amadey | aa80b73cd125316be25f70ca6a4caf5744b74305fb9a94d6b32ba8c327ea2812

Analysis

max time kernel
106s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2023 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exe
Size

1.4MB
MD5

b10b2d7c3e870140d8001018e04a7c40
SHA1

b65b2b92e03c6f8da0f303c9808f24fc3b7653c2
SHA256

aa80b73cd125316be25f70ca6a4caf5744b74305fb9a94d6b32ba8c327ea2812
SHA512

60f3ce6a74d5aa9ad9d1a7ee23701c59ab202456968bb32fded5e726f91d40429cf194d098d62020775220cb89b845ce359704a2368c4cbd068c0befd8106628
SSDEEP

24576:pyI8H2FHqo7NG753E/v8/Pz/F0hYbrbQ2U0A7blV4OcDV1o7XfzuHajqk6puo:cFmHR70gv8/Ld0hYnbQxl7blV4f1Wv2T

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

pixelnew

194.49.94.11:80

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

raccoon

Botnet

6a6a005b9aa778f606280c5fa24ae595

http://195.123.218.98:80

http://31.192.23

Attributes

user_agent
SunShineMoonLight

xor.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exe
3480	schtasks.exe
7352	schtasks.exe
9996	schtasks.exe

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/7924-447-0x0000000000220000-0x0000000000600000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/7940-519-0x0000000002D80000-0x000000000366B000-memory.dmp	family_glupteba
behavioral1/memory/7940-525-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/7940-667-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/7940-1732-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/5164-2593-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

E023.exeAppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	E023.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	E023.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	E023.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	E023.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	E023.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5948-857-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral1/memory/5948-864-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral1/memory/5948-935-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4580-56-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\DF76.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\DF76.exe	family_redline
behavioral1/memory/5016-161-0x0000000000550000-0x00000000005AA000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2iI657iQ.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2iI657iQ.exe	family_redline
behavioral1/memory/2960-169-0x00000000008B0000-0x00000000008EE000-memory.dmp	family_redline
behavioral1/memory/5016-223-0x0000000000400000-0x0000000000480000-memory.dmp	family_redline
behavioral1/memory/7048-538-0x00000000006F0000-0x000000000070E000-memory.dmp	family_redline
behavioral1/memory/6508-555-0x0000000000570000-0x00000000005AE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/7048-538-0x00000000006F0000-0x000000000070E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

latestX.exe

description	pid	process	target process
PID 3736 created 672	3736	latestX.exe	Explorer.EXE
PID 3736 created 672	3736	latestX.exe	Explorer.EXE
PID 3736 created 672	3736	latestX.exe	Explorer.EXE
PID 3736 created 672	3736	latestX.exe	Explorer.EXE
PID 3736 created 672	3736	latestX.exe	Explorer.EXE

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exerundll32.exerundll32.exe

flow pid process

193 7328 powershell.exe
200 7328 powershell.exe
255 7732 rundll32.exe
257 3408 rundll32.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

latestX.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts latestX.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

5460 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
193	7328	powershell.exe
200	7328	powershell.exe
255	7732	rundll32.exe
257	3408	rundll32.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

pid	process
5460	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3C91.exeUtsysc.exe5wc3zL2.exeexplothe.exe215.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	3C91.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	5wc3zL2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	215.exe

Executes dropped EXE 47 IoCs

Processes:

XA7aC20.exeqL7eT39.execn1lY30.exeAw3Ev67.exe1ZD08CJ5.exe2XD2882.exe3hj21Zc.exe4Li223Uq.exe5wc3zL2.exeexplothe.exe6nx6GN1.exeDCE3.exeDDBE.exeIN8gZ5gn.exexU8mT4YJ.exeFb6jM0Il.exeDF76.exenk2Rg5kr.exe1dI10GX0.exeE023.exeE14D.exeE371.exe2iI657iQ.exeexplothe.exe215.exe187D.exeInstallSetup5.exetoolspub2.exe2668.exe31839b57a4f11171d6abc8bbc4451ee4.exeBroom.exepowershell.exetoolspub2.exe3C91.exelatestX.exe4CDE.exe5849.exenetsh.exeLzmwAqmV.exeis-7AQFA.tmpUtsysc.exeIsoBuster.exeIsoBuster.exe31839b57a4f11171d6abc8bbc4451ee4.exeexplothe.exeUtsysc.exeupdater.exe

pid	process
5108	XA7aC20.exe
4392	qL7eT39.exe
1436	cn1lY30.exe
4912	Aw3Ev67.exe
1508	1ZD08CJ5.exe
832	2XD2882.exe
1296	3hj21Zc.exe
720	4Li223Uq.exe
2208	5wc3zL2.exe
3032	explothe.exe
2952	6nx6GN1.exe
396	DCE3.exe
2256	DDBE.exe
4764	IN8gZ5gn.exe
4068	xU8mT4YJ.exe
5048	Fb6jM0Il.exe
3052	DF76.exe
3284	nk2Rg5kr.exe
3648	1dI10GX0.exe
3852	E023.exe
3568	E14D.exe
5016	E371.exe
2960	2iI657iQ.exe
2120	explothe.exe
5368	215.exe
6360	187D.exe
5504	InstallSetup5.exe
7240	toolspub2.exe
7924	2668.exe
7940	31839b57a4f11171d6abc8bbc4451ee4.exe
8176	Broom.exe
7328	powershell.exe
7312	toolspub2.exe
4472	3C91.exe
3736	latestX.exe
7048	4CDE.exe
6508	5849.exe
5748	netsh.exe
7828	LzmwAqmV.exe
5392	is-7AQFA.tmp
6764	Utsysc.exe
5960	IsoBuster.exe
4884	IsoBuster.exe
5164	31839b57a4f11171d6abc8bbc4451ee4.exe
5328	explothe.exe
5728	Utsysc.exe
3816	updater.exe

Loads dropped DLL 8 IoCs

Processes:

E371.exeis-7AQFA.tmp2668.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

5016 E371.exe
5016 E371.exe
5392 is-7AQFA.tmp
7924 2668.exe
7564 rundll32.exe
3852 rundll32.exe
7732 rundll32.exe
3408 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

E023.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" E023.exe

pid	process
5016	E371.exe
5016	E371.exe
5392	is-7AQFA.tmp
7924	2668.exe
7564	rundll32.exe
3852	rundll32.exe
7732	rundll32.exe
3408	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	E023.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

3C91.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3C91.exe
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3C91.exe
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3C91.exe
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3C91.exe
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3C91.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exeqL7eT39.exeDCE3.exexU8mT4YJ.exeFb6jM0Il.exenk2Rg5kr.exeXA7aC20.execn1lY30.exeAw3Ev67.exeIN8gZ5gn.exe187D.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	qL7eT39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	DCE3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	xU8mT4YJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Fb6jM0Il.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	nk2Rg5kr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	XA7aC20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	cn1lY30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Aw3Ev67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	IN8gZ5gn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\187D.exe'\""	187D.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

197 api.ipify.org
204 api.ipify.org
Detected potential entity reuse from brand paypal.
phishing paypal

flow	ioc
197	api.ipify.org
204	api.ipify.org

Drops file in System32 directory 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

1ZD08CJ5.exe2XD2882.exe4Li223Uq.exe1dI10GX0.exetoolspub2.exe2668.exe

description	pid	process	target process
PID 1508 set thread context of 4256	1508	1ZD08CJ5.exe	AppLaunch.exe
PID 832 set thread context of 4020	832	2XD2882.exe	AppLaunch.exe
PID 720 set thread context of 4580	720	4Li223Uq.exe	AppLaunch.exe
PID 3648 set thread context of 1276	3648	1dI10GX0.exe	AppLaunch.exe
PID 7240 set thread context of 7312	7240	toolspub2.exe	toolspub2.exe
PID 7924 set thread context of 5948	7924	2668.exe	RegAsm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 35 IoCs

Processes:

is-7AQFA.tmplatestX.exe

description	ioc	process
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-MDD0G.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-M90LH.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Online\is-TPGQV.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\is-8FH15.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-DRN09.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-00ASP.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-BKDO6.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-CRE4P.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-9RHVP.tmp	is-7AQFA.tmp
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-JG04F.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-72BOC.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-24GLS.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-V1IE8.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\is-HM67S.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-VMROO.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Help\is-S6U1R.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-QP6LV.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\unins000.dat	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-14UJ5.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-7EDSQ.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-82B88.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-KDOMC.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-549QC.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-71N4I.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-DP0RJ.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-ESMFN.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Online\is-QHEB2.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-5F8QF.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-03NP5.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-IMCVU.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-I218L.tmp	is-7AQFA.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-SNEQN.tmp	is-7AQFA.tmp
File opened for modification	C:\Program Files (x86)\Smart Projects\IsoBuster\unins000.dat	is-7AQFA.tmp
File opened for modification	C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster.exe	is-7AQFA.tmp

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5088 sc.exe
6972 sc.exe
7752 sc.exe
7752 sc.exe
3836 sc.exe
6980 sc.exe
5252 sc.exe
6436 sc.exe
5656 sc.exe
5612 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5088	sc.exe
6972	sc.exe
7752	sc.exe
7752	sc.exe
3836	sc.exe
6980	sc.exe
5252	sc.exe
6436	sc.exe
5656	sc.exe
5612	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4620	4020	WerFault.exe	AppLaunch.exe
4908	1276	WerFault.exe	AppLaunch.exe
2596	5016	WerFault.exe	E371.exe
6572	5948	WerFault.exe	RegAsm.exe
7100	7940	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3hj21Zc.exetoolspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3hj21Zc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3hj21Zc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3hj21Zc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3480 schtasks.exe
7352 schtasks.exe
9996 schtasks.exe

pid	process
3480	schtasks.exe
7352	schtasks.exe
9996	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3hj21Zc.exeAppLaunch.exeExplorer.EXE

pid	process
1296	3hj21Zc.exe
1296	3hj21Zc.exe
4256	AppLaunch.exe
4256	AppLaunch.exe
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

672 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

3hj21Zc.exetoolspub2.exe

pid process

1296 3hj21Zc.exe
7312 toolspub2.exe

pid	process
672	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	process
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exeExplorer.EXEE023.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4256	AppLaunch.exe
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeDebugPrivilege	3852	E023.exe
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeDebugPrivilege	7328	powershell.exe
Token: SeShutdownPrivilege	672	Explorer.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exenetsh.exe

pid	process
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
5748	netsh.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Broom.exe

pid process

8176 Broom.exe

pid	process
8176	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exeXA7aC20.exeqL7eT39.execn1lY30.exeAw3Ev67.exe1ZD08CJ5.exe2XD2882.exe4Li223Uq.exe5wc3zL2.exeexplothe.exe

description	pid	process	target process
PID 2540 wrote to memory of 5108	2540	NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exe	XA7aC20.exe
PID 2540 wrote to memory of 5108	2540	NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exe	XA7aC20.exe
PID 2540 wrote to memory of 5108	2540	NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exe	XA7aC20.exe
PID 5108 wrote to memory of 4392	5108	XA7aC20.exe	qL7eT39.exe
PID 5108 wrote to memory of 4392	5108	XA7aC20.exe	qL7eT39.exe
PID 5108 wrote to memory of 4392	5108	XA7aC20.exe	qL7eT39.exe
PID 4392 wrote to memory of 1436	4392	qL7eT39.exe	cn1lY30.exe
PID 4392 wrote to memory of 1436	4392	qL7eT39.exe	cn1lY30.exe
PID 4392 wrote to memory of 1436	4392	qL7eT39.exe	cn1lY30.exe
PID 1436 wrote to memory of 4912	1436	cn1lY30.exe	Aw3Ev67.exe
PID 1436 wrote to memory of 4912	1436	cn1lY30.exe	Aw3Ev67.exe
PID 1436 wrote to memory of 4912	1436	cn1lY30.exe	Aw3Ev67.exe
PID 4912 wrote to memory of 1508	4912	Aw3Ev67.exe	1ZD08CJ5.exe
PID 4912 wrote to memory of 1508	4912	Aw3Ev67.exe	1ZD08CJ5.exe
PID 4912 wrote to memory of 1508	4912	Aw3Ev67.exe	1ZD08CJ5.exe
PID 1508 wrote to memory of 4360	1508	1ZD08CJ5.exe	AppLaunch.exe
PID 1508 wrote to memory of 4360	1508	1ZD08CJ5.exe	AppLaunch.exe
PID 1508 wrote to memory of 4360	1508	1ZD08CJ5.exe	AppLaunch.exe
PID 1508 wrote to memory of 4256	1508	1ZD08CJ5.exe	AppLaunch.exe
PID 1508 wrote to memory of 4256	1508	1ZD08CJ5.exe	AppLaunch.exe
PID 1508 wrote to memory of 4256	1508	1ZD08CJ5.exe	AppLaunch.exe
PID 1508 wrote to memory of 4256	1508	1ZD08CJ5.exe	AppLaunch.exe
PID 1508 wrote to memory of 4256	1508	1ZD08CJ5.exe	AppLaunch.exe
PID 1508 wrote to memory of 4256	1508	1ZD08CJ5.exe	AppLaunch.exe
PID 1508 wrote to memory of 4256	1508	1ZD08CJ5.exe	AppLaunch.exe
PID 1508 wrote to memory of 4256	1508	1ZD08CJ5.exe	AppLaunch.exe
PID 4912 wrote to memory of 832	4912	Aw3Ev67.exe	2XD2882.exe
PID 4912 wrote to memory of 832	4912	Aw3Ev67.exe	2XD2882.exe
PID 4912 wrote to memory of 832	4912	Aw3Ev67.exe	2XD2882.exe
PID 832 wrote to memory of 4020	832	2XD2882.exe	AppLaunch.exe
PID 832 wrote to memory of 4020	832	2XD2882.exe	AppLaunch.exe
PID 832 wrote to memory of 4020	832	2XD2882.exe	AppLaunch.exe
PID 832 wrote to memory of 4020	832	2XD2882.exe	AppLaunch.exe
PID 832 wrote to memory of 4020	832	2XD2882.exe	AppLaunch.exe
PID 832 wrote to memory of 4020	832	2XD2882.exe	AppLaunch.exe
PID 832 wrote to memory of 4020	832	2XD2882.exe	AppLaunch.exe
PID 832 wrote to memory of 4020	832	2XD2882.exe	AppLaunch.exe
PID 832 wrote to memory of 4020	832	2XD2882.exe	AppLaunch.exe
PID 832 wrote to memory of 4020	832	2XD2882.exe	AppLaunch.exe
PID 1436 wrote to memory of 1296	1436	cn1lY30.exe	3hj21Zc.exe
PID 1436 wrote to memory of 1296	1436	cn1lY30.exe	3hj21Zc.exe
PID 1436 wrote to memory of 1296	1436	cn1lY30.exe	3hj21Zc.exe
PID 4392 wrote to memory of 720	4392	qL7eT39.exe	4Li223Uq.exe
PID 4392 wrote to memory of 720	4392	qL7eT39.exe	4Li223Uq.exe
PID 4392 wrote to memory of 720	4392	qL7eT39.exe	4Li223Uq.exe
PID 720 wrote to memory of 4580	720	4Li223Uq.exe	AppLaunch.exe
PID 720 wrote to memory of 4580	720	4Li223Uq.exe	AppLaunch.exe
PID 720 wrote to memory of 4580	720	4Li223Uq.exe	AppLaunch.exe
PID 720 wrote to memory of 4580	720	4Li223Uq.exe	AppLaunch.exe
PID 720 wrote to memory of 4580	720	4Li223Uq.exe	AppLaunch.exe
PID 720 wrote to memory of 4580	720	4Li223Uq.exe	AppLaunch.exe
PID 720 wrote to memory of 4580	720	4Li223Uq.exe	AppLaunch.exe
PID 720 wrote to memory of 4580	720	4Li223Uq.exe	AppLaunch.exe
PID 5108 wrote to memory of 2208	5108	XA7aC20.exe	5wc3zL2.exe
PID 5108 wrote to memory of 2208	5108	XA7aC20.exe	5wc3zL2.exe
PID 5108 wrote to memory of 2208	5108	XA7aC20.exe	5wc3zL2.exe
PID 2208 wrote to memory of 3032	2208	5wc3zL2.exe	explothe.exe
PID 2208 wrote to memory of 3032	2208	5wc3zL2.exe	explothe.exe
PID 2208 wrote to memory of 3032	2208	5wc3zL2.exe	explothe.exe
PID 2540 wrote to memory of 2952	2540	NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exe	6nx6GN1.exe
PID 2540 wrote to memory of 2952	2540	NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exe	6nx6GN1.exe
PID 2540 wrote to memory of 2952	2540	NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exe	6nx6GN1.exe
PID 3032 wrote to memory of 3480	3032	explothe.exe	schtasks.exe
PID 3032 wrote to memory of 3480	3032	explothe.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

3C91.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3C91.exe

outlook_win_path 1 IoCs

Processes:

3C91.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3C91.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Users\Admin\AppData\Local\Temp\NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b10b2d7c3e870140d8001018e04a7c40_JC.exe"
2⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XA7aC20.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XA7aC20.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qL7eT39.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qL7eT39.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cn1lY30.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cn1lY30.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Aw3Ev67.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Aw3Ev67.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4912

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD08CJ5.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD08CJ5.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:4360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XD2882.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XD2882.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 540
9⤵
- Program crash
PID:4620

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hj21Zc.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hj21Zc.exe
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1296

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Li223Uq.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Li223Uq.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5wc3zL2.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5wc3zL2.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
6⤵
- DcRat
- Creates scheduled task(s)
PID:3480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2832

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
7⤵
PID:1584

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
7⤵
PID:4576

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2884

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:2380

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:7564

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6nx6GN1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6nx6GN1.exe
3⤵
- Executes dropped EXE
PID:2952

C:\Users\Admin\AppData\Local\Temp\DCE3.exe
C:\Users\Admin\AppData\Local\Temp\DCE3.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:396

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IN8gZ5gn.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IN8gZ5gn.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4764

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xU8mT4YJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xU8mT4YJ.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4068

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fb6jM0Il.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fb6jM0Il.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5048

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nk2Rg5kr.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nk2Rg5kr.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3284

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1dI10GX0.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1dI10GX0.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:4268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 540
9⤵
- Program crash
PID:4908

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2iI657iQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2iI657iQ.exe
7⤵
- Executes dropped EXE
PID:2960

C:\Users\Admin\AppData\Local\Temp\DDBE.exe
C:\Users\Admin\AppData\Local\Temp\DDBE.exe
2⤵
- Executes dropped EXE
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEC9.bat" "
2⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
3⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffefd9146f8,0x7ffefd914708,0x7ffefd914718
4⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,13618643043944897911,14497603694530206792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
4⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,13618643043944897911,14497603694530206792,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
4⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefd9146f8,0x7ffefd914708,0x7ffefd914718
4⤵
PID:2984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
4⤵
PID:5708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
4⤵
PID:6012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
4⤵
PID:6004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2484 /prefetch:8
4⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
4⤵
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
4⤵
PID:7072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
4⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
4⤵
PID:6196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
4⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
4⤵
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
4⤵
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
4⤵
PID:7044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
4⤵
PID:7372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
4⤵
PID:7344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8012 /prefetch:1
4⤵
PID:6944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7996 /prefetch:1
4⤵
PID:6348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7984 /prefetch:1
4⤵
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
4⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9032 /prefetch:1
4⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8040 /prefetch:8
4⤵
PID:6960

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8040 /prefetch:8
4⤵
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
4⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7664 /prefetch:8
4⤵
PID:6544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10843124107981209428,15021400288883710052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2128 /prefetch:1
4⤵
PID:6356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
3⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefd9146f8,0x7ffefd914708,0x7ffefd914718
4⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,1672416308228957951,17989034301237444680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
4⤵
PID:5872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,1672416308228957951,17989034301237444680,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
4⤵
PID:5668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
3⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefd9146f8,0x7ffefd914708,0x7ffefd914718
4⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6375511771078329030,1186865031959317761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
4⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6375511771078329030,1186865031959317761,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
4⤵
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
3⤵
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefd9146f8,0x7ffefd914708,0x7ffefd914718
4⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,17516227546607852117,3366654209367936704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
4⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17516227546607852117,3366654209367936704,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
4⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
3⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefd9146f8,0x7ffefd914708,0x7ffefd914718
4⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,5968101006149404776,11463686350036503969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
4⤵
PID:5972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5968101006149404776,11463686350036503969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
4⤵
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
3⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefd9146f8,0x7ffefd914708,0x7ffefd914718
4⤵
PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,14933202634251735815,14784474684240750554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
4⤵
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14933202634251735815,14784474684240750554,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
4⤵
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
3⤵
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,10506010094037371628,16760648415772947516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
4⤵
PID:5660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,10506010094037371628,16760648415772947516,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
4⤵
PID:5652

C:\Users\Admin\AppData\Local\Temp\DF76.exe
C:\Users\Admin\AppData\Local\Temp\DF76.exe
2⤵
- Executes dropped EXE
PID:3052

C:\Users\Admin\AppData\Local\Temp\E023.exe
C:\Users\Admin\AppData\Local\Temp\E023.exe
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Users\Admin\AppData\Local\Temp\E14D.exe
C:\Users\Admin\AppData\Local\Temp\E14D.exe
2⤵
- Executes dropped EXE
PID:3568

C:\Users\Admin\AppData\Local\Temp\E371.exe
C:\Users\Admin\AppData\Local\Temp\E371.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 796
3⤵
- Program crash
PID:2596

C:\Users\Admin\AppData\Local\Temp\215.exe
C:\Users\Admin\AppData\Local\Temp\215.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5368

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
3⤵
- Executes dropped EXE
PID:5504

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:8176

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7240

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:7312

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
PID:7940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:7332

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
PID:5164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:7720

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:5948

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:5460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Modifies data under HKEY_USERS
PID:3276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5020

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
PID:4728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:9648

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- DcRat
- Creates scheduled task(s)
PID:9996

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:10036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:10056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:7608

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7940 -s 908
4⤵
- Program crash
PID:7100

C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
3⤵
PID:7328

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
4⤵
- Executes dropped EXE
PID:7828

C:\Users\Admin\AppData\Local\Temp\is-K919H.tmp\is-7AQFA.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K919H.tmp\is-7AQFA.tmp" /SL4 $C003E "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" 5464434 154112
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:5392

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
6⤵
PID:8068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
7⤵
PID:8044

C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster.exe
"C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster.exe" -i
6⤵
- Executes dropped EXE
PID:5960

C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster.exe
"C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster.exe" -s
6⤵
- Executes dropped EXE
PID:4884

C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:3736

C:\Users\Admin\AppData\Local\Temp\187D.exe
C:\Users\Admin\AppData\Local\Temp\187D.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6360

C:\Users\Admin\AppData\Local\Temp\2668.exe
C:\Users\Admin\AppData\Local\Temp\2668.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:7924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 572
4⤵
- Program crash
PID:6572

C:\Users\Admin\AppData\Local\Temp\3C91.exe
C:\Users\Admin\AppData\Local\Temp\3C91.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4472

C:\Users\Admin\AppData\Local\Temp\4CDE.exe
C:\Users\Admin\AppData\Local\Temp\4CDE.exe
2⤵
- Executes dropped EXE
PID:7048

C:\Users\Admin\AppData\Local\Temp\5849.exe
C:\Users\Admin\AppData\Local\Temp\5849.exe
2⤵
- Executes dropped EXE
PID:6508

C:\Users\Admin\AppData\Local\Temp\5E35.exe
C:\Users\Admin\AppData\Local\Temp\5E35.exe
2⤵
PID:5748

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:6764

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:7352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "Admin:N"&&CACLS "..\ea7c8244c8" /P "Admin:R" /E&&Exit
4⤵
PID:7720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3264

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:N"
5⤵
PID:5244

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:R" /E
5⤵
PID:8080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4240

C:\Windows\SysWOW64\cacls.exe
CACLS "..\ea7c8244c8" /P "Admin:N"
5⤵
PID:8156

C:\Windows\SysWOW64\cacls.exe
CACLS "..\ea7c8244c8" /P "Admin:R" /E
5⤵
PID:1840

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:3852

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3408

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:5748

C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\771604342093_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
6⤵
PID:5140

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:7732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:4164

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:6592

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3836

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:5088

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:6972

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:7752

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:5612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7328

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:6392

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4788

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:8144

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:5244

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:7592

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:8172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:3740

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:5316

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:7752

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:6980

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:5252

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:6436

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:5656

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:6852

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:5632

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:7984

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:4816

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:6076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:3324

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:6796

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4020 -ip 4020
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1276 -ip 1276
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5016 -ip 5016
1⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefd9146f8,0x7ffefd914708,0x7ffefd914718
1⤵
PID:828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5948 -ip 5948
1⤵
PID:6564

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7940 -ip 7940
1⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5328

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
1⤵
- Executes dropped EXE
PID:5728

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:3816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\45bc31df-ca9c-4458-9038-59ac1e47ed8b.tmp
Filesize
2KB

MD5
11ca180570e53274ad1a61e51c4d1a93

SHA1
774a63f416d274efffa02d156389dc006bd5d5ad

SHA256
15010ca560f0135397fb40196fd7ca23e8e4dac0bffe28913900239621f58df4

SHA512
c41ac81357757e49529b1c00b004793e65700fdadf290c49b916b5256a4eb64cbdfbcb722534b2d6fdef02cf15f943ed8c3ed43bd93ef82b92186a58ec881b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005a
Filesize
184KB

MD5
990324ce59f0281c7b36fb9889e8887f

SHA1
35abc926cbea649385d104b1fd2963055454bf27

SHA256
67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc

SHA512
31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
8ad772a5de7588207dba98566ac02647

SHA1
a4e35d24aaebb0c2ea85df1fc1388ad4878e562d

SHA256
9274db47cdf2a7f27edf589c74e44ccb7885d3d9d1da4dae815d43f831fb984f

SHA512
36e7d8f24ad8d485db09f5571114dc0e4ce986ecdf71367d6e811410a4125a73bd96ef9a67150378e1c44567c0835cb99b9ac7dc53cb242084b12e04a14cc8ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
3d255191ed013cd9247feb54f2bac167

SHA1
35b711b0c8281e36dab2969926549ff8c49434d1

SHA256
552e799a59d9243e6593ef691141dfa0371919fba6f5ae97f8fbb96e3e116407

SHA512
8a258c6c89f112708c6a80dea434bd2741b05aa2afc8d93ea5f8a306e1d069af4bfe8d4c60e4335e33e2f6195cbbd61173d132e100ac9c1304e162a00418c9b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
1a02124e16b4544a0a6c6cb805a04b4d

SHA1
ba43ddf422aaa3e58d50053f4811270c1b7ac7b5

SHA256
229495aaae38ab4a4e890d638a76c69d9e392ef6380a893cb4defa39c1b0aa85

SHA512
a82bdfdb7a1ce09f2cf7c760b3b33e434a1f8b725c820273327ad5996839000000b21b604623cb58f3526e28319756ce0e13cb52e8b3bef61286f8a13053054b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
0dbc42af7c3137f25c023811c868fe42

SHA1
c4bb10a0d12f28659b085453388d2b042b49d358

SHA256
efa9415216460266dc3aef859382cbcc04f8771e5fb36435bf03b762a38c25ef

SHA512
fef09aacd616c824991c1811509c6c22d12bc96d58827ba7b01d0019da313979f1faa169f5155c3a645a58ada101f9540c79102d92318fe85789e920509c3545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
f15fa78c5578013e295f6dd412c8acec

SHA1
c183b4df86ee9455f4784b33dcc1c5cdece9ac5c

SHA256
13053905074527f1c850cffd867601b0fddf759f0feadeee828c5e247a68c284

SHA512
72f4e1b44e77f6f25d2523308928e6e435a601ce7c7799fc6138fbb2f7bdb37cd87ed015f80a7d81a868ec7d07dbb1ce1e71f9f614937a2165136e28083223c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
be58d1a13a89194019436adc2866736e

SHA1
30e8211d6dfe84ed0dad917553898faa5ac01091

SHA256
6c38034a4c4a3c7c3b92f9336e190b6d7e23387c9d7aff238ecab4b60b95851e

SHA512
7fda56aaa31db297ef7f6d8901ced5a938cda852eb8733a6e3b070b9df272c7d5cc767419f0045d53944b472b44872540d7eb1f5a084ed0db3c8393b4ab7be21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
5180bfeba24a97fd28bd924f978df249

SHA1
91e6070a86f62c2e2b53f60869f2291302b47c77

SHA256
48ff9895dc9de9652e2981d04fb6e1c5507bcf674a190c7cb53d479f4dcc90d9

SHA512
6fd6f77bce779397bf3b7ed2bdb7d8fb3f60502a8f42732e01fd0f6e12f17b3230887ac1badc1a46316e39ceaf38320cae8f8d16a926f660e18c6fa1137b2b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
e2565e589c9c038c551766400aefc665

SHA1
77893bb0d295c2737e31a3f539572367c946ab27

SHA256
172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80

SHA512
5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\10e8aa61-d9c8-411e-af41-bd198d3c57df\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
080142d559c85e4bbe5e75389242d2f7

SHA1
daee1b4f898af40af3a59227284e3c493c2fa98c

SHA256
75fbe32c6141a18a45e0c2fde87d59933b1981846da06824966e287fb6425310

SHA512
cad54349002ae92ca1f51b4ef730465c9579d838972623a0b55f939b5af5f62f261434ee4b6474d3839276b799a21274e1a3de4433b12f8165348ad0046fc905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
155B

MD5
a3b416e8cd64b72fbbbb21b7efdcd4f0

SHA1
7192724d8b65c30f2adce99986659ed2bf467fbb

SHA256
cc09890c39c7b7ce3c194912313cb51092f5a7174528ac139c67d4aa545228fb

SHA512
6d0d90b96efb82ed67c90a843cc9f8cc2d4403e9eecd73661ea463ce866974e2d9e4c21c9dab731b5c60e8334e9a5657bf0877a8321a9d335f0e8684e03c8ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
d88f86c3a24dd00ce05a3fee7e4cfc29

SHA1
4f65482099c9075ad92a1dd337af0c242d25f396

SHA256
273212238ec645f08e22d84688a533e93b76733865cdec0207873b42778c5290

SHA512
e0cfee840bde2b61b0d9b0bcae78804352fa2a56c9cea8357b81e7df309b3b2a11ef917070451635ba44ab35b30ddc812dd7d7d1e6239d7570017f7291cd73a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe59067e.TMP
Filesize
89B

MD5
b0314d14f4ffb83527d47369a2489665

SHA1
f0fe4b78c716574cfc055296dc589b21a87886bc

SHA256
c48347884a55d31487d0906d210a1cd9c058f6fe073b4a2ecf21c6390179e29e

SHA512
16b528ed340cc089129cfc5af7c3741387994e6de9c0b1c4bf3495acf47e38132f2ddda906ed967ad5573f593356f3ccca55badafe94e169b81ba91578701ff3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\cbaca601-660e-4bc0-9ec4-c6e13fbf9158\index-dir\the-real-index
Filesize
72B

MD5
a3a3a050ddc954d09646d4e76dcd70f5

SHA1
c1927036abf772b40cb8a0755c5d75e5a8121547

SHA256
60de48f628af3b9025437465516705a4a79a773a5091720ac1a1f2e9109a5928

SHA512
6af691b8355421ee4d563fc02d9e4050af746934f47d2619b55ec45b628080da6e59af9d7a2e222ea89daa7310f895f043e624b16bc1a99683ea7ab576b94f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\cbaca601-660e-4bc0-9ec4-c6e13fbf9158\index-dir\the-real-index~RFe58cb0b.TMP
Filesize
48B

MD5
adfc4a38b5a4afcd46b5269cb150cff9

SHA1
b196e3630704749abf0883fced756a8a6523426e

SHA256
5a2fab8bf4f491984dedfd3342e384c709eabdb06885ab530a64d603cd90952b

SHA512
699dd46765c59b70a6efee9d617c1f77819464f4a20018cec6e442a44fc53388ed45c5ff728d2f34697ed86d781f6d32d6f6cb45d7451c2a71042c268c99bfff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt
Filesize
140B

MD5
037753f2a32fbabcba103cdd83c86eb6

SHA1
1bea5db4bedf437df6bd57bad668a39117b8424c

SHA256
ca649704e4209eca18908e065069231bb72ce31590901c5a467386b8d42ad75d

SHA512
b5f8d9c011baf8a9f0677b2b76146ca1f7eac67756e7ac0d50903965f75af6da5ff0905fc9f23cf3d6fcf61c47b46b49160fe3e50aeb88ef943bf0da2fb44ad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe587961.TMP
Filesize
83B

MD5
d4e4191b14303cc1e7944836b0cc921a

SHA1
53572e7133cba54e9e68975b39ea1d63fe645c81

SHA256
2ec53de926de5a37dabe0700bbb8c16f08abb3dc578c7abc8bf7c3ccfbd9ecf4

SHA512
e69fc0e33180f0482b31fed137c4001b948a69152e1fc5dc4835e8a28faa462cd82d22ff6f1d4c1c28b95b8f149288daac8433474b4f77a281fa11b729aafc6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
69e91d2ef09055c4fd7fd942f26302e3

SHA1
5a1301945a05caff8e4f3423000d28c0f9bc77a1

SHA256
5f7e0365bde8519a0145974e52c8e1c412159af78493ca1e4bc9d7df401eb6e4

SHA512
a5c8f9e623841de98952a007ba9a79321011b22cf32870e446d4b59445a4233f86136b1aa7dccbf12c29106b905a837385fd89581344a3e5bf1f05ce0a700401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58c791.TMP
Filesize
48B

MD5
9ddd67fedc84badb0954e1f16eca1735

SHA1
5738fa0250b00a22d05c96b3def8f604eac4ccce

SHA256
ebdb7aa517a8a84075353380faaf8c5f011d2e3b87035bbd43c53cb49f99310b

SHA512
c7db54cba356eac118bd769692ea639d895f07341c994eb064536f65245609b5a708a3d31633e6a7067b540a8b77408f4fd9a2a9c85f649810f23d0ef49e545b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
9d233215539d7901c7d6a06de220f328

SHA1
92cc90fa28432d70076d28619eefa9bf02f4f441

SHA256
a13d735f60decfa5fa4ef0e7cb0a0af978907dda6a299569e1844869fe91c745

SHA512
30061fc5679814e4019981a7332aa37506bfd816e9535b3297ae069e574c60fa4634d07c4c66d73922fa07ea00866516d458bf4c1460bd74a8acc0326d4469c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
83334c8fb5268994cac468f87d9e79f5

SHA1
fd982009ed2424360c4d9386bcecdcbc70dda484

SHA256
d68e91f7eeb358b4d9aa471088c86154c6c70c722c0802a474e2a512c42bb588

SHA512
52888eec10ece341f87e8f49dae04e047525fc245756fb0d4a262b3331fbaa89705d33076c60e8e2a6f3abf6cce045d225b17f05c209eb47f2fc40360ddf0521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
883d8c71cd52f19b23b6b651bbc36318

SHA1
b9e4137caab48eb2f0bd2b4776bcd3ae66554a05

SHA256
538f49805f5bc88a74f0ccc8a6a5ad59cc095b6b2c01132f3c023edf46facdbf

SHA512
451ea1669dc0d96faa42d2a87d274a7be5874131945d1244c72f27d9b7c48ddc66931683c6c7bca7f67ee6a846c6cb687c920f5f319bbf160ea4ca0f69d5914e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
105fb9616e7cafb0e5dd988e0d37a241

SHA1
0d4f792ba64d78acd6e07eba534e90998afa47cc

SHA256
60670fe5f3eb2b0ad1673d9443bab5ecb2a4816b108b804ba458eef031aac431

SHA512
4a03b198fad89b2381baa7dfe706f6686fb3c1d756a10a8ea505c0e263571ce20a43b85f318a4714d3600f3304bbe92255382da891bba480f7d3dcc366164ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
605a2f4a772d38870ceedb89346c7bd8

SHA1
d6ce83a1a4472d5cd79d48eb6c3178eb1e24081b

SHA256
4415f0284a480e1c69c4a4273c36cee609418e007fd52f6321b84251f521b921

SHA512
2668a07c4c70c221cc759c1bea7fb2adb1c3b92f4ede059eefa2973c9fc0080c590e580d9539b7b16a8d743b89fca868f508bb9b9285520dc2e712bb25a119c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
24d2e17445843ff3ed7871757398f6ef

SHA1
766b0dc1bb6f6dd2384a7983feca9e27c684864f

SHA256
02d0211c2422f58c35e4031674deab2318b2f5f493a77b5ae2538827d941baac

SHA512
093e9086c6d9db4a0ab92aef2de36e7902adef0d3977e1dce2f98e15fe730409b4f573d411cffc63e3215f793c51b2428c11806db45661ef7db71dbfa81142e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
9b0bd310457e51e97b68295b9f30c3ea

SHA1
c3f9cafa794da0855934d3cf8cf6e2ae2a371449

SHA256
3b89a9610b366fd605f7231cd7b2a5c9173d40ea6fbdc7ab9416580e142a3b63

SHA512
844473898d1a01dd8ef5eced4a8892af106681aff97d2b27a67a8c01e22c40c01479a5d4a11a4fb78ca3fd7978351f4c2b89e745ed0761e321a143318af41115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ab00.TMP
Filesize
2KB

MD5
21b8f3802f9f5f167f23b8c75a43946b

SHA1
017dd9030a04186a7feb81b302d676789dd463b3

SHA256
47d36bb7f427b83f77218e8336ec921835a39c46de83c4ba1eb2cab67c7706ff

SHA512
c1b2a7ed913b4c5cee2b1c3ce26c7a79f2578912a0fb10d8d16b803fe0e9f0227fd8fe03503a3ba0f56f1346a2f6792fec66c059ac09a1e062cdc0e96c4b1ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
0091fc5308dd28b8a58b6c020280662f

SHA1
e076fa79c0e68f7b91bbc4fef66ea8a4a8308e29

SHA256
013d4e42a318c246354f79dd6ce6482c48b2dcea02208be7e14193c3feb3bb8b

SHA512
92f3a4d95d68235b857fa48a04538096cb325c49f7f235f25f7165e6462c420806e08797c8e2a98b1d9ae94adc903b5929c7366e5fa8b71610406c67476d4c48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
ec200ee3ccdbb643bcebec2ebd30a9c2

SHA1
de871b9d31399a169d6f21d43515ae7aa86e3840

SHA256
bbb982be4c64da1de9ea31f239c364c6bfbde24e0eae74b4ce7f8b69d82e223b

SHA512
ed44f3cbc2123ca4de9d96721fca51b8b69427c0252575b2039bb6ae2d6736817a165feb715bd81c663c9792512b7f30d3bb393d6f30563f47406189abd152e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
c574f0af4c735b5075bbdf6c0380efb2

SHA1
a7a2e9bb1f7cb435d6a2c050d99fd74a7a566c4f

SHA256
4c475ca9804d72cfa02c1a70e33cdd369b896c8bfbed3e0e0504cd31d03329fc

SHA512
07a4ca18ca6640f2f52118b121c3ff66adb68f8c408e777cf563cc4397e2459f672a93e30c5be1d1b287829300719fe3396c16dccb95528d161858e1e6be4b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
dfaf39ff49e7dcc21399c1d2dbaba8b9

SHA1
6bc09d5753750011dd2cbd78786aba2781d07fc0

SHA256
9e8fa28ffe6c3fcaa243ee2429779204f8bd7346c894855c7bbe0c3199fb79e4

SHA512
9a37d71771f234b0466bdcda7149ce1901efc22d94d8481037108f4ee0760d9502f355a256597a80c2480f8e5cd1a5259c99070c6e247bf8aa7476d16177883c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
1a870032648c291473533afe6986d95c

SHA1
11f284044896ef6a8fc90f8420a3cc886ebff4e4

SHA256
cc5094809514f6e99fb275f8a0934b36340384152c172d3be651e735dc61d330

SHA512
156a97e45b4391e2e82c9c9c024823a3a5d08af24b232c941bd56dc39ac1abb9a44516b6c61b850294be8854f0aa4927143f950491c478caa059885d1895658b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
9b8cee503a6f800f33fa55b05e9fb3b2

SHA1
17143e5743437f4708de58fde73efc9793c40579

SHA256
4c04df650285c365210fbcb66e947e88f440291d5f14ee1d96e0cf4a13fff4f1

SHA512
fc2df7f73f37e3efe1724b76e57d304efe8e653b9fcdb0bae3a3ba46cfef19ab6835fca28e57b4b064c8ba982698c9bcd8519c914a51e79a5346c38eb856150c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
706fbeda5ebd47567dc5abf92d7bb79f

SHA1
4de8543a4635accfb324fa96dd86234f85ea9d27

SHA256
973342b6045bf5045e4d76cb35213a7adfbacd4b294539b9acbb11f16ffc538c

SHA512
e410c7eba47c2d0fc382aae07416a2e3542a78f01d04e01922fa72bd8cdfce7092ff411d02ec90b71f4f76e804a17e018428f1e751c68943196bca988a1bb212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
fd4fac8fa59ff5b3255565ff40a5306b

SHA1
be07fee833b9943e17aa7b2d580c294a216c8337

SHA256
914391450d2318059730bd616c5d10a89329ecfe3c850fe9b87600f21045195d

SHA512
1905af9a06b7e94731fac5939fe0affd155475adf25ba1aea0d09c2a3acd1fad55f2628c1688d7cceb14774943ceb790b674473a955f679fb28f63c076d25c4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
1bd13b29e6b12831ebb7dc34857c9593

SHA1
2d9fcf8f3d8a77a86a21697b76e68ebaf08921a5

SHA256
02ca3087d5fde7fd3fb9223bc5211236a9266bf8f8c7c3aa71da61e038f84143

SHA512
7fb740b35240734577f32c3b385f7cf58bc77aca48b93c2497b35c6350f46883e727c76dbaa419875a6f34923d08c5c2a74e4ef7b52806478bf8f54282519ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.1MB

MD5
9879861f3899a47f923cb13ca048dcc1

SHA1
2c24fd7dec7e0c69b35a9c75d59c7c3db51f7980

SHA256
9f7ffdf942954fc527e1b68b996f3ed6ebbb4bd5a8e0ab9387167cd5fae47513

SHA512
6f51d51eaa653c7ec92de89baaeb402fb33ced558df060e3075498047a75e32396aa00d3bcc89f3cd4d4378ece96d75a54b7d9f4f6aaf459356325434698caa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\771604342093
Filesize
69KB

MD5
63c5761486100773b1973b06059a7624

SHA1
53e23c51bbcc510a7b5ddc7cd578d512bc40dffa

SHA256
d12f8835563799a33608354bbbe62cd7e36d59580706ce6762d541b0910dd144

SHA512
4278c2ba6963c8d6a1df35263beb002ec4c2fefd9378ebaa550c76f0d23c0453b5b843a43ea448ba6ccbb6672d0d01cb8b174930ec1619bfcbb8da4a14aaac20

Download Submit
C:\Users\Admin\AppData\Local\Temp\771604342093
Filesize
72KB

MD5
9db49c44939d1cdfcce08310cb30211c

SHA1
e9a6827f60d753fe491709d85728b83b3f3e0d48

SHA256
ece358a8ced170e0169763ea2fd98f569f1fa1802cb95fc4d9d937f8e34a2dd0

SHA512
d85e8257ba279f0ca36fd8ce02c5e9721588433d2b25f1b75d208ccf1b7f553bf9d69d911114054763b524070add162e416debbdaeb4bc6ecb02260b0a2981fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCE3.exe
Filesize
1.4MB

MD5
39f3058fb49612f68b87d17eabb77047

SHA1
797c61719127b2963a944f260c383c8db0b2fd98

SHA256
da3909df314616742246a7504698232b9842273aa085b7c1eea1b54b17b9ca4f

SHA512
2f3c742dbf27a2a520b9c389f60b6e8dd8cee79bb649045a7d6b5e25c1411303904a73ff32667a8bd1508c9dcfd4af7120ce0162aeb95647e1221508436c61c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCE3.exe
Filesize
1.4MB

MD5
39f3058fb49612f68b87d17eabb77047

SHA1
797c61719127b2963a944f260c383c8db0b2fd98

SHA256
da3909df314616742246a7504698232b9842273aa085b7c1eea1b54b17b9ca4f

SHA512
2f3c742dbf27a2a520b9c389f60b6e8dd8cee79bb649045a7d6b5e25c1411303904a73ff32667a8bd1508c9dcfd4af7120ce0162aeb95647e1221508436c61c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDBE.exe
Filesize
182KB

MD5
e561df80d8920ae9b152ddddefd13c7c

SHA1
0d020453f62d2188f7a0e55442af5d75e16e7caf

SHA256
5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea

SHA512
a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDBE.exe
Filesize
182KB

MD5
e561df80d8920ae9b152ddddefd13c7c

SHA1
0d020453f62d2188f7a0e55442af5d75e16e7caf

SHA256
5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea

SHA512
a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDBE.exe
Filesize
182KB

MD5
e561df80d8920ae9b152ddddefd13c7c

SHA1
0d020453f62d2188f7a0e55442af5d75e16e7caf

SHA256
5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea

SHA512
a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEC9.bat
Filesize
342B

MD5
e79bae3b03e1bff746f952a0366e73ba

SHA1
5f547786c869ce7abc049869182283fa09f38b1d

SHA256
900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63

SHA512
c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF76.exe
Filesize
221KB

MD5
73089952a99d24a37d9219c4e30decde

SHA1
8dfa37723afc72f1728ec83f676ffeac9102f8bd

SHA256
9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60

SHA512
7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF76.exe
Filesize
221KB

MD5
73089952a99d24a37d9219c4e30decde

SHA1
8dfa37723afc72f1728ec83f676ffeac9102f8bd

SHA256
9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60

SHA512
7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E023.exe
Filesize
11KB

MD5
d2ed05fd71460e6d4c505ce87495b859

SHA1
a970dfe775c4e3f157b5b2e26b1f77da7ae6d884

SHA256
3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f

SHA512
a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E023.exe
Filesize
11KB

MD5
d2ed05fd71460e6d4c505ce87495b859

SHA1
a970dfe775c4e3f157b5b2e26b1f77da7ae6d884

SHA256
3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f

SHA512
a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E14D.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\E14D.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\E371.exe
Filesize
500KB

MD5
99267c8824d4b28161a2ecec030ec588

SHA1
e478b1ab1733c6116edd204a3cf2c2ee7db49b4a

SHA256
6f12232e159de661dadd56f6f17a36a0d4e6ae24eba5c06f54fd2f7a8763feb0

SHA512
7be5fa7fdc2ffc9c753ce7a75fddf1ae54dd6eca79c6140eb0ce3cdcf663af7f4846d6ae051283a36ab4e47a96d9b7905e1b55a2d236c5234ecf850caed09df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E371.exe
Filesize
500KB

MD5
99267c8824d4b28161a2ecec030ec588

SHA1
e478b1ab1733c6116edd204a3cf2c2ee7db49b4a

SHA256
6f12232e159de661dadd56f6f17a36a0d4e6ae24eba5c06f54fd2f7a8763feb0

SHA512
7be5fa7fdc2ffc9c753ce7a75fddf1ae54dd6eca79c6140eb0ce3cdcf663af7f4846d6ae051283a36ab4e47a96d9b7905e1b55a2d236c5234ecf850caed09df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E371.exe
Filesize
500KB

MD5
99267c8824d4b28161a2ecec030ec588

SHA1
e478b1ab1733c6116edd204a3cf2c2ee7db49b4a

SHA256
6f12232e159de661dadd56f6f17a36a0d4e6ae24eba5c06f54fd2f7a8763feb0

SHA512
7be5fa7fdc2ffc9c753ce7a75fddf1ae54dd6eca79c6140eb0ce3cdcf663af7f4846d6ae051283a36ab4e47a96d9b7905e1b55a2d236c5234ecf850caed09df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E371.exe
Filesize
500KB

MD5
99267c8824d4b28161a2ecec030ec588

SHA1
e478b1ab1733c6116edd204a3cf2c2ee7db49b4a

SHA256
6f12232e159de661dadd56f6f17a36a0d4e6ae24eba5c06f54fd2f7a8763feb0

SHA512
7be5fa7fdc2ffc9c753ce7a75fddf1ae54dd6eca79c6140eb0ce3cdcf663af7f4846d6ae051283a36ab4e47a96d9b7905e1b55a2d236c5234ecf850caed09df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6nx6GN1.exe
Filesize
182KB

MD5
1cc3c11cfe6753e149dc85210719699a

SHA1
81a99192db3fe354084794acd3cc6e402cfada1e

SHA256
49c03af923b002d9c45e8b9b1c2b3e097cf3948ff3a53e0e80969f9c7e9231ca

SHA512
c242674df3e1f97a61f315bd8dae55998e4c37cbd0103164cfdb678fca187aa68e2d79a15089acc1e1f8a2f53f3ef19c57696a1fbd8247a20a13c41ca3b86988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6nx6GN1.exe
Filesize
182KB

MD5
1cc3c11cfe6753e149dc85210719699a

SHA1
81a99192db3fe354084794acd3cc6e402cfada1e

SHA256
49c03af923b002d9c45e8b9b1c2b3e097cf3948ff3a53e0e80969f9c7e9231ca

SHA512
c242674df3e1f97a61f315bd8dae55998e4c37cbd0103164cfdb678fca187aa68e2d79a15089acc1e1f8a2f53f3ef19c57696a1fbd8247a20a13c41ca3b86988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IN8gZ5gn.exe
Filesize
1.3MB

MD5
373b2e27b51ff6282238ef9761f67ff7

SHA1
135f31f3498e1a9565dce1b494dfd02d228f2020

SHA256
f0b66a21b94b5e228b7fb8f10896c5bac2301daa2609bd85da784697410921e0

SHA512
4e0989bab1264683c0796a0759bd32c9e42c31f8fd7bcf2db0e09cec5d0483f9701214c518d3b13effb61e8e61c049cb339d83c655664743f0d8668cb4f726fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IN8gZ5gn.exe
Filesize
1.3MB

MD5
373b2e27b51ff6282238ef9761f67ff7

SHA1
135f31f3498e1a9565dce1b494dfd02d228f2020

SHA256
f0b66a21b94b5e228b7fb8f10896c5bac2301daa2609bd85da784697410921e0

SHA512
4e0989bab1264683c0796a0759bd32c9e42c31f8fd7bcf2db0e09cec5d0483f9701214c518d3b13effb61e8e61c049cb339d83c655664743f0d8668cb4f726fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XA7aC20.exe
Filesize
1.2MB

MD5
259b5579ceebdb8422370da0e8f3052e

SHA1
567ab4d0267fa69bbfa83c23e6974239f673abf0

SHA256
94745adff85b603b62a3979a3c431599a75a5074f9b2c2d271472c3e1bc6a256

SHA512
5a3a48e12d0258bebc6430249a5d747592abf596878eb23495842f61c73122efedcfa5b1b5fca193b29661748278584071014049841a29ae7a1be1fdadbb78ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XA7aC20.exe
Filesize
1.2MB

MD5
259b5579ceebdb8422370da0e8f3052e

SHA1
567ab4d0267fa69bbfa83c23e6974239f673abf0

SHA256
94745adff85b603b62a3979a3c431599a75a5074f9b2c2d271472c3e1bc6a256

SHA512
5a3a48e12d0258bebc6430249a5d747592abf596878eb23495842f61c73122efedcfa5b1b5fca193b29661748278584071014049841a29ae7a1be1fdadbb78ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5wc3zL2.exe
Filesize
219KB

MD5
dff517be582ec89ff9649fc7903915ff

SHA1
c29f2fbb53677077da09910243ac873e152e7b77

SHA256
5f5175172d8fef68c59473b9b472ad71a9b9447fb9782a0edf9ae99d55a006b7

SHA512
76e9a4615172ec96e0759181bf26c4b4836928150edc08ca4acd1d1d6ea5400a23e4350d848ecf07769600318e4db2ea73cf15705d0567122d10d5b993bc2677

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5wc3zL2.exe
Filesize
219KB

MD5
dff517be582ec89ff9649fc7903915ff

SHA1
c29f2fbb53677077da09910243ac873e152e7b77

SHA256
5f5175172d8fef68c59473b9b472ad71a9b9447fb9782a0edf9ae99d55a006b7

SHA512
76e9a4615172ec96e0759181bf26c4b4836928150edc08ca4acd1d1d6ea5400a23e4350d848ecf07769600318e4db2ea73cf15705d0567122d10d5b993bc2677

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qL7eT39.exe
Filesize
1.0MB

MD5
e12b092d59f633491168ea72e9e53054

SHA1
3fdeb3434a528cc0333509f2bd69c6d565a756c9

SHA256
b602c75e2ab73e1fc067c43499ae73b5a80b39d5251c3ed9d4b96a06096268d2

SHA512
f3870d17b63a01a5782a3f4903954a15c6cb7d39fadf82a676a209e8bdef0951f888e5cdaa8271bea4bdb97c566f3226d6919941440259d7ade572ecfc5a7fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qL7eT39.exe
Filesize
1.0MB

MD5
e12b092d59f633491168ea72e9e53054

SHA1
3fdeb3434a528cc0333509f2bd69c6d565a756c9

SHA256
b602c75e2ab73e1fc067c43499ae73b5a80b39d5251c3ed9d4b96a06096268d2

SHA512
f3870d17b63a01a5782a3f4903954a15c6cb7d39fadf82a676a209e8bdef0951f888e5cdaa8271bea4bdb97c566f3226d6919941440259d7ade572ecfc5a7fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xU8mT4YJ.exe
Filesize
1.1MB

MD5
e2fac46557c196eaa454c436b2212532

SHA1
f07c2b07f75059801095b97236665b677e1ea4f6

SHA256
0d4ab871a8879a6d4412000f2fe45a889e213c60da5073006fa6b1cbd199dcd2

SHA512
cf0bc76d8b4c1929c22b6f0dd30456b338a7c50c29c28e7c12f21b7289a99559eaaa2a0c3d524196862eb99205cd4fc2263f611bc19d7ba30d3d240230ab5e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xU8mT4YJ.exe
Filesize
1.1MB

MD5
e2fac46557c196eaa454c436b2212532

SHA1
f07c2b07f75059801095b97236665b677e1ea4f6

SHA256
0d4ab871a8879a6d4412000f2fe45a889e213c60da5073006fa6b1cbd199dcd2

SHA512
cf0bc76d8b4c1929c22b6f0dd30456b338a7c50c29c28e7c12f21b7289a99559eaaa2a0c3d524196862eb99205cd4fc2263f611bc19d7ba30d3d240230ab5e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Li223Uq.exe
Filesize
1.1MB

MD5
cbd6882da7b4b8c3bca17d006c783983

SHA1
2572f05747dd11e26c0299f94265d386c3ae99b8

SHA256
b3f1c9913704a99058a691f6b66be27501b16f2ff6a807ca1d9fb24fe63b9c00

SHA512
98637cc860fca1bd3010b68160ca8f621d0d01637858cc8248b2a39ce82cf8939c12e4c5cce9eac126fb2426b491e51aaea588f0c02883ff4e3f722186d5bf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Li223Uq.exe
Filesize
1.1MB

MD5
cbd6882da7b4b8c3bca17d006c783983

SHA1
2572f05747dd11e26c0299f94265d386c3ae99b8

SHA256
b3f1c9913704a99058a691f6b66be27501b16f2ff6a807ca1d9fb24fe63b9c00

SHA512
98637cc860fca1bd3010b68160ca8f621d0d01637858cc8248b2a39ce82cf8939c12e4c5cce9eac126fb2426b491e51aaea588f0c02883ff4e3f722186d5bf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cn1lY30.exe
Filesize
647KB

MD5
21f402207b7d03b08896e1f36c2564ee

SHA1
98ab026bdedee777ab2b3e731f7e820da73d9798

SHA256
17b0c4d4ffda30be945a263ce86ccb55b0992e1bd954ef7694812fc2aeb8c155

SHA512
2103584728ac7789bd03e05d9a1fe988216247694c331cca87bfbd1467c3db44cb5b2793fde79e18ed75a823a59a764576cddb1a255845f29191d9185322cfb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cn1lY30.exe
Filesize
647KB

MD5
21f402207b7d03b08896e1f36c2564ee

SHA1
98ab026bdedee777ab2b3e731f7e820da73d9798

SHA256
17b0c4d4ffda30be945a263ce86ccb55b0992e1bd954ef7694812fc2aeb8c155

SHA512
2103584728ac7789bd03e05d9a1fe988216247694c331cca87bfbd1467c3db44cb5b2793fde79e18ed75a823a59a764576cddb1a255845f29191d9185322cfb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hj21Zc.exe
Filesize
30KB

MD5
3bba0a52a9698bfc294697bcd7c8e63a

SHA1
b26e1b334a4589dcc67f397dc9c393b924c5c6b3

SHA256
3042ba25b4c6f43380b9de722d659ebd9c845c5881296f107550ea35ef0fce54

SHA512
f0cd48b77dcf46f6967ca0ae545af997195896a12d1ec1168cf5f7b3ce628fab3abeb414879e0d7efccd4053f25b88b1255ae296d5ead84ec24d372d76a78164

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hj21Zc.exe
Filesize
30KB

MD5
3bba0a52a9698bfc294697bcd7c8e63a

SHA1
b26e1b334a4589dcc67f397dc9c393b924c5c6b3

SHA256
3042ba25b4c6f43380b9de722d659ebd9c845c5881296f107550ea35ef0fce54

SHA512
f0cd48b77dcf46f6967ca0ae545af997195896a12d1ec1168cf5f7b3ce628fab3abeb414879e0d7efccd4053f25b88b1255ae296d5ead84ec24d372d76a78164

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Aw3Ev67.exe
Filesize
523KB

MD5
4391b077016e763c51e2544ed086aa12

SHA1
d1c8b5f4ac625c59057332ad046dcc44163434db

SHA256
3c94453bf2aa8d70e9589f708a329288417f04803817665c23083c05918db4ba

SHA512
c516c81ef1b98e2c23c25ea551695187b75d64ea2c13a9886abd1d6d5d846ee5aa9bf439ef0ef7d0539da63b205b2d8369817793981213e900e2c2052b219bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Aw3Ev67.exe
Filesize
523KB

MD5
4391b077016e763c51e2544ed086aa12

SHA1
d1c8b5f4ac625c59057332ad046dcc44163434db

SHA256
3c94453bf2aa8d70e9589f708a329288417f04803817665c23083c05918db4ba

SHA512
c516c81ef1b98e2c23c25ea551695187b75d64ea2c13a9886abd1d6d5d846ee5aa9bf439ef0ef7d0539da63b205b2d8369817793981213e900e2c2052b219bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fb6jM0Il.exe
Filesize
756KB

MD5
a5da3f4f02b15dffdabe506377155371

SHA1
c8e6221d041422aa09f235323b4a5aa3db817176

SHA256
0e902c5c8391f35729cfee22111cd6a5d9974ec25d38bd0bdf4981ca14ebc28c

SHA512
f6ab21f36bb04f53d1e084f5afcc899b3e966ae7eebd7ff1a0038e6f2a839c5bc20cc8195b65bfb93d671ef2c8428847a005acd0de4d69b0ae89843358536389

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fb6jM0Il.exe
Filesize
756KB

MD5
a5da3f4f02b15dffdabe506377155371

SHA1
c8e6221d041422aa09f235323b4a5aa3db817176

SHA256
0e902c5c8391f35729cfee22111cd6a5d9974ec25d38bd0bdf4981ca14ebc28c

SHA512
f6ab21f36bb04f53d1e084f5afcc899b3e966ae7eebd7ff1a0038e6f2a839c5bc20cc8195b65bfb93d671ef2c8428847a005acd0de4d69b0ae89843358536389

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD08CJ5.exe
Filesize
893KB

MD5
eda56cc6e3552ccba3bd14c7169e1933

SHA1
509189d414d3659d66fb68e23ac0e76f4671d9ed

SHA256
da5c8f279dde37997d48337176a140da0232c61f721518be3687660d040c4486

SHA512
306a502cb2d64e586b53b8266daea69590971a97b90d498ede1b24c413f8a696da811776c129812f3f3d903cbad25c7b76f2a7bf489e265828b7821eb6b3abbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZD08CJ5.exe
Filesize
893KB

MD5
eda56cc6e3552ccba3bd14c7169e1933

SHA1
509189d414d3659d66fb68e23ac0e76f4671d9ed

SHA256
da5c8f279dde37997d48337176a140da0232c61f721518be3687660d040c4486

SHA512
306a502cb2d64e586b53b8266daea69590971a97b90d498ede1b24c413f8a696da811776c129812f3f3d903cbad25c7b76f2a7bf489e265828b7821eb6b3abbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XD2882.exe
Filesize
1.1MB

MD5
b5c01b5f4bf8aceb5d3595de5082bb1f

SHA1
be9da65eef594723108cfdd4995bc003acce729d

SHA256
eb5feac5b35b0cefeae7702b40fdbd682da3d84ee49a0cacc1f9fe973b1945de

SHA512
abb100d70cf17fe5396c25156ea364f59a024a98c2c5867c8037af929e07a98419c5a784005c13bdbca73f48c0f8bde457e2edc5ba12325f5da70e7711d2a985

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XD2882.exe
Filesize
1.1MB

MD5
b5c01b5f4bf8aceb5d3595de5082bb1f

SHA1
be9da65eef594723108cfdd4995bc003acce729d

SHA256
eb5feac5b35b0cefeae7702b40fdbd682da3d84ee49a0cacc1f9fe973b1945de

SHA512
abb100d70cf17fe5396c25156ea364f59a024a98c2c5867c8037af929e07a98419c5a784005c13bdbca73f48c0f8bde457e2edc5ba12325f5da70e7711d2a985

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nk2Rg5kr.exe
Filesize
560KB

MD5
e2c7d40ba3245029e62f638e16089723

SHA1
fe0b14fe28c4253e0bd09c584281cb2b53a62432

SHA256
d4dec21e5844e6252f1fcee1dcf1905bd483b87a8540acd9912d64c0b82961a1

SHA512
f821623ebf7dbb13c71e2fc388dea188bda09773ee8e9708a1a9082ff8384e50cf90b56752c4f0c557f8f266b55ec5339048f88d7616b632cd64c7446b4422b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nk2Rg5kr.exe
Filesize
560KB

MD5
e2c7d40ba3245029e62f638e16089723

SHA1
fe0b14fe28c4253e0bd09c584281cb2b53a62432

SHA256
d4dec21e5844e6252f1fcee1dcf1905bd483b87a8540acd9912d64c0b82961a1

SHA512
f821623ebf7dbb13c71e2fc388dea188bda09773ee8e9708a1a9082ff8384e50cf90b56752c4f0c557f8f266b55ec5339048f88d7616b632cd64c7446b4422b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1dI10GX0.exe
Filesize
1.0MB

MD5
0337f3deb946caf6178d99f587fc1e30

SHA1
da6fb18c6f37032f2e7605ea1a5fef11dcd81d91

SHA256
ef47b32b52b7842a8661cf03473b788a29dbc134618d88f6f749a7c991181945

SHA512
26ff7cbd9a31eeee496c5c5aacf0fd6ac662f40d29d87da66ad61a884c49a9018f578073e1f3e26cc01ab192e4a2971a035af5baf7e6323120fcc80f458720fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1dI10GX0.exe
Filesize
1.0MB

MD5
0337f3deb946caf6178d99f587fc1e30

SHA1
da6fb18c6f37032f2e7605ea1a5fef11dcd81d91

SHA256
ef47b32b52b7842a8661cf03473b788a29dbc134618d88f6f749a7c991181945

SHA512
26ff7cbd9a31eeee496c5c5aacf0fd6ac662f40d29d87da66ad61a884c49a9018f578073e1f3e26cc01ab192e4a2971a035af5baf7e6323120fcc80f458720fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2iI657iQ.exe
Filesize
222KB

MD5
8dc096f1eae6d5b26a44a1efc24b77dc

SHA1
8039c322376dbe065ea6f74fb9a8d0f555bed69b

SHA256
d142e604422aa906057b8b23456e31e97b438798f35db8c7025991484cb15706

SHA512
8646732475606c04d8c5f0e272660b257b67a895f42720a3e35d7a4687cb94c270f14a20f6b7ac8ec8b33e3c65c6a6d28f8f492ecf60adc01f36424758ff9cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2iI657iQ.exe
Filesize
222KB

MD5
8dc096f1eae6d5b26a44a1efc24b77dc

SHA1
8039c322376dbe065ea6f74fb9a8d0f555bed69b

SHA256
d142e604422aa906057b8b23456e31e97b438798f35db8c7025991484cb15706

SHA512
8646732475606c04d8c5f0e272660b257b67a895f42720a3e35d7a4687cb94c270f14a20f6b7ac8ec8b33e3c65c6a6d28f8f492ecf60adc01f36424758ff9cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
Filesize
2.5MB

MD5
d04b3ad7f47bdbd80c23a91436096fc6

SHA1
dfe98b3bbcac34e4f55d8e1f30503f1caba7f099

SHA256
994a1ebecf6350718dc003473441d89bb493c8a79bbce8622b562fc2c0ca2757

SHA512
0777d9bb0448615e7f694b1c1e3f0a5aa2f84d8638e77f349167c2d6eb7ee27709d68b581b09c122182e85b1ccbbfd89767308457219c5c67fe613212ff47d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
5.5MB

MD5
c1fb6815a3aa9b10b9d00bdec2d1ab78

SHA1
f08969cc23b698c91b81c1512cbee355a5d7d46f

SHA256
6db25c1239da102b0598172ce26d0af444b182d41cbf9d2468e61242d0cfba08

SHA512
ef7d5acdd02c6811dfe8dde8d743bab0cf0af9880e5ba10d9ad15a0de2629c445de546fbc5af7397962d8a500ccf5de627ebb38b6e1150964884023f7114ffb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jh0mumx0.fzq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
Filesize
307KB

MD5
b6d627dcf04d04889b1f01a14ec12405

SHA1
f7292c3d6f2003947cc5455b41df5f8fbd14df14

SHA256
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf

SHA512
1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
dff517be582ec89ff9649fc7903915ff

SHA1
c29f2fbb53677077da09910243ac873e152e7b77

SHA256
5f5175172d8fef68c59473b9b472ad71a9b9447fb9782a0edf9ae99d55a006b7

SHA512
76e9a4615172ec96e0759181bf26c4b4836928150edc08ca4acd1d1d6ea5400a23e4350d848ecf07769600318e4db2ea73cf15705d0567122d10d5b993bc2677

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
dff517be582ec89ff9649fc7903915ff

SHA1
c29f2fbb53677077da09910243ac873e152e7b77

SHA256
5f5175172d8fef68c59473b9b472ad71a9b9447fb9782a0edf9ae99d55a006b7

SHA512
76e9a4615172ec96e0759181bf26c4b4836928150edc08ca4acd1d1d6ea5400a23e4350d848ecf07769600318e4db2ea73cf15705d0567122d10d5b993bc2677

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
dff517be582ec89ff9649fc7903915ff

SHA1
c29f2fbb53677077da09910243ac873e152e7b77

SHA256
5f5175172d8fef68c59473b9b472ad71a9b9447fb9782a0edf9ae99d55a006b7

SHA512
76e9a4615172ec96e0759181bf26c4b4836928150edc08ca4acd1d1d6ea5400a23e4350d848ecf07769600318e4db2ea73cf15705d0567122d10d5b993bc2677

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
dff517be582ec89ff9649fc7903915ff

SHA1
c29f2fbb53677077da09910243ac873e152e7b77

SHA256
5f5175172d8fef68c59473b9b472ad71a9b9447fb9782a0edf9ae99d55a006b7

SHA512
76e9a4615172ec96e0759181bf26c4b4836928150edc08ca4acd1d1d6ea5400a23e4350d848ecf07769600318e4db2ea73cf15705d0567122d10d5b993bc2677

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe
Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA424.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA459.tmp
Filesize
92KB

MD5
2ea428873b09b0b3d94fd89ad2883b02

SHA1
a767ea985e9a1ff148b90a66297589198b2ed2a0

SHA256
0c89f9ffb4f2f7955337b3d94f7712ea0efc71426545018c673caa84a296efba

SHA512
3a642989b1701f352d4e4167aceaf8f2f536882f2018d80d3d7be4770bda1524a5264e25ab995b87a67b8ea4fb87736641d22264c0d4ba71c550e4ce3bbf3d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4B3.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpABFC.tmp
Filesize
28KB

MD5
e4eb3d9bb62bf8e406e14efb16511268

SHA1
d07396125389d95e8a28971af64d317be0b9e399

SHA256
2ab603b3d0694d28c09cd0cefbdc025b3319c61bfd2c4b3b7b12be9b3affb7ce

SHA512
f8310dba35c8fdfd7c7404596c71149b6257505052ba863e85aec1598baa488f9871add944ff19c1de11d24d78485ff4291495cf684178732cc2b6f15a435326

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC6B.tmp
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD43.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
207KB

MD5
5ff398981d2edc3bca2e1ed053090c9a

SHA1
7c0b3b52bbeec3b6370c38f47eb85a75ee92be3b

SHA256
13c420fc4656cb4eff23d8901c1777434ee40157122f3941a92eef5b7aceefaf

SHA512
4609cf82ea7dbacff3fce41da8dc29467dc348f336998f1f79c85e82261947c686ba39a77c3a4a9321596d55fb73a7c5e6aab026748fb9b3be01d45099075de4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll
Filesize
102KB

MD5
ceffd8c6661b875b67ca5e4540950d8b

SHA1
91b53b79c98f22d0b8e204e11671d78efca48682

SHA256
da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2

SHA512
6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll
Filesize
1.1MB

MD5
1c27631e70908879e1a5a8f3686e0d46

SHA1
31da82b122b08bb2b1e6d0c904993d6d599dc93a

SHA256
478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9

SHA512
7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd

Download Submit
memory/672-531-0x0000000008A10000-0x0000000008A26000-memory.dmp

Filesize
88KB

Download
memory/672-49-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/764-3735-0x0000000000C80000-0x0000000000CA0000-memory.dmp

Filesize
128KB

Download
memory/1276-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1296-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2960-275-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2960-316-0x0000000007960000-0x0000000007970000-memory.dmp

Filesize
64KB

Download
memory/2960-168-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2960-169-0x00000000008B0000-0x00000000008EE000-memory.dmp

Filesize
248KB

Download
memory/2960-172-0x0000000007960000-0x0000000007970000-memory.dmp

Filesize
64KB

Download
memory/3052-195-0x0000000007750000-0x0000000007760000-memory.dmp

Filesize
64KB

Download
memory/3052-189-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3052-147-0x0000000007750000-0x0000000007760000-memory.dmp

Filesize
64KB

Download
memory/3052-136-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3736-2180-0x00007FF6E5E40000-0x00007FF6E63E1000-memory.dmp

Filesize
5.6MB

Download
memory/3816-3734-0x00007FF662230000-0x00007FF6627D1000-memory.dmp

Filesize
5.6MB

Download
memory/3852-232-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3852-190-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3852-143-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/3852-145-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4020-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-62-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4256-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4256-39-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4256-79-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4580-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4580-86-0x0000000007FB0000-0x0000000007FC0000-memory.dmp

Filesize
64KB

Download
memory/4580-85-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4580-84-0x00000000081E0000-0x000000000822C000-memory.dmp

Filesize
304KB

Download
memory/4580-83-0x0000000008060000-0x000000000809C000-memory.dmp

Filesize
240KB

Download
memory/4580-82-0x0000000008000000-0x0000000008012000-memory.dmp

Filesize
72KB

Download
memory/4580-81-0x00000000080D0000-0x00000000081DA000-memory.dmp

Filesize
1.0MB

Download
memory/4580-80-0x0000000008E80000-0x0000000009498000-memory.dmp

Filesize
6.1MB

Download
memory/4580-78-0x0000000007D90000-0x0000000007D9A000-memory.dmp

Filesize
40KB

Download
memory/4580-73-0x0000000007FB0000-0x0000000007FC0000-memory.dmp

Filesize
64KB

Download
memory/4580-65-0x0000000007DA0000-0x0000000007E32000-memory.dmp

Filesize
584KB

Download
memory/4580-64-0x00000000082B0000-0x0000000008854000-memory.dmp

Filesize
5.6MB

Download
memory/4580-63-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/5016-223-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5016-276-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/5016-155-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5016-161-0x0000000000550000-0x00000000005AA000-memory.dmp

Filesize
360KB

Download
memory/5016-171-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/5164-2593-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/5368-530-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/5368-278-0x0000000000CE0000-0x0000000001960000-memory.dmp

Filesize
12.5MB

Download
memory/5368-277-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/5368-451-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/5948-864-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5948-857-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5948-935-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5960-1111-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/6508-543-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/6508-555-0x0000000000570000-0x00000000005AE000-memory.dmp

Filesize
248KB

Download
memory/6508-570-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/6508-604-0x0000000007580000-0x0000000007590000-memory.dmp

Filesize
64KB

Download
memory/7048-539-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/7048-538-0x00000000006F0000-0x000000000070E000-memory.dmp

Filesize
120KB

Download
memory/7048-755-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/7048-574-0x00000000010F0000-0x0000000001100000-memory.dmp

Filesize
64KB

Download
memory/7240-477-0x0000000000A20000-0x0000000000A29000-memory.dmp

Filesize
36KB

Download
memory/7240-472-0x0000000000A30000-0x0000000000B30000-memory.dmp

Filesize
1024KB

Download
memory/7312-532-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/7312-478-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/7312-520-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/7328-497-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/7328-622-0x00007FFEF9C10000-0x00007FFEFA6D1000-memory.dmp

Filesize
10.8MB

Download
memory/7328-523-0x0000000001230000-0x0000000001240000-memory.dmp

Filesize
64KB

Download
memory/7328-518-0x00007FFEF9C10000-0x00007FFEFA6D1000-memory.dmp

Filesize
10.8MB

Download
memory/7828-625-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/7924-559-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/7924-725-0x0000000004DA0000-0x0000000004DA8000-memory.dmp

Filesize
32KB

Download
memory/7924-447-0x0000000000220000-0x0000000000600000-memory.dmp

Filesize
3.9MB

Download
memory/7924-673-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/7924-446-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/7924-493-0x0000000004E40000-0x0000000004EDC000-memory.dmp

Filesize
624KB

Download
memory/7940-1732-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/7940-519-0x0000000002D80000-0x000000000366B000-memory.dmp

Filesize
8.9MB

Download
memory/7940-527-0x0000000002980000-0x0000000002D7E000-memory.dmp

Filesize
4.0MB

Download
memory/7940-525-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/7940-667-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/7940-671-0x0000000002980000-0x0000000002D7E000-memory.dmp

Filesize
4.0MB

Download
memory/8176-526-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download