0ce151b0d9d7cdfa5356212fbed8f0b57534e553f17acdd61306a599b7db3602

Analysis

max time kernel
89s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2023, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sqlyog_MfbFy-1.exe
Size

1.7MB
MD5

4e0ddcbac69d0f9fafa52486e2b58460
SHA1

4b2f2e57406be4ef044965d758440b879696900e
SHA256

0ce151b0d9d7cdfa5356212fbed8f0b57534e553f17acdd61306a599b7db3602
SHA512

a94c139fd1e8d43d0975ce6a1ce4f3696dd61232a56f0e2bc629723539aad263a8d29d81f4cb173912eebb2f2fa1fe1208524d4ed14e44d7d73e861494f87a34
SSDEEP

24576:x4nXubIQGyxbPV0db26W8ODmac/uOmU+g4v/GGfx1FqjyxKzMOnwY2Aznpf9DUvl:xqe3f6gc/u3Ucv1IjCKzM7id9DqR

Score

8^/10

discovery upx

Malware Config

Signatures

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000023223-130.dat	acprotect
behavioral1/files/0x0006000000023223-128.dat	acprotect
behavioral1/files/0x0006000000023223-767.dat	acprotect

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000023223-130.dat	upx
behavioral1/files/0x0006000000023223-128.dat	upx
behavioral1/files/0x0006000000023223-767.dat	upx

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\AVAST Software\Avast	file_MfbFy-1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	file_MfbFy-1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	file_MfbFy-1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\AVG\AV\Dir	file_MfbFy-1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	file_MfbFy-1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	file_MfbFy-1.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	file_MfbFy-1.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\SQLyog Trial\api-ms-win-crt-utility-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\SJASchemas\odbcimport-withwhere.xml	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\pvio_npipe.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\libsasl2.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-errorhandling-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-misc-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\mysql_clear_password.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-file-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-crt-runtime-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\zlib.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\L10n.db	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-crt-filesystem-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\SJASchemas\exportjobs-alldbs.xml	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\SJASchemas\odbcimport-withtrigger.xml	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\sha256_password.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-sysinfo-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\uninst.exe	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\SJASchemas\notification.xml	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\SciLexer.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-synch-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\msvcp140.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\SJASchemas\odbcimport-dsnless.xml	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-crt-stdio-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\SQLyog.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\auth_gssapi_client.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\Keywords.db	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-synch-l1-2-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-crt-heap-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-crt-time-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\ssleay32.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\SJA.exe	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-interlocked-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-libraryloader-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\libeay32MD.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-handle-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-profile-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-util-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-console-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-file-l1-2-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-namedpipe-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-processthreads-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\htmlayout.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-processthreads-l1-1-1.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\dialog.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-datetime-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\SJASchemas\datasync-alltables.xml	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\SJASchemas\exportjob-alltables.xml	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-processenvironment-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\SJASchemas\datasync-seltables.xml	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-memory-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-rtlsupport-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-timezone-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-crt-math-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\msvcr120.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\SQLyogTunnel.php	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-debug-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-file-l2-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\ucrtbase.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-heap-l1-1-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\api-ms-win-core-localization-l1-2-0.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\plink.exe	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\libeay32.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\libetpan.dll	sqlyog.exe
File created	C:\Program Files\SQLyog Trial\ssleay32MD.dll	sqlyog.exe

Executes dropped EXE 6 IoCs

pid	Process
4976	sqlyog_MfbFy-1.tmp
3856	file_MfbFy-1.exe
4496	file_MfbFy-1.tmp
4684	saBSI.exe
1696	sqlyog.exe
1352	SQLyog.exe

Loads dropped DLL 22 IoCs

pid	Process
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
1696	sqlyog.exe
1696	sqlyog.exe
1696	sqlyog.exe
1696	sqlyog.exe
1696	sqlyog.exe
1352	SQLyog.exe
1352	SQLyog.exe
1352	SQLyog.exe
1352	SQLyog.exe
1352	SQLyog.exe
1352	SQLyog.exe
1352	SQLyog.exe
1352	SQLyog.exe
1352	SQLyog.exe
1352	SQLyog.exe
1352	SQLyog.exe
1352	SQLyog.exe
1352	SQLyog.exe
1352	SQLyog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000002321f-101.dat	nsis_installer_1
behavioral1/files/0x000600000002321f-101.dat	nsis_installer_2
behavioral1/files/0x000600000002321f-120.dat	nsis_installer_1
behavioral1/files/0x000600000002321f-120.dat	nsis_installer_2
behavioral1/files/0x000600000002321f-121.dat	nsis_installer_1
behavioral1/files/0x000600000002321f-121.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file_MfbFy-1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	file_MfbFy-1.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	48	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
4684	saBSI.exe
4684	saBSI.exe
4684	saBSI.exe
4684	saBSI.exe
4684	saBSI.exe
4684	saBSI.exe
4684	saBSI.exe
4684	saBSI.exe
468	msedge.exe
468	msedge.exe
1188	msedge.exe
1188	msedge.exe
3212	identity_helper.exe
3212	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1696	sqlyog.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4976	sqlyog_MfbFy-1.tmp
4496	file_MfbFy-1.tmp
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 4976	4436	sqlyog_MfbFy-1.exe	87
PID 4436 wrote to memory of 4976	4436	sqlyog_MfbFy-1.exe	87
PID 4436 wrote to memory of 4976	4436	sqlyog_MfbFy-1.exe	87
PID 4976 wrote to memory of 3856	4976	sqlyog_MfbFy-1.tmp	92
PID 4976 wrote to memory of 3856	4976	sqlyog_MfbFy-1.tmp	92
PID 4976 wrote to memory of 3856	4976	sqlyog_MfbFy-1.tmp	92
PID 3856 wrote to memory of 4496	3856	file_MfbFy-1.exe	94
PID 3856 wrote to memory of 4496	3856	file_MfbFy-1.exe	94
PID 3856 wrote to memory of 4496	3856	file_MfbFy-1.exe	94
PID 4496 wrote to memory of 4684	4496	file_MfbFy-1.tmp	99
PID 4496 wrote to memory of 4684	4496	file_MfbFy-1.tmp	99
PID 4496 wrote to memory of 4684	4496	file_MfbFy-1.tmp	99
PID 4496 wrote to memory of 1696	4496	file_MfbFy-1.tmp	100
PID 4496 wrote to memory of 1696	4496	file_MfbFy-1.tmp	100
PID 4496 wrote to memory of 1696	4496	file_MfbFy-1.tmp	100
PID 4496 wrote to memory of 468	4496	file_MfbFy-1.tmp	102
PID 4496 wrote to memory of 468	4496	file_MfbFy-1.tmp	102
PID 468 wrote to memory of 1124	468	msedge.exe	101
PID 468 wrote to memory of 1124	468	msedge.exe	101
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 4312	468	msedge.exe	107
PID 468 wrote to memory of 1188	468	msedge.exe	103
PID 468 wrote to memory of 1188	468	msedge.exe	103
PID 468 wrote to memory of 4976	468	msedge.exe	106
PID 468 wrote to memory of 4976	468	msedge.exe	106
PID 468 wrote to memory of 4976	468	msedge.exe	106

C:\Users\Admin\AppData\Local\Temp\sqlyog_MfbFy-1.exe
"C:\Users\Admin\AppData\Local\Temp\sqlyog_MfbFy-1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Users\Admin\AppData\Local\Temp\is-L9VJJ.tmp\sqlyog_MfbFy-1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-L9VJJ.tmp\sqlyog_MfbFy-1.tmp" /SL5="$50162,831488,831488,C:\Users\Admin\AppData\Local\Temp\sqlyog_MfbFy-1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\is-BK18N.tmp\file_MfbFy-1.exe
    "C:\Users\Admin\AppData\Local\Temp\is-BK18N.tmp\file_MfbFy-1.exe" /LANG=en /NA=Rh85hR64
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\is-OR205.tmp\file_MfbFy-1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OR205.tmp\file_MfbFy-1.tmp" /SL5="$1022A,1559708,780800,C:\Users\Admin\AppData\Local\Temp\is-BK18N.tmp\file_MfbFy-1.exe" /LANG=en /NA=Rh85hR64
      4⤵
      Checks for any installed AV software in registry
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\prod0_extract\saBSI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:4684
    - - C:\Users\Admin\Downloads\sqlyog.exe
        
        "C:\Users\Admin\Downloads\sqlyog.exe"
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1696
      - C:\Program Files\SQLyog Trial\SQLyog.exe
        
        "C:\Program Files\SQLyog Trial\SQLyog.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://es.download.it/?typ=1
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,670143430205925270,5641877152504202248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,670143430205925270,5641877152504202248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
        6⤵
        
        PID:1752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,670143430205925270,5641877152504202248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
        6⤵
        
        PID:4436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,670143430205925270,5641877152504202248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
        6⤵
        
        PID:4976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,670143430205925270,5641877152504202248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        6⤵
        
        PID:4312
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,670143430205925270,5641877152504202248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
        6⤵
        
        PID:416
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,670143430205925270,5641877152504202248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,670143430205925270,5641877152504202248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
        6⤵
        
        PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a39046f8,0x7ff9a3904708,0x7ff9a3904718
1⤵
PID:1124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SQLyog Trial\Keywords.db

Filesize
114KB

MD5
a0cb2d0cd25c9edf86a27737f8785a91

SHA1
f7b376b3abd4092f02041506830ac7c18acf0df1

SHA256
5af3c274f2f6e26ab4f9153d9c2000b448e7659ad3079929354599a832fd7c4d

SHA512
c09c3becba247785f220f0aea835be30306d6a05d1f10a170996e2db31f639fd037bed5524d2d48b1d321111d77641957ff3e4184a9a4131a5482d50d9f0c567

Download Submit
C:\Program Files\SQLyog Trial\LIBEAY32.dll

Filesize
2.0MB

MD5
935d0ee1c6bc686eef0e4ad927404355

SHA1
a58d065643e3d985f9533ea5b9b7d8a483340fe8

SHA256
bfe93014e10178dc7ef089cfc56e67c34a2d22b554372aff39a041e65bd0448d

SHA512
092cee6640d46bd710b1561b1f5290b083825fe0449d481a804add0193b20dd192bbf304fae51aba6ac510fa0163785b3535db96547828919e14adbab2449def

Download Submit
C:\Program Files\SQLyog Trial\LIBEAY32MD.dll

Filesize
1.7MB

MD5
852ce6c6a4697a8f1c82f293e0492cc6

SHA1
48183cedb7710ebc625fed115a9371e6cea07210

SHA256
38055bbd642c1cfc4c7dab27d1712cba7e64b92ecee2efc49cc9c06b5442de50

SHA512
f3c58550b1852f625ac7eba318a9a2e15730d1b70c602bf5c5bdd44e9e7a67056dbb4c49c049edd4be239b253709cdd36e0a893d8cccf10a8b2e79144d8b797c

Download Submit
C:\Program Files\SQLyog Trial\MSVCR120.dll

Filesize
940KB

MD5
9c861c079dd81762b6c54e37597b7712

SHA1
62cb65a1d79e2c5ada0c7bfc04c18693567c90d0

SHA256
ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c

SHA512
3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

Download Submit
C:\Program Files\SQLyog Trial\SQLyog.dll

Filesize
3.3MB

MD5
652165a278e915d9045f8c8eec197677

SHA1
62949b92cb6cfbfa22186dfe14e3d489b8dc3ce9

SHA256
d3d516200749a8c843e9c5c32638edc50640a849224f299b6906434ae03bdce6

SHA512
f90b22068b6bc524b252702d99d8ef0254bfc6e15c6b6249066b5851a0e68ca4fc7d872b07ba2d5e9a50b069eef40a62d527de220190911147f72cbff47e2df7

Download Submit
C:\Program Files\SQLyog Trial\SQLyog.dll

Filesize
3.3MB

MD5
652165a278e915d9045f8c8eec197677

SHA1
62949b92cb6cfbfa22186dfe14e3d489b8dc3ce9

SHA256
d3d516200749a8c843e9c5c32638edc50640a849224f299b6906434ae03bdce6

SHA512
f90b22068b6bc524b252702d99d8ef0254bfc6e15c6b6249066b5851a0e68ca4fc7d872b07ba2d5e9a50b069eef40a62d527de220190911147f72cbff47e2df7

Download Submit
C:\Program Files\SQLyog Trial\SQLyog.exe

Filesize
8.7MB

MD5
efef4af2daaccdf7ca192fcd54dcd108

SHA1
11f201576846600013e4ee7472c8f6c3f145a7f1

SHA256
4d2a88c1225b14f7638d9c68878414623a57a0fc154bf82723907047b84b21ca

SHA512
2ba7f7142be5b85732890a984e54d48b8ab83a31e136d84202a1b9aa5e8ec1841d1b18d8fb77f89422b214683916f3ca3fbc26ba1f2167385b9866c0a0eb7030

Download Submit
C:\Program Files\SQLyog Trial\SQLyog.exe

Filesize
8.7MB

MD5
efef4af2daaccdf7ca192fcd54dcd108

SHA1
11f201576846600013e4ee7472c8f6c3f145a7f1

SHA256
4d2a88c1225b14f7638d9c68878414623a57a0fc154bf82723907047b84b21ca

SHA512
2ba7f7142be5b85732890a984e54d48b8ab83a31e136d84202a1b9aa5e8ec1841d1b18d8fb77f89422b214683916f3ca3fbc26ba1f2167385b9866c0a0eb7030

Download Submit
C:\Program Files\SQLyog Trial\SQLyog.exe

Filesize
8.7MB

MD5
efef4af2daaccdf7ca192fcd54dcd108

SHA1
11f201576846600013e4ee7472c8f6c3f145a7f1

SHA256
4d2a88c1225b14f7638d9c68878414623a57a0fc154bf82723907047b84b21ca

SHA512
2ba7f7142be5b85732890a984e54d48b8ab83a31e136d84202a1b9aa5e8ec1841d1b18d8fb77f89422b214683916f3ca3fbc26ba1f2167385b9866c0a0eb7030

Download Submit
C:\Program Files\SQLyog Trial\SSLEAY32.dll

Filesize
345KB

MD5
56248f2e9131e7bb6bf4659770679fb6

SHA1
203a47e7f1537a839f13ec7614164d9f1c61b542

SHA256
4033d5bbd7ef4bdff6cf6071bd8255d8ee76f295b79e015049fefd75609ac59a

SHA512
2ecabcf0d3c320aa3c704480ce709e063881612d6a55dd6e254d400b40db20f4f95599447eb9890fc7d3d249627c323ea883ef708c32ead8278c3db6a8aa5588

Download Submit
C:\Program Files\SQLyog Trial\SciLexer.dll

Filesize
1.1MB

MD5
f7ca22af1d4ff0d3eedfe95b798f2d1d

SHA1
22c4007b08dc4e6ddceea567a08bb167a18b7bd2

SHA256
332facb25c64c0c60e32986134929534284b3a36bfb64e2abdb0fde2e63e1982

SHA512
ceaffda65dd465a1b1c11072bdbbfd75ca96b019046e7f5e6ecb3ae632950d7d57211b95a6846a9183b0e0d5279a4f897c46baabe90f094a4f39709e3ad57285

Download Submit
C:\Program Files\SQLyog Trial\SciLexer.dll

Filesize
1.1MB

MD5
f7ca22af1d4ff0d3eedfe95b798f2d1d

SHA1
22c4007b08dc4e6ddceea567a08bb167a18b7bd2

SHA256
332facb25c64c0c60e32986134929534284b3a36bfb64e2abdb0fde2e63e1982

SHA512
ceaffda65dd465a1b1c11072bdbbfd75ca96b019046e7f5e6ecb3ae632950d7d57211b95a6846a9183b0e0d5279a4f897c46baabe90f094a4f39709e3ad57285

Download Submit
C:\Program Files\SQLyog Trial\VCRUNTIME140.dll

Filesize
86KB

MD5
6c2c88ff1b3da84b44d23a253a06c01b

SHA1
488c95acda13dce2f099774ee506e47869e9284e

SHA256
acf65e565021f2017815fc5ec8a3145cf6c15e75c132cf23a378cc943e68327c

SHA512
e104d5d69327abc510e0ef38aae2427a87ed0f76dd5bacb20080f40dd98c9048504ec20baabc5ecf69759e3ff485d4f2bb591b6c9e391271dd11e2dcc05933f2

Download Submit
C:\Program Files\SQLyog Trial\htmlayout.dll

Filesize
3.7MB

MD5
448a821ad52dd12ec6ca1bfafd1079b4

SHA1
0af750945284692d0c63e63679b2caa9e66324e0

SHA256
7dbdd38b43a03a6b7846ecd7e3de1f35490c2496113e820e3673604d3289fc12

SHA512
5fc83d280a537adca3f42ba704b00e1c381d38d220c05624683e5ea0a7f6171549e093dd7e7f149731e8ccc7173c28034b01c4467653291cdacf2bc95af60f38

Download Submit
C:\Program Files\SQLyog Trial\htmlayout.dll

Filesize
3.7MB

MD5
448a821ad52dd12ec6ca1bfafd1079b4

SHA1
0af750945284692d0c63e63679b2caa9e66324e0

SHA256
7dbdd38b43a03a6b7846ecd7e3de1f35490c2496113e820e3673604d3289fc12

SHA512
5fc83d280a537adca3f42ba704b00e1c381d38d220c05624683e5ea0a7f6171549e093dd7e7f149731e8ccc7173c28034b01c4467653291cdacf2bc95af60f38

Download Submit
C:\Program Files\SQLyog Trial\l10n.db

Filesize
860KB

MD5
3c3d381ab689067814059b86fb9becb9

SHA1
4208e6aed5c767ce8bc75d081755a22d23b7a34e

SHA256
f735fc065e50756eeed2ea95d7045db42d9a25f4c547cb6f6318c89e900cd44a

SHA512
b34c320f71ff6eeb6b81f728641eff7ecb0d61959851d412c60a311522403a32e506a0a400728da2c03551558aa1b16584eafcbc1396c2c5c8a2713a1fbb0958

Download Submit
C:\Program Files\SQLyog Trial\libeay32.dll

Filesize
2.0MB

MD5
935d0ee1c6bc686eef0e4ad927404355

SHA1
a58d065643e3d985f9533ea5b9b7d8a483340fe8

SHA256
bfe93014e10178dc7ef089cfc56e67c34a2d22b554372aff39a041e65bd0448d

SHA512
092cee6640d46bd710b1561b1f5290b083825fe0449d481a804add0193b20dd192bbf304fae51aba6ac510fa0163785b3535db96547828919e14adbab2449def

Download Submit
C:\Program Files\SQLyog Trial\libeay32.dll

Filesize
2.0MB

MD5
935d0ee1c6bc686eef0e4ad927404355

SHA1
a58d065643e3d985f9533ea5b9b7d8a483340fe8

SHA256
bfe93014e10178dc7ef089cfc56e67c34a2d22b554372aff39a041e65bd0448d

SHA512
092cee6640d46bd710b1561b1f5290b083825fe0449d481a804add0193b20dd192bbf304fae51aba6ac510fa0163785b3535db96547828919e14adbab2449def

Download Submit
C:\Program Files\SQLyog Trial\libeay32MD.dll

Filesize
1.7MB

MD5
852ce6c6a4697a8f1c82f293e0492cc6

SHA1
48183cedb7710ebc625fed115a9371e6cea07210

SHA256
38055bbd642c1cfc4c7dab27d1712cba7e64b92ecee2efc49cc9c06b5442de50

SHA512
f3c58550b1852f625ac7eba318a9a2e15730d1b70c602bf5c5bdd44e9e7a67056dbb4c49c049edd4be239b253709cdd36e0a893d8cccf10a8b2e79144d8b797c

Download Submit
C:\Program Files\SQLyog Trial\libetpan.dll

Filesize
534KB

MD5
83cfcddff9d468aa99485a2b33b41ae5

SHA1
34079047c3585a3e1930336835f7629f821b38d1

SHA256
119dcdab95f65979bdf69fde5d575777efce78b627cdbc8d3a633c09de4f9484

SHA512
28ceb15389deb3f7f13e65d742a1ce57f5ad93c0bfdd9bd8bf462e47b93195a3755a3d30c904e824bad2468a730bfb3cc4355e2a4d1d7e8460f186f2fd1c808a

Download Submit
C:\Program Files\SQLyog Trial\libetpan.dll

Filesize
534KB

MD5
83cfcddff9d468aa99485a2b33b41ae5

SHA1
34079047c3585a3e1930336835f7629f821b38d1

SHA256
119dcdab95f65979bdf69fde5d575777efce78b627cdbc8d3a633c09de4f9484

SHA512
28ceb15389deb3f7f13e65d742a1ce57f5ad93c0bfdd9bd8bf462e47b93195a3755a3d30c904e824bad2468a730bfb3cc4355e2a4d1d7e8460f186f2fd1c808a

Download Submit
C:\Program Files\SQLyog Trial\libetpan.dll

Filesize
534KB

MD5
83cfcddff9d468aa99485a2b33b41ae5

SHA1
34079047c3585a3e1930336835f7629f821b38d1

SHA256
119dcdab95f65979bdf69fde5d575777efce78b627cdbc8d3a633c09de4f9484

SHA512
28ceb15389deb3f7f13e65d742a1ce57f5ad93c0bfdd9bd8bf462e47b93195a3755a3d30c904e824bad2468a730bfb3cc4355e2a4d1d7e8460f186f2fd1c808a

Download Submit
C:\Program Files\SQLyog Trial\libsasl2.dll

Filesize
253KB

MD5
80f775356eeef55147c83257382c2c49

SHA1
fd9ccafed76a0b4fafe53b8ec7de4add238efc64

SHA256
107e4c19ebaa15bfb7a3470781486b3116601db4591bb6a23810a1da3568b439

SHA512
cdb87155829cd2bce43266f41a8f782bb1dc572466b7d325da2d09734b23295127a7144e3f3f6cd27551f272388da31443631ebaf4e53f9116238d58f03a13e5

Download Submit
C:\Program Files\SQLyog Trial\libsasl2.dll

Filesize
253KB

MD5
80f775356eeef55147c83257382c2c49

SHA1
fd9ccafed76a0b4fafe53b8ec7de4add238efc64

SHA256
107e4c19ebaa15bfb7a3470781486b3116601db4591bb6a23810a1da3568b439

SHA512
cdb87155829cd2bce43266f41a8f782bb1dc572466b7d325da2d09734b23295127a7144e3f3f6cd27551f272388da31443631ebaf4e53f9116238d58f03a13e5

Download Submit
C:\Program Files\SQLyog Trial\msvcr120.dll

Filesize
940KB

MD5
9c861c079dd81762b6c54e37597b7712

SHA1
62cb65a1d79e2c5ada0c7bfc04c18693567c90d0

SHA256
ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c

SHA512
3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

Download Submit
C:\Program Files\SQLyog Trial\msvcr120.dll

Filesize
940KB

MD5
9c861c079dd81762b6c54e37597b7712

SHA1
62cb65a1d79e2c5ada0c7bfc04c18693567c90d0

SHA256
ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c

SHA512
3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

Download Submit
C:\Program Files\SQLyog Trial\ssleay32.dll

Filesize
345KB

MD5
56248f2e9131e7bb6bf4659770679fb6

SHA1
203a47e7f1537a839f13ec7614164d9f1c61b542

SHA256
4033d5bbd7ef4bdff6cf6071bd8255d8ee76f295b79e015049fefd75609ac59a

SHA512
2ecabcf0d3c320aa3c704480ce709e063881612d6a55dd6e254d400b40db20f4f95599447eb9890fc7d3d249627c323ea883ef708c32ead8278c3db6a8aa5588

Download Submit
C:\Program Files\SQLyog Trial\vcruntime140.dll

Filesize
86KB

MD5
6c2c88ff1b3da84b44d23a253a06c01b

SHA1
488c95acda13dce2f099774ee506e47869e9284e

SHA256
acf65e565021f2017815fc5ec8a3145cf6c15e75c132cf23a378cc943e68327c

SHA512
e104d5d69327abc510e0ef38aae2427a87ed0f76dd5bacb20080f40dd98c9048504ec20baabc5ecf69759e3ff485d4f2bb591b6c9e391271dd11e2dcc05933f2

Download Submit
C:\Program Files\SQLyog Trial\zlib.dll

Filesize
78KB

MD5
4fd6bccf8880de52ac124fb0f8dba6df

SHA1
57e98f798831b4d139c5c63ddf00558825f951e2

SHA256
8d2123f8d8e0b91ed8b690f4fe72e372bf1644c9f150bb3c10c91c19c161698f

SHA512
cf0259f2cf1094dd58833ac0426e61c61634c3e18c83a45b5ed43214acc80436c1a4ac4fcfe027030d9a8b73d34e6920543a5b8986c52cac375d77b2dcb21e1e

Download Submit
C:\Program Files\SQLyog Trial\zlib.dll

Filesize
78KB

MD5
4fd6bccf8880de52ac124fb0f8dba6df

SHA1
57e98f798831b4d139c5c63ddf00558825f951e2

SHA256
8d2123f8d8e0b91ed8b690f4fe72e372bf1644c9f150bb3c10c91c19c161698f

SHA512
cf0259f2cf1094dd58833ac0426e61c61634c3e18c83a45b5ed43214acc80436c1a4ac4fcfe027030d9a8b73d34e6920543a5b8986c52cac375d77b2dcb21e1e

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00200057003F001D0006.txt

Filesize
1KB

MD5
e37d24d5cc1a2d774901ae799797fb65

SHA1
114082c0642dbe7d8b407e81be243f9cdbe7ea52

SHA256
9982fb1f2c4b62354c6c6a5a6b45426dc4ba3c00e4a9678e8df8d7f004bdc082

SHA512
458db05c33221066e16f1c2b5cf83a465a416a050c6f68d395a5bfb91eb0438657354cb2b2dbdd503dfc9b03d23be309c77315e13878bb3047002efdae2d20bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
16c2a9f4b2e1386aab0e353614a63f0d

SHA1
6edd3be593b653857e579cbd3db7aa7e1df3e30f

SHA256
0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81

SHA512
aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
c4df7ddd106ccc2d48cd546c25004f13

SHA1
5f2b14c09319bc37475a5ca45ddde9a647f9ab93

SHA256
1d9d8238d1068c7c06a4a2e13eda459ba3b5b610dd265731df18a1f2e971f595

SHA512
f565a775aa8bed904e8027f12c79f404994e84c4ba71669bc78b9c449125923a19b54ddb9f91dac4922568aff83123fe8345921292498f42ba1faa6271e31bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
acbdb5170e78b1a39b489b7f99115c4a

SHA1
c020f0e297aca68990aa611e2990c3cb2a9b1cc4

SHA256
eb60aef7bbb0a3ead3989240e199c040c0373227e8247890491da664cf6b9d97

SHA512
e4c95836717d54728fb824e27eaa013321fd9345de19d6b1dda8db1f217b38a5458062f458c274ad1770f6f64a59e214f4258f44fbb44394bbc8dae4a7d0d385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8f482e98299ad47655df704ea1e148b

SHA1
10f81360af4f60f9e1263dc13f3f9e32ba1e70b5

SHA256
dcdc036738b50b5971a1b9186336f3a74064cbcf73c8923aedd71909b6f12722

SHA512
7be9ee3e3e8beb05ed4232a22686e36ef668638f2b531b90728f7ee1b4a2c28c4edde8b0445c72eed7f20c00b9c31bcc2712ff25971bc0cce4a1b6f34ffd5331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e6f873ff65971253e1c03562e3890ce6

SHA1
f37583a4b2795bec5eca27d8e19589d3c6eb3fe1

SHA256
daa93b4fb0c8ee8ad540c171f213eb084b2c7d2c9c007a6e31088f48ccdcf0fe

SHA512
2c36d3a1e0a30b0329d0a2789019b38fc967b5d8ae774a17819cf7530f116942f2a5ec1712a6643b158f9adce2fadb2c106fbb4a2aa74fc4669d05abbf2cbbe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e916c369c6e4aa5c0ad932e697c24e15

SHA1
fac579e0ce1fb90284314590bf6352390b00daa7

SHA256
f13331ab987d98e3a19e54504f059fdd8fc702e85759cdfe23d513464e078222

SHA512
ae07b522bbecd6bdace343ac8c4b5f6dff2c9dc14efbd2fe6cf8a56e9ef2c01beadedba33f82492a55f752700c2e17441fbd760beb34875dc8acaca2e510f062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
699e3636ed7444d9b47772e4446ccfc1

SHA1
db0459ca6ceeea2e87e0023a6b7ee06aeed6fded

SHA256
9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a

SHA512
d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2b9b2ee1c419ba426b0b779bb5a92ef3

SHA1
acb43b0b3d45d950d69fc71dd0deda383a8c3f04

SHA256
059424b1db53e0722cc25a12ddca9f8f73a24c7d0ed34ba57dba2ed449e44364

SHA512
d91ff8db7edbce9f0b3708ad64ebf8da03db3a2eee3ff829401a46de05a4707d454f03fd8d9189030361bfa1e46c8ae1f1fd2f86ded9e4a24f1ad43434271e4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f6168ae02c55c22816ec3f4c211f66ba

SHA1
08943a927796609b69094b97ab2e5d309dd61738

SHA256
446f1e652abdf2cbc1ff8056bb1b8a5efcdd4609271c87777ad529ef26773c3b

SHA512
e73c7bd4e73cf44c766af15aeb6b5fd3688739df60cb6a18ab34c558a2d3fd8a827700970c195afc08a5fc01abf64d66e55a519c8d3246b185861b4eb937b216

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpCC97.tmp

Filesize
255KB

MD5
dcf47ce0e0e75796fb3d28e2cfbb53c2

SHA1
84edf183be4a2f51e685bcef4469a58d0360aec1

SHA256
66f881b3645606dbf917e461d72edc72afb6a0dee66d73d85b2917b71dfaba96

SHA512
405271cd05f68568d8979949173488cc490dd4aa6fc465f77e7edac7f7a3c70ba46605d4239a948b58e75f9b26dbb102eb66669c1ccde7af46b9e196f0845b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\AVG_AV.png

Filesize
114KB

MD5
5ef5291810c454a35f76d976105f37cc

SHA1
8ce0cc65ae1786cef1c545d40d081eda13239fa6

SHA256
03e69e8c87732c625df2f628ac63bd145268f9dea9c5f3dd3670b1cf349a995c

SHA512
3bec461bb3cbbbdb3c05171fcc5ab7e648b2b60d7b811261662f14d35c3836148b14cda1a3f2be127c89cc732de8cf1644d2e55e049eeeb2da8e397c58cc919e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\Helper.dll

Filesize
2.0MB

MD5
4eb0347e66fa465f602e52c03e5c0b4b

SHA1
fdfedb72614d10766565b7f12ab87f1fdca3ea81

SHA256
c73e53cbb7b98feafe27cc7de8fdad51df438e2235e91891461c5123888f73cc

SHA512
4c909a451059628119f92b2f0c8bcd67b31f63b57d5339b6ce8fd930be5c9baf261339fdd9da820321be497df8889ce7594b7bfaadbaa43c694156651bf6c1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\finish.png

Filesize
2KB

MD5
7afaf9e0e99fd80fa1023a77524f5587

SHA1
e20c9c27691810b388c73d2ca3e67e109c2b69b6

SHA256
760b70612bb9bd967c2d15a5133a50ccce8c0bd46a6464d76875298dcc45dea0

SHA512
a090626e7b7f67fb5aa207aae0cf65c3a27e1b85e22c9728eee7475bd9bb7375ca93baaecc662473f9a427b4f505d55f2c61ba36bda460e4e6947fe22eedb044

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\mainlogo.png

Filesize
6KB

MD5
208cfb7ab79e72cb88ffcbfaf4c4dbe8

SHA1
9ee60f2c1c8dfcf24ee1008239f3d857f778f843

SHA256
8766dce58774170918578b7a1e31296233771f1d4e0d36b57de277d42a391cf8

SHA512
09de158712d58019c42ea24a0dcfd91f2e731390a3b3facac8c83a0270676cd91f9c97e1084b5fcfdd746544a17da959ae42ca4d4b072a4c3007dd59e7369fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\prod0.zip

Filesize
499KB

MD5
cd9c77bc5840af008799985f397fe1c3

SHA1
9b526687a23b737cc9468570fa17378109e94071

SHA256
26d7704b540df18e2bccd224df677061ffb9f03cab5b3c191055a84bf43a9085

SHA512
de82bd3cbfb66a2ea0cc79e19407b569355ac43bf37eecf15c9ec0693df31ee480ee0be8e7e11cc3136c2df9e7ef775bf9918fe478967eee14304343042a7872

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\prod0_extract\installer.exe

Filesize
27.6MB

MD5
e5222038e5264c7d85ee2eb2f2e053ce

SHA1
673a1bba914eceb6e03efa49ccbb4577e4819a61

SHA256
5296c1ebe140d5a8fbd179b5c6a5d57f53f0259f542f5fae97bfd288ffe7613d

SHA512
b22bf83b194442a8656597fdc5275bf60d9caa80aa9ae2ff3013ed59f15ad32c1b7958f1b37dffe57ae5cb5624456a2246e56b5c2623ca0f059285760d71bb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\prod0_extract\saBSI.exe

Filesize
1.1MB

MD5
bb7cf61c4e671ff05649bda83b85fa3d

SHA1
db3fdeaf7132448d2a31a5899832a20973677f19

SHA256
9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534

SHA512
63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\prod0_extract\saBSI.exe

Filesize
1.1MB

MD5
bb7cf61c4e671ff05649bda83b85fa3d

SHA1
db3fdeaf7132448d2a31a5899832a20973677f19

SHA256
9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534

SHA512
63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5KHVN.tmp\prod0_extract\saBSI.exe

Filesize
1.1MB

MD5
bb7cf61c4e671ff05649bda83b85fa3d

SHA1
db3fdeaf7132448d2a31a5899832a20973677f19

SHA256
9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534

SHA512
63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BK18N.tmp\file_MfbFy-1.exe

Filesize
2.3MB

MD5
d6fa7e9996185d7b3a9ac80eadc96b35

SHA1
0e9c0875ce921430cbf6b26126150b9ec7d34108

SHA256
511b0ed3d883906abc31092cd9f9aa2f135f0469c94a38acdb6e5ba74bc4643e

SHA512
c85cac8b260c404cae0da4159493dc4551b6ae1e9841c2cc985a944d724d3fd0e50e3ccafae130ceb219570d5ea821d0e94b20a1bb4fb5274697896f499c8bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BK18N.tmp\file_MfbFy-1.exe

Filesize
2.3MB

MD5
d6fa7e9996185d7b3a9ac80eadc96b35

SHA1
0e9c0875ce921430cbf6b26126150b9ec7d34108

SHA256
511b0ed3d883906abc31092cd9f9aa2f135f0469c94a38acdb6e5ba74bc4643e

SHA512
c85cac8b260c404cae0da4159493dc4551b6ae1e9841c2cc985a944d724d3fd0e50e3ccafae130ceb219570d5ea821d0e94b20a1bb4fb5274697896f499c8bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L9VJJ.tmp\sqlyog_MfbFy-1.tmp

Filesize
3.1MB

MD5
9d4b9cf80d13423280a5e0065bb14576

SHA1
4d66c2e3eedd253367be1af05a66c0c5e7bc66dd

SHA256
742d664596663260b44b9a8b9be592d5598ab0045bfe72da9b6d51f3d61cb94f

SHA512
ab11d532247a8a959f2db6373d37db27c1ceffdcc5e24f96a2465b18f59bd67d0a1604af08214aa854ff74369cdfd1392e1e8ee955e3c20c747b7b0b40ffbdc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OR205.tmp\file_MfbFy-1.tmp

Filesize
2.9MB

MD5
623a3abd7b318e1f410b1e12a42c7b71

SHA1
88e34041850ec4019dae469adc608e867b936d21

SHA256
fe1a4555d18617532248d2eaa8d3fcc2c74182f994a964a62cf418295e8554d3

SHA512
9afea88e4617e0f11416c2a2c416a6aa2d5d1f702d98d2cc223b399736191a6d002d1b717020ca6aae09e835c6356b7ddafad71e101dacab15967d89a105e391

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\InstallOptions.dll

Filesize
14KB

MD5
5d195f1ac9869c208f6c02a5bde6f9c1

SHA1
a8ec993a12708572ca8ca3d1fcbdc25230bdaf10

SHA256
78012f560bb917218435f4b3ef2e3491bab15647e11ccb90bc117731181134c4

SHA512
1f6a2e909e3a7188f24758715cdc7c9d8c17450a67c37cc74487924b00d5402c125ff8ec27b42038e20b560016f086b05133bf2bd04e670a1c46fa38c1b20672

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\LangDLL.dll

Filesize
5KB

MD5
de3558ce305e32f742ff25b697407fec

SHA1
d55c50c546001421647f2e91780c324dbb8d6ebb

SHA256
98160b4ebb4870f64b13a45f5384b693614ae5ca1b5243edf461ca0b5a6d479a

SHA512
7081654001cba9263e6fb8d5b8570ba29a3de89621f52524aa7941ba9e6dfd963e5ef7b073f193b9df70300af04d7f72f93d0241d8c70ccdbecfd9092e166cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\ioSpecial.ini

Filesize
395B

MD5
ab44958118737ccba30eba8b07b3d863

SHA1
a8584a4afe01b2c307fedcd6b5f4b2da9ebb5f15

SHA256
b03e380e16ea4e6430139abba5b21010a06fdb97da45135fddfa7249f2be250d

SHA512
d31f7674943018d88ad2ae478b9313bb5dafaea0391ac2dfd48e46dafb7a842b0452e7adad4adefc8eb742945e594bfdbeb606c626a89284180de977c84dfdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\ioSpecial.ini

Filesize
735B

MD5
a2e582bfcc8d3c691e2f775d3e0ad7fa

SHA1
5665a895213084cc9c2553e02a551543489f70ea

SHA256
03588495a588c51e703a76bc25bb483aa0f7e67100b49b7dbfa2da16223c3c30

SHA512
ff68fd0b91f3899f14a884bf710dfa75f582d350f65f8d7bf043944539c018d7ab74c5e46693a71ce63ca1a35e927b5b451871796ae57cb273442f3fc6739b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\ioSpecial.ini

Filesize
673B

MD5
9cb7670a7120a1d1ba0dec063443b322

SHA1
0f9a324dfd8e595c512ad3b165790a9b6e9ef98b

SHA256
8c7b890ce75b901501906bf6cb5ae30536104c33bb53d0a363fb22c5be28a87e

SHA512
910685ae3c7ff1ff8c0d76bf784518ede04e6f4dd27fab50dd4da684e035803b689da9fafbb5fb0886a49d2ba9d46d321e2857fdd0a793d9d9bda8e23692a3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\ioSpecial.ini

Filesize
687B

MD5
7d72550c16d3e8eebcfd42099086ec04

SHA1
adb06ccecbcd52ff2861283fff7a6255d86a1410

SHA256
a9846641a33455925e4c45b0b4e23ca3af40e3536b6c772c65e82020243f866c

SHA512
3a9b47206b1177befcd2242fcbdb795a737fabb9a6e05ac70c9d3cf56f3b678402040238231bdf505c28ec70e99472bfb202d4d2f3ea1db0d003480d770da316

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
C:\Users\Admin\AppData\Roaming\SQLyog\sqlyog.ini

Filesize
85B

MD5
e49ca6af380a1c71ec16f953f5a19a49

SHA1
83730c2ba4075519a1a174922eae505fd68f85ee

SHA256
ef0897d1e50e41d7fb0adffe8dccfd9ee038521dab127120188cc9d9a857a914

SHA512
4685c4bc5afb63ce688a02192f88f88d2a776c64dcab5a5f86cd235775406a3c32f8445311ea22f6bebed1f56138fbd045c312240b7bf6c6ef07e2b553aa8e22

Download Submit
C:\Users\Admin\AppData\Roaming\SQLyog\sqlyog.ini

Filesize
110B

MD5
3d5badcb5ec5771a6ed558da3c7e86f8

SHA1
85f9e7fa398dd6f5ba4afc3beaf10cd5b3b8b86f

SHA256
0afc40ec9883bbea0363cf3f153094890ca7b766bf7e800f084107ce545b3d2f

SHA512
25d72d9fb8e0d8e0802cce9bbb7e7054fec017549623e0e178bc848f6af22e17c502fe4edf2988da2f4126c8bd074602db7737f6d77f235986346293840cfb2c

Download Submit
C:\Users\Admin\Downloads\sqlyog.exe

Filesize
9.1MB

MD5
2fa32dc3b9ca8e6f5c4b321b811a053b

SHA1
ce14235c0af4d7e20dabc65fc324fbe1a30a3ac2

SHA256
c7d917cbe4477fa140b58d50204b9219ff348eb02ba305ff9829573c20c3842f

SHA512
c8089f935e6d1555fcecdd25156d05692187a22eacb49e6c1a44a7cf177f2d0b36f4de926e6000f2d00812696709ce2faefd8f6d68be89dcd903d2f87c7cace5

Download Submit
C:\Users\Admin\Downloads\sqlyog.exe

Filesize
9.1MB

MD5
2fa32dc3b9ca8e6f5c4b321b811a053b

SHA1
ce14235c0af4d7e20dabc65fc324fbe1a30a3ac2

SHA256
c7d917cbe4477fa140b58d50204b9219ff348eb02ba305ff9829573c20c3842f

SHA512
c8089f935e6d1555fcecdd25156d05692187a22eacb49e6c1a44a7cf177f2d0b36f4de926e6000f2d00812696709ce2faefd8f6d68be89dcd903d2f87c7cace5

Download Submit
C:\Users\Admin\Downloads\sqlyog.exe

Filesize
9.1MB

MD5
2fa32dc3b9ca8e6f5c4b321b811a053b

SHA1
ce14235c0af4d7e20dabc65fc324fbe1a30a3ac2

SHA256
c7d917cbe4477fa140b58d50204b9219ff348eb02ba305ff9829573c20c3842f

SHA512
c8089f935e6d1555fcecdd25156d05692187a22eacb49e6c1a44a7cf177f2d0b36f4de926e6000f2d00812696709ce2faefd8f6d68be89dcd903d2f87c7cace5

Download Submit
memory/1352-772-0x000002B62E140000-0x000002B62E1CA000-memory.dmp

Filesize
552KB

Download
memory/1696-136-0x0000000002F30000-0x0000000002F3C000-memory.dmp

Filesize
48KB

Download
memory/3856-12-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3856-59-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3856-212-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4436-53-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4436-44-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4436-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4496-184-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4496-18-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4496-63-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4496-61-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4496-38-0x0000000003F80000-0x0000000003F8F000-memory.dmp

Filesize
60KB

Download
memory/4496-210-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4496-62-0x0000000003F80000-0x0000000003F8F000-memory.dmp

Filesize
60KB

Download
memory/4976-50-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4976-5-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download