Analysis
- max time kernel: 912s
- max time network: 914s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 01-07-2024 16:00
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://upload.advgroup.ru/o1O7nLYV
  - Resource: win7-20240508-en
- Behavioral task: behavioral2
  - Sample: https://upload.advgroup.ru/o1O7nLYV
  - Resource: win10-20240404-en
- Behavioral task: behavioral3
  - Sample: https://upload.advgroup.ru/o1O7nLYV
  - Resource: win10v2004-20240508-en
General
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
- behavioral4/memory/4648-1147-0x0000000000170000-0x00000000001D2000-memory.dmp: family_redline
-
XMRig Miner payload 8 IoCs
Processes:
- behavioral4/memory/2904-1277-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral4/memory/2904-1276-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral4/memory/2904-1287-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral4/memory/2904-1288-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral4/memory/2904-1285-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral4/memory/2904-1286-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral4/memory/2904-1284-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral4/memory/2904-1300-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
- 2140 powershell.exe
- 764 powershell.exe
-
Creates new service(s) 2 TTPs
-
Executes dropped EXE 4 IoCs
Processes:
- 3536 FieroHack.exe
- 4756 WeMod.exe
- 4648 Sirus.exe
- 4680 leirdnhqqedj.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
- behavioral4/memory/2904-1272-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral4/memory/2904-1273-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral4/memory/2904-1275-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral4/memory/2904-1274-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral4/memory/2904-1277-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral4/memory/2904-1276-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral4/memory/2904-1287-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral4/memory/2904-1288-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral4/memory/2904-1285-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral4/memory/2904-1286-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral4/memory/2904-1284-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral4/memory/2904-1271-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral4/memory/2904-1300-0x0000000140000000-0x0000000140848000-memory.dmp: upx
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
- 648 powercfg.exe
- 1764 powercfg.exe
- 420 powercfg.exe
- 2064 powercfg.exe
- 4964 powercfg.exe
- 4144 powercfg.exe
- 4480 powercfg.exe
- 2940 powercfg.exe
-
Drops file in System32 directory 6 IoCs
Processes:
- File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\4680.obs (leirdnhqqedj.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification: C:\Windows\system32\MRT.exe (leirdnhqqedj.exe)
- File opened for modification: C:\Windows\system32\MRT.exe (WeMod.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439} (leirdnhqqedj.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
- 4756 WeMod.exe
- 4680 leirdnhqqedj.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 4680 (leirdnhqqedj.exe) set thread context of 1496 (conhost.exe)
- PID 4680 (leirdnhqqedj.exe) set thread context of 2904 (explorer.exe)
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- 2400 sc.exe
- 4588 sc.exe
- 2460 sc.exe
- 3944 sc.exe
- 556 sc.exe
- 1228 sc.exe
- 1852 sc.exe
- 1552 sc.exe
- 2516 sc.exe
- 1520 sc.exe
- 2556 sc.exe
- 3460 sc.exe
- 3360 sc.exe
- 4932 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
-
Modifies data under HKEY_USERS 46 IoCs
Processes:
-
Modifies registry class 2 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings (msedge.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings (taskmgr.exe)
-
NTFS ADS 1 IoCs
Processes:
- File opened for modification: C:\Users\Admin\Downloads\Melonity_Installer v3.6.rar:Zone.Identifier (msedge.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
- Token: SeRestorePrivilege (1968 7zG.exe)
- Token: 35 (1968 7zG.exe)
- Token: SeSecurityPrivilege (1968 7zG.exe)
- Token: SeSecurityPrivilege (1968 7zG.exe)
- Token: SeDebugPrivilege (1728 taskmgr.exe)
- Token: SeSystemProfilePrivilege (1728 taskmgr.exe)
- Token: SeCreateGlobalPrivilege (1728 taskmgr.exe)
- Token: SeDebugPrivilege (4648 Sirus.exe)
- Token: SeBackupPrivilege (4648 Sirus.exe)
- Token: SeSecurityPrivilege (4648 Sirus.exe)
- Token: SeSecurityPrivilege (4648 Sirus.exe)
- Token: SeSecurityPrivilege (4648 Sirus.exe)
- Token: SeSecurityPrivilege (4648 Sirus.exe)
- Token: SeDebugPrivilege (2140 powershell.exe)
- Token: SeShutdownPrivilege (1764 powercfg.exe)
- Token: SeCreatePagefilePrivilege (1764 powercfg.exe)
- Token: SeShutdownPrivilege (420 powercfg.exe)
- Token: SeCreatePagefilePrivilege (420 powercfg.exe)
- Token: SeShutdownPrivilege (2064 powercfg.exe)
- Token: SeCreatePagefilePrivilege (2064 powercfg.exe)
- Token: SeShutdownPrivilege (648 powercfg.exe)
- Token: SeCreatePagefilePrivilege (648 powercfg.exe)
- Token: SeDebugPrivilege (764 powershell.exe)
- Token: SeShutdownPrivilege (4480 powercfg.exe)
- Token: SeCreatePagefilePrivilege (4480 powercfg.exe)
- Token: SeShutdownPrivilege (4144 powercfg.exe)
- Token: SeCreatePagefilePrivilege (4144 powercfg.exe)
- Token: SeShutdownPrivilege (2940 powercfg.exe)
- Token: SeCreatePagefilePrivilege (2940 powercfg.exe)
- Token: SeShutdownPrivilege (4964 powercfg.exe)
- Token: SeCreatePagefilePrivilege (4964 powercfg.exe)
- Token: SeLockMemoryPrivilege (2904 explorer.exe)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- 3536 FieroHack.exe
- 4756 WeMod.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
Each entry gives the image path, then its command line, then the signatures it triggered; child processes are nested under their parent.
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://upload.advgroup.ru/o1O7nLYV
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda0763cb8,0x7ffda0763cc8,0x7ffda0763cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4844 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7160 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7164 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004AC
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Melonity_Installer v3.6\" -spe -an -ai#7zMap16484:108:7zEvent26534
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Downloads\Melonity_Installer v3.6\FieroHack.exe
  "C:\Users\Admin\Downloads\Melonity_Installer v3.6\FieroHack.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\WeMod.exe
    C:\Users\Admin\AppData\Roaming\WeMod.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
    - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe
    - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe
    - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe
    - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe
    - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe
    - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "BFFESVJT"
      - Launches sc.exe
    - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "BFFESVJT" binpath= "C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe" start= "auto"
      - Launches sc.exe
    - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      - Launches sc.exe
    - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "BFFESVJT"
      - Launches sc.exe
    - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\WeMod.exe"
      - C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
  - C:\Users\Admin\AppData\Roaming\Sirus.exe
    C:\Users\Admin\AppData\Roaming\Sirus.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeC:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads