gcleaner | d182c08bed51b78f1dace83a6aa4bdb26954e7c89c9e7c8f8ae0992d6a315934

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2023 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

756KB
MD5

a9926757f1a1882142e369cc4617d356
SHA1

07ef28c5842a5068619a6b30356e46cddbb4fda6
SHA256

d182c08bed51b78f1dace83a6aa4bdb26954e7c89c9e7c8f8ae0992d6a315934
SHA512

61ec6b4216dd6f9015825f71aa3f9decbde30e90a2bddac3cff5840573e36db62f7689f094c5aab196a8e52e41ec0f4e8c8b4ee20cafa80339284a72daa590b6
SSDEEP

12288:VQi3dMjv6m6URA3Phdp1hf39Wkv8xwJZ3Ep:VQiWjChhdpdUMZ0p

Score

10^/10

gcleaner socelars evasion loader persistence spyware stealer

Malware Config

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/sfasue20/

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	2136	rundll32.exe	55

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0001000000023120-216.dat	family_socelars
behavioral2/files/0x0001000000023120-215.dat	family_socelars

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	fITNESS.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	fITNESS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Mifyxyfijo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	chenp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	gcleaner.exe

Executes dropped EXE 8 IoCs

pid	Process
3612	file.tmp
4280	fITNESS.exe
1384	Mifyxyfijo.exe
2156	Mifyxyfijo.exe
5128	gcleaner.exe
5448	handdiy_3.exe
6116	chenp.exe
4524	chenp.exe

Loads dropped DLL 2 IoCs

pid	Process
3612	file.tmp
3540	elevation_service.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft\\Mifyxyfijo.exe\""	fITNESS.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	handdiy_3.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230222134457.pma	setup.exe
File created	C:\Program Files\Microsoft Office\TQZNFLFBEK\poweroff.exe	fITNESS.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	handdiy_3.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2974e866-3bcc-4a85-921a-508e96c97dbf.tmp	setup.exe
File created	C:\Program Files (x86)\Microsoft\Mifyxyfijo.exe	fITNESS.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	handdiy_3.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	handdiy_3.exe
File created	C:\Program Files (x86)\Microsoft\Mifyxyfijo.exe.config	fITNESS.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	handdiy_3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
5436	5128	WerFault.exe	89
4288	5128	WerFault.exe	89
2416	5128	WerFault.exe	89
4840	5128	WerFault.exe	89
1028	3540	WerFault.exe	119
1204	5128	WerFault.exe	89
5760	5128	WerFault.exe	89
6028	5128	WerFault.exe	89
4728	5128	WerFault.exe	89
3016	5128	WerFault.exe	89

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3888	taskkill.exe
4504	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133215470956567132"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Mifyxyfijo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Mifyxyfijo.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	76	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe
1384	Mifyxyfijo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
5172	msedge.exe
5172	msedge.exe
5172	msedge.exe
5172	msedge.exe
5172	msedge.exe
5172	msedge.exe
5172	msedge.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4280	fITNESS.exe
Token: SeDebugPrivilege	1384	Mifyxyfijo.exe
Token: SeDebugPrivilege	2156	Mifyxyfijo.exe
Token: SeCreateTokenPrivilege	5448	handdiy_3.exe
Token: SeAssignPrimaryTokenPrivilege	5448	handdiy_3.exe
Token: SeLockMemoryPrivilege	5448	handdiy_3.exe
Token: SeIncreaseQuotaPrivilege	5448	handdiy_3.exe
Token: SeMachineAccountPrivilege	5448	handdiy_3.exe
Token: SeTcbPrivilege	5448	handdiy_3.exe
Token: SeSecurityPrivilege	5448	handdiy_3.exe
Token: SeTakeOwnershipPrivilege	5448	handdiy_3.exe
Token: SeLoadDriverPrivilege	5448	handdiy_3.exe
Token: SeSystemProfilePrivilege	5448	handdiy_3.exe
Token: SeSystemtimePrivilege	5448	handdiy_3.exe
Token: SeProfSingleProcessPrivilege	5448	handdiy_3.exe
Token: SeIncBasePriorityPrivilege	5448	handdiy_3.exe
Token: SeCreatePagefilePrivilege	5448	handdiy_3.exe
Token: SeCreatePermanentPrivilege	5448	handdiy_3.exe
Token: SeBackupPrivilege	5448	handdiy_3.exe
Token: SeRestorePrivilege	5448	handdiy_3.exe
Token: SeShutdownPrivilege	5448	handdiy_3.exe
Token: SeDebugPrivilege	5448	handdiy_3.exe
Token: SeAuditPrivilege	5448	handdiy_3.exe
Token: SeSystemEnvironmentPrivilege	5448	handdiy_3.exe
Token: SeChangeNotifyPrivilege	5448	handdiy_3.exe
Token: SeRemoteShutdownPrivilege	5448	handdiy_3.exe
Token: SeUndockPrivilege	5448	handdiy_3.exe
Token: SeSyncAgentPrivilege	5448	handdiy_3.exe
Token: SeEnableDelegationPrivilege	5448	handdiy_3.exe
Token: SeManageVolumePrivilege	5448	handdiy_3.exe
Token: SeImpersonatePrivilege	5448	handdiy_3.exe
Token: SeCreateGlobalPrivilege	5448	handdiy_3.exe
Token: 31	5448	handdiy_3.exe
Token: 32	5448	handdiy_3.exe
Token: 33	5448	handdiy_3.exe
Token: 34	5448	handdiy_3.exe
Token: 35	5448	handdiy_3.exe
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeDebugPrivilege	4504	svchost.exe
Token: SeShutdownPrivilege	6096	chrome.exe
Token: SeCreatePagefilePrivilege	6096	chrome.exe
Token: SeShutdownPrivilege	6096	chrome.exe
Token: SeCreatePagefilePrivilege	6096	chrome.exe
Token: SeShutdownPrivilege	6096	chrome.exe
Token: SeCreatePagefilePrivilege	6096	chrome.exe
Token: SeShutdownPrivilege	6096	chrome.exe
Token: SeCreatePagefilePrivilege	6096	chrome.exe
Token: SeShutdownPrivilege	6096	chrome.exe
Token: SeCreatePagefilePrivilege	6096	chrome.exe
Token: SeShutdownPrivilege	6096	chrome.exe
Token: SeCreatePagefilePrivilege	6096	chrome.exe
Token: SeShutdownPrivilege	6096	chrome.exe
Token: SeCreatePagefilePrivilege	6096	chrome.exe
Token: SeShutdownPrivilege	6096	chrome.exe
Token: SeCreatePagefilePrivilege	6096	chrome.exe
Token: SeShutdownPrivilege	6096	chrome.exe
Token: SeCreatePagefilePrivilege	6096	chrome.exe
Token: SeShutdownPrivilege	6096	chrome.exe
Token: SeCreatePagefilePrivilege	6096	chrome.exe
Token: SeShutdownPrivilege	6096	chrome.exe
Token: SeCreatePagefilePrivilege	6096	chrome.exe
Token: SeShutdownPrivilege	6096	chrome.exe
Token: SeCreatePagefilePrivilege	6096	chrome.exe
Token: SeShutdownPrivilege	6096	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
5172	msedge.exe
5172	msedge.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
6116	chenp.exe
6116	chenp.exe
4524	chenp.exe
4524	chenp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 3612	4560	file.exe	83
PID 4560 wrote to memory of 3612	4560	file.exe	83
PID 4560 wrote to memory of 3612	4560	file.exe	83
PID 3612 wrote to memory of 4280	3612	file.tmp	84
PID 3612 wrote to memory of 4280	3612	file.tmp	84
PID 4280 wrote to memory of 1384	4280	fITNESS.exe	85
PID 4280 wrote to memory of 1384	4280	fITNESS.exe	85
PID 4280 wrote to memory of 2156	4280	fITNESS.exe	86
PID 4280 wrote to memory of 2156	4280	fITNESS.exe	86
PID 1384 wrote to memory of 4744	1384	Mifyxyfijo.exe	87
PID 1384 wrote to memory of 4744	1384	Mifyxyfijo.exe	87
PID 4744 wrote to memory of 5128	4744	cmd.exe	89
PID 4744 wrote to memory of 5128	4744	cmd.exe	89
PID 4744 wrote to memory of 5128	4744	cmd.exe	89
PID 2156 wrote to memory of 5172	2156	Mifyxyfijo.exe	90
PID 2156 wrote to memory of 5172	2156	Mifyxyfijo.exe	90
PID 5172 wrote to memory of 5228	5172	msedge.exe	91
PID 5172 wrote to memory of 5228	5172	msedge.exe	91
PID 1384 wrote to memory of 5276	1384	Mifyxyfijo.exe	92
PID 1384 wrote to memory of 5276	1384	Mifyxyfijo.exe	92
PID 5276 wrote to memory of 5448	5276	cmd.exe	96
PID 5276 wrote to memory of 5448	5276	cmd.exe	96
PID 5276 wrote to memory of 5448	5276	cmd.exe	96
PID 1384 wrote to memory of 5652	1384	Mifyxyfijo.exe	101
PID 1384 wrote to memory of 5652	1384	Mifyxyfijo.exe	101
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97
PID 5172 wrote to memory of 5664	5172	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\is-HONO7.tmp\file.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HONO7.tmp\file.tmp" /SL5="$C01C4,506086,422400,C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\is-AAKED.tmp\fITNESS.exe
    "C:\Users\Admin\AppData\Local\Temp\is-AAKED.tmp\fITNESS.exe" /S /UID=95
    3⤵
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\ed-7ec63-917-0769a-d9e5d36818afb\Mifyxyfijo.exe
      "C:\Users\Admin\AppData\Local\Temp\ed-7ec63-917-0769a-d9e5d36818afb\Mifyxyfijo.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wewg0yy3.evl\gcleaner.exe /mixfive & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Users\Admin\AppData\Local\Temp\wewg0yy3.evl\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\wewg0yy3.evl\gcleaner.exe /mixfive
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 452
        7⤵
        Program crash
        
        PID:5436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 764
        7⤵
        Program crash
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 772
        7⤵
        Program crash
        
        PID:2416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 816
        7⤵
        Program crash
        
        PID:4840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 824
        7⤵
        Program crash
        
        PID:1204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 964
        7⤵
        Program crash
        
        PID:5760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 1016
        7⤵
        Program crash
        
        PID:6028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 1344
        7⤵
        Program crash
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\wewg0yy3.evl\gcleaner.exe" & exit
        7⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 496
        7⤵
        Program crash
        
        PID:3016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1uaawnpc.dzu\handdiy_3.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5276
      - C:\Users\Admin\AppData\Local\Temp\1uaawnpc.dzu\handdiy_3.exe
        
        C:\Users\Admin\AppData\Local\Temp\1uaawnpc.dzu\handdiy_3.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        7⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6096
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9525a9758,0x7ff9525a9768,0x7ff9525a9778
        8⤵
        
        PID:2688
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1792,i,17525816318457944134,2870560299151167406,131072 /prefetch:2
        8⤵
        
        PID:3152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1792,i,17525816318457944134,2870560299151167406,131072 /prefetch:8
        8⤵
        
        PID:4972
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1792,i,17525816318457944134,2870560299151167406,131072 /prefetch:8
        8⤵
        
        PID:3608
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3208 --field-trial-handle=1792,i,17525816318457944134,2870560299151167406,131072 /prefetch:1
        8⤵
        
        PID:772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3344 --field-trial-handle=1792,i,17525816318457944134,2870560299151167406,131072 /prefetch:1
        8⤵
        
        PID:4316
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3872 --field-trial-handle=1792,i,17525816318457944134,2870560299151167406,131072 /prefetch:1
        8⤵
        
        PID:2492
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4720 --field-trial-handle=1792,i,17525816318457944134,2870560299151167406,131072 /prefetch:1
        8⤵
        
        PID:5436
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1792,i,17525816318457944134,2870560299151167406,131072 /prefetch:8
        8⤵
        
        PID:6104
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5044 --field-trial-handle=1792,i,17525816318457944134,2870560299151167406,131072 /prefetch:8
        8⤵
        
        PID:5024
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 --field-trial-handle=1792,i,17525816318457944134,2870560299151167406,131072 /prefetch:8
        8⤵
        
        PID:3336
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1792,i,17525816318457944134,2870560299151167406,131072 /prefetch:8
        8⤵
        
        PID:5044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2928 --field-trial-handle=1792,i,17525816318457944134,2870560299151167406,131072 /prefetch:2
        8⤵
        
        PID:4828
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\manzjvn3.kkm\chenp.exe & exit
        5⤵
        
        PID:5652
      - C:\Users\Admin\AppData\Local\Temp\manzjvn3.kkm\chenp.exe
        
        C:\Users\Admin\AppData\Local\Temp\manzjvn3.kkm\chenp.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\manzjvn3.kkm\chenp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\manzjvn3.kkm\chenp.exe" -h
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\c1-71bb7-c25-aa097-4e76bddba6525\Mifyxyfijo.exe
      "C:\Users\Admin\AppData\Local\Temp\c1-71bb7-c25-aa097-4e76bddba6525\Mifyxyfijo.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        5⤵
        Enumerates system info in registry
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5172
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ff954fe46f8,0x7ff954fe4708,0x7ff954fe4718
        6⤵
        
        PID:5228
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6950600049502564997,13693089772236814035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        6⤵
        
        PID:5664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,6950600049502564997,13693089772236814035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
        6⤵
        
        PID:5716
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,6950600049502564997,13693089772236814035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
        6⤵
        
        PID:5728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6950600049502564997,13693089772236814035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
        6⤵
        
        PID:5160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6950600049502564997,13693089772236814035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
        6⤵
        
        PID:4080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6950600049502564997,13693089772236814035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
        6⤵
        
        PID:3952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6950600049502564997,13693089772236814035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
        6⤵
        
        PID:6108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6950600049502564997,13693089772236814035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
        6⤵
        
        PID:3860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6950600049502564997,13693089772236814035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
        6⤵
        
        PID:3160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6950600049502564997,13693089772236814035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
        6⤵
        
        PID:5056
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6950600049502564997,13693089772236814035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
        6⤵
        
        PID:5972
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        6⤵
        Drops file in Program Files directory
        
        PID:3016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff7c2115460,0x7ff7c2115470,0x7ff7c2115480
        7⤵
        
        PID:1740
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6950600049502564997,13693089772236814035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
        6⤵
        
        PID:3124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6950600049502564997,13693089772236814035,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5076 /prefetch:2
        6⤵
        
        PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5128 -ip 5128
1⤵
PID:5400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5128 -ip 5128
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5128 -ip 5128
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5128 -ip 5128
1⤵
PID:2840

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:3708
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  PID:3540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 604
    3⤵
    - Program crash
    PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3540 -ip 3540
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5128 -ip 5128
1⤵
PID:236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5128 -ip 5128
1⤵
PID:5216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5128 -ip 5128
1⤵
PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5128 -ip 5128
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5128 -ip 5128
1⤵
PID:3188

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Loads dropped DLL
PID:3540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
3b421aacad2c7bddc8c80f4c6f4fd390

SHA1
901ce3ebe38202e206f3afb76dc71e113cb877da

SHA256
c959ea9502b1683a9a5ac73cb8990494f07e78afdee6c81c58d414e46b5a90d9

SHA512
506bb26ed9ef55983d6870e0cda7d732c8faf32249a73816e52ad17ae00655014a6d8b908fff4c4e1855581094e02806dfa877c91b6ea63e3d89581acee80ecd

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
be9e3ff1450a23ce3e7aeea3afcb3c5d

SHA1
395f212b42611a3a1d0183cff0c22c5d067ac1ba

SHA256
c2c053aae9fb05f02239e0e2cd1fe3c500bcbad607debb9bab5b09b9b1d4310f

SHA512
479a847fd6e407e5cc57c58f5f3665e56bea87bc0cda558585635a9653146ca1e133de16534daa03b36f7c04ad5cfc2cf8f47434079e1d77c983b6ae41883ebf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
e86a6599670f1b572b574db40b2769a5

SHA1
0bc53fefe636f35bd469c376580ea8a897c76b3a

SHA256
aadf8953598122e0c635e3637281b4e17dfcd8e10b56a13971df0bc2789c3439

SHA512
d757b29607864f5f9a97a02494497b6b00af11f5271db2b80f801f60376256af9c6e10d7a77d8b8382a940919b76678f09199f468e0b633f0c644b031a40c46b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
d6bc6cb7b22aebb28695062a70c94202

SHA1
6962938ec51335d98e79ddf9ee4f5afb2a4bb36e

SHA256
b68a3dd1015ac166f76ddd117095be46d5e763a66fb76c7db1b83c3377bea4fc

SHA512
eaf2630aa1e1210934fdcf9d72e3b47bbc27db6d6570057f519e9e3adb5610ee8689e58f0dae285f239ec21a2496ccbe6d5e57fe6a0194893f8e79b07e70d512

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
f172fe1cf0ecededb5cf29868978392e

SHA1
6f71112da4b8f2661a6ac9b2a8134127368a21f2

SHA256
badd3d169b559138b8fa4198a0daa4bab97acd3f2e0f7c453bc921d2bdc55bbc

SHA512
0f518be14d892ae666693ad73d1735c43fecfb5d2c89f7085cfebe2c975ae88b3f0ebb4ecc9b1666c5f0d0fe3c949f209cf3e78442031620eb0490d628521fe9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
452dbc865d2b24072badd9b2b3269760

SHA1
13cf4d1303502febc68e2be359cd1131f606edb8

SHA256
239adde7fd68e733f2b4f1d27c79d827909666656cc982a1569413d4e6f25829

SHA512
0de8ab1a906818bd86a76a557ab7f4d0864c2a94f18059dc0f639b5adfd375f32bcd4a9e3fe14476dba0b2c0377ba2804236824f0991fc91de0a229306599280

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d48a0c83b1f026204725c5ede2e60e29

SHA1
4c2ec3119081d8967642e211468cee6f892291ee

SHA256
29f5a463a6cf1ae65551653773a7e356f6edf3ce357cfe7d6009807e8ab8cb6e

SHA512
a462eeba6bbae09b0c017a1ae662cd325038a7cfd5a5e3c40b35e96b21481f90804b179bfdb0967394bb66addc51b701be184ff3bc17a9f592e43094f7ec0bb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fb32d8b3d6a527049a83546601558b65

SHA1
d0dbd8d486e478fb38e7934ad68bf864b28cd067

SHA256
2c818ab82dadeae673d04c81ef41fc67263ce09387fd9b429b37b9c318a6ca2b

SHA512
f061c638575fd9cef14f034b132a4b64ee1dff1a72457522877952049fde26d559283d2c11852344f06ba2fc457dc5cfa435689aae3b1a2d35fd1285881c1d87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
2bd089522b71dd2e6569cf4dbd69b222

SHA1
a2b4409d48376f611aa238341e60f4a19f9625f6

SHA256
147f6798ad4cbc68c2404f343db9a3cd4140c3a503233d9c5bf92be4500c6009

SHA512
359037169c91a500df98a13aae3194d1685ba503e6d9545d7473574cb38265821bb364f45b7138c1b81e087e73c8aca8b17837e6510a575571eb78735845152c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b0d0d02b-bb80-485c-bc56-1dacb308b615.tmp

Filesize
11KB

MD5
50946888df1f28e14cbd7501be8b3640

SHA1
20f08ff5e25de15c6b2c859b58086f5094bbd471

SHA256
a164bb0407892cfaf0c338fdc6b0444ecaecf26c62a6ae0550bf7ecf5c1b5547

SHA512
893c1dd7b8b5f4f2fcbdfcb1030dc5c162cdb326aad6186cb35bb602eaac7697052c13ddba9c1a5cf6f61146cc58945b6515d933f6a109254f81509d27af1201

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
b5fcb68c7979a292d40145d82219ff15

SHA1
429d34178882393fe30cb9ccda0961c104e72f07

SHA256
0c7bb3d27159280d7d4af1574650982bdeaaaa48d7834d0bfd75daec583096bf

SHA512
9c2ecd6cd9f292b6979798abdcd664f31996e7db78d3737df8b34d990a1f5297ee70e3c0beff18c51d5e4dcb03dbaf39641332050e29dba1424cbecdddd4ddcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d2642245b1e4572ba7d7cd13a0675bb8

SHA1
96456510884685146d3fa2e19202fd2035d64833

SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
7fa4eb6bd367e8c33bd5a8b1c488bc20

SHA1
5a488e36594be4756125618099f1ebd79c74ccde

SHA256
47ca9693aad5fd8b9b95aeac789341f252a0f6ece20b4592e62352b6489e12bf

SHA512
a92616986296f9e728174673993ae95f64239fafc631d19165f3f7c2bf689f6b9ca9776469246650ad313c1afce5c7bde2966604adb86e9b9a379abf96655cee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
445bd0c01600684052a299bf2b55ac6e

SHA1
26632dcf5ea83e1200dd7311ce847d82e1d3ea1c

SHA256
b4dd4ea4f4dc1fa01ffe1097ea762ee932fd35c7c90cdefbec4f482487e6a7e4

SHA512
b8f8bbb9737b6f8890aecbab4cab6425fa50f4d9da271f409af1a495334f55f14897bae4f4380e74c14e82119b6e4634e821473070eca77dc2dd2c9bf7b753b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
fa9f8803f32cdd5c34b995da02e4fc08

SHA1
3f3bf6dd77070ed08d90b6fe548f1875abb3a5de

SHA256
76d89ee654b4e8da1dd4e9ca97ca790ee630f9e22eabb2142cc6745ec091eb30

SHA512
68bfb9b25602b5235164d4d697e7ea57e071d8776266befa149a9e5411be4312b4448c536dfe4f779736cb8bdb2b7e280163b59a877942d73e667ac5f0681d18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
249B

MD5
c40bd8ca638dfbc17ba005def362c670

SHA1
91fb857f243f2d356491b6c63bc7aef93d6c8c21

SHA256
b9160841b65b8848ee446f7439af925c6f181eb35fdb6bd4583ac7bfa576c7cf

SHA512
e1683ba03fdda6f576d0f00d975b87e28d85cf6aee99a965b2e308106299659dfa1b5d812ecfb90bad1af19c348afc9536ec8e670225fb505526177c138541a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
de54df964483a78f4725b040f1c63e4a

SHA1
b3134aa37d3ab4ef9060d91997b74911998e7430

SHA256
752c23908ad1b72d4999c34af50347849df7bc3ed5092a21ce89fcedd1fb853c

SHA512
5bc3e48e94529be1a8f2222e3fb98f3a9078f8d686bd42d907f2f5229a8bebcffbf720b6dd7bb754b195ae137175330ba4b3efcc7cfc00efb425b1b482777646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
25f719cce08151e1201da8bdd94c3b61

SHA1
baf5fef0cd78ba956fce1daa2a2bcb1cf83eeca6

SHA256
66ca7a1439adf76d92488c54657e7edeef2f5601a6b5672f27ef5121e95b0585

SHA512
bddaebafdd02de093c890a8706dc74895e31c880d28e32970a8efee1cb5252d1847635965f8db3b0cff60bb30e49cd89b2b61fcb911eaabbd794a998e0d91502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8422c607f110bcf64a5fb7e16cdfc450

SHA1
c8e97c4e50b4174bad91b4589229b8ec161c9832

SHA256
afb49093a9c884bef1c6bb194451af9f8f08db0fb75e72f110e22882a0b6191b

SHA512
dbf783950d17e6fa30a8216285c3a7ec50b8010afc65af6727da674eeeb4103fd536dc320cfb946dc960f99fb5c2b2cfe72f448ce40cee2b65878da5b3411919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
130644a5f79b27202a13879460f2c31a

SHA1
29e213847a017531e849139c7449bce6b39cb2fa

SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7382c5f18d33f7d6d53d83a8ee4f407b

SHA1
545accc1c6d0cb3eb834430c6e56b4c0a0cfd04d

SHA256
e4f9fee3e739fd86ac83d2b2d0c3e834e03152998544a604353cff586251c8cf

SHA512
425d6e6dfc2fc361bdab13997897b3ae2651868eb1b4dbdd42d1e8a72ac4ae602e5a8c9638e98207c5e2ab31c7c4e7bece4c20cb91a744561926a066f4621d54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
9228ab70837ad6fda2e19c8227f0f3fa

SHA1
3493e7d044f1ec3de2519bf953b5810e34778040

SHA256
738f7ef4eba1ac33da41a601c1c0de9fcab2dcc763e3d9edd588ed14af7ac871

SHA512
ee84be2ba810571b8e309b8ddabd866c944c18ba930fea37d4a9d4c07d4f4743523f5d822ce6532faa5c9fc72e061d6522f37107c65b5c4791f5f92640f50507

Download Submit
C:\Users\Admin\AppData\Local\Temp\1uaawnpc.dzu\handdiy_3.exe

Filesize
1.4MB

MD5
1bb6d985b8842b3d23d10b96e9c85afb

SHA1
c6328a00f7f0f4003888704828de1f371dde7b92

SHA256
a29e436e7e209a545f314516f58fef84718871270da8b5c4aede7048b8ee0c31

SHA512
5b13ec6d5ebfda08780f58e5e5c5d6853c5f45d4bd86bb06023c727cd64fb8263c3b2f1d7b0a7f23fb0fdb357b8d546037b793cc549453d5f305074c0a451f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1uaawnpc.dzu\handdiy_3.exe

Filesize
1.4MB

MD5
1bb6d985b8842b3d23d10b96e9c85afb

SHA1
c6328a00f7f0f4003888704828de1f371dde7b92

SHA256
a29e436e7e209a545f314516f58fef84718871270da8b5c4aede7048b8ee0c31

SHA512
5b13ec6d5ebfda08780f58e5e5c5d6853c5f45d4bd86bb06023c727cd64fb8263c3b2f1d7b0a7f23fb0fdb357b8d546037b793cc549453d5f305074c0a451f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1-71bb7-c25-aa097-4e76bddba6525\Mifyxyfijo.exe

Filesize
399KB

MD5
1e8e3939ec32c19b2031d50cc9875084

SHA1
83cc7708448c52f5c184cc329fa11f4cfe9c2823

SHA256
5988245cd9d0c40bcb12155b966cb8ddd86da1107bca456341de5bd5fb560808

SHA512
0d3ad7c0865e421fad34e27a47108fdc9e359f8603c4c01f6d789d3ead6e6ac5815f979301870f8157fedaf8178ed34873fbff807807d46698249f098fc78caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1-71bb7-c25-aa097-4e76bddba6525\Mifyxyfijo.exe

Filesize
399KB

MD5
1e8e3939ec32c19b2031d50cc9875084

SHA1
83cc7708448c52f5c184cc329fa11f4cfe9c2823

SHA256
5988245cd9d0c40bcb12155b966cb8ddd86da1107bca456341de5bd5fb560808

SHA512
0d3ad7c0865e421fad34e27a47108fdc9e359f8603c4c01f6d789d3ead6e6ac5815f979301870f8157fedaf8178ed34873fbff807807d46698249f098fc78caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1-71bb7-c25-aa097-4e76bddba6525\Mifyxyfijo.exe

Filesize
399KB

MD5
1e8e3939ec32c19b2031d50cc9875084

SHA1
83cc7708448c52f5c184cc329fa11f4cfe9c2823

SHA256
5988245cd9d0c40bcb12155b966cb8ddd86da1107bca456341de5bd5fb560808

SHA512
0d3ad7c0865e421fad34e27a47108fdc9e359f8603c4c01f6d789d3ead6e6ac5815f979301870f8157fedaf8178ed34873fbff807807d46698249f098fc78caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1-71bb7-c25-aa097-4e76bddba6525\Mifyxyfijo.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
76c3dbb1e9fea62090cdf53dadcbe28e

SHA1
d44b32d04adc810c6df258be85dc6b62bd48a307

SHA256
556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860

SHA512
de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed-7ec63-917-0769a-d9e5d36818afb\Kenessey.txt

Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed-7ec63-917-0769a-d9e5d36818afb\Mifyxyfijo.exe

Filesize
463KB

MD5
fba3b4b12a0c6c9924132b149147a0a2

SHA1
a776068968a89ff9503e794e4ab0c04bbee6e5f6

SHA256
7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890

SHA512
a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed-7ec63-917-0769a-d9e5d36818afb\Mifyxyfijo.exe

Filesize
463KB

MD5
fba3b4b12a0c6c9924132b149147a0a2

SHA1
a776068968a89ff9503e794e4ab0c04bbee6e5f6

SHA256
7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890

SHA512
a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed-7ec63-917-0769a-d9e5d36818afb\Mifyxyfijo.exe

Filesize
463KB

MD5
fba3b4b12a0c6c9924132b149147a0a2

SHA1
a776068968a89ff9503e794e4ab0c04bbee6e5f6

SHA256
7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890

SHA512
a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed-7ec63-917-0769a-d9e5d36818afb\Mifyxyfijo.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AAKED.tmp\fITNESS.exe

Filesize
582KB

MD5
f6c312d7bc53140df83864221e8ebee1

SHA1
da7ad1f5fa18bf00c3352cb510554b061bbfe04f

SHA256
e119a3b5fcb628740e8313a44d312296fd03771d9ed727b10b58aae29192a2db

SHA512
38c9d9b32fd1ee096f23ee62b5e64cc962f21a85d07ea32860d45d5e8249474d28239238a635cf69db30fd3f035c7c93dcce264a9e8288dbef70ffe2a493922a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AAKED.tmp\fITNESS.exe

Filesize
582KB

MD5
f6c312d7bc53140df83864221e8ebee1

SHA1
da7ad1f5fa18bf00c3352cb510554b061bbfe04f

SHA256
e119a3b5fcb628740e8313a44d312296fd03771d9ed727b10b58aae29192a2db

SHA512
38c9d9b32fd1ee096f23ee62b5e64cc962f21a85d07ea32860d45d5e8249474d28239238a635cf69db30fd3f035c7c93dcce264a9e8288dbef70ffe2a493922a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AAKED.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HONO7.tmp\file.tmp

Filesize
1.0MB

MD5
cc646fa6fa6af2fbc50f37cfbd67da29

SHA1
7516d944830c012d8663439e9fe6515de6ce6d1c

SHA256
7833d6629388d8b2f5b2e47fcf263e48a61f8147cb68b573f8103802cdcbf9c6

SHA512
0cd1740d89d7f09812fa7926a4f0aadff45e7608173bff05c9e8940ebf0d29e7c670c345164d6ee718a01c57cd8eae6c97fb6c07d9dd2cb983133084d05d4cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\manzjvn3.kkm\chenp.exe

Filesize
312KB

MD5
dc719929115e50ed4383bcc7f7182be3

SHA1
562e69bdf814c156872fd6ad6a3d0116b0304516

SHA256
5b0708551a5c3cf9932c8aea5e890e3f2abe7b7b5911cefebc6155d20692e365

SHA512
34b1dda47ff7a20052f582f4874dc35f4e768558baf8727419d5f91ec2f8c6e28d2a6bc0253975e6bac5d45edfa1edd09aabc5339d2caade73418b73096b9404

Download Submit
C:\Users\Admin\AppData\Local\Temp\manzjvn3.kkm\chenp.exe

Filesize
312KB

MD5
dc719929115e50ed4383bcc7f7182be3

SHA1
562e69bdf814c156872fd6ad6a3d0116b0304516

SHA256
5b0708551a5c3cf9932c8aea5e890e3f2abe7b7b5911cefebc6155d20692e365

SHA512
34b1dda47ff7a20052f582f4874dc35f4e768558baf8727419d5f91ec2f8c6e28d2a6bc0253975e6bac5d45edfa1edd09aabc5339d2caade73418b73096b9404

Download Submit
C:\Users\Admin\AppData\Local\Temp\manzjvn3.kkm\chenp.exe

Filesize
312KB

MD5
dc719929115e50ed4383bcc7f7182be3

SHA1
562e69bdf814c156872fd6ad6a3d0116b0304516

SHA256
5b0708551a5c3cf9932c8aea5e890e3f2abe7b7b5911cefebc6155d20692e365

SHA512
34b1dda47ff7a20052f582f4874dc35f4e768558baf8727419d5f91ec2f8c6e28d2a6bc0253975e6bac5d45edfa1edd09aabc5339d2caade73418b73096b9404

Download Submit
C:\Users\Admin\AppData\Local\Temp\wewg0yy3.evl\gcleaner.exe

Filesize
282KB

MD5
bae2fda3079bd3e78c36218b5c81ef6d

SHA1
140b6bdab3108ae6002d939f98523ee535d67409

SHA256
8477758adafcbd2f292d6a1cf38b8a61e3606eea86e9930d1e347353e26f142b

SHA512
212d08fafb3d517ae8165add85ef54ef36274d80c81010d3410fb9fb2c48719881cb86489e7bc8a107bd77c389f209c78129d585cd05919272c69b081b7fcbcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wewg0yy3.evl\gcleaner.exe

Filesize
282KB

MD5
bae2fda3079bd3e78c36218b5c81ef6d

SHA1
140b6bdab3108ae6002d939f98523ee535d67409

SHA256
8477758adafcbd2f292d6a1cf38b8a61e3606eea86e9930d1e347353e26f142b

SHA512
212d08fafb3d517ae8165add85ef54ef36274d80c81010d3410fb9fb2c48719881cb86489e7bc8a107bd77c389f209c78129d585cd05919272c69b081b7fcbcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
0a5883d92962bef047327e888b6054ee

SHA1
ed22e8e446d93be2f85985e03a0edd0334637655

SHA256
16db29b1a6912c2fcc02be394e4084a0f0eb485d29393d41b64ec99ab44b21ac

SHA512
78863981224b56de1f07d1b571fa466158bf7a1846de2690021f4d1bc04cc09767554250a9ffaee490279acadec592d1eb48d27e7de407690e44312bf2fd0408

Download Submit
memory/1384-196-0x000000001AFD0000-0x000000001AFD8000-memory.dmp

Filesize
32KB

Download
memory/1384-195-0x000000001BE60000-0x000000001BEFC000-memory.dmp

Filesize
624KB

Download
memory/1384-192-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/1384-193-0x000000001AF40000-0x000000001AFA6000-memory.dmp

Filesize
408KB

Download
memory/1384-394-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/1384-376-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/1384-194-0x000000001B7A0000-0x000000001BC6E000-memory.dmp

Filesize
4.8MB

Download
memory/1384-189-0x0000000000170000-0x00000000001EA000-memory.dmp

Filesize
488KB

Download
memory/1384-197-0x000000001D5A0000-0x000000001D5FE000-memory.dmp

Filesize
376KB

Download
memory/1384-198-0x000000001DFF0000-0x000000001E2FE000-memory.dmp

Filesize
3.1MB

Download
memory/1384-199-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/1384-205-0x0000000020570000-0x00000000205D2000-memory.dmp

Filesize
392KB

Download
memory/2156-375-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/2156-191-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/2156-190-0x0000000000480000-0x00000000004EA000-memory.dmp

Filesize
424KB

Download
memory/3152-422-0x00007FF9739E0000-0x00007FF9739E1000-memory.dmp

Filesize
4KB

Download
memory/3612-186-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3612-151-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4280-152-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/4280-150-0x0000000000230000-0x00000000002C6000-memory.dmp

Filesize
600KB

Download
memory/4560-188-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4560-133-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4828-690-0x0000018BD54F0000-0x0000018BD54F1000-memory.dmp

Filesize
4KB

Download
memory/4828-696-0x0000018BD54F0000-0x0000018BD54F1000-memory.dmp

Filesize
4KB

Download
memory/4828-700-0x0000018BD54F0000-0x0000018BD54F1000-memory.dmp

Filesize
4KB

Download
memory/4828-702-0x0000018BD54F0000-0x0000018BD54F1000-memory.dmp

Filesize
4KB

Download
memory/4828-701-0x0000018BD54F0000-0x0000018BD54F1000-memory.dmp

Filesize
4KB

Download
memory/4828-698-0x0000018BD54F0000-0x0000018BD54F1000-memory.dmp

Filesize
4KB

Download
memory/4828-699-0x0000018BD54F0000-0x0000018BD54F1000-memory.dmp

Filesize
4KB

Download
memory/4828-691-0x0000018BD54F0000-0x0000018BD54F1000-memory.dmp

Filesize
4KB

Download
memory/4828-692-0x0000018BD54F0000-0x0000018BD54F1000-memory.dmp

Filesize
4KB

Download
memory/4828-697-0x0000018BD54F0000-0x0000018BD54F1000-memory.dmp

Filesize
4KB

Download
memory/5128-425-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/5128-405-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/5128-217-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/5664-233-0x00007FF9739E0000-0x00007FF9739E1000-memory.dmp

Filesize
4KB

Download
memory/6104-492-0x00007FF9739F0000-0x00007FF9739F1000-memory.dmp

Filesize
4KB

Download
memory/6104-491-0x00007FF9733F0000-0x00007FF9733F1000-memory.dmp

Filesize
4KB

Download