asyncrat | hxxps://salvador-interventions-pointing-discover[.]trycloudflare[.]com/

Analysis

max time kernel
599s
max time network
606s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21/02/2025, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://salvador-interventions-pointing-discover.trycloudflare.com/

Score

10^/10

asyncrat stealerium xworm default collection discovery execution persistence privilege_escalation rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

62.60.190.196:8000

Mutex

9Kl9naWliCNlyild

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

62.60.190.196:3232

62.60.190.141:3232

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

62.60.190.141:4056

Mutex

fagpetngyrfkiki

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3860-195-0x0000000002170000-0x000000000217E000-memory.dmp	family_xworm

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 3380 created 3720	3380	python.exe	57
PID 4364 created 3720	4364	python.exe	57
PID 6096 created 3720	6096	python.exe	57
PID 824 created 3720	824	python.exe	57

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/6020-200-0x0000000002380000-0x0000000002396000-memory.dmp	family_asyncrat
behavioral1/memory/4880-205-0x000002735BF00000-0x000002735BF18000-memory.dmp	family_asyncrat
behavioral1/memory/3580-222-0x0000014393270000-0x0000014393286000-memory.dmp	family_asyncrat

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	notepad.exe
Key opened	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	notepad.exe
Key opened	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	notepad.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1896	PowerShell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
54	icanhazip.com
56	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
748	cmd.exe
2768	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	notepad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	notepad.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2760	msedge.exe
2760	msedge.exe
3924	identity_helper.exe
3924	identity_helper.exe
5984	msedge.exe
5984	msedge.exe
1896	PowerShell.exe
1896	PowerShell.exe
1896	PowerShell.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3380	python.exe
4364	python.exe
6096	python.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe
4880	notepad.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5600	taskmgr.exe
4880	notepad.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
3380	python.exe
4364	python.exe
6096	python.exe
824	python.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	PowerShell.exe
Token: SeDebugPrivilege	3860	explorer.exe
Token: SeDebugPrivilege	6020	explorer.exe
Token: SeDebugPrivilege	4880	notepad.exe
Token: SeDebugPrivilege	3580	notepad.exe
Token: SeDebugPrivilege	5600	taskmgr.exe
Token: SeSystemProfilePrivilege	5600	taskmgr.exe
Token: SeCreateGlobalPrivilege	5600	taskmgr.exe
Token: SeSecurityPrivilege	5600	taskmgr.exe
Token: SeTakeOwnershipPrivilege	5600	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe
5600	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4880	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 5416	2760	msedge.exe	80
PID 2760 wrote to memory of 5416	2760	msedge.exe	80
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 5668	2760	msedge.exe	81
PID 2760 wrote to memory of 2500	2760	msedge.exe	82
PID 2760 wrote to memory of 2500	2760	msedge.exe	82
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83
PID 2760 wrote to memory of 3116	2760	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	notepad.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	notepad.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://salvador-interventions-pointing-discover.trycloudflare.com/
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff85f2046f8,0x7ff85f204708,0x7ff85f204718
    3⤵
    PID:5416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
    3⤵
    PID:5668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
    3⤵
    PID:3116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:2664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:2264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
    3⤵
    PID:3552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
    3⤵
    PID:3560
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
    3⤵
    PID:2636
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
    3⤵
    PID:1992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
    3⤵
    PID:1176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
    3⤵
    PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6068 /prefetch:8
    3⤵
    PID:5264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3916 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
    3⤵
    PID:5724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4952 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1204 /prefetch:1
    3⤵
    PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:5280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
    3⤵
    PID:1900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
    3⤵
    PID:2832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:5012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
    3⤵
    PID:6132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6784 /prefetch:8
    3⤵
    PID:5304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:3900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
    3⤵
    PID:64
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
    3⤵
    PID:708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
    3⤵
    PID:472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1268 /prefetch:1
    3⤵
    PID:5636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7709192949904178386,630242393057847623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
    3⤵
    PID:2100
- C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
  "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Downloads\ban\lob\Python312'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- - C:\Users\Admin\Downloads\ban\lob\Python312\python.exe
    "C:\Users\Admin\Downloads\ban\lob\Python312\python.exe" .\load.py .\an.bin
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:3380
- - C:\Users\Admin\Downloads\ban\lob\Python312\python.exe
    "C:\Users\Admin\Downloads\ban\lob\Python312\python.exe" .\load.py .\pay.bin
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:4364
- - C:\Users\Admin\Downloads\ban\lob\Python312\python.exe
    "C:\Users\Admin\Downloads\ban\lob\Python312\python.exe" .\load.py .\payload.bin
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:6096
- - C:\Users\Admin\Downloads\ban\lob\Python312\python.exe
    "C:\Users\Admin\Downloads\ban\lob\Python312\python.exe" .\load.py .\ve.bin
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:824
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6020
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4880
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3580
- - C:\Windows\System32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:748
  - - C:\Windows\System32\chcp.com
      chcp 65001
      4⤵
      PID:1168
  - - C:\Windows\System32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2768
  - - C:\Windows\System32\findstr.exe
      findstr All
      4⤵
      PID:4724
- - C:\Windows\System32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:2716
  - - C:\Windows\System32\chcp.com
      chcp 65001
      4⤵
      PID:3484
  - - C:\Windows\System32\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:6100
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9f005a1ce92bd5b2f4ca680dfad3955c\Admin@DEGBKVTE_en-US\System\Process.txt

Filesize
562B

MD5
857e43f45ae610896beb640e2dafe802

SHA1
ad47ec08ae33e1a265d4d9a4e20d16e9324b86b6

SHA256
95f6ba99bea085ee26f92d4b2e09258db2dee75ada042aafec0191f0e848b3c8

SHA512
c3a1619eab5096a87322ab7c609a583031e7301ec2785cbcadeecb051c24cfed30d85f1fbd33fecf18ddf497c527d8c69f567b49a545c7d80083f70e3c8583d1

Download Submit
C:\Users\Admin\AppData\Local\9f005a1ce92bd5b2f4ca680dfad3955c\Admin@DEGBKVTE_en-US\System\Process.txt

Filesize
1KB

MD5
3ca317efdeccf2a3c4f79607a02d68ac

SHA1
e3b93151a1effa190ac2d5cd7274ab54081801e0

SHA256
63aef40b30a113aae0e289f6dae21ead2587917fde188ebcfcceed06b079972b

SHA512
205588e865ba8f3c99f1379996a22f0ab558b34df5dd285b199de9d1727c13568041fb2c549a3b533c3f728319fa31a4d07291a8d7577a62d1861a4562bc664e

Download Submit
C:\Users\Admin\AppData\Local\9f005a1ce92bd5b2f4ca680dfad3955c\Admin@DEGBKVTE_en-US\System\Process.txt

Filesize
4KB

MD5
9b89c1c7f41c873d19782d9e1e521ac5

SHA1
e66508b79cb9626c988065aa2234d00f67a30dd2

SHA256
0a4a69959ab51f0e06e3486f8aaaff1634d96a13eb82b925769366e275439308

SHA512
e33c56ced11ce78c5101e44228dd7f5a474091c05c8e9ce5b5ad27521e3f6f4a538d3377431e714ccd43528ba068a85eb45ff769ac50cce786e3f1126c7c225f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0dfbdad47d1a5d0e150f7ce1c87a2c8

SHA1
7163d90657a956bec90a73af78c3393168a2c114

SHA256
d29eb9e2fceb8cf4bb4ed7b032efaf38d893586e0bc2cb672d7d5550603328f8

SHA512
aa60297fa8652377bf3e36f6caf10cef8e8be1986565e99c369fe92625059d36d1f4b23b8ec8cd4b9fc4133702d9b7fda189b21821d2019d4eb7fed4f997010d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
41KB

MD5
6283217ea088f352876ae67beb27d0c2

SHA1
76250e052a43ec7c5a4d31b4960b85f857a26cd2

SHA256
b6431faf0e8b009017b9621dd6b136ff82f4f3cc69d79cf8824b0f9c1ecd05ba

SHA512
7d6af54106b79284fa72760e9f0800ab2f3956c946ab353f1fe84c3201844490b35b2a1fc0b82a9ac0c6ff7dee907e8c9c9cb8f88f121ceeb1b9979c6fa7980c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
215KB

MD5
0e9976cf5978c4cad671b37d68b935ef

SHA1
9f38e9786fbab41e6f34c2dcc041462eb11eccbc

SHA256
5e8e21f87c0a104d48abc589812e6f4e48655cabe4356cda9e3c1ceee0acaa4e

SHA512
2faa6fff6b47e20fd307a206827dc7ff4892fce8b55b59b53d3e45b7dcf5fd34cebc4776b63da5aa4d0e0408344bd4602d26d09e7a456dd286e93b768cbfaa51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
27KB

MD5
6b5c5bc3ac6e12eaa80c654e675f72df

SHA1
9e7124ce24650bc44dc734b5dc4356a245763845

SHA256
d1d3f1ebec67cc7dc38ae8a3d46a48f76f39755bf7d78eb1d5f20e0608c40b81

SHA512
66bd618ca40261040b17d36e6ad6611d8180984fd7120ccda0dfe26d18b786dbf018a93576ebafe00d3ce86d1476589c7af314d1d608b843e502cb481a561348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
8abd1512d00991f94b870380bb39089a

SHA1
d1bdb98e0fab258dd5c8606c7cf0cdf3452a58b1

SHA256
119c4d490f08887c8f009be8c888893469971ef315f1ecfac5c83a4fcc86d10b

SHA512
2cb0e79e779a12fc637c1b6bad0efc656e057c51019604bf71d6b55edb6180e7bee0010db324120cd0f77e9cb1437bee75840f03e11192f5c7c228c95a779f7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
95ddc9ed248e4c6aae2e9023e0e6401b

SHA1
373daaf68110537f901e7e01f151dbbd4f6178a6

SHA256
6dbde8db437cf1069da58ea419b8927752311b308e26e801523add52277fdb2b

SHA512
69e6ffb40e7d6eb5c41009d4bdce190ebd511940f0ea6489b305185ba8cfb5fe2d4483cc36ddc324142005132d3c3cc72ffb46f9a0409379618a573a876f5ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
38f9a7fcde5617ca17d87929e987456d

SHA1
92654fef167bf2caa3d9ee5a365e75eca46b4314

SHA256
af28cb06fec632e5c14ed4130f6e461c475dc6cc6175f1c7906687e0243276d8

SHA512
061b9a50928738cac8dc8c6add332437e5dce2bb3d078b1975a942afa664d7b80183b2afa9c2a7cf0a21bc28370c657b7bd008acd968851b9ce35290b3299b72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
89a1ee91b3693acf548700d6172d706e

SHA1
22290e1301579a39e03e69486bf740e57da769b2

SHA256
87181530f43d6f1d5062612ae0ede53a90654f78955bd78fd77acf321e107122

SHA512
0d93e255b3c30018769f07b657580b16260990d2e2658dcacbe10664dc1bdb91100d739eda954d0e0f4acf2425b16090e64d29fab3196b54955d148bc2019e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
fcd8be9d884ffd1494ea87dd8354cd7c

SHA1
d6170f7bd3907bf0904a07161daf78049cb21fe8

SHA256
32f308d0a341458f22094f1aeb15384db6f0355a9a5e249ca6e1b9ea42c68b31

SHA512
877fa63ded6dbf41b4055c3e601f58888d4cced51825a801e2973384697f65ed8d3e3a40bb9e1c94e35edb2149a287c609fd9df386b6e21170dffd1b0f131c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
226B

MD5
28d80ea33ac7aeea2eb8282cceae9875

SHA1
4d38bc5457876d19a358d69ae91032327f95dc3f

SHA256
7c582c18716e36839d3e3a91cbced5bf1e1109b331a4cb4e2d733b9234bed807

SHA512
26425d79ee4ad9e48980e939f6a6ad35cfbcf9abb2042ccc16251d08712539e2b95adceb515f134f100112f430214cfe93447efaf088d5973851e9244b9d286a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f310d937b162c28001cd7c7064e584ab

SHA1
9236605374de0145764f2848f579a063daec6c77

SHA256
f44d6891f1f2c202e6c7cabf55a9e1326474d0c7312a863736afd474a7a36ac3

SHA512
b1c078e32d24208d367f84f41d070f471d7e420ea6d4ffddf59e0d162c7072214443fd6028f49571c7d46ec2d824cbc029ca5dcf09b6a6c1c7677bf72b872601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
748ad082c40217ce9d68c99a89fa4105

SHA1
1aa4a3bef456612d12f0635621545290d452d9b1

SHA256
b7ed84b99e9b43f11ac1eb08add5a67ec9b7b71950cec51950f4b8d8b6b66050

SHA512
aaf72fa6ce93a7ed791fbfc62c82d7ee4f2a3d184e4662d1aec40b0fab809df71879450123f0a44a5330ceb81b42d696fc968d5c21f63e1f6d11d9a706ef8594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b43ec517fd7c258520aee383e5a3af16

SHA1
62643f8f04a50959e2a62dbc53386a912a05dd52

SHA256
f7e205380d190c853c309dbad464831e8d82079e4c787a3dfdd1a972282e89f9

SHA512
5cdca17873f863bac36c379600be50e0a6e54ab323a3226ca44a9ecfc0308459767ef9952b9daea996705157b3a81e98cb3873dcaa8f023b35935a0e1757288a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
258f3d6ea8bef55f4f95e5dbd3b2d02f

SHA1
e7c31762375d5ca34e6d1fee42f5e5aa78175cb8

SHA256
dd6e1faa60a1c809eab63a9d164eaba614cc5e5b92349b45eb287b12dd79fe72

SHA512
a54bd805960697de4392f0ae0b57af682567a3b6d29b2471e8341ffd2f227c01e41165c190496ff096947906c14caad21e560db4e99cd1df494ce7ff1aacd5ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d776a594b4a87a633e67e599a1a5914f

SHA1
871f192b5c1506935ac969477df3c2238b218ad9

SHA256
704147f767af2f752f6470a0f893ced2f5df7addb94da045a678044251c20cfc

SHA512
296cc7355dabc340110d09857b9dfea20fc1b71828ec4012876a4a6f7cccd08ed1c1fe96d41dcc0c148aac3c1a331e179e59b88093b2be0558ada6ed232cc66e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3195da2b4c97fd7d42504f51f1c486bf

SHA1
591557d083387a83b7194059ea450dcba91789b1

SHA256
2066754822cbf26dfd2242d5cc2cb023b655576e704bb00edaac8fac5fd3f1ff

SHA512
1b233037714b905c9f00c1ef3779e074c4b1c701cf8216e1b06943adbbd35dc8da5be7864e9f1235c6dc504007a185c874a3721caed997c4a3e4edf7a6d3daf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2c43c077cacae2bcb9a9497f95b9f46b

SHA1
f8e52255e3ed0c064f9614e260d5de6c61b785cf

SHA256
6dd9379236e432876872e4bcec3bad0ff81fc8cca5a8801addcf64fea3380a97

SHA512
b02cf50d2a1ed8876511e9420ca17f525a9e31bfeb8038f665c5cbcb9d7c6a4d7801cd5a04321bc93ba1ee5d61d564b0ab903f126eadff90bf5f895b89639db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ce41128911db6a4c9ffb46688e5a1e99

SHA1
926d714cc5309a6b010a46baff9f3b44a179871b

SHA256
829b9ed94fc846f73d38dfe86c7b59f3e40f98cad2ec426eed1e867e16fa7256

SHA512
0753b03f3c7ca6553bb88ebb25685d79c075d47245206e5560926261b4aa5effc6fa7eb79565710d57f0d622dd0f63f1aa34d6174b048ce8949d847a95fc0b57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5bb88e.TMP

Filesize
48B

MD5
289540c9023437da764ab5fbdcbca837

SHA1
6cd0fc5e580ada056f80bd2e367f2fc7541084bc

SHA256
d85604fda8d15a098f82da0ab6814ed31dae2d30c770955d45d16ed5dc1b3494

SHA512
b352032583a3c1055181dab8adc6205cfc889d18e50e0becc346ba30045d97cc6e8d0141c02879f47a272311ab52b6b10a383007e1e2780a3427eb6cc34f72ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4964d6b5e1994d74da265adff4f99efd

SHA1
9ef9b49d5566d7a250b51f3da43e258354b641c4

SHA256
af21d8738a8cdff8304e5c1feb3f6abcdfcdb70b3dcc0061c8f7137a129e0a36

SHA512
9776208157e61f8ab9cb0f93ae56cc82910f9f66e48cff3d07a9829950fc0050d149ec470166d0ac6a6d4bd94863630a7ad7eacba200e564b95af72ee2a3dcf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b86460d7689d0d588fd164cb8eb64d4b

SHA1
02b968c049af2145e20d7ed207a9cda6a8d9689f

SHA256
e072c9328e49781fcf7e4e482d47011019665077aec1f00bf0ef070fc8ca087b

SHA512
55871b8d0991d8e4cb898af0fa1b6f5746630e91f16d8639ca0595c4875cb2482ff7e2de6022947ea0cc3a59c096e861131d2b0dd36513329a7da95df499c60a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e317824ed9877862117b817914f51871

SHA1
92931b0fd92723565e3f3afc2c0a5c6a5299edd2

SHA256
2a361bf5d59a5bd6b479ba546351fc2f5726e0af5b1eed53ca9b2c82c6cbe26d

SHA512
0f62bc45f1656412e9f00bad6b77280bedf7c2102286569e6fbec8d9893fd498578306bbc8e273b2cbde27e136913e5d6171063f46132428ca88b0719437bee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bd5ff7e5669d982778aa9424c2e7b938

SHA1
35c5ef8207aa4ce17b54a13dd78b5471ca63204d

SHA256
223b77c16d28bbda0c7fc1d539af6d426612fd99da26fbfdfccd34a656dcb31c

SHA512
a175a4e73edbacb3298a5308c0dcda7eb74c293b6f677ed6e3b4fcb266d665bb0e7e19f97fb8b0c540c7b1efda5ca4b5140077ffaa9788bca682e480a864cd84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6108e4034c108617cb36d5868177414a

SHA1
4b7a69e0aba7543783add9a07e55ed2bf3d1194c

SHA256
7f89ab5686328731dce49e4734ffe4a35a36a47b2eb5716dc62be3aee3f6dee2

SHA512
f34f46e50f92b65b76736b1be47741aa1e94dfd8010a90da6713c821fa87392eafab39e848a49b0fbfad8a26452aec51f8ab79a64bb74f2fd18728b7cff4d3f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
47a531fe5ea55c5907cf07097422363e

SHA1
79b20a6acc74621348c07ced8740e96754270a71

SHA256
75d12f979bfd9c6b9c9efecccdc641de27928909b16a00ad650d492c701a6cbf

SHA512
5ad144b1fe996a6a342ae356c482ac02912254c09ad887f84eef16f803e27a6c972f1532b992e894adc2f516c64f31a2fe80dbb9b8d9e53739ec7406202e8ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d08736737d873670a7d7ab1861d9cbe

SHA1
0362c7cd977b1162664d3ce1faf59364ff7e963f

SHA256
1b80a2a375b05d6510fb52db4f0da695d912cbf6ca62cf4252d9ec1a509ff759

SHA512
356993b6804c67c30ab80f4d0fbee6f0494c5e6e62cdcc3b4402709befe99e61f93ecaef7572a1dd10f81cd11168cb056b694677da352cc2293891bba797db63

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdpvvkju.kmi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 788571.crdownload

Filesize
19.7MB

MD5
e3dd46f757b5e97f3de1eda54db78044

SHA1
34546b055cbcebb09c22fb4048fe0068153b3bc8

SHA256
6cea485ebdaabac42296d07089361d7e745ec1be124bdc0cc45c654fb783dfe3

SHA512
ea53a5bfd3cfbcda55222fc7b2b0c47f54e61a032e74b720b617a35004c725697871274f7d790ee79b5bab68d9ea4aa0e561c18adcb59f6e4ece1512922a7277

Download Submit
memory/824-219-0x0000014395E90000-0x0000014395EF0000-memory.dmp

Filesize
384KB

Download
memory/1896-182-0x000001FE76640000-0x000001FE76684000-memory.dmp

Filesize
272KB

Download
memory/1896-177-0x000001FE5CD70000-0x000001FE5CD92000-memory.dmp

Filesize
136KB

Download
memory/1896-183-0x000001FE76A60000-0x000001FE76AD6000-memory.dmp

Filesize
472KB

Download
memory/1896-184-0x000001FE769E0000-0x000001FE769FE000-memory.dmp

Filesize
120KB

Download
memory/3380-190-0x0000024B15FD0000-0x0000024B16028000-memory.dmp

Filesize
352KB

Download
memory/3580-366-0x00000143AC2B0000-0x00000143AC32A000-memory.dmp

Filesize
488KB

Download
memory/3580-222-0x0000014393270000-0x0000014393286000-memory.dmp

Filesize
88KB

Download
memory/3580-220-0x0000014391740000-0x000001439175A000-memory.dmp

Filesize
104KB

Download
memory/3580-223-0x00000143AC120000-0x00000143AC2A8000-memory.dmp

Filesize
1.5MB

Download
memory/3580-228-0x0000014393330000-0x000001439333A000-memory.dmp

Filesize
40KB

Download
memory/3860-195-0x0000000002170000-0x000000000217E000-memory.dmp

Filesize
56KB

Download
memory/3860-193-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/4364-197-0x0000022216200000-0x0000022216260000-memory.dmp

Filesize
384KB

Download
memory/4880-205-0x000002735BF00000-0x000002735BF18000-memory.dmp

Filesize
96KB

Download
memory/4880-203-0x000002735A3B0000-0x000002735A3CC000-memory.dmp

Filesize
112KB

Download
memory/5600-412-0x000001567E220000-0x000001567E221000-memory.dmp

Filesize
4KB

Download
memory/5600-407-0x000001567E220000-0x000001567E221000-memory.dmp

Filesize
4KB

Download
memory/5600-410-0x000001567E220000-0x000001567E221000-memory.dmp

Filesize
4KB

Download
memory/5600-411-0x000001567E220000-0x000001567E221000-memory.dmp

Filesize
4KB

Download
memory/5600-401-0x000001567E220000-0x000001567E221000-memory.dmp

Filesize
4KB

Download
memory/5600-413-0x000001567E220000-0x000001567E221000-memory.dmp

Filesize
4KB

Download
memory/5600-409-0x000001567E220000-0x000001567E221000-memory.dmp

Filesize
4KB

Download
memory/5600-408-0x000001567E220000-0x000001567E221000-memory.dmp

Filesize
4KB

Download
memory/5600-403-0x000001567E220000-0x000001567E221000-memory.dmp

Filesize
4KB

Download
memory/5600-402-0x000001567E220000-0x000001567E221000-memory.dmp

Filesize
4KB

Download
memory/6020-200-0x0000000002380000-0x0000000002396000-memory.dmp

Filesize
88KB

Download
memory/6020-198-0x0000000000560000-0x000000000057A000-memory.dmp

Filesize
104KB

Download
memory/6096-202-0x0000021ACFFD0000-0x0000021AD0033000-memory.dmp

Filesize
396KB

Download