cf2daf2ee156bbaa5538861e4e985b048fc381aaa1b0e6b23e7d85c792f9e740

Resubmissions

28/03/2025, 17:21

250328-vxgm4a1kx8 10

28/03/2025, 17:18

250328-vvsmks1kw8 8

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Logger.exe
Size

164KB
MD5

249060b5228607adb181a84d996aad8f
SHA1

947888adf4003acf955fde300e966b2124dc8315
SHA256

cf2daf2ee156bbaa5538861e4e985b048fc381aaa1b0e6b23e7d85c792f9e740
SHA512

5868765e1962f3d30529742125fa6864343c1d20a0d32a81f7c66dec00e9ad8e57f3849639cd354cba5636a978008c39a0b070f4ac8546a2d7ed298cbae9bfd6
SSDEEP

3072:yahKyd2n31o5GWp1icKAArDZz4N9GhbkrNEkOP2k:yahOQp0yN90QEb

Score

8^/10

discovery persistence pyinstaller spyware stealer

Malware Config

Signatures

Downloads MZ/PE file 2 IoCs

flow	pid	Process
187	380	msedge.exe
187	380	msedge.exe

Executes dropped EXE 4 IoCs

pid	Process
4808	Logger.exe
5856	Logger.exe
5256	Log.exe
3076	Log.exe

Loads dropped DLL 59 IoCs

pid	Process
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Logger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Logger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Logger.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
207	discord.com
211	discord.com
212	discord.com
217	discord.com
185	raw.githubusercontent.com
186	raw.githubusercontent.com
187	raw.githubusercontent.com
206	discord.com
209	discord.com
223	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
204	api.ipify.org
199	api.ipify.org
200	api.ipify.org

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_592902189\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_592902189\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_592902189\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\mr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\es\messages.json	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_3168_1422945162\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\lt\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\mn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\af\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\vi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_592902189\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\hr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3168_724847328\_locales\sr\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000400000002379e-1239.dat	pyinstaller

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876559723397511"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1279544337-3716153908-718418795-1000\{7284E994-9AAF-413E-AB68-6CE5A4FFA430}	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3076	Log.exe
3076	Log.exe
3076	Log.exe
3076	Log.exe
780	msedge.exe
780	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	Log.exe
Token: SeIncreaseQuotaPrivilege	712	WMIC.exe
Token: SeSecurityPrivilege	712	WMIC.exe
Token: SeTakeOwnershipPrivilege	712	WMIC.exe
Token: SeLoadDriverPrivilege	712	WMIC.exe
Token: SeSystemProfilePrivilege	712	WMIC.exe
Token: SeSystemtimePrivilege	712	WMIC.exe
Token: SeProfSingleProcessPrivilege	712	WMIC.exe
Token: SeIncBasePriorityPrivilege	712	WMIC.exe
Token: SeCreatePagefilePrivilege	712	WMIC.exe
Token: SeBackupPrivilege	712	WMIC.exe
Token: SeRestorePrivilege	712	WMIC.exe
Token: SeShutdownPrivilege	712	WMIC.exe
Token: SeDebugPrivilege	712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	712	WMIC.exe
Token: SeRemoteShutdownPrivilege	712	WMIC.exe
Token: SeUndockPrivilege	712	WMIC.exe
Token: SeManageVolumePrivilege	712	WMIC.exe
Token: 33	712	WMIC.exe
Token: 34	712	WMIC.exe
Token: 35	712	WMIC.exe
Token: 36	712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	712	WMIC.exe
Token: SeSecurityPrivilege	712	WMIC.exe
Token: SeTakeOwnershipPrivilege	712	WMIC.exe
Token: SeLoadDriverPrivilege	712	WMIC.exe
Token: SeSystemProfilePrivilege	712	WMIC.exe
Token: SeSystemtimePrivilege	712	WMIC.exe
Token: SeProfSingleProcessPrivilege	712	WMIC.exe
Token: SeIncBasePriorityPrivilege	712	WMIC.exe
Token: SeCreatePagefilePrivilege	712	WMIC.exe
Token: SeBackupPrivilege	712	WMIC.exe
Token: SeRestorePrivilege	712	WMIC.exe
Token: SeShutdownPrivilege	712	WMIC.exe
Token: SeDebugPrivilege	712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	712	WMIC.exe
Token: SeRemoteShutdownPrivilege	712	WMIC.exe
Token: SeUndockPrivilege	712	WMIC.exe
Token: SeManageVolumePrivilege	712	WMIC.exe
Token: 33	712	WMIC.exe
Token: 34	712	WMIC.exe
Token: 35	712	WMIC.exe
Token: 36	712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5556	WMIC.exe
Token: SeSecurityPrivilege	5556	WMIC.exe
Token: SeTakeOwnershipPrivilege	5556	WMIC.exe
Token: SeLoadDriverPrivilege	5556	WMIC.exe
Token: SeSystemProfilePrivilege	5556	WMIC.exe
Token: SeSystemtimePrivilege	5556	WMIC.exe
Token: SeProfSingleProcessPrivilege	5556	WMIC.exe
Token: SeIncBasePriorityPrivilege	5556	WMIC.exe
Token: SeCreatePagefilePrivilege	5556	WMIC.exe
Token: SeBackupPrivilege	5556	WMIC.exe
Token: SeRestorePrivilege	5556	WMIC.exe
Token: SeShutdownPrivilege	5556	WMIC.exe
Token: SeDebugPrivilege	5556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5556	WMIC.exe
Token: SeRemoteShutdownPrivilege	5556	WMIC.exe
Token: SeUndockPrivilege	5556	WMIC.exe
Token: SeManageVolumePrivilege	5556	WMIC.exe
Token: 33	5556	WMIC.exe
Token: 34	5556	WMIC.exe
Token: 35	5556	WMIC.exe
Token: 36	5556	WMIC.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5456 wrote to memory of 5264	5456	Logger.exe	87
PID 5456 wrote to memory of 5264	5456	Logger.exe	87
PID 3260 wrote to memory of 1460	3260	cmd.exe	91
PID 3260 wrote to memory of 1460	3260	cmd.exe	91
PID 3148 wrote to memory of 3168	3148	msedge.exe	104
PID 3148 wrote to memory of 3168	3148	msedge.exe	104
PID 3168 wrote to memory of 5920	3168	msedge.exe	105
PID 3168 wrote to memory of 5920	3168	msedge.exe	105
PID 3168 wrote to memory of 380	3168	msedge.exe	106
PID 3168 wrote to memory of 380	3168	msedge.exe	106
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 1232	3168	msedge.exe	107
PID 3168 wrote to memory of 6032	3168	msedge.exe	108
PID 3168 wrote to memory of 6032	3168	msedge.exe	108
PID 3168 wrote to memory of 6032	3168	msedge.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Logger.exe
"C:\Users\Admin\AppData\Local\Temp\Logger.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5456
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "Logger.bat"
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\DenyFind.htm
1⤵
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument C:\Users\Admin\Desktop\DenyFind.htm
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ff898cdf208,0x7ff898cdf214,0x7ff898cdf220
    3⤵
    PID:5920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1920,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:3
    3⤵
    - Downloads MZ/PE file
    PID:380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2140,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:1232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2596,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=2656 /prefetch:8
    3⤵
    PID:6032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3532,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
    3⤵
    PID:396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3552,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:1
    3⤵
    PID:5324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5072,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=5052 /prefetch:8
    3⤵
    PID:4652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5408,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:8
    3⤵
    PID:5168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5424,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:8
    3⤵
    PID:1884
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6048,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=6084 /prefetch:8
    3⤵
    PID:3620
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6048,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=6084 /prefetch:8
    3⤵
    PID:5800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4848,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:8
    3⤵
    PID:4552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5244,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:1
    3⤵
    PID:1468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6128,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=6496 /prefetch:1
    3⤵
    PID:5792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6100,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:8
    3⤵
    PID:5440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6112,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:8
    3⤵
    PID:2552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6132,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=6912 /prefetch:8
    3⤵
    PID:2268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5920,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=2308 /prefetch:8
    3⤵
    PID:1636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7044,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=1232 /prefetch:8
    3⤵
    PID:3232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6964,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=7064 /prefetch:1
    3⤵
    PID:592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6884,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=3860 /prefetch:8
    3⤵
    PID:3228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6372,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=4392 /prefetch:8
    3⤵
    PID:372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=7192,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:1
    3⤵
    PID:4672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6412,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=6564 /prefetch:8
    3⤵
    PID:2740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=7076,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=6516 /prefetch:1
    3⤵
    PID:5632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7172,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=7064 /prefetch:8
    3⤵
    PID:4780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4352,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=6496 /prefetch:8
    3⤵
    PID:5296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4920,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=7332 /prefetch:8
    3⤵
    PID:3464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6676,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=7344 /prefetch:8
    3⤵
    PID:5516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7356,i,2882979128209554677,17550022609393886030,262144 --variations-seed-version --mojo-platform-channel-handle=6836 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2944

C:\Users\Admin\Downloads\Logger.exe
"C:\Users\Admin\Downloads\Logger.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4808
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "Logger.bat"
  2⤵
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
PID:6036
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:2692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:5000
- C:\Users\Admin\Downloads\Logger.exe
  logger.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5856
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c "Logger.bat"
    3⤵
    PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
PID:5228
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:3280

C:\Users\Admin\Downloads\Log.exe
"C:\Users\Admin\Downloads\Log.exe"
1⤵
- Executes dropped EXE
PID:5256
- C:\Users\Admin\Downloads\Log.exe
  "C:\Users\Admin\Downloads\Log.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    PID:3760
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    PID:3756
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping3168_592902189\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3168_592902189\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
998db8a9f40f71e2f3d9e19aac4db4a9

SHA1
dade0e68faef54a59d68ae8cb3b8314b6947b6d7

SHA256
1b28744565eb600485d9800703f2fb635ecf4187036c12d47f86bbd1e078e06b

SHA512
0e66fd26a11507f78fb1b173fd50555dbd95b0d330e095cdd93206757c6af2780ece914a11a23cd4c840636a59470f44c6db35fa392303fb583806264e652016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
bb89e40368ae979f54cc8274266f3427

SHA1
7142f1c0b33c884b3619f430b88afea329938d17

SHA256
8abd0b15857359df18ae4f592a7863c4c518aa6e3db4cffbb93289626a0f387d

SHA512
3e8945899b937dd4e8a85ce294ba78a85824f62c6db40efd6bacfc3f9ab5a54e465d33a973afbae002cc16a7a7851ad33b2dc12938f4ff0ce05aea00ebfc264f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
7727e95033877fb2ca3d9499ccc15883

SHA1
37535e33ec550a27db704ecc7ac0419f28a8fb5b

SHA256
2bf38a2e76d3984c3b5fe3d69e1716d064cc954f6b66d4c97dd1b8e036c016ef

SHA512
58573594dc3fdc057452071345747d5c7bd46d94274f94286e8fa4d843920ce247961b10771621b8a0a88048c6f45ad2cd37d7215189c3b17272d3d96f1e2065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe582824.TMP

Filesize
3KB

MD5
f87a7bffce9729726cba1e3546a7fc7b

SHA1
d07e6befbbf93f6537503bc76ea0ffff73e74abc

SHA256
cb5bcc0149bdf68dab265440d24a90b5bc0048b1a8652bfdf6e61edd85d6f037

SHA512
236b61fe4c49170eea5f83919146750af09d5998dd03c7233f01d435819541b7c5b9acee1ca26eef41a4e03647aa9bb4223329abd6fe4d021dc439e0b5bf86d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
276e4a8658abca0fa29cda872914ea23

SHA1
47e9471731a418890f42009f5e67252551f51d07

SHA256
f93ba6e2e1822f23973debaec5980f669451bc130ea1db3ce01d28c7e72c946b

SHA512
3d6d16b0c451292cb5a51f51afa99b78ad40b1517e966fa166ce748ee7cbbf192f01383e597359b0e85e4ef6fd32b66fae5a349b39edafb6e3ef33594f3e4c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
543da84a498477e752e03829eb16a8c5

SHA1
6fe36c700948eed60fef6d1d79195206de78e621

SHA256
9ea3547ee70df5bb903b0e532e5e2930237b5042688a887486094c9a573f129d

SHA512
784a7481a89806d2d06261beb058c20cdeeb47719521acdc392837eabd1825ec7c6b07725c9afe5a4b1b7ae7821d83c90b1c52856ebb233f277c0fee2a4523ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
f65a69d3ffd845c3307354fe50e661b3

SHA1
997b0bf7552090a1ddf6b16854991e5771e98571

SHA256
b5a5d727f763ab6d70eb14c2dd4fd08df09e2fcda1f3d668a588a82af80af1c3

SHA512
a50db86c8fec615386912f93d15e106d5251407719f79a492ad6ffdd70caf80220af4bc970152af7cd603515273d92be8aa6466f230499cc9cd9413bfe61dd0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
c5137b3947d085b9b7bca5e18d711fe1

SHA1
539c13160e591693becdeee124baa2d049704ed2

SHA256
e94d17359705b9f78883a59f92a637cf9c6386fc4719d558d964645f64fd4c2f

SHA512
302a82a590744b51bd2a581fe016616e571c6d36c5c52257c2cf8b96972984af75485f21f363c6eb76c3c44ed2f558258e3674c7c93d98e9f9eb1a13957b3cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
2b90e05c0f71478bb74792c5a18be9a0

SHA1
205fae06e3e5aee3244288b88058a769aee61868

SHA256
f5563f55223d494276aac47f895b982bcac1985eecf89f841a8c5725e5798fd3

SHA512
130d6317bdefe4365c5fd24d78e9971f2c5592e812cffe59b730c2e33e4f256509d72bb95a24054fc6ed45bc746ff4635a12c8ba0f2fcf149327ce5f0d6012df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
1d28a689a063849d58f11204485f1ee8

SHA1
b8f7f6954e35bd74ba175b075a9fcde45c8b167b

SHA256
2260f625c2bea14153b48a4857098a46e594cbe807c39a0975d50079f0901f7d

SHA512
a97781e1b8345ca21074983d8e36a585106e46aad9c98cddb07639c51fa318f5c4d7da89b2b4476fdff1cbdb068dc7859dc2a492341f882eea4d58bbb7fb697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
c98b3fc8a2b571ce373285b2c03880b2

SHA1
b47e407b271e0b46648d939bc1c06aa80ccc5292

SHA256
cb57584e956248dd278643c9d163aa582bcdaa7df8df823d4a8fc5cf9f6c8314

SHA512
c8f197ddc1b9b81c0f29d1c48b34a37aa8e0e61b83410ade70d734250fcf2f593b2828088b1a48654487a6de90a86245927ce3bce3107e760add866e155969fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\f52685d4-c23f-4c26-bb7f-c126f164719a\0

Filesize
19.1MB

MD5
2da21bfd07babdd4612567031ba6063e

SHA1
6ed1fb4886974890352eeddcd6f738006c7d7f86

SHA256
a7f5cf7c331a60defe43ff794b49827dc4219cfd3ccaa26d0414b1e1706408b5

SHA512
9de8adfe7c032df5ea06c24133b1e75553e1a74304f829b310c1106032beb1e48933b095e96a6e9d396ca466376d29859b7c9b3317394ce7a9cd43b18720b115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
f28d49db8d2331a38611a2ba7041bc8d

SHA1
f811421917bb14df7503275a520bb45607089f7b

SHA256
dd8fda30ae25b784c5591bcb85bbb8a77870219e00059e7fc8a0fbf505a7a8e5

SHA512
86af595373f2bf1d2ff972d850a86b93e8db8f349cdd507e91e204c3bd54d2e5d9f4a6816d29f500dc5156f1ab4de7b7fd0907e8f51284049fb2a6ac33091ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
dc8dcffb72687e3345d2300801b37f85

SHA1
7a5c97833a95b7270be3f35b73fa5f9535e9aee9

SHA256
854410ab0069c16abd594f423c3deed242cde5095d6e30840e4cc410ffd0c570

SHA512
f509cae2696d8b75735493999978dee4346c2893637497d092ce4dee0613db337584c4c1d75248852153c86222e7153f86d733aba7b8fd34bad1c70978f0661a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
1921d00d184a1e424140e28f8ea03faa

SHA1
ac2408dfaed13ab7588aee607e20d8379201b7dc

SHA256
1254b5b3e76acea8f84f561cafce84b0b2e241d05934137bf8eb486bb0133ea7

SHA512
f210be4b447e222757a084cf15d23bded57c24b1dcfb61310fd4f40c7302798338363068e1b8ca572da9e3ee4218294812e8857c59108a9c896bc1cfb1390534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
e02062e60eebc5d3217be47e854a21ec

SHA1
a59571bc1032040b56e42767dc3e3f1bc2e060ed

SHA256
f568bf936082bce170fd4aef1744afbe0774e5ed24683c05df309d915bdc0ea8

SHA512
3399713f19e31fca13f9d6eb2a7691e932b8a1e5a0eeb6ce736394263a31111bc18b3a95e20237f4fc7620554f300305f2773852822b0d8314c66eabed91a48a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
eb92cfde9be623cbeaeef7934a93939f

SHA1
5e06391e810f45c4ebc732b4490b4d9d2d8f69c0

SHA256
982504535706a49d3036f839cca89dffad6021411e9716e8ece6dbc58fb2bf20

SHA512
02980e6a572b459729b1b61b206b80aafd60ea560f784486c76fabb4bf1f7bc4b80cea2f514cc40dcf60a29cc587f2b728f6f2939556053db558da361b656236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
7c37de7d71f72fba0e647555b05529d9

SHA1
317ceef58e8cd25a4af3f641c02128e9a8cecdff

SHA256
cbf4b2cb074f701d19faf492b4dba73ba2701222080b4c3b8467d51f48e2df52

SHA512
81b2be74333dfe8f14c333e305db3e7bf51599c9686d5e8e0404ff43666be7cffe583f729fa8f95132db86fc7ce8d55c9823af151f14f2a60452940365db52ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
8c89b28056eeb268b0b27112f1e22916

SHA1
f0133a8ea7d23739767ee9a9a5942c62b1b027f9

SHA256
3ba57269c7b0514458a7b94fa6f71f8228334b99adcc1d2100a6ee4f73e8e015

SHA512
31e827335469bd77de6c16f3c8606c6140840e5f53ef37b66efe14ac59e725936825f244e0240cb4208969b4f067de09a6f93a5f9f4ecbde6d27dfa5b87ccee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
39e561a60a455d400243eea730fbc471

SHA1
8c6b0cbe0c1695f0086186eae59633301f5da0c1

SHA256
5105df802d6b717805ed4f723c53e972f164c943fb161dff48514525180ea64d

SHA512
ab2a4189a94c4e3d1c13b243763a8ffb3716712fd8a1819cbbdfbd9df13b6b958ea12fe391398569af94b86e40452a95ce14396015a7ac8313da55332f216ce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
a9bc431e0e113f57bbd0e5eeb5fce2c1

SHA1
9dd3c674996fc022205039903fdd27a0adefe016

SHA256
f7f1438223d55eab00946c676d7579e3e7451f0763aa0b2548f3e35ff40d0491

SHA512
b3d2c4df43773f326e2ae0e578331609bfde5becac0dc4dbbb6e3bd08e074714383f478040140304a82520051d2c995a31fa4512d42a8fa57c4ebde7dc1cabe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
ebb442dcedef21668872e43155663495

SHA1
82503376a83c67f59c89256cc60cdd18b81061b7

SHA256
e8bc1da409f803f0d1901de1017dbc971dc178cfaef5cbc3a9909056d5320e88

SHA512
66fd27e428384bc72db7167c2fd87a998022646b6b7d856fa5ca52b6c28f687a31183b4b02eb9fb48d6637845054e339f7e989ad0a65acc13b8b8dde95b3fcb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
18704d0c8754e7d309e1c838714f27e0

SHA1
81326b98212e9cbf849492dbc73d987498be3a83

SHA256
78acaeffbb0927217b1bbe89840059c634382ae7e53ddb5b64dc09ab65e26221

SHA512
70ef7593c9216725b8c99725fc0c5d5cbdefb2f406f9436ad8fe81417d761067bcffe55f483670fd5ecc9f6df68c7ec9a76e63f7db382b1d8b9dab38f74ed1dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
c4ace9ffa4aef1e833d982a8499661ac

SHA1
3381b9bbe5636db31d98a09c52058fd4ef027938

SHA256
e6edf675584efc44d1749ccc3393600f3234920e0cc232af00c4a502e4083821

SHA512
ed4dda8eaf109f5753b82c9c1f569229333c1a2b894b2c3f771f94b401384d10fba4a434802861cdeb8fdbfcf9471836c60c9d8a7c80b6b06d3300e6f0d8c9ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
ac7255f995e27664458f5a607be8bd2d

SHA1
1359cc5824a1b68d3ed0dd8e960be2eaf4962df3

SHA256
86405da7d5eef6cf650fcd309fc5451cfe06adc1593cd1ef9882801100966c95

SHA512
034b852116eed56554a47dfac8c2a5d54a3f01bcb29ad04b82a7d0d896d77b75f47496c4a3d1e5dd4d6e7c9036b457a5d3480226b1085f244da9f718911c9482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe58554f.TMP

Filesize
392B

MD5
8484a21a6cdff7a9d89a88e08e0ab0b7

SHA1
635cc953e4622861887f9ce4a54928d841b70f46

SHA256
56e441f93600a98f068df032de39787b46b4dfb8a82fa9b1116323d70ec962b0

SHA512
dd7d63af4accd3ab7a7aef31336036634d79af626f04e89e01037b4999c3495e5ac5850e241214ece1b510258d4ddecd3c00314907ce177afee4278fed75ef91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
ea3ef9372b9cb7896354cb9b63059dae

SHA1
fc397bf6f9cfdd680395963b43434aac56039a2b

SHA256
5c3b206e5c2045cd4131c7b0dccf6204d1022ea82c1edbf585c248b8ca01d768

SHA512
6f2b350dd8994bb34e70c9fd0d929bfb197cca3e6ddb6f2ef9bfcfa209ab2257671bac2e5d51c5f21bcb430af267e3888bee7c08902bb2d3335b38d9a1c3b03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Logger.bat

Filesize
920B

MD5
014efca3718fe34d627015b9f857d516

SHA1
2059c07f32cb2b718aa1752686972eb72b7cfc45

SHA256
fb7c75539943e5c9810bbd989070b36b9914b6584b6a8d9f7a68b32c6da0568a

SHA512
339e2d04df9f8525a61243b368b9a2591fee1830f5337c73b137d2fa778f4fd5bea0b61311bc2f05c2f4a7d0f5ba16090eb4a8a94d6d21ea55fa087cda96f694

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\_bz2.pyd

Filesize
82KB

MD5
aa1083bde6d21cabfc630a18f51b1926

SHA1
e40e61dba19301817a48fd66ceeaade79a934389

SHA256
00b8ca9a338d2b47285c9e56d6d893db2a999b47216756f18439997fb80a56e3

SHA512
2df0d07065170fee50e0cd6208b0cc7baa3a295813f4ad02bec5315aa2a14b7345da4cdf7cac893da2c7fc21b201062271f655a85ceb51940f0acb99bb6a1d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\_ctypes.pyd

Filesize
121KB

MD5
565d011ce1cee4d48e722c7421300090

SHA1
9dc300e04e5e0075de4c0205be2e8aae2064ae19

SHA256
c148292328f0aab7863af82f54f613961e7cb95b7215f7a81cafaf45bd4c42b7

SHA512
5af370884b5f82903fd93b566791a22e5b0cded7f743e6524880ea0c41ee73037b71df0be9f07d3224c733b076bec3be756e7e77f9e7ed5c2dd9505f35b0e4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\_lzma.pyd

Filesize
155KB

MD5
b86b9f292af12006187ebe6c606a377d

SHA1
604224e12514c21ab6db4c285365b0996c7f2139

SHA256
f5e01b516c2c23035f7703e23569dec26c5616c05a929b2580ae474a5c6722c5

SHA512
d4e97f554d57048b488bf6515c35fddadeb9d101133ee27a449381ebe75ac3556930b05e218473eba5254f3c441436e12f3d0166fb1b1e3cd7b0946d5efab312

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\base_library.zip

Filesize
1.4MB

MD5
82956f3301f4b053e24f18e7a6f05feb

SHA1
2b227fe362097ffb2a866050d965f86f4782c123

SHA256
619d30bae5b0fb19eed2a1a37906a5ac76260b7b45ebdf22f95a207b23976def

SHA512
c492c5961dc356172af6dd56cdad8ebfb935093407e4e2ebbda2424a1f7ed9c7a3bd4e808be8e0568a15bac015b769b49a697504b44d8d7bc560d42bfdd45896

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\python3.dll

Filesize
65KB

MD5
7e07c63636a01df77cd31cfca9a5c745

SHA1
593765bc1729fdca66dd45bbb6ea9fcd882f42a6

SHA256
db84bc052cfb121fe4db36242ba5f1d2c031b600ef5d8d752cf25b7c02b6bac6

SHA512
8c538625be972481c495c7271398993cfe188e2f0a71d38fb51eb18b62467205fe3944def156d0ff09a145670af375d2fc974c6b18313fa275ce6b420decc729

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\python311.dll

Filesize
5.5MB

MD5
387bb2c1e40bde1517f06b46313766be

SHA1
601f83ef61c7699652dec17edd5a45d6c20786c4

SHA256
0817a2a657a24c0d5fbb60df56960f42fc66b3039d522ec952dab83e2d869364

SHA512
521cde6eaa5d4a2e0ef6bbfdea50b00750ae022c1c7bd66b20654c035552b49c9d2fac18ef503bbd136a7a307bdeb97f759d45c25228a0bf0c37739b6e897bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52562\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\Downloads\Browser_Admin\Cookies_Admin.txt

Filesize
249B

MD5
62756cb36e13292b1d6d9f562cc88e91

SHA1
2e647a9ef74457725907ea8acdf7cac6d86fcaf5

SHA256
fbab9cd943a02ab2eaabc3f03ab10b410e1330168e528c9aa0a87b59aa9aec31

SHA512
7183f2b7d64f8e54558e9ec8e967c8933e3de7048f312906632f7417dbfb7860864d091b1ea3b5644bbefc22a38cc36c9900727e506232ed1d81d4221f92bb2b

Download Submit
C:\Users\Admin\Downloads\Browser_Admin\Downloads_Admin.txt

Filesize
790B

MD5
fc3be7931de130575d56abb86eeb11a0

SHA1
9d87038d2c296bb4b32617fdb641cdd12451c33b

SHA256
5c0945592d19912fcbc2dc4eba49d1b948747f979f2c75f568e422e6527cdfdc

SHA512
3a35c97a06dad1c471842a279c52a3c1fb12b249c35a7731ea2cdf96c3d0f02c83d2adca6f7ef72cf7b6f7fa1be5801e3d3993dcdd41d55ee3e9da2ad762c8c7

Download Submit
C:\Users\Admin\Downloads\Browser_Admin\History_Admin.txt

Filesize
2KB

MD5
f4226ee4597242cfe90125df7ccbe70a

SHA1
b8a1f94d24de170ab9c10d529a7958df59a8caea

SHA256
407bd7e957f93f1109b48772f5e7ae0dc1057c2d97ca11663abe5e314909ef54

SHA512
1ece3d90a2d164d623d1dff2a2a125bb5827f0fe2a9c7da53d0b558912a5004a3aab8902214da97bb618d9ef999aee001b2c88ce43a642f6e2993f24e7a9eebf

Download Submit
C:\Users\Admin\Downloads\Browser_Admin\Passwords_Admin.txt

Filesize
276B

MD5
a7a1f4f644a683d90617c1a9f6ca9322

SHA1
855f6f20969993ae7aad210eea07ba2c3c199896

SHA256
053190fb92c05eb92b1eb35ae1f662055b5f5fd9652580e6e08058401c871e7d

SHA512
f945d675c22f8b099306d5b68ec04046af919d2a47201d021cbd95d40d5a4f8b042de5c83e85d1b93b302a2c8ac55695f55fb62a64e6cb1a7371efa26effb65e

Download Submit
C:\Users\Admin\Downloads\Log.exe.crdownload

Filesize
24.1MB

MD5
48858d6b982c9ff9a3fcda4af97323e2

SHA1
e11fcf85bc009ab6da1ec2ad911ebc74d7a73461

SHA256
f6b3b83f270abc6446f6921a7791a6244a0e4e8b7c05d0f67cdfaf30caca1e6d

SHA512
b8e9d254cfe5f5c67252a4a8d34a8d843e9d4f94e40f8f6b44f8ab5d7aea74ef42d3867113bccdf65a5101e9d6c4d415e25dec543dfff379b0b8d089f5d39ffb

Download Submit
C:\Users\Admin\Downloads\Logger.exe

Filesize
164KB

MD5
249060b5228607adb181a84d996aad8f

SHA1
947888adf4003acf955fde300e966b2124dc8315

SHA256
cf2daf2ee156bbaa5538861e4e985b048fc381aaa1b0e6b23e7d85c792f9e740

SHA512
5868765e1962f3d30529742125fa6864343c1d20a0d32a81f7c66dec00e9ad8e57f3849639cd354cba5636a978008c39a0b070f4ac8546a2d7ed298cbae9bfd6

Download Submit
C:\Users\Admin\Downloads\downloads_db

Filesize
192KB

MD5
1e02e58c03bf359683390cb3fc5eeb9e

SHA1
7c6d9aa31caf65ef0ebb31a5a1258bf8f55679ef

SHA256
5531380780ac959432507b0625d81e3ee64c9fefca4e6928e07792c82820f23a

SHA512
bdee5527e758dd11072aa4572293104af14123678a043555d0119b074513adc5ecb09171b7ad54933da2d01881f14330d3dcd97323c4825a979106d914eade5f

Download Submit
C:\Users\Admin\Downloads\downloads_db

Filesize
160KB

MD5
9b85a4b842b758be395bc19aba64799c

SHA1
c32922b745c9cf827e080b09f410b4378560acb3

SHA256
ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a

SHA512
fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0

Download Submit
C:\Users\Admin\Downloads\password_db

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\Users\Admin\Downloads\password_db

Filesize
56KB

MD5
1c832d859b03f2e59817374006fe1189

SHA1
a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42

SHA256
bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b

SHA512
c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef

Download Submit