tags

arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
submitted
10-02-2025 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.bat
Size

32B
MD5

bf24697b5cb868ee7a5ddd4809d45dbc
SHA1

716a502d0392c6bbdc770f4146b995575f259373
SHA256

6e722243696a6525fe5e873b77f5069fd5c6c7e9147d8a69a13675c67211e892
SHA512

91c1f63a4337e19c7009892fe697b476b007e6d554afd5668bfdbb853a0874a6b91567340e87d9c18a58d7b99e059edb61048cf417eff3a7ea02cbfd83771082

Score

10^/10

rhadamanthys defense_evasion discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 17 IoCs

resource	yara_rule
behavioral1/memory/4120-176-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/3444-175-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/3444-173-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/4620-180-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/760-179-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/1228-182-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/4028-184-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/2340-186-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/1080-188-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/4756-190-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/4040-193-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/3772-194-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/1792-200-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/916-202-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/1376-204-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/1216-198-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/4832-196-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 32 IoCs

description	pid	Process	procid_target
PID 4120 created 684	4120	aspnet_wp.exe	49
PID 4620 created 684	4620	aspnet_wp.exe	49
PID 3444 created 684	3444	aspnet_wp.exe	49
PID 760 created 684	760	aspnet_wp.exe	49
PID 1228 created 684	1228	aspnet_wp.exe	49
PID 1080 created 684	1080	csc.exe	49
PID 4028 created 684	4028	aspnet_wp.exe	49
PID 4832 created 684	4832	aspnet_wp.exe	49
PID 1216 created 684	1216	aspnet_wp.exe	49
PID 5096 created 684	5096	aspnet_wp.exe	49
PID 4060 created 684	4060	aspnet_wp.exe	49
PID 2872 created 684	2872	aspnet_wp.exe	49
PID 2036 created 684	2036	aspnet_wp.exe	49
PID 1856 created 684	1856	aspnet_wp.exe	49
PID 860 created 684	860	aspnet_wp.exe	49
PID 4404 created 684	4404	aspnet_wp.exe	49
PID 1400 created 684	1400	aspnet_wp.exe	49
PID 128 created 684	128	ilasm.exe	49
PID 4796 created 684	4796	aspnet_wp.exe	49
PID 1756 created 684	1756	aspnet_wp.exe	49
PID 1080 created 684	1080	csc.exe	49
PID 1792 created 684	1792	aspnet_wp.exe	49
PID 1644 created 684	1644	aspnet_wp.exe	49
PID 832 created 684	832	aspnet_wp.exe	49
PID 1376 created 684	1376	ilasm.exe	49
PID 2948 created 684	2948	aspnet_wp.exe	49
PID 244 created 684	244	aspnet_wp.exe	49
PID 332 created 684	332	aspnet_wp.exe	49
PID 3532 created 684	3532	aspnet_wp.exe	49
PID 652 created 684	652	aspnet_wp.exe	49
PID 1912 created 684	1912	aspnet_wp.exe	49
PID 4620 created 684	4620	aspnet_wp.exe	49

Enumerates VirtualBox registry keys 2 TTPs 6 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	bootstrapper.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	bootstrapper.exe

Looks for VMWare services registry key. 1 TTPs 4 IoCs

defense_evasion

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmtools	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMMEMCTL	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmtools	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMMEMCTL	bootstrapper.exe

Suspicious use of SetThreadContext 42 IoCs

description	pid	Process	procid_target
PID 1864 set thread context of 3444	1864	bootstrapper.exe	103
PID 1864 set thread context of 4120	1864	bootstrapper.exe	104
PID 1864 set thread context of 4620	1864	bootstrapper.exe	105
PID 1864 set thread context of 760	1864	bootstrapper.exe	106
PID 1864 set thread context of 1228	1864	bootstrapper.exe	107
PID 1864 set thread context of 4028	1864	bootstrapper.exe	108
PID 1864 set thread context of 2340	1864	bootstrapper.exe	109
PID 1864 set thread context of 1080	1864	bootstrapper.exe	111
PID 1864 set thread context of 4756	1864	bootstrapper.exe	112
PID 1864 set thread context of 4040	1864	bootstrapper.exe	113
PID 1864 set thread context of 3772	1864	bootstrapper.exe	114
PID 1864 set thread context of 4832	1864	bootstrapper.exe	115
PID 1864 set thread context of 1216	1864	bootstrapper.exe	116
PID 1864 set thread context of 1792	1864	bootstrapper.exe	117
PID 1864 set thread context of 916	1864	bootstrapper.exe	118
PID 1864 set thread context of 1376	1864	bootstrapper.exe	119
PID 1864 set thread context of 2036	1864	bootstrapper.exe	152
PID 1864 set thread context of 860	1864	bootstrapper.exe	153
PID 1864 set thread context of 1856	1864	bootstrapper.exe	154
PID 1864 set thread context of 2872	1864	bootstrapper.exe	155
PID 1864 set thread context of 1400	1864	bootstrapper.exe	156
PID 1864 set thread context of 4404	1864	bootstrapper.exe	157
PID 1864 set thread context of 4060	1864	bootstrapper.exe	158
PID 1864 set thread context of 5096	1864	bootstrapper.exe	159
PID 1864 set thread context of 4796	1864	bootstrapper.exe	160
PID 1864 set thread context of 128	1864	bootstrapper.exe	163
PID 4020 set thread context of 1756	4020	bootstrapper.exe	192
PID 4020 set thread context of 4620	4020	bootstrapper.exe	193
PID 4020 set thread context of 1080	4020	bootstrapper.exe	195
PID 4020 set thread context of 1376	4020	bootstrapper.exe	198
PID 4020 set thread context of 1216	4020	bootstrapper.exe	199
PID 4020 set thread context of 1792	4020	bootstrapper.exe	200
PID 4020 set thread context of 2948	4020	bootstrapper.exe	201
PID 4020 set thread context of 1644	4020	bootstrapper.exe	202
PID 4020 set thread context of 832	4020	bootstrapper.exe	203
PID 4020 set thread context of 1728	4020	bootstrapper.exe	204
PID 4020 set thread context of 332	4020	bootstrapper.exe	205
PID 4020 set thread context of 652	4020	bootstrapper.exe	206
PID 4020 set thread context of 244	4020	bootstrapper.exe	207
PID 4020 set thread context of 4600	4020	bootstrapper.exe	208
PID 4020 set thread context of 1912	4020	bootstrapper.exe	209
PID 4020 set thread context of 3532	4020	bootstrapper.exe	210

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
4840	1080	WerFault.exe	111
4392	4620	WerFault.exe	105
3900	3444	WerFault.exe	103
4768	1376	WerFault.exe	119
5020	4120	WerFault.exe	104
4360	1792	WerFault.exe	117
4492	5096	WerFault.exe	159
3784	4060	WerFault.exe	158
5104	2036	WerFault.exe	152
4980	2872	WerFault.exe	155
5036	1400	WerFault.exe	156
3712	1756	WerFault.exe	192
2760	1792	WerFault.exe	200
2264	244	WerFault.exe	207
3332	3532	WerFault.exe	210
2772	4620	WerFault.exe	193
4592	2948	WerFault.exe	201
1932	1644	WerFault.exe	202
1980	1080	WerFault.exe	195

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1003530991-2962315046-3000157291-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1003530991-2962315046-3000157291-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1003530991-2962315046-3000157291-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1003530991-2962315046-3000157291-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1003530991-2962315046-3000157291-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\test_if_virus.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5096	msedge.exe
5096	msedge.exe
484	msedge.exe
484	msedge.exe
1092	msedge.exe
1092	msedge.exe
1864	bootstrapper.exe
3444	aspnet_wp.exe
3444	aspnet_wp.exe
4120	aspnet_wp.exe
4120	aspnet_wp.exe
760	aspnet_wp.exe
760	aspnet_wp.exe
4620	aspnet_wp.exe
4620	aspnet_wp.exe
1228	aspnet_wp.exe
1228	aspnet_wp.exe
4028	aspnet_wp.exe
4028	aspnet_wp.exe
4120	aspnet_wp.exe
4120	aspnet_wp.exe
1080	csc.exe
1080	csc.exe
4620	aspnet_wp.exe
4620	aspnet_wp.exe
3444	aspnet_wp.exe
3444	aspnet_wp.exe
760	aspnet_wp.exe
760	aspnet_wp.exe
4832	aspnet_wp.exe
4832	aspnet_wp.exe
1216	aspnet_wp.exe
1216	aspnet_wp.exe
1228	aspnet_wp.exe
1228	aspnet_wp.exe
1080	csc.exe
1080	csc.exe
4028	aspnet_wp.exe
4028	aspnet_wp.exe
4832	aspnet_wp.exe
4832	aspnet_wp.exe
1216	aspnet_wp.exe
1216	aspnet_wp.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
860	aspnet_wp.exe
860	aspnet_wp.exe
5096	aspnet_wp.exe
5096	aspnet_wp.exe
2036	aspnet_wp.exe
2036	aspnet_wp.exe
5096	aspnet_wp.exe
5096	aspnet_wp.exe
2872	aspnet_wp.exe
2872	aspnet_wp.exe
1400	aspnet_wp.exe
1400	aspnet_wp.exe
4060	aspnet_wp.exe
4060	aspnet_wp.exe
1856	aspnet_wp.exe
1856	aspnet_wp.exe
4060	aspnet_wp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	bootstrapper.exe
Token: SeDebugPrivilege	3900	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	4020	bootstrapper.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 484	832	cmd.exe	84
PID 832 wrote to memory of 484	832	cmd.exe	84
PID 484 wrote to memory of 4676	484	msedge.exe	87
PID 484 wrote to memory of 4676	484	msedge.exe	87
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 2028	484	msedge.exe	88
PID 484 wrote to memory of 5096	484	msedge.exe	89
PID 484 wrote to memory of 5096	484	msedge.exe	89
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90
PID 484 wrote to memory of 4708	484	msedge.exe	90

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:684
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2120
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2824
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:984
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2460
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2432
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3508
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:792
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4320
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2464
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3812
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1960
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:228
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:976
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3124
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2668
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4116
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4648
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:412
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:936
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:968
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2016
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4784
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4628
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1788
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:2660
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3784
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1760
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5036
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1972
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/g3Bixl
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8b3323cb8,0x7ff8b3323cc8,0x7ff8b3323cd8
    3⤵
    PID:4676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,12712053694640116396,12597767863639740162,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
    3⤵
    PID:2028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,12712053694640116396,12597767863639740162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,12712053694640116396,12597767863639740162,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
    3⤵
    PID:4708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12712053694640116396,12597767863639740162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:1400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12712053694640116396,12597767863639740162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:2972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12712053694640116396,12597767863639740162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
    3⤵
    PID:4128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12712053694640116396,12597767863639740162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1924 /prefetch:1
    3⤵
    PID:1332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12712053694640116396,12597767863639740162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
    3⤵
    PID:4404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,12712053694640116396,12597767863639740162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:8
    3⤵
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:1092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3344

C:\Users\Admin\Desktop\bootstrap\bootstrapper.exe
"C:\Users\Admin\Desktop\bootstrap\bootstrapper.exe"
1⤵
- Enumerates VirtualBox registry keys
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare services registry key.
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:3444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 400
    3⤵
    - Program crash
    PID:3900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 396
    3⤵
    - Program crash
    PID:5020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 396
    3⤵
    - Program crash
    PID:4392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:1228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 400
    3⤵
    - Program crash
    PID:4840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 204
    3⤵
    - Program crash
    PID:4360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 364
    3⤵
    - Program crash
    PID:4768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 392
    3⤵
    - Program crash
    PID:5104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 396
    3⤵
    - Program crash
    PID:4980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:1400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 396
    3⤵
    - Program crash
    PID:5036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:4404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 432
    3⤵
    - Program crash
    PID:3784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 372
    3⤵
    - Program crash
    PID:4492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:4796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:5044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1792 -ip 1792
1⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4028 -ip 4028
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1080 -ip 1080
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4120 -ip 4120
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1376 -ip 1376
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4040 -ip 4040
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4756 -ip 4756
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2340 -ip 2340
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1216 -ip 1216
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4832 -ip 4832
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 916 -ip 916
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3772 -ip 3772
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1228 -ip 1228
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 760 -ip 760
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 3444 -ip 3444
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4620 -ip 4620
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 5096 -ip 5096
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 4060 -ip 4060
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2872 -ip 2872
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2036 -ip 2036
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1856 -ip 1856
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 860 -ip 860
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 4404 -ip 4404
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1400 -ip 1400
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 4796 -ip 4796
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 128 -ip 128
1⤵
PID:1488

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4564

C:\Users\Admin\Desktop\bootstrap\bootstrapper.exe
"C:\Users\Admin\Desktop\bootstrap\bootstrapper.exe"
1⤵
- Enumerates VirtualBox registry keys
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare services registry key.
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:1756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 344
    3⤵
    - Program crash
    PID:3712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:4620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 368
    3⤵
    - Program crash
    PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:1080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 344
    3⤵
    - Program crash
    PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:1792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 400
    3⤵
    - Program crash
    PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:2948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 368
    3⤵
    - Program crash
    PID:4592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:1644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 368
    3⤵
    - Program crash
    PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 344
    3⤵
    - Program crash
    PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:3532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 400
    3⤵
    - Program crash
    PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1756 -ip 1756
1⤵
PID:72

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 1080 -ip 1080
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 1792 -ip 1792
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1216 -ip 1216
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 1644 -ip 1644
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 832 -ip 832
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1376 -ip 1376
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 2948 -ip 2948
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1728 -ip 1728
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4600 -ip 4600
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 244 -ip 244
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 332 -ip 332
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 3532 -ip 3532
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 652 -ip 652
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1912 -ip 1912
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4620 -ip 4620
1⤵
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
870d929fe21bd15af5fe11695b57375e

SHA1
ca12f7b13f321389cb93608af1090f4a04c87c4d

SHA256
084ac26acceb534c3a03b27a4b6cbeed0061daf120a1ee6034dcd8adf17a25c7

SHA512
216ba421f0b39302ac367bf129f4ac739c1c16573790e952a520ac44ba18fbbc8368f9b9e50f4bb7242af8311d6ef315df2f4bc76d03a40875b76c114d0eb25e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9af0a550199765b9d07fc346a534cb6

SHA1
d7e9398086687142157ac1b3e90b394ae05650fd

SHA256
12a18b7c47836fafdc6f6eaf17b294adda3278c0ffad645fa9255e31f755e095

SHA512
2dc7686d871496dc4cd386780c918b51c4339018b701dbb17fca298fca8d7d68993e0e43988c2413484a4ac9956acfabf4279895f473889a4f7d681d57df0540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1ad4cd1f-574d-481c-b8ed-6d6e88cd6dda.tmp

Filesize
6KB

MD5
0cb38cf23bea059473b4a1b9b6580ab0

SHA1
97bfb7b1905d4f77db2f88f0511c71704e0fb63e

SHA256
3325ecd60e15afcfd9437b8cf5ab88b5c504b8a6c14bd9a0f900633d325b4654

SHA512
e99925fafc9d8fb40834f56ab71c82b51ceb7f40a4b6a7a57421f8300b2d9e921191a6a4de54551008e0c89626b6c5621e76bf0c7e693761e6e9bff58ba2ae6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
cfed6fe9b0162efc1c30d35e70307bfa

SHA1
7992968d82aff4036be5a670daa5657166211dad

SHA256
9f6626e09d7744a95c6ea5c984792c0e57e1f6f83c0194cfa31e266aa175185f

SHA512
e4e83dc19dd5b561a01fa2f349f7650a4d2d362209a54b27b4fbc6eb2f073ca38a515801ef636a0b1dd44d1695020e5731acdee463c24486da379f600df028ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
399B

MD5
e79f52d37643cc110fed273d95c3d580

SHA1
ec2e203aa3ca19ccc35825a1b441a29df340f2b0

SHA256
7db4556ddcb0ee3a349b4f9fd7692dd1aac12682993120bf7cb48cbb92cdf818

SHA512
cff23200eaa76d2b9eabac0ac88244afdc59cafc758d7eb2fb8dbd5a6790e4eba19146a5bad43bb76f426301f5df2deeb84f5bfcf2c2c0d4d7c4a7ea0f8c8c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8e2957e78ef29e2dc2d47ebc8282e92c

SHA1
1ca9f63da6636e3bb4b5bc412764c02171a71945

SHA256
5fdc8f4a5abac407c4607325d9cf3e4758c422c385fb33c7be7433d31d8abdfa

SHA512
bf1ac4a436214f9915b1739ee4abb6dd95cede8f1646fd91e05c3734b1e5668336eaeac2c66e4ab7f10696f4337315c1892a230d6bdd43a87df01cea7a5d2eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c4c2350a88f077b7fb8e56d8754649f0

SHA1
6935fbebe55e35d3101ad9cc5a7301fd03a3249d

SHA256
2bec7a0caf568d47179bc6e8f0a0b2e88a7b36cef4277fac0be84ef776bd99bb

SHA512
a2129aa7d3299c2ed16eca29d579ebb9a5cda3694f223276d9532de564c0613ae5eb90edc9b4d3716f65c417f2e8083998a09048a100f3dc6b3d643b475dec69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1528ed9e85794326a11f5431103cc05e

SHA1
34b9f6099b0d5957601a8f1608e49671a813e544

SHA256
a417dd57b2000d486b6d3bc17e5c8b207ff3ab7e2fc1e275bcbf4b7fda8a01e7

SHA512
3602cef0b453a3253be477cf91ff8f1f22d3b32af26338ac3afc8b7152510467db83c6b82b44687b869422d06327caed3fec23e77f011d80fefe93e0f09f89ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f29a51f5aeab63ef1a3ca4996d6e8ad9

SHA1
0da34bdffc48e21a8a8f2a7bc4a24e3fe52088f2

SHA256
99a1cc382c70d6fd739c2a56ccd2c34fc420515441b7ab0279b4eab68dad99b6

SHA512
6aa562fff210371ff2344385853e6a1acd5078fd6c09979737a0acb084303ad71b4736c07cc24a16372df8221169559ad9e3c4cb29e44d60a83bd1bd61cf12df

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\47fe3530-d1e6-441a-b8f1-f9a9ef91ec58.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 798654.crdownload

Filesize
2.3MB

MD5
c9cf2b532cf9eb1e37dbf64be6bf4173

SHA1
3d0679a1515ccb53bc344b055288229996d55abe

SHA256
cc47f687914f02b2bb70173adb57a381319373389e50e9b29fcc5427468cbd09

SHA512
e33e2e980cc3ea7bb564515b291c82d5ede15b7b4176fb18f5b6a175d20587d90f069c0764ec28bc3b23555f9f8b427ab81998e9b06ca989c0ad87f82b71c97f

Download Submit
C:\Users\Admin\Downloads\test_if_virus.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/760-213-0x0000000001620000-0x0000000001A20000-memory.dmp

Filesize
4.0MB

Download
memory/760-215-0x00007FF8C2440000-0x00007FF8C2649000-memory.dmp

Filesize
2.0MB

Download
memory/760-179-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-202-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1080-224-0x0000000000F70000-0x0000000001370000-memory.dmp

Filesize
4.0MB

Download
memory/1080-188-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1216-198-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1228-220-0x00007FF8C2440000-0x00007FF8C2649000-memory.dmp

Filesize
2.0MB

Download
memory/1228-182-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1228-218-0x0000000001200000-0x0000000001600000-memory.dmp

Filesize
4.0MB

Download
memory/1376-204-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1792-200-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1864-172-0x00007FF8A18A0000-0x00007FF8A1C4C000-memory.dmp

Filesize
3.7MB

Download
memory/2120-228-0x00000000012A0000-0x00000000012AA000-memory.dmp

Filesize
40KB

Download
memory/2340-186-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3444-234-0x00000000759A0000-0x0000000075BF2000-memory.dmp

Filesize
2.3MB

Download
memory/3444-206-0x00000000010F0000-0x00000000014F0000-memory.dmp

Filesize
4.0MB

Download
memory/3444-209-0x00007FF8C2440000-0x00007FF8C2649000-memory.dmp

Filesize
2.0MB

Download
memory/3444-173-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3444-205-0x00000000010F0000-0x00000000014F0000-memory.dmp

Filesize
4.0MB

Download
memory/3444-175-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3772-194-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-222-0x00007FF8C2440000-0x00007FF8C2649000-memory.dmp

Filesize
2.0MB

Download
memory/4028-219-0x00000000014A0000-0x00000000018A0000-memory.dmp

Filesize
4.0MB

Download
memory/4028-184-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4040-193-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4120-208-0x0000000000FA0000-0x00000000013A0000-memory.dmp

Filesize
4.0MB

Download
memory/4120-211-0x00007FF8C2440000-0x00007FF8C2649000-memory.dmp

Filesize
2.0MB

Download
memory/4120-227-0x00000000759A0000-0x0000000075BF2000-memory.dmp

Filesize
2.3MB

Download
memory/4120-176-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4620-214-0x0000000001220000-0x0000000001620000-memory.dmp

Filesize
4.0MB

Download
memory/4620-225-0x00007FF8C2440000-0x00007FF8C2649000-memory.dmp

Filesize
2.0MB

Download
memory/4620-230-0x00000000759A0000-0x0000000075BF2000-memory.dmp

Filesize
2.3MB

Download
memory/4620-180-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4756-190-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4832-196-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download