fabookie | fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2023 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e.exe
Size

932KB
MD5

364e0486f9f1cbb9ce6ce7fe35914436
SHA1

36fd6cfb15550b60a220f807746a4185f8715fef
SHA256

fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e
SHA512

a97bc21f5057d08244219f8857c3bf93ef5d648fc61605d125abba1a96f38e73dab6b9e5d687107c64335328ae971fb24de00dc32e4ce7cfe1838b5bb87c711e
SSDEEP

12288:lMrny90XWkzXKyO80vPg5mxnmWbSsdrpvCnv92jdOm5jcga0il3RYKD15V+idNil:eykzX5ivamxnVbt9g928Sa0a3V8l

Malware Config

Extracted

Family

redline

Botnet

nanya

77.91.124.82:19071

Attributes

auth_value
640aa5afe54f566d8795f0dc723f8b52

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

fabookie

http://app.nnnaajjjgc.com/check/safe

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2116-361-0x0000000002F30000-0x0000000003061000-memory.dmp	family_fabookie

Detect rhadamanthys stealer shellcode 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4288-578-0x0000000002CF0000-0x00000000030F0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4288-579-0x0000000002CF0000-0x00000000030F0000-memory.dmp	family_rhadamanthys

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4484-28-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3168-639-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4520-41-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral1/memory/4820-301-0x0000000000510000-0x00000000006E8000-memory.dmp	family_redline
behavioral1/memory/4980-302-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral1/memory/4820-322-0x0000000000510000-0x00000000006E8000-memory.dmp	family_redline
behavioral1/memory/492-362-0x0000000000560000-0x00000000005BA000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

15B6.exe

description pid process target process

PID 4288 created 3160 4288 15B6.exe Explorer.EXE
Downloads MZ/PE file

description	pid	process	target process
PID 4288 created 3160	4288	15B6.exe	Explorer.EXE

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F4AD.exekos1.exekos.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	F4AD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	kos1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	kos.exe

Executes dropped EXE 31 IoCs

Processes:

v4092387.exev6306347.exev7935400.exea0921377.exeb8693880.exec7812629.exed2588345.exee7618196.exewtwvhsbF4AD.exess41.exetoolspub2.exepreviewer.exe31839b57a4f11171d6abc8bbc4451ee4.exekos1.exeFF3E.exe3E2.exeset16.exekos.exeis-8TS9F.tmp15B6.exepreviewer.exe15B6.exetoolspub2.exeald]W(x.exe15v(T4l3C.exeald]W(x.exe15v(T4l3C.exeald]W(x.exeald]W(x.exe

pid	process
2132	v4092387.exe
3972	v6306347.exe
4964	v7935400.exe
456	a0921377.exe
3992	b8693880.exe
2696	c7812629.exe
1644	d2588345.exe
4744	e7618196.exe
4836	wtwvhsb
3316	F4AD.exe
2116	ss41.exe
3200	toolspub2.exe
1072	previewer.exe
3168	31839b57a4f11171d6abc8bbc4451ee4.exe
4816	kos1.exe
4820	FF3E.exe
492	3E2.exe
1540	set16.exe
5152	kos.exe
5244	is-8TS9F.tmp
5496	15B6.exe
5124	previewer.exe
4288	15B6.exe
1072	previewer.exe
3488	toolspub2.exe
1608	ald]W(x.exe
5720	15v(T4l3C.exe
5884	ald]W(x.exe
3156	15v(T4l3C.exe
3028	ald]W(x.exe
1292	ald]W(x.exe

Loads dropped DLL 3 IoCs

Processes:

is-8TS9F.tmp

pid process

5244 is-8TS9F.tmp
5244 is-8TS9F.tmp
5244 is-8TS9F.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
5244	is-8TS9F.tmp
5244	is-8TS9F.tmp
5244	is-8TS9F.tmp

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e.exev4092387.exev6306347.exev7935400.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4092387.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6306347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7935400.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 12 IoCs

Processes:

a0921377.exeb8693880.exec7812629.exed2588345.exeFF3E.exepreviewer.exe15B6.exetoolspub2.exeaspnet_compiler.exeald]W(x.exe15v(T4l3C.exeald]W(x.exe

description	pid	process	target process
PID 456 set thread context of 4484	456	a0921377.exe	AppLaunch.exe
PID 3992 set thread context of 4556	3992	b8693880.exe	AppLaunch.exe
PID 2696 set thread context of 4520	2696	c7812629.exe	AppLaunch.exe
PID 1644 set thread context of 3468	1644	d2588345.exe	AppLaunch.exe
PID 4820 set thread context of 4980	4820	FF3E.exe	vbc.exe
PID 1072 set thread context of 5208	1072	previewer.exe	aspnet_compiler.exe
PID 5496 set thread context of 4288	5496	15B6.exe	15B6.exe
PID 3200 set thread context of 3488	3200	toolspub2.exe	toolspub2.exe
PID 5208 set thread context of 3548	5208	aspnet_compiler.exe	AddInProcess.exe
PID 1608 set thread context of 5884	1608	ald]W(x.exe	ald]W(x.exe
PID 5720 set thread context of 3156	5720	15v(T4l3C.exe	15v(T4l3C.exe
PID 3028 set thread context of 1292	3028	ald]W(x.exe	ald]W(x.exe

Drops file in Program Files directory 7 IoCs

Processes:

is-8TS9F.tmp

description	ioc	process
File created	C:\Program Files (x86)\PA Previewer\is-T13SG.tmp	is-8TS9F.tmp
File created	C:\Program Files (x86)\PA Previewer\is-SE7V7.tmp	is-8TS9F.tmp
File created	C:\Program Files (x86)\PA Previewer\is-ORAO3.tmp	is-8TS9F.tmp
File created	C:\Program Files (x86)\PA Previewer\is-H98CK.tmp	is-8TS9F.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-8TS9F.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-8TS9F.tmp
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-8TS9F.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2940	456	WerFault.exe	a0921377.exe
2872	3992	WerFault.exe	b8693880.exe
4620	4556	WerFault.exe	AppLaunch.exe
2420	2696	WerFault.exe	c7812629.exe
528	1644	WerFault.exe	d2588345.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe15v(T4l3C.exetoolspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	15v(T4l3C.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	15v(T4l3C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	15v(T4l3C.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exeAppLaunch.exeExplorer.EXE

pid	process
4484	AppLaunch.exe
4484	AppLaunch.exe
3468	AppLaunch.exe
3468	AppLaunch.exe
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3160 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

676
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

AppLaunch.exetoolspub2.exe

pid process

3468 AppLaunch.exe
3488 toolspub2.exe

pid	process
3160	Explorer.EXE

pid	process
676

pid	process
3468	AppLaunch.exe
3488	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exeExplorer.EXEpreviewer.exekos.exe15B6.exepreviewer.exeaspnet_compiler.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4484	AppLaunch.exe
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeDebugPrivilege	1072	previewer.exe
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeDebugPrivilege	5152	kos.exe
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeDebugPrivilege	5496	15B6.exe
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeDebugPrivilege	5124	previewer.exe
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeDebugPrivilege	5208	aspnet_compiler.exe
Token: SeDebugPrivilege	1072	previewer.exe
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeDebugPrivilege	4980	vbc.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

msedge.exeAddInProcess.exe

pid	process
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
3548	AddInProcess.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3160 Explorer.EXE

pid	process
3160	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e.exev4092387.exev6306347.exev7935400.exea0921377.exeb8693880.exec7812629.exed2588345.exeExplorer.EXEcmd.exemsedge.exe

description	pid	process	target process
PID 4628 wrote to memory of 2132	4628	fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e.exe	v4092387.exe
PID 4628 wrote to memory of 2132	4628	fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e.exe	v4092387.exe
PID 4628 wrote to memory of 2132	4628	fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e.exe	v4092387.exe
PID 2132 wrote to memory of 3972	2132	v4092387.exe	v6306347.exe
PID 2132 wrote to memory of 3972	2132	v4092387.exe	v6306347.exe
PID 2132 wrote to memory of 3972	2132	v4092387.exe	v6306347.exe
PID 3972 wrote to memory of 4964	3972	v6306347.exe	v7935400.exe
PID 3972 wrote to memory of 4964	3972	v6306347.exe	v7935400.exe
PID 3972 wrote to memory of 4964	3972	v6306347.exe	v7935400.exe
PID 4964 wrote to memory of 456	4964	v7935400.exe	a0921377.exe
PID 4964 wrote to memory of 456	4964	v7935400.exe	a0921377.exe
PID 4964 wrote to memory of 456	4964	v7935400.exe	a0921377.exe
PID 456 wrote to memory of 4484	456	a0921377.exe	AppLaunch.exe
PID 456 wrote to memory of 4484	456	a0921377.exe	AppLaunch.exe
PID 456 wrote to memory of 4484	456	a0921377.exe	AppLaunch.exe
PID 456 wrote to memory of 4484	456	a0921377.exe	AppLaunch.exe
PID 456 wrote to memory of 4484	456	a0921377.exe	AppLaunch.exe
PID 456 wrote to memory of 4484	456	a0921377.exe	AppLaunch.exe
PID 456 wrote to memory of 4484	456	a0921377.exe	AppLaunch.exe
PID 456 wrote to memory of 4484	456	a0921377.exe	AppLaunch.exe
PID 4964 wrote to memory of 3992	4964	v7935400.exe	b8693880.exe
PID 4964 wrote to memory of 3992	4964	v7935400.exe	b8693880.exe
PID 4964 wrote to memory of 3992	4964	v7935400.exe	b8693880.exe
PID 3992 wrote to memory of 3544	3992	b8693880.exe	AppLaunch.exe
PID 3992 wrote to memory of 3544	3992	b8693880.exe	AppLaunch.exe
PID 3992 wrote to memory of 3544	3992	b8693880.exe	AppLaunch.exe
PID 3992 wrote to memory of 4556	3992	b8693880.exe	AppLaunch.exe
PID 3992 wrote to memory of 4556	3992	b8693880.exe	AppLaunch.exe
PID 3992 wrote to memory of 4556	3992	b8693880.exe	AppLaunch.exe
PID 3992 wrote to memory of 4556	3992	b8693880.exe	AppLaunch.exe
PID 3992 wrote to memory of 4556	3992	b8693880.exe	AppLaunch.exe
PID 3992 wrote to memory of 4556	3992	b8693880.exe	AppLaunch.exe
PID 3992 wrote to memory of 4556	3992	b8693880.exe	AppLaunch.exe
PID 3992 wrote to memory of 4556	3992	b8693880.exe	AppLaunch.exe
PID 3992 wrote to memory of 4556	3992	b8693880.exe	AppLaunch.exe
PID 3992 wrote to memory of 4556	3992	b8693880.exe	AppLaunch.exe
PID 3972 wrote to memory of 2696	3972	v6306347.exe	c7812629.exe
PID 3972 wrote to memory of 2696	3972	v6306347.exe	c7812629.exe
PID 3972 wrote to memory of 2696	3972	v6306347.exe	c7812629.exe
PID 2696 wrote to memory of 4520	2696	c7812629.exe	AppLaunch.exe
PID 2696 wrote to memory of 4520	2696	c7812629.exe	AppLaunch.exe
PID 2696 wrote to memory of 4520	2696	c7812629.exe	AppLaunch.exe
PID 2696 wrote to memory of 4520	2696	c7812629.exe	AppLaunch.exe
PID 2696 wrote to memory of 4520	2696	c7812629.exe	AppLaunch.exe
PID 2696 wrote to memory of 4520	2696	c7812629.exe	AppLaunch.exe
PID 2696 wrote to memory of 4520	2696	c7812629.exe	AppLaunch.exe
PID 2696 wrote to memory of 4520	2696	c7812629.exe	AppLaunch.exe
PID 2132 wrote to memory of 1644	2132	v4092387.exe	d2588345.exe
PID 2132 wrote to memory of 1644	2132	v4092387.exe	d2588345.exe
PID 2132 wrote to memory of 1644	2132	v4092387.exe	d2588345.exe
PID 1644 wrote to memory of 3468	1644	d2588345.exe	AppLaunch.exe
PID 1644 wrote to memory of 3468	1644	d2588345.exe	AppLaunch.exe
PID 1644 wrote to memory of 3468	1644	d2588345.exe	AppLaunch.exe
PID 1644 wrote to memory of 3468	1644	d2588345.exe	AppLaunch.exe
PID 1644 wrote to memory of 3468	1644	d2588345.exe	AppLaunch.exe
PID 1644 wrote to memory of 3468	1644	d2588345.exe	AppLaunch.exe
PID 4628 wrote to memory of 4744	4628	fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e.exe	e7618196.exe
PID 4628 wrote to memory of 4744	4628	fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e.exe	e7618196.exe
PID 4628 wrote to memory of 4744	4628	fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e.exe	e7618196.exe
PID 3160 wrote to memory of 980	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 980	3160	Explorer.EXE	cmd.exe
PID 980 wrote to memory of 3596	980	cmd.exe	msedge.exe
PID 980 wrote to memory of 3596	980	cmd.exe	msedge.exe
PID 3596 wrote to memory of 4492	3596	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e.exe
"C:\Users\Admin\AppData\Local\Temp\fa923e64f39dd2c03b0b56a1c282ab7b7e6ce9383dda080ca2af06c3fe67972e.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4628

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4092387.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4092387.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6306347.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6306347.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7935400.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7935400.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0921377.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0921377.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 552
7⤵
- Program crash
PID:2940

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8693880.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8693880.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 540
8⤵
- Program crash
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 204
7⤵
- Program crash
PID:2872

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7812629.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7812629.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 552
6⤵
- Program crash
PID:2420

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2588345.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2588345.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 552
5⤵
- Program crash
PID:528

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7618196.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7618196.exe
3⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E951.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
3⤵
- Suspicious use of WriteProcessMemory
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb5fc746f8,0x7ffb5fc74708,0x7ffb5fc74718
4⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,4483272061630349674,3368240785437033062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
4⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4483272061630349674,3368240785437033062,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
4⤵
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3404 /prefetch:8
4⤵
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3388 /prefetch:3
4⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3216 /prefetch:2
4⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
4⤵
PID:564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
4⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
4⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
4⤵
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
4⤵
PID:5572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
4⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
4⤵
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
4⤵
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
4⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
4⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
4⤵
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
4⤵
PID:5512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
4⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
4⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,17960697852681851854,4044237374765215355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
4⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\F4AD.exe
C:\Users\Admin\AppData\Local\Temp\F4AD.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3316

C:\Users\Admin\AppData\Local\Temp\ss41.exe
"C:\Users\Admin\AppData\Local\Temp\ss41.exe"
3⤵
- Executes dropped EXE
PID:2116

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3200

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3488

C:\Users\Admin\AppData\Local\Temp\kos1.exe
"C:\Users\Admin\AppData\Local\Temp\kos1.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:4816

C:\Users\Admin\AppData\Local\Temp\set16.exe
"C:\Users\Admin\AppData\Local\Temp\set16.exe"
4⤵
- Executes dropped EXE
PID:1540

C:\Users\Admin\AppData\Local\Temp\is-Q3S98.tmp\is-8TS9F.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q3S98.tmp\is-8TS9F.tmp" /SL4 $80118 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:5244

C:\Users\Admin\AppData\Local\Temp\kos.exe
"C:\Users\Admin\AppData\Local\Temp\kos.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
PID:3168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:5772

C:\Users\Admin\AppData\Local\Temp\FF3E.exe
C:\Users\Admin\AppData\Local\Temp\FF3E.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Users\Admin\AppData\Local\Temp\F99F.exe
C:\Users\Admin\AppData\Local\Temp\F99F.exe
2⤵
PID:1072

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5208

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RBvfugTGdvfZCHCgvSoHZdsYt2u1JwYhUP.RIG_CPU -p x --cpu-max-threads-hint=50
4⤵
- Suspicious use of FindShellTrayWindow
PID:3548

C:\Users\Admin\AppData\Local\Temp\3E2.exe
C:\Users\Admin\AppData\Local\Temp\3E2.exe
2⤵
- Executes dropped EXE
PID:492

C:\Users\Admin\AppData\Local\Temp\15B6.exe
C:\Users\Admin\AppData\Local\Temp\15B6.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5496

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 456 -ip 456
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3992 -ip 3992
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4556 -ip 4556
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2696 -ip 2696
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1644 -ip 1644
1⤵
PID:4560

C:\Users\Admin\AppData\Roaming\wtwvhsb
C:\Users\Admin\AppData\Roaming\wtwvhsb
1⤵
- Executes dropped EXE
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb5fc746f8,0x7ffb5fc74708,0x7ffb5fc74718
1⤵
PID:5048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
1⤵
PID:5168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
2⤵
PID:5696

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -i
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5124

C:\Users\Admin\AppData\Local\Temp\15B6.exe
C:\Users\Admin\AppData\Local\Temp\15B6.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:4288

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -s
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Users\Admin\AppData\Local\Microsoft\ald]W(x.exe
"C:\Users\Admin\AppData\Local\Microsoft\ald]W(x.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1608

C:\Users\Admin\AppData\Local\Microsoft\ald]W(x.exe
C:\Users\Admin\AppData\Local\Microsoft\ald]W(x.exe
2⤵
- Executes dropped EXE
PID:5884

C:\Users\Admin\AppData\Local\Microsoft\ald]W(x.exe
"C:\Users\Admin\AppData\Local\Microsoft\ald]W(x.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3028

C:\Users\Admin\AppData\Local\Microsoft\ald]W(x.exe
C:\Users\Admin\AppData\Local\Microsoft\ald]W(x.exe
4⤵
- Executes dropped EXE
PID:1292

C:\Users\Admin\AppData\Local\Microsoft\15v(T4l3C.exe
"C:\Users\Admin\AppData\Local\Microsoft\15v(T4l3C.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5720

C:\Users\Admin\AppData\Local\Microsoft\15v(T4l3C.exe
C:\Users\Admin\AppData\Local\Microsoft\15v(T4l3C.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0987267c265b2de204ac19d29250d6cd

SHA1
247b7b1e917d9ad2aa903a497758ae75ae145692

SHA256
474887e5292c0cf7d5ed52e3bcd255eedd5347f6f811200080c4b5d813886264

SHA512
3b272b8c8d4772e1a4dc68d17a850439ffdd72a6f6b1306eafa18b810b103f3198af2c58d6ed92a1f3c498430c1b351e9f5c114ea5776b65629b1360f7ad13f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
4207aa321a7eac8788dcbbd5b03f2da0

SHA1
f7cd503898c4c189a5566c1e6386d21f062afdfe

SHA256
eac634d05bb8b6570a668b2c45f2254ce1f85e416aea60c9698e2b0363a3a93c

SHA512
2f00bd6e47e462c71c3e01084f578a94770c2c8c764a397c373c02a1317d5271ecdb3d7f641386b8ba7ea3133a78bcb0434bcf7adfbf8ba2d3116cbb9a0e9bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
821B

MD5
b56be80d1af70697abf8a9b071521949

SHA1
4b978213a167f0f19125caa873847d8191476b4a

SHA256
cd6b165fba7a5d747efc50f94e9d0c8aea32b88584b9971657b7bd3bbda21732

SHA512
412748eae6e4b87399486d84ffd2b6810c601118754f2cedd8f86e8bffae04b3f56845183b94a3fde176ce5816c86d658ab01aa5969dc012483b02c74b276ddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a24dd52b845f1dfd4daabcab06ea81f5

SHA1
d3089ba62fa162e14819f1f9e2ac3e618b44f5c5

SHA256
5cb7c76409251d004c890d91dd90dc572ea865298819a789e4a9578fec8baefc

SHA512
f8f9ff30691d242abb8796518375ebf257248ddf29e7f1d48e9cc5b18e3a7554641637d9ec2b5b836a3a382b285ba0016212b83a953742c8c86485fb7c71430c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
da0573d8348ae6c6809a11f436675907

SHA1
577515ecaa4e9420e33bf90edd7a7310c6d5d2a8

SHA256
b92bc9c63b43f159ec46abb38db852940156784d4fe2583ebc6be4f325a02bd8

SHA512
cd6085c6cb6e9c1d1031d99e0539150412c6fc1ba4cbd887c572261dabc3c27334caa0e70001143c8bcca78302b0d1dcf70591df8ae7788e45501f93746ab238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8af7ac07db4e6e1d914ab515af19cced

SHA1
0e74a96766268c93f745154eb8103768d82060c6

SHA256
caa6dd859803c7f0b87ac6e8c476ec40cc40af0082673535630b93cda0cb6c58

SHA512
f5a108691b226f71be61d881ff5d17bf967d6b253859e3ac9e482791cf8d26b906d458f3747fa504d296324d07788ef6d9c02390d0402b43ddcf804d2cf4bd60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ac1d0471a91cedf5c34b7e584883dcd6

SHA1
755466ee0171ae8bbaef362a50989617c5281514

SHA256
456974f18d37871ecf326434d52830d6851f3bbff680c824be83ae99375f9157

SHA512
7c92292d32836d3f6d59ea02bef8696082ff4e94d2e3cba7921ae9b5c7d6dfc34d4282d8e96ecff8dd1f22fb45d821b2bf899aa5e6fdfa74b3143a2bdb709cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f962cfe2dbce22b9d1c9e75408d49010

SHA1
e72d613a0cb11f0904f542e02d595da3c0ddbfa9

SHA256
cc4eb59b28d5bb5bc845c08cbc40057898e639fde09f9686a4f17dc41625c047

SHA512
3f0cc913d7b41be6e8c105868d882b8d910a5f3dd45d805cff914a62e2b55d08f57b40561e425920065aea8c68bb6266b7eceddb9662b7bd6bec8477e8b5519d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
0c2b40bf3a8b5d1e7b190dbfa8d33dee

SHA1
4fa6a08893b9a5ac388c6851c63200df28fb8a52

SHA256
6e69e7b7a2435ea60f88542127b4f8c3b13d03a6d59f8d632269e46efb9f9f4a

SHA512
5a39b0ffa0dfd83a9089bbc40eb5d4e0c0772cff3225d9e9a5556895da42a1ad75c6f879b83b1703a4c9db22a284b0422e44564e290a17490e2969d53d03b62a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ab4b5b85c3ff924c633e37e3010771ba

SHA1
0247e41674c04ae319422825682e0d9b7c015d42

SHA256
96e50edd7a4bf5c5e8660bb519cc9e06553be1152eb69a2de0c87b99c92c9d52

SHA512
3c2cc5a86e9cb0377e2c05261dd18fa34adaa43e5a30417852aca5b2f9d25b39a4a4f151892282651a59b491afd3779159d59cdf3181974adc7b9b7344f7db63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ab4b5b85c3ff924c633e37e3010771ba

SHA1
0247e41674c04ae319422825682e0d9b7c015d42

SHA256
96e50edd7a4bf5c5e8660bb519cc9e06553be1152eb69a2de0c87b99c92c9d52

SHA512
3c2cc5a86e9cb0377e2c05261dd18fa34adaa43e5a30417852aca5b2f9d25b39a4a4f151892282651a59b491afd3779159d59cdf3181974adc7b9b7344f7db63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
0c2b40bf3a8b5d1e7b190dbfa8d33dee

SHA1
4fa6a08893b9a5ac388c6851c63200df28fb8a52

SHA256
6e69e7b7a2435ea60f88542127b4f8c3b13d03a6d59f8d632269e46efb9f9f4a

SHA512
5a39b0ffa0dfd83a9089bbc40eb5d4e0c0772cff3225d9e9a5556895da42a1ad75c6f879b83b1703a4c9db22a284b0422e44564e290a17490e2969d53d03b62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\15B6.exe

Filesize
1.9MB

MD5
1b87684768db892932be3f0661c54251

SHA1
e5acdb93f6eb75656c9a8242e21b01bf978dc7cf

SHA256
65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636

SHA512
0fc3cc6ed99e45a3d1ca7cd2dd4d7bfc2f5f11ee7cf0e3d58bfbb4db26f16599cae45b96fc032cd6a050c1ea70bfd02291537088168dd149eee85b38d2527a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\15B6.exe

Filesize
1.9MB

MD5
1b87684768db892932be3f0661c54251

SHA1
e5acdb93f6eb75656c9a8242e21b01bf978dc7cf

SHA256
65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636

SHA512
0fc3cc6ed99e45a3d1ca7cd2dd4d7bfc2f5f11ee7cf0e3d58bfbb4db26f16599cae45b96fc032cd6a050c1ea70bfd02291537088168dd149eee85b38d2527a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
d974162e0cccb469e745708ced4124c0

SHA1
2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929

SHA256
77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5

SHA512
ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
d974162e0cccb469e745708ced4124c0

SHA1
2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929

SHA256
77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5

SHA512
ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
d974162e0cccb469e745708ced4124c0

SHA1
2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929

SHA256
77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5

SHA512
ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E2.exe

Filesize
415KB

MD5
bf58b6afac98febc716a85be5b8e9d9e

SHA1
4a36385b3f8e8a84a995826d77fcd8e76eba7328

SHA256
16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d

SHA512
a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E2.exe

Filesize
415KB

MD5
bf58b6afac98febc716a85be5b8e9d9e

SHA1
4a36385b3f8e8a84a995826d77fcd8e76eba7328

SHA256
16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d

SHA512
a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\E951.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4AD.exe

Filesize
6.5MB

MD5
6b254caca548f0be01842a0c4bd4c649

SHA1
79bbeed18d08c3010e8954f6d5c9f52967dcc32e

SHA256
01a7afff3220c1a442e3b8bc41dbf4036e9c223f9aab374265d9beae0709e434

SHA512
b69f8c71f2b71268150cc74e8e842b6526e87c5e944d163bb3def85cc919428c249a733ca9bbefc4cf4b80a8dbf6961b8e6f0333194713faf10551b8eb97d3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4AD.exe

Filesize
6.5MB

MD5
6b254caca548f0be01842a0c4bd4c649

SHA1
79bbeed18d08c3010e8954f6d5c9f52967dcc32e

SHA256
01a7afff3220c1a442e3b8bc41dbf4036e9c223f9aab374265d9beae0709e434

SHA512
b69f8c71f2b71268150cc74e8e842b6526e87c5e944d163bb3def85cc919428c249a733ca9bbefc4cf4b80a8dbf6961b8e6f0333194713faf10551b8eb97d3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\F99F.exe

Filesize
894KB

MD5
ef11a166e73f258d4159c1904485623c

SHA1
bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e

SHA256
dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747

SHA512
2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

Download Submit
C:\Users\Admin\AppData\Local\Temp\F99F.exe

Filesize
894KB

MD5
ef11a166e73f258d4159c1904485623c

SHA1
bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e

SHA256
dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747

SHA512
2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF3E.exe

Filesize
1.5MB

MD5
52c2f13a9fa292d1f32439dde355ff71

SHA1
03a9aa82a8070de26b9a347cfbd4090fd239f8df

SHA256
020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316

SHA512
097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF3E.exe

Filesize
1.5MB

MD5
52c2f13a9fa292d1f32439dde355ff71

SHA1
03a9aa82a8070de26b9a347cfbd4090fd239f8df

SHA256
020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316

SHA512
097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7618196.exe

Filesize
19KB

MD5
86ee9a57513465231547334aa8437d67

SHA1
7eb1660349f3246dd1e30b21501b024ad434f1b9

SHA256
050d65d237e8468f52ccd92a9913d445eb414c51574938b4b097401056001955

SHA512
c2e9417c8dc3851f4383623814f409b742168919e46a07d119214ea6e5ec6b3734d5ef22bd7914e4f00e1c2ebf7c97d7542768fc6842ec0a17b6069280eb1a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7618196.exe

Filesize
19KB

MD5
86ee9a57513465231547334aa8437d67

SHA1
7eb1660349f3246dd1e30b21501b024ad434f1b9

SHA256
050d65d237e8468f52ccd92a9913d445eb414c51574938b4b097401056001955

SHA512
c2e9417c8dc3851f4383623814f409b742168919e46a07d119214ea6e5ec6b3734d5ef22bd7914e4f00e1c2ebf7c97d7542768fc6842ec0a17b6069280eb1a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4092387.exe

Filesize
830KB

MD5
f6c18be437a423bd6c51f8852475ab1d

SHA1
7c72b95c2bf73d4e06c4e69d76b9f248b0ecddea

SHA256
183e391a076e3837e8b9ef771227d70e7bb576a788ac69c4c69848b1bcd4b12e

SHA512
9e635fe37ff4e400ab95dd3922c3de1ffd6dd4cb4ef4c263a41003e75462039ba555899d5eb3dea9f30bc128e26f2c3ccbb7fd370b28456ad8f45dae8b94bff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4092387.exe

Filesize
830KB

MD5
f6c18be437a423bd6c51f8852475ab1d

SHA1
7c72b95c2bf73d4e06c4e69d76b9f248b0ecddea

SHA256
183e391a076e3837e8b9ef771227d70e7bb576a788ac69c4c69848b1bcd4b12e

SHA512
9e635fe37ff4e400ab95dd3922c3de1ffd6dd4cb4ef4c263a41003e75462039ba555899d5eb3dea9f30bc128e26f2c3ccbb7fd370b28456ad8f45dae8b94bff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2588345.exe

Filesize
239KB

MD5
ec85f63694f6c455542a038df9e1a9a3

SHA1
974c3c1e494a332abab90247663826f4b02b6d93

SHA256
de47e4ea08c1472b03673d2f85467854fdf7861d3007fee0748cb5c6924f8771

SHA512
236d52615acf82712a3634866413e5179943da48ff761a2841570436c22e2537dfb7ad4446742333783e9087536d50c2fbc8a65da85da0fc7c9e58bc21621a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2588345.exe

Filesize
239KB

MD5
ec85f63694f6c455542a038df9e1a9a3

SHA1
974c3c1e494a332abab90247663826f4b02b6d93

SHA256
de47e4ea08c1472b03673d2f85467854fdf7861d3007fee0748cb5c6924f8771

SHA512
236d52615acf82712a3634866413e5179943da48ff761a2841570436c22e2537dfb7ad4446742333783e9087536d50c2fbc8a65da85da0fc7c9e58bc21621a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6306347.exe

Filesize
602KB

MD5
4788d013e3251ba273c0b9b5e98a6871

SHA1
7fd120d3ac6fa5ec0b6cae9ddb2072524090ec69

SHA256
0249f77ad43a939d9d01c43343823f56d5103e094557d8718cbbc867666b1004

SHA512
7c39c3a0a40a392f60ae851c81db9b67d65fb1ac9c76080b855a33e2dd9848c1db4bc6def2b62f5d6a5f350a58427a069a8f7158be1d066595a22fd9e152ff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6306347.exe

Filesize
602KB

MD5
4788d013e3251ba273c0b9b5e98a6871

SHA1
7fd120d3ac6fa5ec0b6cae9ddb2072524090ec69

SHA256
0249f77ad43a939d9d01c43343823f56d5103e094557d8718cbbc867666b1004

SHA512
7c39c3a0a40a392f60ae851c81db9b67d65fb1ac9c76080b855a33e2dd9848c1db4bc6def2b62f5d6a5f350a58427a069a8f7158be1d066595a22fd9e152ff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7812629.exe

Filesize
383KB

MD5
f087377c3b133c87182cc95d159562fd

SHA1
a11fd2c9a6c35911a5faba41ba385721c53c8181

SHA256
c099666080ef9a984f009cde96eac60dee5fa216deb267f355d5146f4ba658dc

SHA512
d24a43a12f2bb0499ac5f69823feeaff89cc5b71a44157c3559e636be6fb300cb3c32e34929085a1cdd5569931d092ad43a84ff944b6fa07714215d2f1ba9d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7812629.exe

Filesize
383KB

MD5
f087377c3b133c87182cc95d159562fd

SHA1
a11fd2c9a6c35911a5faba41ba385721c53c8181

SHA256
c099666080ef9a984f009cde96eac60dee5fa216deb267f355d5146f4ba658dc

SHA512
d24a43a12f2bb0499ac5f69823feeaff89cc5b71a44157c3559e636be6fb300cb3c32e34929085a1cdd5569931d092ad43a84ff944b6fa07714215d2f1ba9d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7935400.exe

Filesize
343KB

MD5
fdb517ed84eb2682d49f4a5cdce24e71

SHA1
fc1f7ed6af1aeb18817f613f789ad0dbb6a344bf

SHA256
2ef4fa9be7dac4c0df739efbef0866c169da749c956ad1e6cc0934e0fbfd9e9a

SHA512
59c40a6f599bbd32af0bea259fdf28930d54aa94266947ed4328ec7e8354d8d9a9e14f8016dc6a88f399b254e7dc41c93a64ff73dede5d5f93c648ef2029ee92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7935400.exe

Filesize
343KB

MD5
fdb517ed84eb2682d49f4a5cdce24e71

SHA1
fc1f7ed6af1aeb18817f613f789ad0dbb6a344bf

SHA256
2ef4fa9be7dac4c0df739efbef0866c169da749c956ad1e6cc0934e0fbfd9e9a

SHA512
59c40a6f599bbd32af0bea259fdf28930d54aa94266947ed4328ec7e8354d8d9a9e14f8016dc6a88f399b254e7dc41c93a64ff73dede5d5f93c648ef2029ee92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0921377.exe

Filesize
220KB

MD5
b52554aea644d08513f4691b9a33de07

SHA1
80f14d1aa3b15f29540ea674c60b6929736c97f6

SHA256
882d1cc81e549b3b7cacbae2deb8ffdbdc49510bb2b2488837c045b14507701e

SHA512
d757c29c2082d0654a969e064f29592d2737aba1b9e045ac7565c51eaece0e7ae5fb5898cdd76b3dcde0f5631588d7b74cecadafe7f644808a18ee4bd9499d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0921377.exe

Filesize
220KB

MD5
b52554aea644d08513f4691b9a33de07

SHA1
80f14d1aa3b15f29540ea674c60b6929736c97f6

SHA256
882d1cc81e549b3b7cacbae2deb8ffdbdc49510bb2b2488837c045b14507701e

SHA512
d757c29c2082d0654a969e064f29592d2737aba1b9e045ac7565c51eaece0e7ae5fb5898cdd76b3dcde0f5631588d7b74cecadafe7f644808a18ee4bd9499d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8693880.exe

Filesize
364KB

MD5
6959b71418a4c832362cb5be239343d7

SHA1
9f7fa9187b98433527d530e19843dfaf2248a797

SHA256
e00b40ccf90c3765b881f3defffcfba3984fe27f2eddbce14b27cf7302aa09b6

SHA512
d51cc27a4526cffbfbab898a875569bd5ddb414610879f68b7a023eedbe17d0c8f9a8bfcbfa89c95a7871228c8443905b4677bfbc304fcc0e06c06b95ff897c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8693880.exe

Filesize
364KB

MD5
6959b71418a4c832362cb5be239343d7

SHA1
9f7fa9187b98433527d530e19843dfaf2248a797

SHA256
e00b40ccf90c3765b881f3defffcfba3984fe27f2eddbce14b27cf7302aa09b6

SHA512
d51cc27a4526cffbfbab898a875569bd5ddb414610879f68b7a023eedbe17d0c8f9a8bfcbfa89c95a7871228c8443905b4677bfbc304fcc0e06c06b95ff897c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g0o2zv2x.jac.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BLIM0.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BLIM0.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BLIM0.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q3S98.tmp\is-8TS9F.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q3S98.tmp\is-8TS9F.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
860KB

MD5
2527628a2b3b4343c614e48132ab3edb

SHA1
0d60f573a21251dcfd61d28a7a0566dc29d38aa6

SHA256
04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf

SHA512
416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
860KB

MD5
2527628a2b3b4343c614e48132ab3edb

SHA1
0d60f573a21251dcfd61d28a7a0566dc29d38aa6

SHA256
04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf

SHA512
416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
860KB

MD5
2527628a2b3b4343c614e48132ab3edb

SHA1
0d60f573a21251dcfd61d28a7a0566dc29d38aa6

SHA256
04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf

SHA512
416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
186KB

MD5
f0ba7739cc07608c54312e79abaf9ece

SHA1
38b075b2e04bc8eee78b89766c1cede5ad889a7e

SHA256
9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f

SHA512
15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
186KB

MD5
f0ba7739cc07608c54312e79abaf9ece

SHA1
38b075b2e04bc8eee78b89766c1cede5ad889a7e

SHA256
9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f

SHA512
15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
186KB

MD5
f0ba7739cc07608c54312e79abaf9ece

SHA1
38b075b2e04bc8eee78b89766c1cede5ad889a7e

SHA256
9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f

SHA512
15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

Download Submit
C:\Users\Admin\AppData\Roaming\wtwvhsb

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Roaming\wtwvhsb

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
\??\pipe\LOCAL\crashpad_1736_CWLDIYOGQKNCMFCK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3596_VRZOFLPTZMUOXKRZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/492-411-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/492-362-0x0000000000560000-0x00000000005BA000-memory.dmp

Filesize
360KB

Download
memory/1072-364-0x00007FFB5C4D0000-0x00007FFB5CF91000-memory.dmp

Filesize
10.8MB

Download
memory/1072-273-0x0000022432290000-0x0000022432376000-memory.dmp

Filesize
920KB

Download
memory/1072-284-0x00007FFB5C4D0000-0x00007FFB5CF91000-memory.dmp

Filesize
10.8MB

Download
memory/1072-293-0x0000022433FF0000-0x0000022434000000-memory.dmp

Filesize
64KB

Download
memory/1072-294-0x000002244C9B0000-0x000002244C9FC000-memory.dmp

Filesize
304KB

Download
memory/1072-291-0x000002244C8E0000-0x000002244C9B0000-memory.dmp

Filesize
832KB

Download
memory/1072-289-0x000002244C800000-0x000002244C8E2000-memory.dmp

Filesize
904KB

Download
memory/1540-574-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1540-339-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2116-361-0x0000000002F30000-0x0000000003061000-memory.dmp

Filesize
1.2MB

Download
memory/2116-261-0x00007FF60EB90000-0x00007FF60EC69000-memory.dmp

Filesize
868KB

Download
memory/2812-616-0x000002AB9E7F0000-0x000002AB9E7F3000-memory.dmp

Filesize
12KB

Download
memory/3160-677-0x0000000002790000-0x00000000027A6000-memory.dmp

Filesize
88KB

Download
memory/3160-87-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-86-0x0000000006E60000-0x0000000006E70000-memory.dmp

Filesize
64KB

Download
memory/3160-85-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-84-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-83-0x0000000006E60000-0x0000000006E70000-memory.dmp

Filesize
64KB

Download
memory/3160-82-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-81-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-89-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/3160-104-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-103-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-88-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-91-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-79-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-100-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-77-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-95-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-96-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-70-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-99-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-76-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-93-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-97-0x0000000006E60000-0x0000000006E70000-memory.dmp

Filesize
64KB

Download
memory/3160-75-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-74-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-61-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3160-102-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-73-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-72-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/3160-71-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-101-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-98-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-105-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/3168-639-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3468-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3468-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3468-52-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3488-678-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3488-600-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4288-642-0x0000000003B40000-0x0000000003B76000-memory.dmp

Filesize
216KB

Download
memory/4288-521-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4288-526-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4288-650-0x0000000003B40000-0x0000000003B76000-memory.dmp

Filesize
216KB

Download
memory/4288-577-0x0000000000F90000-0x0000000000F97000-memory.dmp

Filesize
28KB

Download
memory/4288-578-0x0000000002CF0000-0x00000000030F0000-memory.dmp

Filesize
4.0MB

Download
memory/4288-579-0x0000000002CF0000-0x00000000030F0000-memory.dmp

Filesize
4.0MB

Download
memory/4484-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4484-29-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-57-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-53-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4520-49-0x000000000A620000-0x000000000A632000-memory.dmp

Filesize
72KB

Download
memory/4520-43-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4520-42-0x0000000001060000-0x0000000001066000-memory.dmp

Filesize
24KB

Download
memory/4520-51-0x000000000A680000-0x000000000A6BC000-memory.dmp

Filesize
240KB

Download
memory/4520-66-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/4520-54-0x000000000A7F0000-0x000000000A83C000-memory.dmp

Filesize
304KB

Download
memory/4520-41-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4520-50-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/4520-48-0x000000000A6E0000-0x000000000A7EA000-memory.dmp

Filesize
1.0MB

Download
memory/4520-47-0x000000000AB80000-0x000000000B198000-memory.dmp

Filesize
6.1MB

Download
memory/4520-65-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4556-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4556-35-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4556-33-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4556-37-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4816-292-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4816-288-0x0000000000C80000-0x0000000000DF4000-memory.dmp

Filesize
1.5MB

Download
memory/4816-355-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-301-0x0000000000510000-0x00000000006E8000-memory.dmp

Filesize
1.8MB

Download
memory/4820-322-0x0000000000510000-0x00000000006E8000-memory.dmp

Filesize
1.8MB

Download
memory/4820-299-0x0000000000510000-0x00000000006E8000-memory.dmp

Filesize
1.8MB

Download
memory/4980-340-0x0000000008060000-0x0000000008070000-memory.dmp

Filesize
64KB

Download
memory/4980-323-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4980-331-0x0000000007E20000-0x0000000007EB2000-memory.dmp

Filesize
584KB

Download
memory/4980-328-0x0000000008330000-0x00000000088D4000-memory.dmp

Filesize
5.6MB

Download
memory/4980-349-0x0000000007FC0000-0x0000000007FCA000-memory.dmp

Filesize
40KB

Download
memory/4980-302-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5124-516-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5152-347-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/5152-358-0x00007FFB5C4D0000-0x00007FFB5CF91000-memory.dmp

Filesize
10.8MB

Download
memory/5208-368-0x00007FFB5C4D0000-0x00007FFB5CF91000-memory.dmp

Filesize
10.8MB

Download
memory/5208-353-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5208-381-0x00000223DA1A0000-0x00000223DA1B0000-memory.dmp

Filesize
64KB

Download
memory/5208-360-0x00000223DA1B0000-0x00000223DA2B2000-memory.dmp

Filesize
1.0MB

Download
memory/5244-581-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5496-373-0x00000000005C0000-0x00000000007A6000-memory.dmp

Filesize
1.9MB

Download
memory/5496-429-0x0000000005130000-0x00000000051A8000-memory.dmp

Filesize
480KB

Download
memory/5496-451-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download