redline | hxxps://github[.]com/bakedayk8/VALORANT/releases/tag/Basked-GameZ-21z

Analysis

max time kernel
182s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/bakedayk8/VALORANT/releases/tag/Basked-GameZ-21z

Score

10^/10

redline @xcdaxfszx discovery execution infostealer persistence privilege_escalation

Malware Config

Extracted

Family

redline

Botnet

@xcdaxfszx

94.228.166.68:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/5424-894-0x0000000000400000-0x0000000000450000-memory.dmp family_redline
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4184 powershell.exe
5484 powershell.exe
3228 powershell.exe
4380 powershell.exe
Downloads MZ/PE file

resource	yara_rule
behavioral1/memory/5424-894-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

pid	process
4184	powershell.exe
5484	powershell.exe
3228	powershell.exe
4380	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exeLauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Launcher.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Executes dropped EXE 9 IoCs

Processes:

7z2407-x64.exe7z2407-x64.exe7zFM.exeLauncher.exereborncnezfc.exereborncnezfc.exeLauncher.exereborncnezfc.exereborncnezfc.exe

pid process

5088 7z2407-x64.exe
4656 7z2407-x64.exe
3928 7zFM.exe
4664 Launcher.exe
788 reborncnezfc.exe
5808 reborncnezfc.exe
1188 Launcher.exe
3404 reborncnezfc.exe
548 reborncnezfc.exe
Loads dropped DLL 2 IoCs

Processes:

7zFM.exe

pid process

3464
3928 7zFM.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
5088	7z2407-x64.exe
4656	7z2407-x64.exe
3928	7zFM.exe
4664	Launcher.exe
788	reborncnezfc.exe
5808	reborncnezfc.exe
1188	Launcher.exe
3404	reborncnezfc.exe
548	reborncnezfc.exe

pid	process
3464
3928	7zFM.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

reborncnezfc.exereborncnezfc.exereborncnezfc.exereborncnezfc.exe

description	pid	process	target process
PID 788 set thread context of 5424	788	reborncnezfc.exe	RegAsm.exe
PID 5808 set thread context of 5872	5808	reborncnezfc.exe	RegAsm.exe
PID 3404 set thread context of 856	3404	reborncnezfc.exe	RegAsm.exe
PID 548 set thread context of 6136	548	reborncnezfc.exe	RegAsm.exe

Drops file in Program Files directory 64 IoCs

Processes:

7z2407-x64.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2407-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

5516 788 WerFault.exe reborncnezfc.exe
5916 5808 WerFault.exe reborncnezfc.exe
3852 3404 WerFault.exe reborncnezfc.exe
6116 548 WerFault.exe reborncnezfc.exe

pid	pid_target	process	target process
5516	788	WerFault.exe	reborncnezfc.exe
5916	5808	WerFault.exe	reborncnezfc.exe
3852	3404	WerFault.exe	reborncnezfc.exe
6116	548	WerFault.exe	reborncnezfc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 26 IoCs

Processes:

msedge.exe7z2407-x64.exemsedge.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{42E71B92-45BF-4EBD-A370-5AF84A845DDF}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2407-x64.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 637066.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 637066.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4516	msedge.exe
4516	msedge.exe
3712	msedge.exe
3712	msedge.exe
208	identity_helper.exe
208	identity_helper.exe
3152	msedge.exe
3152	msedge.exe
3944	msedge.exe
3944	msedge.exe
4480	msedge.exe
4480	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
5484	powershell.exe
5484	powershell.exe
5484	powershell.exe
3228	powershell.exe
3228	powershell.exe
3228	powershell.exe
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exe7zFM.exe

pid process

4524 OpenWith.exe
3928 7zFM.exe

pid	process
4524	OpenWith.exe
3928	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedge.exe

pid	process
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

7zFM.exepowershell.exeLauncher.exepowershell.exepowershell.exeLauncher.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	3928	7zFM.exe
Token: 35	3928	7zFM.exe
Token: SeSecurityPrivilege	3928	7zFM.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	4664	Launcher.exe
Token: SeDebugPrivilege	5484	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	1188	Launcher.exe
Token: SeDebugPrivilege	4380	powershell.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

msedge.exe7zFM.exe

pid	process
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3928	7zFM.exe
3928	7zFM.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exe

pid	process
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe

Suspicious use of SetWindowsHookEx 36 IoCs

Processes:

OpenWith.exeOpenWith.exemsedge.exe7z2407-x64.exe7z2407-x64.exeOpenWith.exeOpenWith.exeLauncher.exereborncnezfc.exeRegAsm.exereborncnezfc.exeRegAsm.exeLauncher.exereborncnezfc.exeRegAsm.exereborncnezfc.exeRegAsm.exe

pid	process
1784	OpenWith.exe
1580	OpenWith.exe
3712	msedge.exe
3712	msedge.exe
5088	7z2407-x64.exe
4656	7z2407-x64.exe
3508	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4524	OpenWith.exe
4664	Launcher.exe
4664	Launcher.exe
788	reborncnezfc.exe
5424	RegAsm.exe
5808	reborncnezfc.exe
5872	RegAsm.exe
1188	Launcher.exe
1188	Launcher.exe
3404	reborncnezfc.exe
856	RegAsm.exe
548	reborncnezfc.exe
6136	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3712 wrote to memory of 8	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 8	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2512	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 4516	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 4516	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe
PID 3712 wrote to memory of 2784	3712	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/bakedayk8/VALORANT/releases/tag/Basked-GameZ-21z
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc763c46f8,0x7ffc763c4708,0x7ffc763c4718
2⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
2⤵
PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
2⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
2⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
2⤵
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
2⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5712 /prefetch:8
2⤵
PID:1380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
2⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
2⤵
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
2⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
2⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
2⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
2⤵
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
2⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
2⤵
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
2⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
2⤵
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6180 /prefetch:8
2⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5888 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
2⤵
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
2⤵
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
2⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
2⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
2⤵
PID:5596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
2⤵
PID:5920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6928 /prefetch:8
2⤵
PID:6036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Users\Admin\Downloads\7z2407-x64.exe
"C:\Users\Admin\Downloads\7z2407-x64.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Users\Admin\Downloads\7z2407-x64.exe
"C:\Users\Admin\Downloads\7z2407-x64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1768 /prefetch:1
2⤵
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:1
2⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
2⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6632 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
2⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
2⤵
PID:5756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:220

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Project.v1.0.2.7z"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3928

C:\Users\Admin\Desktop\aah\Launcher.exe
"C:\Users\Admin\Desktop\aah\Launcher.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe
"C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 300
3⤵
- Program crash
PID:5516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5484

C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe
"C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 308
3⤵
- Program crash
PID:5916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 788 -ip 788
1⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5808 -ip 5808
1⤵
PID:5888

C:\Users\Admin\Desktop\aah\Launcher.exe
"C:\Users\Admin\Desktop\aah\Launcher.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe
"C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 272
3⤵
- Program crash
PID:3852

C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe
"C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 308
3⤵
- Program crash
PID:6116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3404 -ip 3404
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 548 -ip 548
1⤵
PID:5232

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll
Filesize
99KB

MD5
8af282b10fd825dc83d827c1d8d23b53

SHA1
17c08d9ad0fb1537c7e6cb125ec0acbc72f2b355

SHA256
1c0012c9785c3283556ac33a70f77a1bc6914d79218a5c4903b1c174aaa558ca

SHA512
cb6811df9597796302d33c5c138b576651a1e1f660717dd79602db669692c18844b87c68f2126d5f56ff584eee3c8710206265465583de9ec9da42a6ed2477f8

Download Submit
C:\Program Files\7-Zip\7z.dll
Filesize
1.8MB

MD5
0009bd5e13766d11a23289734b383cbe

SHA1
913784502be52ce33078d75b97a1c1396414cf44

SHA256
3691adcefc6da67eedd02a1b1fc7a21894afd83ecf1b6216d303ed55a5f8d129

SHA512
d92cd55fcef5b15975c741f645f9c3cc53ae7cd5dffd5d5745adecf098b9957e8ed379e50f3d0855d54598e950b2dbf79094da70d94dfd7fc40bda7163a09b2b

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
960KB

MD5
79e8ca28aef2f3b1f1484430702b24e1

SHA1
76087153a547ce3f03f5b9de217c9b4b11d12f22

SHA256
5bc65256b92316f7792e27b0111e208aa6c27628a79a1dec238a4ad1cc9530f7

SHA512
b8426b44260a3adcbeaa38c5647e09a891a952774ecd3e6a1b971aef0e4c00d0f2a2def9965ee75be6c6494c3b4e3a84ce28572e376d6c82db0b53ccbbdb1438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Launcher.exe.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\61009cc4-8c53-4821-a5e1-f21aab362606.tmp
Filesize
779B

MD5
93cf7b6b76236ee8abaefd0131fc9446

SHA1
be3750cb2c4d7c99f3c223e21206ec7c3c1dbd35

SHA256
d57eb169a62a927fa53407dc5ad2fd8f5fb19b97c47de965c1f83e3c3e3edda3

SHA512
f2a7534e1200cd6bbfe136387d58ef2e1608607cbfffd6a142bb4b1431e87ab6ad2eaeaf0052a6bde71a61f5786f1319dec949068549afc3cfce2e53f5e5ebf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
31d6e8357984278c6b1a5ccbd6560ffc

SHA1
4d80a31056bfb5c54492c711cbad3ac20090bd3f

SHA256
555c3583dcb1f4cf938f5b438d4adcf54198160e4003db9794779f225fe38d93

SHA512
d10e06f94969387e5cb6ded3861295024b34d8f9286a1e9fbf1ab0f6e65475934bcaaf7109e6f2e93ffa9bd4f73ac9d50d0e2c39f3dc6de927b5ae054799bea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
80ad31da088d0efc5b56c97eb36ea86c

SHA1
a173597683bbfd3f897532c8ef3a77984be2fcf3

SHA256
6b804a9657ec6b6ba19b2783e12e9e92d9af5a4995427c402d4d30741f9fce97

SHA512
12bf93c6f0863166aff17870fc0027a59f3755609135d4c2c73354682ad67f752922153ef7bf58aed2578a2edee3df4feaad47eb8511a1a588161ec13bf41834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
583bce9075f0ac08b3f3b971222ceb51

SHA1
d77acea5d2aa18510aa093c3a7ca9931adff332a

SHA256
86f3f31c039e4f5980d0afc09cadbd2f8f05b11d6a79d802756a03dd1d79c730

SHA512
a3ec14d762b39d0f3c4b3595ec046d1db8dab4a8486ab4f731ed90a0b8e498e18da0b1019c22ba8b127d3eac0e0a73f3a665673c975e2315cc96f87755a93669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c4c56ea2ac6152604b50a17b114d21dc

SHA1
98b7bd40fe8634aa369d3b4d01776725ca5af142

SHA256
61932f09a56af9dec30905d34fe60274d572adaf280104f61790d4e3d6e39102

SHA512
aa5a77b7741dde964336a44accec2ade0a8aa0ffd5c1ca1147de847ae330b181a8d97d6814ae23c2ab241c062ee0e876808d9e2795b052c4cffeb5c3cf61d4e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0e9e3511fa1de5517e85c1d471b44a99

SHA1
b29a5cd1795442cd8aab3883c2600294612f9a36

SHA256
e4f35ecf4dc3fd767314e31bcf873b80d7e5f2fac6b6dafe2da8a5b49d5b6ab7

SHA512
cee9d5497b0932d41f4d29f1d69283f067cc42fc908cc04479c102a090106040abb2fe8c3dfc2028e234e52e2e10647b1ecaf25ae27075d4269cf0b99e79071a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
7df5ebe1751a72c42ae33e092d8c330c

SHA1
a8dfec590e8687811232daf080a9fd9b89ada580

SHA256
8127309bfb00e0f0c04715dbb25186fc57c04953ce1c59c8dee4b9d05fe2eb37

SHA512
229044e19deb2a27f484698be0022b56bf98f8e1b23a65fed9c8deb90195c0bc79811d65d1bcf90d4e9dd69b7b7e328898f71b62e2d96a06d9649228d915afdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
592fabc1f0be6c35af6d119656e35103

SHA1
f74fa0e5c7406712d55f9376ee359471775652f8

SHA256
9fcd6f8618adbc2e143a7865e6104f2cc6041cf52e6c3085cd428a6d09d7110f

SHA512
c7d4a0bb29b08e506abc278dd612335fa07b311132c0c62ada353e380f7fcf808d6e34c8e8e88828424f40e61649356a3549e779d3874ea37ad6f92fcba855f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8571604706b83e518db7892e23f776e4

SHA1
f26f23271e41ee63e88b1619d618a2e452850feb

SHA256
188db783196a254ada859a848b708c5098e90e9af790c3e104852134616f1102

SHA512
34c7710ad3c66327d0186cce88f9bed72ea2c563f03b01ebfaee3c8ec5bbcb72d088dbcc3859fb5662314a16188904e587d094fb5f382ea2fb0d2245856a3520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cf33a3c81de37e097d83f20348548fc3

SHA1
b5aebdcadda3ee32d8967f7bac5e99d4c9ff8629

SHA256
4624b15c958d12b77faff838545625cbc88213338919ae5a66b40ef464cfb51f

SHA512
52ee9c238a857bdae0004d1dd1ffe9314ddd945098e5fd8479f53bf8c64c998cc60376fc1a4969430620439ef3960b5298bfc777c9df3eec52e514744e90c677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
0757deebd7683773fa67d74e079ba614

SHA1
e644f160c809d0d1728241f5521ad318e9c1bba8

SHA256
0a456674485ebcd3556dddd8e2c6210ea0773cfc8489f7356294bbbacb0073ce

SHA512
f01620e75f2aa9b1b0ddcaf24033b66f0787170e93cd571a5cf35ca07856ee5b710fb9662a18779b713c9d9ade2107697b1ee9619b851510509b5444fce5be3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f29b44aed2343bd8de155a167d1511a0

SHA1
85c722d88398bb14966e9cedac73abb93da6bf8b

SHA256
e506099f0f831b014a6d9a1e7ae4bc4d247d645c322cec075c0ea9aa7d763267

SHA512
12a1414ac09c829bc02899be14dbe2a3875760a5d7be1173212c4b65ad151d4c92525f54102a454caf1b57ade86b55e5144b1ab6b9352ee57cfb86981ee9c403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
3a1ee869e645f20f051dce4304d5c187

SHA1
8acd33be91d4fc504428da0cc32476683b4f9b21

SHA256
9f170d44b757027d0e2b7a48a0e98dfbbe39f7b0e42a44a99adde45a380a9050

SHA512
799c61186955981c9ed56d51af55092a6da5ea2ec4f18549f0a5d081dd79b5240d5ac06ee92bba6096b97a1236ff743cdff1aee6c1a42917857661a7b700981e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c767.TMP
Filesize
874B

MD5
e8b035e48c20c12e9c5301c0cf065799

SHA1
d2afc55c4a35bd3b45233f3857db97ac4d839f3f

SHA256
29f6cae98df2b2aa262e75a60b0d0498db27510b1388ba984b83ca98adf06304

SHA512
afa7933fc8540495390ddd51cccecbe3da3ff1c300f02889f3c4b56d71f1cf2f8a6897c68995376ec26c45c37de87edbc43f293f9125647848d41991e21f081a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
77f6fd1d4ed8a59b2359be9ed4686e88

SHA1
a9f6fbbcd731facfff42487effc3e4a02429eb7f

SHA256
5defc7811e9bd185805a14366f95b7e221095b5a4f43ccc3731b66c30d9dc5f4

SHA512
41a8d2483b1ed8fb0171dfd5018a65bec9c16ebee57b7828a48e8e1ea9458adcf42f7bba3ad20b2881ccf16947d7552804a5bef1042039c4d9bad55896864b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
9b3f98a4ac09cbe7d789ccbf77a0b338

SHA1
6ad9b9e0face92617b68b578255d950867409bd7

SHA256
67bfa093cd1224658fbefd017362355483929103e20c5715f7688eee753668a8

SHA512
545b8dfd65cf3e90c82d8de078e790692bfa67aa4569a431e2b21b69a367c23c5d627515fe4e3606d57b2df104e051fc491d942362487680cd585db5c7937983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
6ed8675f693483617389a2839fc135d5

SHA1
aab4ee5b3344b8c8604d82d6798802f2440b5915

SHA256
67321ccb97dce42a7b75f0e4c9918c3d643f8923dc5af4fc4e37850e3b19cfdb

SHA512
ace5d8e5d23f36201c328ba9083ca1ce32175135942f6e36ab09946e1e38a5c20f1453b85094a7b14c54b76cf62ab2a894c2779ce1dea861b0ab5e17fef594a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
b4a5e8f6a3533d957075895050f51f47

SHA1
943a994e61d53660b3a63438112ac7e96a941f3d

SHA256
750567f3d7c1f9e527a0b97ca64accd6826cdc0521a91be01db9906f2c6db566

SHA512
5523702ec6dcf6053bf9f10a809fd5b97e3d86b168003690c7f0e42b4199ea4f73091da1abd75be3e690e7a3c2998057dadb8037beac211171b231ac86284e87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
40d77a99d85ff2b61af87a66dc6b3efb

SHA1
5d99d4461e66c0a63c00527564f15b8886a03d5d

SHA256
17e9d64243564fbca852ec03db4a22ff9f46d15acecaec12fa81e5c6bb56ffc3

SHA512
cba17a07566626c11bbb8df66b5af7694217e3bd702d8bd09e9dd2fa20995f3539391d7118cfe2709e64a08e830194a75ab7ef900cb8fabf89b50c74f6e82cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
70a4f7a2e561ca20743d50fa1c480ca0

SHA1
1b8006e7c15ac5182aae0969aa4e8c49a7fbc9e5

SHA256
5eb30bc49361c59da3d07cd8a260abafacf7f8f5257557d5c5ed7aa424fda7fa

SHA512
d6d5c108abd40e70bffa9d805faab71f53f2a18d94899bceacaeb6108ed9dc385e50c6fb1305c58fb82f159d9ba79d79c8d99e671a1e870c6ee5a184af8ba24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2uwamjgu.oip.zip
Filesize
407KB

MD5
8c6cfba0b48c41af9968530b70299dd8

SHA1
c430ad791529800549ce1988aa725b797cf34713

SHA256
c222866d1914892925d67dd58dba4d2a06217b20abc58aca9bbff5ba700b8bb9

SHA512
e41d0224d81170099f381e8dc6bcff75ab1da3e15fc204e29f023d61919deb5598a9962180b951b71105519f9e5510cf22f7fad47df738ff898cd108daa42548

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE85F4F059\Libs\libgl.dll
Filesize
30.7MB

MD5
bdc3128b6c94339ca0d4df892b7c0eee

SHA1
26b4b64363cc89fe4d62f2b9404f41257b136f52

SHA256
e776b56d62b136c883b0da850ce52fa9e4a40e938f66cc687909b89f4bdb1db1

SHA512
d32013dad5d69e9d8c77f5f5291e8580e580daa4fe94c049e0f3b10f218c49c27227b1e1bd857afcd2a890e741ac14916e593775cea10bd3714f1f249d8254c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zvfwowf4.otw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe
Filesize
500KB

MD5
bb080386871b5d568e94800795370c67

SHA1
bb881250022ae1fe088a5b88c410e88320ab97f1

SHA256
d8e2722a9a80a3777fa197e570118849e08de8a4897d0092994f4b7b6807df53

SHA512
c32c912267e35deb5b72d0c7b397bdb8d1ab4be327210fe8c9a805fe19ad7c4831f4f2e042bac164d991588a96d12ad639070a0f4bc4a5e75e70c64e3193a6a0

Download Submit
C:\Users\Admin\Desktop\aah\Launcher.exe
Filesize
4.6MB

MD5
9fc9cbd1edfd5eae867d0a6e38ce60b9

SHA1
e90a0e45679c56e1cd73a9bc143c9fe16ad3d37d

SHA256
f3244bd9393680656ad83011a1e200c18859b3d0f144bf9be1e9232238677473

SHA512
6022a1a40769486e445bc1a451effbe71b1b11e54d0bd1ae466d5f92812de1e0c3879a0563e00b2df1340fe59c6624074658da2e6a0c836ee8f16ed74fc69c67

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 637066.crdownload
Filesize
1.5MB

MD5
f1320bd826092e99fcec85cc96a29791

SHA1
c0fa3b83cf9f9ec5e584fbca4a0afa9a9faa13ed

SHA256
ad12cec3a3957ff73a689e0d65a05b6328c80fd76336a1b1a6285335f8dab1ba

SHA512
c6ba7770de0302dd90b04393a47dd7d80a0de26fab0bc11e147bf356e3e54ec69ba78e3df05f4f8718ba08ccaefbd6ea0409857973af3b6b57d271762685823a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 85646.crdownload
Filesize
2.1MB

MD5
a003cd3a36ba2fb0bb85d3d53b90d824

SHA1
31ef5c85467f3c58a5d6d31cd8f85fbcdb2f2f25

SHA256
9f2474e18ee8f5291d9fa924e7c295af7286b141cc2769e99c26172fb9e5d1fa

SHA512
b06238534f8360642073c4dfb0d2940f5a54be225205603d2679986eaee289ddcfe06aa8dcdcc4a1020245faa8480bdc9dc9442781fa98ff4360840236cdf098

Download Submit
\??\pipe\LOCAL\crashpad_3712_XVDYUPNGIYAZREZC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3228-978-0x0000000007710000-0x0000000007724000-memory.dmp

Filesize
80KB

Download
memory/3228-977-0x00000000076C0000-0x00000000076D1000-memory.dmp

Filesize
68KB

Download
memory/3228-976-0x0000000007430000-0x00000000074D3000-memory.dmp

Filesize
652KB

Download
memory/3228-966-0x000000006B0B0000-0x000000006B0FC000-memory.dmp

Filesize
304KB

Download
memory/3228-964-0x0000000005B60000-0x0000000005EB4000-memory.dmp

Filesize
3.3MB

Download
memory/4184-853-0x0000000005C90000-0x0000000005CDC000-memory.dmp

Filesize
304KB

Download
memory/4184-854-0x0000000006DB0000-0x0000000006DE2000-memory.dmp

Filesize
200KB

Download
memory/4184-866-0x0000000006DF0000-0x0000000006E93000-memory.dmp

Filesize
652KB

Download
memory/4184-867-0x0000000007560000-0x0000000007BDA000-memory.dmp

Filesize
6.5MB

Download
memory/4184-868-0x0000000006F20000-0x0000000006F3A000-memory.dmp

Filesize
104KB

Download
memory/4184-869-0x0000000006F90000-0x0000000006F9A000-memory.dmp

Filesize
40KB

Download
memory/4184-870-0x00000000071A0000-0x0000000007236000-memory.dmp

Filesize
600KB

Download
memory/4184-871-0x0000000007120000-0x0000000007131000-memory.dmp

Filesize
68KB

Download
memory/4184-874-0x0000000007150000-0x000000000715E000-memory.dmp

Filesize
56KB

Download
memory/4184-875-0x0000000007160000-0x0000000007174000-memory.dmp

Filesize
80KB

Download
memory/4184-876-0x0000000007260000-0x000000000727A000-memory.dmp

Filesize
104KB

Download
memory/4184-877-0x0000000007240000-0x0000000007248000-memory.dmp

Filesize
32KB

Download
memory/4184-855-0x000000006E880000-0x000000006E8CC000-memory.dmp

Filesize
304KB

Download
memory/4184-837-0x00000000022F0000-0x0000000002326000-memory.dmp

Filesize
216KB

Download
memory/4184-838-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/4184-839-0x0000000005460000-0x0000000005482000-memory.dmp

Filesize
136KB

Download
memory/4184-845-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/4184-846-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/4184-847-0x0000000005650000-0x00000000059A4000-memory.dmp

Filesize
3.3MB

Download
memory/4184-865-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/4184-852-0x0000000005C00000-0x0000000005C1E000-memory.dmp

Filesize
120KB

Download
memory/4380-1017-0x0000000007DA0000-0x0000000007DB4000-memory.dmp

Filesize
80KB

Download
memory/4380-1014-0x0000000007D70000-0x0000000007D81000-memory.dmp

Filesize
68KB

Download
memory/4380-1000-0x0000000007AB0000-0x0000000007B53000-memory.dmp

Filesize
652KB

Download
memory/4380-990-0x000000006B0B0000-0x000000006B0FC000-memory.dmp

Filesize
304KB

Download
memory/4664-836-0x0000000005D10000-0x0000000005D1A000-memory.dmp

Filesize
40KB

Download
memory/4664-833-0x0000000000CC0000-0x0000000001160000-memory.dmp

Filesize
4.6MB

Download
memory/4664-834-0x00000000061B0000-0x0000000006754000-memory.dmp

Filesize
5.6MB

Download
memory/4664-835-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/5424-896-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/5424-895-0x00000000066F0000-0x0000000006D08000-memory.dmp

Filesize
6.1MB

Download
memory/5424-894-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5424-897-0x0000000006610000-0x0000000006622000-memory.dmp

Filesize
72KB

Download
memory/5424-898-0x0000000006670000-0x00000000066AC000-memory.dmp

Filesize
240KB

Download
memory/5424-899-0x0000000008080000-0x00000000080CC000-memory.dmp

Filesize
304KB

Download
memory/5484-901-0x0000000005B30000-0x0000000005E84000-memory.dmp

Filesize
3.3MB

Download
memory/5484-924-0x00000000077E0000-0x00000000077F4000-memory.dmp

Filesize
80KB

Download
memory/5484-923-0x00000000077A0000-0x00000000077B1000-memory.dmp

Filesize
68KB

Download
memory/5484-922-0x00000000074A0000-0x0000000007543000-memory.dmp

Filesize
652KB

Download
memory/5484-912-0x000000006B0B0000-0x000000006B0FC000-memory.dmp

Filesize
304KB

Download