amadey | 1dcf9873d37f28b49fd4040c69f05eeddceb8306c2e201bdfbb70e1846227880

Analysis

max time kernel
118s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2023 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

966af3c74b2555109ffc9b223e74153afb2eef3785574ad2ff29d1b3fc18a54d.exe
Size

1.5MB
MD5

1eabf74795c100a8d955a528de87db38
SHA1

2c6b0824efca02e6b22fcd2432bb90a23d7f5f8b
SHA256

966af3c74b2555109ffc9b223e74153afb2eef3785574ad2ff29d1b3fc18a54d
SHA512

30e9abe9a5cca7416c2b42f747adbd76a77fd3a36fdfb889db342772fff8210dabe15d703324e91102135b19f7f9496424fa5db2fd9bc7c2fb5bb1f6439d6f98
SSDEEP

24576:nytSMdvcVsvlAWwch5DeP1WuiwerDE04H/rKda+Y2fE7BXf3MDDNzfc1vl1Y4:ytBjv+WLgW8ePB4CazKElctovl

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

http://yvzgz.cyou/index.php

https://yvzgz.cyou/index.php

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Extracted

Family

redline

Botnet

pixelnew

194.49.94.11:80

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

raccoon

Botnet

6a6a005b9aa778f606280c5fa24ae595

http://195.123.218.98:80

http://31.192.23

Attributes

user_agent
SunShineMoonLight

xor.plain

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 5 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exe966af3c74b2555109ffc9b223e74153afb2eef3785574ad2ff29d1b3fc18a54d.exeschtasks.exe

pid	process
6032	schtasks.exe
640	schtasks.exe
560	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	966af3c74b2555109ffc9b223e74153afb2eef3785574ad2ff29d1b3fc18a54d.exe
7304	schtasks.exe

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6856-1130-0x0000000000BD0000-0x0000000000FB0000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/7544-1182-0x0000000002E30000-0x000000000371B000-memory.dmp	family_glupteba
behavioral1/memory/7544-1190-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/7544-1650-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/8004-1781-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe15D9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	15D9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	15D9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	15D9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	15D9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	15D9.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6964-1325-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral1/memory/6964-1490-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral1/memory/6964-1479-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3184-63-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/6572-727-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/7068-754-0x0000000000480000-0x00000000004DA000-memory.dmp	family_redline
behavioral1/memory/7068-1086-0x0000000000400000-0x0000000000480000-memory.dmp	family_redline
behavioral1/memory/5736-1151-0x00000000004E0000-0x00000000004FE000-memory.dmp	family_redline
behavioral1/memory/5776-1760-0x0000000001340000-0x000000000137E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5736-1151-0x00000000004E0000-0x00000000004FE000-memory.dmp	family_sectoprat
behavioral1/memory/5736-1154-0x0000000004D30000-0x0000000004D40000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

latestX.exeupdater.exe

description	pid	process	target process
PID 6992 created 3316	6992	latestX.exe	Explorer.EXE
PID 6992 created 3316	6992	latestX.exe	Explorer.EXE
PID 6992 created 3316	6992	latestX.exe	Explorer.EXE
PID 6992 created 3316	6992	latestX.exe	Explorer.EXE
PID 6992 created 3316	6992	latestX.exe	Explorer.EXE
PID 5548 created 3316	5548	updater.exe	Explorer.EXE

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/5548-1971-0x00007FF67F940000-0x00007FF67FEE1000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

283 6288 rundll32.exe
285 6360 rundll32.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

latestX.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts latestX.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

3788 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
283	6288	rundll32.exe
285	6360	rundll32.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

pid	process
3788	netsh.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1A6F.exe4FA9.exe5E81.exekos4.exeC04B.exeUtsysc.exe5se2bl3.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	1A6F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	4FA9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	5E81.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	kos4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	C04B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	5se2bl3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 52 IoCs

Processes:

dw4jw75.exeIm7NN21.exevt4mL80.exehI5Mn77.execm2Ag48.exe1hb53GW5.exe2zL6424.exe3Jk14eH.exe4XR873CT.exe5se2bl3.exeexplothe.exemsedge.exe7nu1QK10.exeexplothe.exe124B.exeIN8gZ5gn.exe12F7.exexU8mT4YJ.exeFb6jM0Il.exenk2Rg5kr.exe1dI10GX0.exe1490.exe15D9.exe1780.exe2iI657iQ.exe1A6F.exe4FA9.exe516F.exeInstallSetup5.exetoolspub2.exe595F.exe31839b57a4f11171d6abc8bbc4451ee4.exeBroom.exekos4.exelatestX.exe5E81.exe622B.exeLzmwAqmV.exeis-IAPI0.tmptoolspub2.exeIsoBuster.exeIsoBuster.exeBCFE.exeC04B.exeC712.exeUtsysc.exe31839b57a4f11171d6abc8bbc4451ee4.exeupdater.exeexplothe.exesc.execsrss.exeinjector.exe

pid	process
2220	dw4jw75.exe
4664	Im7NN21.exe
856	vt4mL80.exe
2576	hI5Mn77.exe
4988	cm2Ag48.exe
4540	1hb53GW5.exe
2192	2zL6424.exe
4868	3Jk14eH.exe
1964	4XR873CT.exe
1136	5se2bl3.exe
2572	explothe.exe
892	msedge.exe
3360	7nu1QK10.exe
2032	explothe.exe
5304	124B.exe
5288	IN8gZ5gn.exe
4348	12F7.exe
4572	xU8mT4YJ.exe
3068	Fb6jM0Il.exe
5336	nk2Rg5kr.exe
4484	1dI10GX0.exe
784	1490.exe
3076	15D9.exe
3520	1780.exe
6572	2iI657iQ.exe
7068	1A6F.exe
7900	4FA9.exe
7524	516F.exe
6088	InstallSetup5.exe
6396	toolspub2.exe
6856	595F.exe
7544	31839b57a4f11171d6abc8bbc4451ee4.exe
6336	Broom.exe
5168	kos4.exe
6992	latestX.exe
7060	5E81.exe
5736	622B.exe
3396	LzmwAqmV.exe
2948	is-IAPI0.tmp
4512	toolspub2.exe
6484	IsoBuster.exe
7152	IsoBuster.exe
2400	BCFE.exe
6912	C04B.exe
6540	C712.exe
1056	Utsysc.exe
8004	31839b57a4f11171d6abc8bbc4451ee4.exe
5548	updater.exe
7268	explothe.exe
8128	sc.exe
4208	csrss.exe
1648	injector.exe

Loads dropped DLL 6 IoCs

Processes:

is-IAPI0.tmp595F.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

2948 is-IAPI0.tmp
6856 595F.exe
5608 rundll32.exe
7080 rundll32.exe
6360 rundll32.exe
6288 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2948	is-IAPI0.tmp
6856	595F.exe
5608	rundll32.exe
7080	rundll32.exe
6360	rundll32.exe
6288	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/8144-1939-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

15D9.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 15D9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	15D9.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

5E81.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5E81.exe
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5E81.exe
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5E81.exe
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5E81.exe
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5E81.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

nk2Rg5kr.exe31839b57a4f11171d6abc8bbc4451ee4.exedw4jw75.exexU8mT4YJ.exehI5Mn77.execm2Ag48.exeFb6jM0Il.exe516F.exe966af3c74b2555109ffc9b223e74153afb2eef3785574ad2ff29d1b3fc18a54d.exeIm7NN21.exevt4mL80.exe124B.exeIN8gZ5gn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	nk2Rg5kr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dw4jw75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	xU8mT4YJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	hI5Mn77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	cm2Ag48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Fb6jM0Il.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\516F.exe'\""	516F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	966af3c74b2555109ffc9b223e74153afb2eef3785574ad2ff29d1b3fc18a54d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Im7NN21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	vt4mL80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	124B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	IN8gZ5gn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

236 api.ipify.org
237 api.ipify.org
Detected potential entity reuse from brand paypal.
phishing paypal

flow	ioc
236	api.ipify.org
237	api.ipify.org

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

1hb53GW5.exe2zL6424.exe4XR873CT.exe1dI10GX0.exetoolspub2.exe595F.exeBCFE.exe

description	pid	process	target process
PID 4540 set thread context of 5080	4540	1hb53GW5.exe	AppLaunch.exe
PID 2192 set thread context of 3536	2192	2zL6424.exe	AppLaunch.exe
PID 1964 set thread context of 3184	1964	4XR873CT.exe	AppLaunch.exe
PID 4484 set thread context of 7064	4484	1dI10GX0.exe	AppLaunch.exe
PID 6396 set thread context of 4512	6396	toolspub2.exe	toolspub2.exe
PID 6856 set thread context of 6964	6856	595F.exe	RegAsm.exe
PID 2400 set thread context of 5776	2400	BCFE.exe	jsc.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 35 IoCs

Processes:

is-IAPI0.tmplatestX.exe

description	ioc	process
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-K5G3O.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-O48A9.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-FEAHP.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-NJMON.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-5JKJO.tmp	is-IAPI0.tmp
File opened for modification	C:\Program Files (x86)\Smart Projects\IsoBuster\unins000.dat	is-IAPI0.tmp
File opened for modification	C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster.exe	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Help\is-8U7KI.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\is-2996G.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-HLSS4.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-FK49F.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-FBPRA.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-URRGM.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\is-TSJRH.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-MM9L0.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Online\is-HH4TG.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-4TJBS.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\unins000.dat	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-B2V5Q.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-1ANQR.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-OH6MP.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-4AGOA.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-41P4S.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-8HPHH.tmp	is-IAPI0.tmp
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-SBHSL.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-EACCA.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-D8U2C.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-LG0V1.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-NRUU8.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Online\is-FUNQV.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-V6MVI.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-8IO52.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-DFN7S.tmp	is-IAPI0.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-TS63K.tmp	is-IAPI0.tmp

Drops file in Windows directory 2 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe

Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

7652 sc.exe
8128 sc.exe
6732 sc.exe
1324 sc.exe
6692 sc.exe
6024 sc.exe
5268 sc.exe
8160 sc.exe
7088 sc.exe
6952 sc.exe
3848 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
7652	sc.exe
8128	sc.exe
6732	sc.exe
1324	sc.exe
6692	sc.exe
6024	sc.exe
5268	sc.exe
8160	sc.exe
7088	sc.exe
6952	sc.exe
3848	sc.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1056	3536	WerFault.exe	AppLaunch.exe
5468	7064	WerFault.exe	AppLaunch.exe
4480	6964	WerFault.exe	RegAsm.exe
7220	7544	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub2.exeC712.exe3Jk14eH.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C712.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C712.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Jk14eH.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Jk14eH.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C712.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Jk14eH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

560 schtasks.exe
7304 schtasks.exe
6032 schtasks.exe
640 schtasks.exe

pid	process
560	schtasks.exe
7304	schtasks.exe
6032	schtasks.exe
640	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3Jk14eH.exeAppLaunch.exeExplorer.EXE

pid	process
4868	3Jk14eH.exe
4868	3Jk14eH.exe
5080	AppLaunch.exe
5080	AppLaunch.exe
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3316 Explorer.EXE
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

3Jk14eH.exetoolspub2.exeC712.exe

pid process

4868 3Jk14eH.exe
4512 toolspub2.exe
6540 C712.exe

pid	process
3316	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exeExplorer.EXE15D9.exe1A6F.exe

description	pid	process
Token: SeDebugPrivilege	5080	AppLaunch.exe
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeDebugPrivilege	3076	15D9.exe
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeDebugPrivilege	7068	1A6F.exe
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exemsedge.exeC04B.exe

pid	process
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
6912	C04B.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe
7788	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Broom.exe

pid process

6336 Broom.exe

pid	process
6336	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

966af3c74b2555109ffc9b223e74153afb2eef3785574ad2ff29d1b3fc18a54d.exedw4jw75.exeIm7NN21.exevt4mL80.exehI5Mn77.execm2Ag48.exe1hb53GW5.exe2zL6424.exe4XR873CT.exe5se2bl3.exeexplothe.exe

description	pid	process	target process
PID 396 wrote to memory of 2220	396	966af3c74b2555109ffc9b223e74153afb2eef3785574ad2ff29d1b3fc18a54d.exe	dw4jw75.exe
PID 396 wrote to memory of 2220	396	966af3c74b2555109ffc9b223e74153afb2eef3785574ad2ff29d1b3fc18a54d.exe	dw4jw75.exe
PID 396 wrote to memory of 2220	396	966af3c74b2555109ffc9b223e74153afb2eef3785574ad2ff29d1b3fc18a54d.exe	dw4jw75.exe
PID 2220 wrote to memory of 4664	2220	dw4jw75.exe	Im7NN21.exe
PID 2220 wrote to memory of 4664	2220	dw4jw75.exe	Im7NN21.exe
PID 2220 wrote to memory of 4664	2220	dw4jw75.exe	Im7NN21.exe
PID 4664 wrote to memory of 856	4664	Im7NN21.exe	vt4mL80.exe
PID 4664 wrote to memory of 856	4664	Im7NN21.exe	vt4mL80.exe
PID 4664 wrote to memory of 856	4664	Im7NN21.exe	vt4mL80.exe
PID 856 wrote to memory of 2576	856	vt4mL80.exe	hI5Mn77.exe
PID 856 wrote to memory of 2576	856	vt4mL80.exe	hI5Mn77.exe
PID 856 wrote to memory of 2576	856	vt4mL80.exe	hI5Mn77.exe
PID 2576 wrote to memory of 4988	2576	hI5Mn77.exe	cm2Ag48.exe
PID 2576 wrote to memory of 4988	2576	hI5Mn77.exe	cm2Ag48.exe
PID 2576 wrote to memory of 4988	2576	hI5Mn77.exe	cm2Ag48.exe
PID 4988 wrote to memory of 4540	4988	cm2Ag48.exe	1hb53GW5.exe
PID 4988 wrote to memory of 4540	4988	cm2Ag48.exe	1hb53GW5.exe
PID 4988 wrote to memory of 4540	4988	cm2Ag48.exe	1hb53GW5.exe
PID 4540 wrote to memory of 5080	4540	1hb53GW5.exe	AppLaunch.exe
PID 4540 wrote to memory of 5080	4540	1hb53GW5.exe	AppLaunch.exe
PID 4540 wrote to memory of 5080	4540	1hb53GW5.exe	AppLaunch.exe
PID 4540 wrote to memory of 5080	4540	1hb53GW5.exe	AppLaunch.exe
PID 4540 wrote to memory of 5080	4540	1hb53GW5.exe	AppLaunch.exe
PID 4540 wrote to memory of 5080	4540	1hb53GW5.exe	AppLaunch.exe
PID 4540 wrote to memory of 5080	4540	1hb53GW5.exe	AppLaunch.exe
PID 4540 wrote to memory of 5080	4540	1hb53GW5.exe	AppLaunch.exe
PID 4988 wrote to memory of 2192	4988	cm2Ag48.exe	2zL6424.exe
PID 4988 wrote to memory of 2192	4988	cm2Ag48.exe	2zL6424.exe
PID 4988 wrote to memory of 2192	4988	cm2Ag48.exe	2zL6424.exe
PID 2192 wrote to memory of 3536	2192	2zL6424.exe	AppLaunch.exe
PID 2192 wrote to memory of 3536	2192	2zL6424.exe	AppLaunch.exe
PID 2192 wrote to memory of 3536	2192	2zL6424.exe	AppLaunch.exe
PID 2192 wrote to memory of 3536	2192	2zL6424.exe	AppLaunch.exe
PID 2192 wrote to memory of 3536	2192	2zL6424.exe	AppLaunch.exe
PID 2192 wrote to memory of 3536	2192	2zL6424.exe	AppLaunch.exe
PID 2192 wrote to memory of 3536	2192	2zL6424.exe	AppLaunch.exe
PID 2192 wrote to memory of 3536	2192	2zL6424.exe	AppLaunch.exe
PID 2192 wrote to memory of 3536	2192	2zL6424.exe	AppLaunch.exe
PID 2192 wrote to memory of 3536	2192	2zL6424.exe	AppLaunch.exe
PID 2576 wrote to memory of 4868	2576	hI5Mn77.exe	3Jk14eH.exe
PID 2576 wrote to memory of 4868	2576	hI5Mn77.exe	3Jk14eH.exe
PID 2576 wrote to memory of 4868	2576	hI5Mn77.exe	3Jk14eH.exe
PID 856 wrote to memory of 1964	856	vt4mL80.exe	4XR873CT.exe
PID 856 wrote to memory of 1964	856	vt4mL80.exe	4XR873CT.exe
PID 856 wrote to memory of 1964	856	vt4mL80.exe	4XR873CT.exe
PID 1964 wrote to memory of 3184	1964	4XR873CT.exe	AppLaunch.exe
PID 1964 wrote to memory of 3184	1964	4XR873CT.exe	AppLaunch.exe
PID 1964 wrote to memory of 3184	1964	4XR873CT.exe	AppLaunch.exe
PID 1964 wrote to memory of 3184	1964	4XR873CT.exe	AppLaunch.exe
PID 1964 wrote to memory of 3184	1964	4XR873CT.exe	AppLaunch.exe
PID 1964 wrote to memory of 3184	1964	4XR873CT.exe	AppLaunch.exe
PID 1964 wrote to memory of 3184	1964	4XR873CT.exe	AppLaunch.exe
PID 1964 wrote to memory of 3184	1964	4XR873CT.exe	AppLaunch.exe
PID 4664 wrote to memory of 1136	4664	Im7NN21.exe	5se2bl3.exe
PID 4664 wrote to memory of 1136	4664	Im7NN21.exe	5se2bl3.exe
PID 4664 wrote to memory of 1136	4664	Im7NN21.exe	5se2bl3.exe
PID 1136 wrote to memory of 2572	1136	5se2bl3.exe	explothe.exe
PID 1136 wrote to memory of 2572	1136	5se2bl3.exe	explothe.exe
PID 1136 wrote to memory of 2572	1136	5se2bl3.exe	explothe.exe
PID 2220 wrote to memory of 892	2220	dw4jw75.exe	msedge.exe
PID 2220 wrote to memory of 892	2220	dw4jw75.exe	msedge.exe
PID 2220 wrote to memory of 892	2220	dw4jw75.exe	msedge.exe
PID 2572 wrote to memory of 560	2572	explothe.exe	schtasks.exe
PID 2572 wrote to memory of 560	2572	explothe.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

5E81.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5E81.exe

outlook_win_path 1 IoCs

Processes:

5E81.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5E81.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Users\Admin\AppData\Local\Temp\966af3c74b2555109ffc9b223e74153afb2eef3785574ad2ff29d1b3fc18a54d.exe
"C:\Users\Admin\AppData\Local\Temp\966af3c74b2555109ffc9b223e74153afb2eef3785574ad2ff29d1b3fc18a54d.exe"
2⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dw4jw75.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dw4jw75.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Im7NN21.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Im7NN21.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vt4mL80.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vt4mL80.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI5Mn77.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI5Mn77.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cm2Ag48.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cm2Ag48.exe
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hb53GW5.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hb53GW5.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
9⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zL6424.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zL6424.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
9⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 540
10⤵
- Program crash
PID:1056

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Jk14eH.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Jk14eH.exe
7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4868

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4XR873CT.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4XR873CT.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5se2bl3.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5se2bl3.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
7⤵
- DcRat
- Creates scheduled task(s)
PID:560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
7⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:3828

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
8⤵
PID:3068

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
8⤵
PID:2116

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
8⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:2600

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
8⤵
PID:1820

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
7⤵
- Loads dropped DLL
PID:5608

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6XU3pT8.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6XU3pT8.exe
4⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7nu1QK10.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7nu1QK10.exe
3⤵
- Executes dropped EXE
PID:3360

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CC87.tmp\CC88.tmp\CC89.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7nu1QK10.exe"
4⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
6⤵
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
6⤵
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
6⤵
PID:2760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
6⤵
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
6⤵
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
6⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
6⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
6⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
6⤵
PID:5948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
6⤵
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
6⤵
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
6⤵
PID:6264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
6⤵
PID:6328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
6⤵
PID:6748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
6⤵
PID:6764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
6⤵
PID:6920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
6⤵
PID:6928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
6⤵
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
6⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7508 /prefetch:8
6⤵
PID:6456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7508 /prefetch:8
6⤵
PID:6476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1
6⤵
PID:7156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7400 /prefetch:1
6⤵
PID:7164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7912 /prefetch:1
6⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
6⤵
PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1
6⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7996 /prefetch:1
6⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1
6⤵
PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8372 /prefetch:1
6⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8536 /prefetch:1
6⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8368 /prefetch:1
6⤵
PID:7188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8132 /prefetch:1
6⤵
PID:7636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9652 /prefetch:1
6⤵
PID:7964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9892 /prefetch:1
6⤵
PID:7308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13021422763887484094,12398322264618283183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8488 /prefetch:1
6⤵
PID:7416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
5⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
6⤵
PID:660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6103544978541429947,16551613093422987445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
6⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6103544978541429947,16551613093422987445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
6⤵
- Executes dropped EXE
PID:892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
6⤵
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,10852720395965062049,926196583871137533,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
6⤵
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,10852720395965062049,926196583871137533,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
6⤵
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
5⤵
PID:924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
6⤵
PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,12944979081779929463,8149721355831468511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
6⤵
PID:5444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
5⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
6⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,10904118341547760860,4233871910182153475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
6⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
5⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
6⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
5⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
6⤵
PID:6140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
5⤵
PID:6576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
6⤵
PID:6608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
5⤵
PID:6616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
6⤵
PID:6680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
PID:6776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
6⤵
PID:6796

C:\Users\Admin\AppData\Local\Temp\124B.exe
C:\Users\Admin\AppData\Local\Temp\124B.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5304

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IN8gZ5gn.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IN8gZ5gn.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5288

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xU8mT4YJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xU8mT4YJ.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4572

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fb6jM0Il.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fb6jM0Il.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3068

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nk2Rg5kr.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nk2Rg5kr.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5336

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1dI10GX0.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1dI10GX0.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:7064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 540
9⤵
- Program crash
PID:5468

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2iI657iQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2iI657iQ.exe
7⤵
- Executes dropped EXE
PID:6572

C:\Users\Admin\AppData\Local\Temp\12F7.exe
C:\Users\Admin\AppData\Local\Temp\12F7.exe
2⤵
- Executes dropped EXE
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\13E3.bat" "
2⤵
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
3⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
4⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
3⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
4⤵
PID:6200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
3⤵
PID:6148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
4⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
3⤵
PID:1416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
4⤵
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
3⤵
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
4⤵
PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
3⤵
PID:7492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
4⤵
PID:7568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
3⤵
PID:7884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xbc,0x108,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
4⤵
PID:7904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
3⤵
PID:8116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
4⤵
PID:8152

C:\Users\Admin\AppData\Local\Temp\1490.exe
C:\Users\Admin\AppData\Local\Temp\1490.exe
2⤵
- Executes dropped EXE
PID:784

C:\Users\Admin\AppData\Local\Temp\15D9.exe
C:\Users\Admin\AppData\Local\Temp\15D9.exe
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Users\Admin\AppData\Local\Temp\1780.exe
C:\Users\Admin\AppData\Local\Temp\1780.exe
2⤵
- Executes dropped EXE
PID:3520

C:\Users\Admin\AppData\Local\Temp\1A6F.exe
C:\Users\Admin\AppData\Local\Temp\1A6F.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,10085894589748552321,12221215038683895748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
4⤵
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,10085894589748552321,12221215038683895748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
4⤵
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,10085894589748552321,12221215038683895748,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
4⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10085894589748552321,12221215038683895748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
4⤵
PID:824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10085894589748552321,12221215038683895748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
4⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10085894589748552321,12221215038683895748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
4⤵
PID:3824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10085894589748552321,12221215038683895748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
4⤵
PID:2868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10085894589748552321,12221215038683895748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
4⤵
PID:6620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10085894589748552321,12221215038683895748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
4⤵
PID:6292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10085894589748552321,12221215038683895748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
4⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,10085894589748552321,12221215038683895748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3536 /prefetch:8
4⤵
PID:7844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,10085894589748552321,12221215038683895748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3536 /prefetch:8
4⤵
PID:7436

C:\Users\Admin\AppData\Local\Temp\4FA9.exe
C:\Users\Admin\AppData\Local\Temp\4FA9.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:7900

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
3⤵
- Executes dropped EXE
PID:6088

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6336

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6396

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4512

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
PID:7544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:6424

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:8004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:6792

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5864

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
- Executes dropped EXE
PID:4208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7336

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- DcRat
- Creates scheduled task(s)
PID:6032

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:6348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:8028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4432

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
PID:1648

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- DcRat
- Creates scheduled task(s)
PID:640

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
PID:8144

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:6912

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
PID:7088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7544 -s 892
4⤵
- Program crash
PID:7220

C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:5168

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
4⤵
- Executes dropped EXE
PID:3396

C:\Users\Admin\AppData\Local\Temp\is-BU2S2.tmp\is-IAPI0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BU2S2.tmp\is-IAPI0.tmp" /SL4 $402D8 "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" 5448218 154112
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2948

C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster.exe
"C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster.exe" -i
6⤵
- Executes dropped EXE
PID:6484

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
6⤵
PID:3360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
7⤵
PID:7176

C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster.exe
"C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster.exe" -s
6⤵
- Executes dropped EXE
PID:7152

C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:6992

C:\Users\Admin\AppData\Local\Temp\516F.exe
C:\Users\Admin\AppData\Local\Temp\516F.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:7524

C:\Users\Admin\AppData\Local\Temp\595F.exe
C:\Users\Admin\AppData\Local\Temp\595F.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:6856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6964 -s 572
4⤵
- Program crash
PID:4480

C:\Users\Admin\AppData\Local\Temp\5E81.exe
C:\Users\Admin\AppData\Local\Temp\5E81.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:7060

C:\Users\Admin\AppData\Local\Temp\622B.exe
C:\Users\Admin\AppData\Local\Temp\622B.exe
2⤵
- Executes dropped EXE
PID:5736

C:\Users\Admin\AppData\Local\Temp\BCFE.exe
C:\Users\Admin\AppData\Local\Temp\BCFE.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
3⤵
PID:5776

C:\Users\Admin\AppData\Local\Temp\C04B.exe
C:\Users\Admin\AppData\Local\Temp\C04B.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:6912

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:1056

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:7304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "Admin:N"&&CACLS "..\ea7c8244c8" /P "Admin:R" /E&&Exit
4⤵
PID:7212

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:N"
5⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:7448

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:R" /E
5⤵
PID:5420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1452

C:\Windows\SysWOW64\cacls.exe
CACLS "..\ea7c8244c8" /P "Admin:N"
5⤵
PID:5892

C:\Windows\SysWOW64\cacls.exe
CACLS "..\ea7c8244c8" /P "Admin:R" /E
5⤵
PID:5872

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:7080

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:6360

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
PID:7744

C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\771604342093_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
6⤵
PID:2212

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:6288

C:\Users\Admin\AppData\Local\Temp\C712.exe
C:\Users\Admin\AppData\Local\Temp\C712.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:5232

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:4432

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:6952

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:6024

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:5268

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3848

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:7652

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:7668

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:7984

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:4088

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:4192

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:5380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:7692

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:6120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Modifies data under HKEY_USERS
PID:1484

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:5828

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Executes dropped EXE
- Launches sc.exe
PID:8128

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:6732

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1324

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:6692

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:8160

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:6496

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:7304

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:6828

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:6480

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:7448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:1452

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:5560

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3536 -ip 3536
1⤵
PID:2744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5740

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 7064 -ip 7064
1⤵
PID:7084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff78ce46f8,0x7fff78ce4708,0x7fff78ce4718
1⤵
PID:7812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6964 -ip 6964
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7544 -ip 7544
1⤵
PID:8028

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:5548

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:7268

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
1⤵
PID:8128

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:6284

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
1⤵
PID:6944

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:7548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
03bb99fa5aa995be0ecef71e9ba45da5

SHA1
a8a427d417bbf4d81c680fb99778b944fcaa7c64

SHA256
2f6b02df4ee6c72702f6d894b00de0eba5961cb71317afa1114801503f489101

SHA512
b62c8be1026527175c1f49c9015c12d3c7749b0525ebdeb72b3044bc8531e455be9bcc00cbb06a742b528716b60cfe616a7817f5962664b51fef61115f951a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
37283b22aa2ab3e572b288a4d3e9b59e

SHA1
76ed04e5c29334a0aad5c0029660634318229758

SHA256
02fe1287d0bcda1f1e7aee7c12d6f9fa8bc5653389cd9e2b2737ae12103c34e4

SHA512
ad1da00685e8c2819de8ad53552c0c729df75bd675c56d7d6ce8055586fa388cda682a4b6231505255425f83a57b6f977c852849538f610b6efd37fcac879d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
Filesize
72KB

MD5
a5c3c60ee66c5eee4d68fdcd1e70a0f8

SHA1
679c2d0f388fcf61ecc2a0d735ef304b21e428d2

SHA256
a77e911505d857000f49f47d29f28399475324bbf89c5c77066e9f9aca4dd234

SHA512
5a4f5a1e0de5e650ca4b56bfd8e6830b98272a74d75610ed6e2f828f47cdf8447fbc5d8404bcf706ca95e5833e7c255f251137855723b531d12cbc450062750a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
33KB

MD5
a6056708f2b40fe06e76df601fdc666a

SHA1
542f2a7be8288e26f08f55216e0c32108486c04c

SHA256
fe8009d99826585803f561c9d7b01c95ec4a666e92fedb2c1ca6fa0f50bb7152

SHA512
e83e64d00199a51c1f17faca3012f6f28ad54e5ac48acea6509cccdd61ddb08b03c3a895776944190a4e261393b90f9f516ad64b1b0e4cdd88a66f6f691331a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
223KB

MD5
b24045e033655badfcc5b3292df544fb

SHA1
7869c0742b4d5cd8f1341bb061ac6c8c8cf8544b

SHA256
ce60e71ab0f5a6f0a61ee048ff379b355d72cd01fda773380b4b474b4273ec6c

SHA512
0496eab064778fe47802d7f79a536022de4a89d085457ad0d092597f93e19653f750b86f5649768e18f631505ff9792c421ba3a14b9d30522d731b5cd3d8206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
Filesize
36KB

MD5
11cd1afe32a0fff1427ef3a539e31afd

SHA1
fb345df38113ef7bf7eefb340bccf34e0ab61872

SHA256
d3df3a24e6ea014c685469043783eabb91986d4c6fcd335a187bfdeaa9d5308f

SHA512
f250420a675c6f9908c23a908f7904d448a3453dacd1815283345f0d56a9b5a345507d5c4fcc8aaee276f9127fc6ab14d17ef94c21c1c809f5112cead4c24bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d
Filesize
119KB

MD5
57613e143ff3dae10f282e84a066de28

SHA1
88756cc8c6db645b5f20aa17b14feefb4411c25f

SHA256
19b8db163bcc51732457efa40911b4a422f297ff3cd566467d87eab93cef0c14

SHA512
94f045e71b9276944609ca69fc4b8704e4447f9b0fc2b80789cc012235895c50ef9ecb781a3ed901a0c989bed26caa37d4d4a9baffcce2cb19606dbb16a17176

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e
Filesize
117KB

MD5
4f7c668ae0988bf759b831769bfd0335

SHA1
280a11e29d10bb78d6a5b4a1f512bf3c05836e34

SHA256
32d4c8dc451e11db315d047306feea0376fbdc3a77c0ab8f5a8ab154164734d1

SHA512
af959fe2a7d5f186bd79a6b1d02c69f058ecd52e60ebd0effa7f23b665a41500732ffa50a6e468a5253bb58644251586ae38ec53e21eab9140f1cf5fd291f6a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f
Filesize
115KB

MD5
ce6bda6643b662a41b9fb570bdf72f83

SHA1
87bcf1d2820b476aaeaea91dc7f6dbedd73c1cb8

SHA256
0adf4d5edbc82d28879fdfaaf7274ba05162ff8cbbda816d69ed52f1dae547f6

SHA512
8023da9f9619d34d4e5f7c819a96356485f73fddcb8adb452f3ceefa8c969c16ca78a8c8d02d8e7a213eb9c5bbe5c50745ba7602e0ee2fe36d2742fb3e979c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000040
Filesize
121KB

MD5
2d64caa5ecbf5e42cbb766ca4d85e90e

SHA1
147420abceb4a7fd7e486dddcfe68cda7ebb3a18

SHA256
045b433f94502cfa873a39e72d616c73ec1b4c567b7ee0f847f442651683791f

SHA512
c96556ec57dac504919e806c7df536c4f86892b8525739289b2f2dbbf475de883a4824069dbdd4bb1770dd484f321563a00892e6c79d48818a4b95406bf1af96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041
Filesize
121KB

MD5
48b805d8fa321668db4ce8dfd96db5b9

SHA1
e0ded2606559c8100ef544c1f1c704e878a29b92

SHA256
9a75f8cc40bbe9c9499e7b2d3bab98a447685a361489357a111479517005c954

SHA512
95da761ca3f99f7808a0148cfa2416b8c03d90859bff65b396061ada5a4394fb50e2a4b82986caab07bc1fcd73980fe9b08e804b3ce897762a17d2e44935076d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
1915b7776c3801f604e5bd86887bf576

SHA1
57020b30364085c6501626a4566b7d584326b405

SHA256
d0adb01402a6aae386f3c12b9cf566d5736045d45a0ae0dab5e05934845c71ff

SHA512
c8f63b3aadd018b4a1305832ceaa7aada0ecf76ae3c2fd9d6a7fa416ea3d7ad889b4cc8c6ad22756ba4b120c80d8688e6cd75bac069709cb1beab489bd2674f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
5a2cdd5f4446a0e4823e819a79ddbbf3

SHA1
ea8b87e198c02c6dc50d5eabbad30df0aebd0d31

SHA256
7f812c88419ee0ac19b3c42e9787b10b1a1c1223800f220d2a9da362cfb592da

SHA512
4cb63e79e968200811f41fa0dedb64fa2f579fee06907fa7c8906b2164cd7de2bf0ea1a0476e4d2f7a3e41176c5f25f595f993d02f6924e891de160f663c3761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
8818afd7df3b654591bb6b535148272c

SHA1
82f6b75c45f46bec7d518b650eed429496022c54

SHA256
04a7f925c944dbf4fd5119f07d5a69ae8dae94f423ec8196e6017221c9bdf80b

SHA512
5153062ecc86281bcfab58710b01dd978b39d39ad5454216ea973c1352aaa3d3ddfc03d996f822f81d3eb80147f07cea676c429561b9884ddff22df2bea32a2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
be7f4c879e81e2f78d9c3b2401a3df5c

SHA1
e66270b0c4b8463b518fe68b50b1953695a3f05f

SHA256
dd690da96f3b595a8f049fb608dc18af49b460f77da25418a8216dcc2198f82d

SHA512
ccefa313789811bdcb150d46b169700ae6886524ce1fe4b36aa20e669a81d490716a4d69d03db0bddfbe38f88fc6b8bceda4ea5c2784c439ed591b93699a207c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
d1db7269b6c082e31d54e62606e4b19a

SHA1
f34815ecbde27d1d3da7036492853ad4ced3ae83

SHA256
87f9489a7cbce3ace161a7c385dcf9af43fbc472860c09de467d581a0ceb541d

SHA512
c724f810045a3fb8b70d08b32bb86f81e9e9fc6ec6e9ed49c37c734822f299c9790e6c9114d48b1adcea0b642cb85ef8603645a86b867ed97e1a50dcb710c843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
e2565e589c9c038c551766400aefc665

SHA1
77893bb0d295c2737e31a3f539572367c946ab27

SHA256
172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80

SHA512
5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
3bb1b262a414833dcf1f3c8b253b118e

SHA1
98a1f8f4f7f2d1703e8b2bdcbc2832464b772b45

SHA256
928eac2d3d44c6823e971e4ada4e367f62907e406aebc397cf8c34530a9f23c5

SHA512
b526ea8662fadecdc29072b4ecd0dda882f2570fad1eb84791068023146beefd1e78dafbc9fbf02e0c91dc0da345c717791252ab164102d4f7d3eb4dedbf2015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5831aa.TMP
Filesize
2KB

MD5
db9df44f5d6109fceac4aa778dc2f934

SHA1
8c196cdb41cb2de9a3254bcd3bbd2cb22c00249c

SHA256
7a362c12252339fbc192e5b50b7a0e1baa68910c3f61d5aa1c0f964e1304b9df

SHA512
35b61bb3c0e38e43cd58e60f0ed3aade1dc713c9393f151916b1c2fc970d2b3940d343a87d69221358ad6ee3dca845535ea11788079dd9db0f60a7521aebd73e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
15b1bb7e79e7ff76f6b177d3246d7af6

SHA1
1c28f5c7b32de41eea16a09a2782ed298c142590

SHA256
e364a80857a25aeb003c530b633b4fc525867eb0391a35158e0f72c06a6ec698

SHA512
42abe450c1abd09222f33b227fe438612ed14b5b5b78dfbdaaab3e2e96b670b0f30c117d1d2084c815e8d673cecaa4875169186b6150df1179d8e3f40974af79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
15b1bb7e79e7ff76f6b177d3246d7af6

SHA1
1c28f5c7b32de41eea16a09a2782ed298c142590

SHA256
e364a80857a25aeb003c530b633b4fc525867eb0391a35158e0f72c06a6ec698

SHA512
42abe450c1abd09222f33b227fe438612ed14b5b5b78dfbdaaab3e2e96b670b0f30c117d1d2084c815e8d673cecaa4875169186b6150df1179d8e3f40974af79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
d4334482aa27e83ac0134777d074daf4

SHA1
040bd2d210ee134ff517f04c50f7aaf965eb2b56

SHA256
3522a464d3467b77e33c881a9dcdf3f52d4d12a05498747b732598759c802281

SHA512
dca8ff91f66e1b7dc0974f1882159841a5901020cf4e57999c6bcfb4a73cb27786dcdb0162cc9c317773b0a58d03cfbb08645296ad80c57587f6506a65b0be86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
d4334482aa27e83ac0134777d074daf4

SHA1
040bd2d210ee134ff517f04c50f7aaf965eb2b56

SHA256
3522a464d3467b77e33c881a9dcdf3f52d4d12a05498747b732598759c802281

SHA512
dca8ff91f66e1b7dc0974f1882159841a5901020cf4e57999c6bcfb4a73cb27786dcdb0162cc9c317773b0a58d03cfbb08645296ad80c57587f6506a65b0be86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
d66235d1499dfa2b6a58f44064538ec1

SHA1
014e9bdc6e884b381b84f56802a28565f23d2885

SHA256
97971a9a059ca1f46d6e8610275d57177b5552b1bc05a13f77efd2d6a724bd45

SHA512
1c0536963fe41e457a2f6b1719261171162d6171fdc83b730beaa3d612059365924e8503b18327e70ef9a9a1c6c4bf02c12bcce0bb44168088dd5c28c7a7920b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
d66235d1499dfa2b6a58f44064538ec1

SHA1
014e9bdc6e884b381b84f56802a28565f23d2885

SHA256
97971a9a059ca1f46d6e8610275d57177b5552b1bc05a13f77efd2d6a724bd45

SHA512
1c0536963fe41e457a2f6b1719261171162d6171fdc83b730beaa3d612059365924e8503b18327e70ef9a9a1c6c4bf02c12bcce0bb44168088dd5c28c7a7920b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
15b1bb7e79e7ff76f6b177d3246d7af6

SHA1
1c28f5c7b32de41eea16a09a2782ed298c142590

SHA256
e364a80857a25aeb003c530b633b4fc525867eb0391a35158e0f72c06a6ec698

SHA512
42abe450c1abd09222f33b227fe438612ed14b5b5b78dfbdaaab3e2e96b670b0f30c117d1d2084c815e8d673cecaa4875169186b6150df1179d8e3f40974af79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
7a246f602b0b1ce1f7c12271be0f08e6

SHA1
3b1670f61acef714921c70327b8003299da7965f

SHA256
f4f28915b4a4a125735f8fc49f00dcd662834109da5bbdfe6ebe976da18ca5a5

SHA512
c2556120bc1db9dc00393dade028df806396b6babba84d4e1a37b3ba1c1b8ceb511f3837c217908e5d0c4535bda4656706e251c27bd2e164aab2442fec5b8b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
7a246f602b0b1ce1f7c12271be0f08e6

SHA1
3b1670f61acef714921c70327b8003299da7965f

SHA256
f4f28915b4a4a125735f8fc49f00dcd662834109da5bbdfe6ebe976da18ca5a5

SHA512
c2556120bc1db9dc00393dade028df806396b6babba84d4e1a37b3ba1c1b8ceb511f3837c217908e5d0c4535bda4656706e251c27bd2e164aab2442fec5b8b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
7a246f602b0b1ce1f7c12271be0f08e6

SHA1
3b1670f61acef714921c70327b8003299da7965f

SHA256
f4f28915b4a4a125735f8fc49f00dcd662834109da5bbdfe6ebe976da18ca5a5

SHA512
c2556120bc1db9dc00393dade028df806396b6babba84d4e1a37b3ba1c1b8ceb511f3837c217908e5d0c4535bda4656706e251c27bd2e164aab2442fec5b8b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
d66235d1499dfa2b6a58f44064538ec1

SHA1
014e9bdc6e884b381b84f56802a28565f23d2885

SHA256
97971a9a059ca1f46d6e8610275d57177b5552b1bc05a13f77efd2d6a724bd45

SHA512
1c0536963fe41e457a2f6b1719261171162d6171fdc83b730beaa3d612059365924e8503b18327e70ef9a9a1c6c4bf02c12bcce0bb44168088dd5c28c7a7920b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
392dc62eff68998fef0b4f99ee6fbe78

SHA1
57b0f21ffbe7beba62a68129d1dd020e97391cf4

SHA256
904794ca34056451f6929103d7585b94bf8ffbd4d8c02bd0fe0ab2eacbe12bb8

SHA512
c8c006e259d6688c5424bf63f1298cf224f20145cd47c2da28ce557302a729d4c3633eb2b981280bd051c763023f938dbb552d1ba53eeb29625e70e7cf962577

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b8c5e3f3-3c84-45fe-b45c-ee269f03f61e.tmp
Filesize
10KB

MD5
661aa03a6afea59af58df6a56d3ef3d4

SHA1
78f41049a9a08179409fcf7c10e471c62a0f3c05

SHA256
fc8f50261ea1140fcfc67aea35adfa91745f9735c8395afdf17eaad994e06f6f

SHA512
938fc58b5afce4d9b896a1bf3dcbebd6275046c4f6025863fd88d9824953582095d4ee7f1292771e3d85a9fe13d9db18c350c93c6426c321dd22faff5e05ea6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\12F7.exe
Filesize
182KB

MD5
e561df80d8920ae9b152ddddefd13c7c

SHA1
0d020453f62d2188f7a0e55442af5d75e16e7caf

SHA256
5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea

SHA512
a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.1MB

MD5
9879861f3899a47f923cb13ca048dcc1

SHA1
2c24fd7dec7e0c69b35a9c75d59c7c3db51f7980

SHA256
9f7ffdf942954fc527e1b68b996f3ed6ebbb4bd5a8e0ab9387167cd5fae47513

SHA512
6f51d51eaa653c7ec92de89baaeb402fb33ced558df060e3075498047a75e32396aa00d3bcc89f3cd4d4378ece96d75a54b7d9f4f6aaf459356325434698caa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\771604342093
Filesize
85KB

MD5
bb6dbf4a56b031f6840534645ed50972

SHA1
1ba21970dc18feb4a2214bd09c0c0547effd5939

SHA256
b513643980392adda36f11b985165d84dc3572ff1daa24344d7d48a5e7b8b3ff

SHA512
27559c4c018dd4b656d7dffb042e2ce9d5d6a4b72f349a78acabe5523031951ef3c04a24ef8c69cc36726f44b46ff76a176b3bc31829240b4a48a0e9722473e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC87.tmp\CC88.tmp\CC89.bat
Filesize
429B

MD5
0769624c4307afb42ff4d8602d7815ec

SHA1
786853c829f4967a61858c2cdf4891b669ac4df9

SHA256
7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f

SHA512
df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Rp21QF.exe
Filesize
89KB

MD5
acb18add42a89d27d9d033d416a4ad5c

SHA1
6bf33679f3beba6b105c0514dc3d98cf4f96d6d1

SHA256
50b81fdbcb8287571d5cbe3f706ddb88b182e3e65ab7ba4aa7318b46ddc17bab

SHA512
dcbb9dc70cab90558f7c6a19c18aa2946f97a052e8ab8319e0a6fa47bead4ebf053035943c5a0515c4ebfb70e29d9cce936746b241b4895c3d89e71ec02b144d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7nu1QK10.exe
Filesize
89KB

MD5
4782f8e46d295b6d398cb8c4c6149b7b

SHA1
72af1f6e0d507339ee83d4c3f2868eb16a9be54e

SHA256
3c7a9544be2a5d338730206d6abc12f95be4879d6c219b7faae0fa0d7756c77a

SHA512
7d320f68d8d9e84ae3a829dd678282b5472a4b8561a19b83c730424b84976b13c03d6db593d726b4dc7865301003ce24e5401687e1924400b0e2c98b6fbc3dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7nu1QK10.exe
Filesize
89KB

MD5
4782f8e46d295b6d398cb8c4c6149b7b

SHA1
72af1f6e0d507339ee83d4c3f2868eb16a9be54e

SHA256
3c7a9544be2a5d338730206d6abc12f95be4879d6c219b7faae0fa0d7756c77a

SHA512
7d320f68d8d9e84ae3a829dd678282b5472a4b8561a19b83c730424b84976b13c03d6db593d726b4dc7865301003ce24e5401687e1924400b0e2c98b6fbc3dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dw4jw75.exe
Filesize
1.4MB

MD5
d696f81d1cfccf24be6fdec5a96292b1

SHA1
a42b04d2f14986a5df0ffb0b4a95835a329d2eb3

SHA256
4851a983eb1010e232110084b7b8f96c4491ccda33c15566d547e75a5d77cc3f

SHA512
4a407d92a4d660eb77f37f38f6480810afada1067de3077b94228686244e7ab396944267fa93840dd1a8596eab843e268de071f5c545af4788195229231a0033

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dw4jw75.exe
Filesize
1.4MB

MD5
d696f81d1cfccf24be6fdec5a96292b1

SHA1
a42b04d2f14986a5df0ffb0b4a95835a329d2eb3

SHA256
4851a983eb1010e232110084b7b8f96c4491ccda33c15566d547e75a5d77cc3f

SHA512
4a407d92a4d660eb77f37f38f6480810afada1067de3077b94228686244e7ab396944267fa93840dd1a8596eab843e268de071f5c545af4788195229231a0033

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6XU3pT8.exe
Filesize
184KB

MD5
a21efeed973c4a7951cd3dc04712c1b6

SHA1
c2baf6c92d2107ad84dfc2aa1dc1bdc7e2fa9c9f

SHA256
a9eeddd9c5346a13e6e8277a63adcddfe5a1a2c6a1cdaf4bdfb31db4573b77d0

SHA512
8fd2ada7002d882e9601720864af84458366469bcd6a1eea224fa336d3d39058f00044797393314c1593034a7a22a4b89637895cc6fce567eac721cf70ee065d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6XU3pT8.exe
Filesize
184KB

MD5
a21efeed973c4a7951cd3dc04712c1b6

SHA1
c2baf6c92d2107ad84dfc2aa1dc1bdc7e2fa9c9f

SHA256
a9eeddd9c5346a13e6e8277a63adcddfe5a1a2c6a1cdaf4bdfb31db4573b77d0

SHA512
8fd2ada7002d882e9601720864af84458366469bcd6a1eea224fa336d3d39058f00044797393314c1593034a7a22a4b89637895cc6fce567eac721cf70ee065d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Im7NN21.exe
Filesize
1.2MB

MD5
5a79ac67f71a48b15792aac6bbc673b0

SHA1
dc546345a2f6ce73eff48dd66c54891d07cdab36

SHA256
e7e4d73e36c042b000a1db9f8e01b5558754ca5fee20bc98066f7e849d2908cd

SHA512
78d9f6444cf181dcf3b955eb4826ef8b47c7dd1413c54a19ae6c86a457c046f4cf197ebbd515b16cb2aa729b248aba925b198ebc623628910351b2072a989117

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Im7NN21.exe
Filesize
1.2MB

MD5
5a79ac67f71a48b15792aac6bbc673b0

SHA1
dc546345a2f6ce73eff48dd66c54891d07cdab36

SHA256
e7e4d73e36c042b000a1db9f8e01b5558754ca5fee20bc98066f7e849d2908cd

SHA512
78d9f6444cf181dcf3b955eb4826ef8b47c7dd1413c54a19ae6c86a457c046f4cf197ebbd515b16cb2aa729b248aba925b198ebc623628910351b2072a989117

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5se2bl3.exe
Filesize
221KB

MD5
3d336d6ad9a14b28443c8f2bd2f60b14

SHA1
a07f32cb3797644a6fee99c307666d81ebd60ba1

SHA256
52c76d606826feaff4120419f39ce482b842e41ab295e45431a458aa57c77ae5

SHA512
222a04c13e4f3363a82a46d1e6c839e34d88717b9fc94dd2c07984fede63cdf9a42657f7ccdc703efbf6a812f99a99bbff7b756e22ab18f00844868ed386a601

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5se2bl3.exe
Filesize
221KB

MD5
3d336d6ad9a14b28443c8f2bd2f60b14

SHA1
a07f32cb3797644a6fee99c307666d81ebd60ba1

SHA256
52c76d606826feaff4120419f39ce482b842e41ab295e45431a458aa57c77ae5

SHA512
222a04c13e4f3363a82a46d1e6c839e34d88717b9fc94dd2c07984fede63cdf9a42657f7ccdc703efbf6a812f99a99bbff7b756e22ab18f00844868ed386a601

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vt4mL80.exe
Filesize
1.0MB

MD5
2e86bf0a95a4d6d7e0bdac906967d5bf

SHA1
023e0617d4f712410eda7172f2358c3e14aca34b

SHA256
16415c15b0afb2d01f58c4b1113e81094003b329203f0abf209fee82453727eb

SHA512
2554a1d4baf5900550ffbe8e9cd2d9b34d688870568050e75e4476ccd55a11f742691e214e3d637be221810ca9a74c8a2e60133dd2b4023a85714b8995abe6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vt4mL80.exe
Filesize
1.0MB

MD5
2e86bf0a95a4d6d7e0bdac906967d5bf

SHA1
023e0617d4f712410eda7172f2358c3e14aca34b

SHA256
16415c15b0afb2d01f58c4b1113e81094003b329203f0abf209fee82453727eb

SHA512
2554a1d4baf5900550ffbe8e9cd2d9b34d688870568050e75e4476ccd55a11f742691e214e3d637be221810ca9a74c8a2e60133dd2b4023a85714b8995abe6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4XR873CT.exe
Filesize
1.1MB

MD5
5dc410ff0aa4f0128dfd703c62d05cd1

SHA1
6cbc36329cbc3137916ba4cca2dbf0d148117c39

SHA256
e88d69e7da8dec6a15da753b03d5bc947211e54cbb71aedefc2355fd5b59154f

SHA512
3977dfa68fdf9d9cceefb111d227758409274a9e9231d788e6658923affbeab3a656889bf9b1133819000afa1c72b6023798417b1b3d0234e3140cb3dea1554e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4XR873CT.exe
Filesize
1.1MB

MD5
5dc410ff0aa4f0128dfd703c62d05cd1

SHA1
6cbc36329cbc3137916ba4cca2dbf0d148117c39

SHA256
e88d69e7da8dec6a15da753b03d5bc947211e54cbb71aedefc2355fd5b59154f

SHA512
3977dfa68fdf9d9cceefb111d227758409274a9e9231d788e6658923affbeab3a656889bf9b1133819000afa1c72b6023798417b1b3d0234e3140cb3dea1554e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI5Mn77.exe
Filesize
652KB

MD5
a7e990ddf672abfacdb78bd929ae70a0

SHA1
ee3fb27a1e38cd92e36e9a692709751b02b477e1

SHA256
53921115f283c8fce8d8be170e49ad0b75c78be3508a7200cb747f0b480cef1d

SHA512
d521d79c793e8f7832f7b543e1fac2408e9d480593b1bebf4bc92651056203306e5a2b31350bf46cff6a8251e0b80e09c3a82d3e7fcbe12f860cae0a4ce10818

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI5Mn77.exe
Filesize
652KB

MD5
a7e990ddf672abfacdb78bd929ae70a0

SHA1
ee3fb27a1e38cd92e36e9a692709751b02b477e1

SHA256
53921115f283c8fce8d8be170e49ad0b75c78be3508a7200cb747f0b480cef1d

SHA512
d521d79c793e8f7832f7b543e1fac2408e9d480593b1bebf4bc92651056203306e5a2b31350bf46cff6a8251e0b80e09c3a82d3e7fcbe12f860cae0a4ce10818

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Jk14eH.exe
Filesize
31KB

MD5
94020fb209b2dbf8911d478ca92035f8

SHA1
c7e3330b0cd260d42af88dab7c9daf4044efe917

SHA256
e75b0f556c3916bc0f61f93ec957c6e5e5b7f4de50c74a26cfd3a25c87a269df

SHA512
1d1e8ae701e9777eb29de5422084f456e6d4e1dcaa5d0e19b880f0841d323a790a84cad214c69f8c1d4017476b99fe2f1fea60e48f5bcdcf71aadec6315b80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Jk14eH.exe
Filesize
31KB

MD5
94020fb209b2dbf8911d478ca92035f8

SHA1
c7e3330b0cd260d42af88dab7c9daf4044efe917

SHA256
e75b0f556c3916bc0f61f93ec957c6e5e5b7f4de50c74a26cfd3a25c87a269df

SHA512
1d1e8ae701e9777eb29de5422084f456e6d4e1dcaa5d0e19b880f0841d323a790a84cad214c69f8c1d4017476b99fe2f1fea60e48f5bcdcf71aadec6315b80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cm2Ag48.exe
Filesize
528KB

MD5
a1d9c4982ec612f352e3339ca560e06c

SHA1
9248ead3d0c194f2425b76eda0e90ec788a9ae3f

SHA256
17a7dd065ec8299723621ce19c2cfab8485ace6eb95b3bcba842495162666ab7

SHA512
8401f54199d8792b9ba49ddd6f1b6abc174fe72929ddaa859ef0470b122dd801554545cb95fff4db7c68165a5b7233b98d3e8ee27fae691ab5d972c7cd11e236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cm2Ag48.exe
Filesize
528KB

MD5
a1d9c4982ec612f352e3339ca560e06c

SHA1
9248ead3d0c194f2425b76eda0e90ec788a9ae3f

SHA256
17a7dd065ec8299723621ce19c2cfab8485ace6eb95b3bcba842495162666ab7

SHA512
8401f54199d8792b9ba49ddd6f1b6abc174fe72929ddaa859ef0470b122dd801554545cb95fff4db7c68165a5b7233b98d3e8ee27fae691ab5d972c7cd11e236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hb53GW5.exe
Filesize
869KB

MD5
d7b161a538afe15c0ac6809189548f1b

SHA1
78ac36bf26c510831d3b449e81d754097cfd3461

SHA256
42ac91034b7dd765d141e36697f1d833511cdbc78b4d1e8ad300aed8ee839690

SHA512
c4b3bdb79004be6080c10ce606caa2c75284e5aaf5de94a165c6444c79d3d7f3f61a615d914be072452dba9f61ef0d0971ea6bbeaf4070ca661e4211fe719a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1hb53GW5.exe
Filesize
869KB

MD5
d7b161a538afe15c0ac6809189548f1b

SHA1
78ac36bf26c510831d3b449e81d754097cfd3461

SHA256
42ac91034b7dd765d141e36697f1d833511cdbc78b4d1e8ad300aed8ee839690

SHA512
c4b3bdb79004be6080c10ce606caa2c75284e5aaf5de94a165c6444c79d3d7f3f61a615d914be072452dba9f61ef0d0971ea6bbeaf4070ca661e4211fe719a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zL6424.exe
Filesize
1.0MB

MD5
cf11e094985e70b209ec79aa0cf3a65e

SHA1
8a16fe6618e9657b432211e22dc4b115bfc84a50

SHA256
92ffa02e6f4e34942e331275373cbd4de578fba015e8576027f9a954f29d3de5

SHA512
59f6571c1e4c2a5ff7b655c89d20cdd4c58564a835145b8c372af0f61e2879664bd9748232d109074c9fb976663e902236284213b78e270bbbb1499881eeee00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zL6424.exe
Filesize
1.0MB

MD5
cf11e094985e70b209ec79aa0cf3a65e

SHA1
8a16fe6618e9657b432211e22dc4b115bfc84a50

SHA256
92ffa02e6f4e34942e331275373cbd4de578fba015e8576027f9a954f29d3de5

SHA512
59f6571c1e4c2a5ff7b655c89d20cdd4c58564a835145b8c372af0f61e2879664bd9748232d109074c9fb976663e902236284213b78e270bbbb1499881eeee00

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
Filesize
2.5MB

MD5
d04b3ad7f47bdbd80c23a91436096fc6

SHA1
dfe98b3bbcac34e4f55d8e1f30503f1caba7f099

SHA256
994a1ebecf6350718dc003473441d89bb493c8a79bbce8622b562fc2c0ca2757

SHA512
0777d9bb0448615e7f694b1c1e3f0a5aa2f84d8638e77f349167c2d6eb7ee27709d68b581b09c122182e85b1ccbbfd89767308457219c5c67fe613212ff47d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
5.5MB

MD5
7df479e4b7663b47007a83d4e69d2678

SHA1
9dbfbef349c752441f0be03bbfda16dd2238254f

SHA256
d0a19e3d19358be8706f4e80a3621fa3db4bd2fd7cbebc88feac95de7223665e

SHA512
d55ca362f5af28d1cbee8de94106f5a035c2a552158c6e466b18452a0dbccad60963125dc3b96d39a293dbb1718331d9df6a88424160b9a39583c503605ac247

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zaywhje4.1cy.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
Filesize
307KB

MD5
b6d627dcf04d04889b1f01a14ec12405

SHA1
f7292c3d6f2003947cc5455b41df5f8fbd14df14

SHA256
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf

SHA512
1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
3d336d6ad9a14b28443c8f2bd2f60b14

SHA1
a07f32cb3797644a6fee99c307666d81ebd60ba1

SHA256
52c76d606826feaff4120419f39ce482b842e41ab295e45431a458aa57c77ae5

SHA512
222a04c13e4f3363a82a46d1e6c839e34d88717b9fc94dd2c07984fede63cdf9a42657f7ccdc703efbf6a812f99a99bbff7b756e22ab18f00844868ed386a601

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
3d336d6ad9a14b28443c8f2bd2f60b14

SHA1
a07f32cb3797644a6fee99c307666d81ebd60ba1

SHA256
52c76d606826feaff4120419f39ce482b842e41ab295e45431a458aa57c77ae5

SHA512
222a04c13e4f3363a82a46d1e6c839e34d88717b9fc94dd2c07984fede63cdf9a42657f7ccdc703efbf6a812f99a99bbff7b756e22ab18f00844868ed386a601

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
3d336d6ad9a14b28443c8f2bd2f60b14

SHA1
a07f32cb3797644a6fee99c307666d81ebd60ba1

SHA256
52c76d606826feaff4120419f39ce482b842e41ab295e45431a458aa57c77ae5

SHA512
222a04c13e4f3363a82a46d1e6c839e34d88717b9fc94dd2c07984fede63cdf9a42657f7ccdc703efbf6a812f99a99bbff7b756e22ab18f00844868ed386a601

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe
Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE6C.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEC0.tmp
Filesize
92KB

MD5
2ea428873b09b0b3d94fd89ad2883b02

SHA1
a767ea985e9a1ff148b90a66297589198b2ed2a0

SHA256
0c89f9ffb4f2f7955337b3d94f7712ea0efc71426545018c673caa84a296efba

SHA512
3a642989b1701f352d4e4167aceaf8f2f536882f2018d80d3d7be4770bda1524a5264e25ab995b87a67b8ea4fb87736641d22264c0d4ba71c550e4ce3bbf3d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF49.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF4F.tmp
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF64.tmp
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF81.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
207KB

MD5
5ff398981d2edc3bca2e1ed053090c9a

SHA1
7c0b3b52bbeec3b6370c38f47eb85a75ee92be3b

SHA256
13c420fc4656cb4eff23d8901c1777434ee40157122f3941a92eef5b7aceefaf

SHA512
4609cf82ea7dbacff3fce41da8dc29467dc348f336998f1f79c85e82261947c686ba39a77c3a4a9321596d55fb73a7c5e6aab026748fb9b3be01d45099075de4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll
Filesize
102KB

MD5
ceffd8c6661b875b67ca5e4540950d8b

SHA1
91b53b79c98f22d0b8e204e11671d78efca48682

SHA256
da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2

SHA512
6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll
Filesize
1.1MB

MD5
1c27631e70908879e1a5a8f3686e0d46

SHA1
31da82b122b08bb2b1e6d0c904993d6d599dc93a

SHA256
478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9

SHA512
7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd

Download Submit
C:\Users\Admin\AppData\Roaming\cduscgv
Filesize
33KB

MD5
65bfa08856a98a69a16a520b03e8d6a0

SHA1
a50eb214ff01b9a7dcadeb0c7ba6d4bca94fc1ad

SHA256
2fe372b10b4da5eeaf09d22197be5ca8c9115e7a9a031abd60f3615e789fc72c

SHA512
8c2a49b70ec615d9959a646286e4396dc76141b2ee12cb8f77c372b45c8ad0f29ca2c1a81128389c9ac78e3fbb05e215e9eb7150fdc49ed36a1135e1af0876c8

Download Submit
\??\pipe\LOCAL\crashpad_3248_OKACBGQIXAEWWQDQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4536_JFPLBTWUYHMMKGHX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4872_JKJELNQKZUZBRZMZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/784-701-0x0000000007830000-0x0000000007840000-memory.dmp

Filesize
64KB

Download
memory/784-885-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/784-698-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/784-982-0x0000000007830000-0x0000000007840000-memory.dmp

Filesize
64KB

Download
memory/2032-1972-0x00000000013C0000-0x00000000013E0000-memory.dmp

Filesize
128KB

Download
memory/2400-1761-0x00007FF6735D0000-0x00007FF673C7A000-memory.dmp

Filesize
6.7MB

Download
memory/2948-1200-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3076-703-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/3076-1032-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/3076-702-0x00000000009E0000-0x00000000009EA000-memory.dmp

Filesize
40KB

Download
memory/3076-1057-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/3184-357-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/3184-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3184-80-0x0000000007B50000-0x0000000007B5A000-memory.dmp

Filesize
40KB

Download
memory/3184-84-0x0000000008AD0000-0x00000000090E8000-memory.dmp

Filesize
6.1MB

Download
memory/3184-85-0x0000000007D00000-0x0000000007E0A000-memory.dmp

Filesize
1.0MB

Download
memory/3184-89-0x0000000007C30000-0x0000000007C42000-memory.dmp

Filesize
72KB

Download
memory/3184-76-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/3184-90-0x0000000007C90000-0x0000000007CCC000-memory.dmp

Filesize
240KB

Download
memory/3184-396-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/3184-91-0x0000000007E10000-0x0000000007E5C000-memory.dmp

Filesize
304KB

Download
memory/3184-71-0x0000000007950000-0x00000000079E2000-memory.dmp

Filesize
584KB

Download
memory/3184-70-0x0000000007F00000-0x00000000084A4000-memory.dmp

Filesize
5.6MB

Download
memory/3184-67-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/3316-1293-0x0000000007300000-0x0000000007316000-memory.dmp

Filesize
88KB

Download
memory/3316-56-0x0000000002CE0000-0x0000000002CF6000-memory.dmp

Filesize
88KB

Download
memory/3316-1624-0x00000000086F0000-0x0000000008706000-memory.dmp

Filesize
88KB

Download
memory/3396-1166-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-1294-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4512-1271-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4868-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4868-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5080-96-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/5080-86-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/5080-46-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/5080-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5168-1143-0x000000001AE60000-0x000000001AE70000-memory.dmp

Filesize
64KB

Download
memory/5168-1171-0x00007FFF761B0000-0x00007FFF76C71000-memory.dmp

Filesize
10.8MB

Download
memory/5168-1141-0x00007FFF761B0000-0x00007FFF76C71000-memory.dmp

Filesize
10.8MB

Download
memory/5168-1133-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download
memory/5548-1971-0x00007FF67F940000-0x00007FF67FEE1000-memory.dmp

Filesize
5.6MB

Download
memory/5736-1151-0x00000000004E0000-0x00000000004FE000-memory.dmp

Filesize
120KB

Download
memory/5736-1152-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/5736-1154-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/5776-1760-0x0000000001340000-0x000000000137E000-memory.dmp

Filesize
248KB

Download
memory/6336-1135-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/6336-1267-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/6396-1272-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/6484-1279-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/6484-1276-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/6540-1626-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/6572-1060-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/6572-1061-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/6572-728-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/6572-749-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/6572-727-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6856-1129-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/6856-1251-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/6856-1130-0x0000000000BD0000-0x0000000000FB0000-memory.dmp

Filesize
3.9MB

Download
memory/6856-1132-0x0000000005800000-0x000000000589C000-memory.dmp

Filesize
624KB

Download
memory/6964-1325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/6964-1490-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/6964-1479-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/6992-1657-0x00007FF75C9A0000-0x00007FF75CF41000-memory.dmp

Filesize
5.6MB

Download
memory/7064-710-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7064-711-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7064-718-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7068-1086-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/7068-845-0x0000000008110000-0x0000000008176000-memory.dmp

Filesize
408KB

Download
memory/7068-987-0x0000000009380000-0x00000000093D0000-memory.dmp

Filesize
320KB

Download
memory/7068-1088-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/7068-969-0x0000000008CC0000-0x00000000091EC000-memory.dmp

Filesize
5.2MB

Download
memory/7068-955-0x0000000008AF0000-0x0000000008CB2000-memory.dmp

Filesize
1.8MB

Download
memory/7068-951-0x0000000008A20000-0x0000000008A96000-memory.dmp

Filesize
472KB

Download
memory/7068-979-0x00000000092F0000-0x000000000930E000-memory.dmp

Filesize
120KB

Download
memory/7068-787-0x0000000007660000-0x0000000007670000-memory.dmp

Filesize
64KB

Download
memory/7068-774-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/7068-754-0x0000000000480000-0x00000000004DA000-memory.dmp

Filesize
360KB

Download
memory/7068-1090-0x0000000007660000-0x0000000007670000-memory.dmp

Filesize
64KB

Download
memory/7068-1148-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/7068-753-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/7152-1926-0x0000000000A80000-0x0000000000B2D000-memory.dmp

Filesize
692KB

Download
memory/7544-1650-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/7544-1190-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/7544-1182-0x0000000002E30000-0x000000000371B000-memory.dmp

Filesize
8.9MB

Download
memory/7544-1178-0x0000000002920000-0x0000000002D26000-memory.dmp

Filesize
4.0MB

Download
memory/7900-1091-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/7900-1092-0x0000000000260000-0x0000000000EE0000-memory.dmp

Filesize
12.5MB

Download
memory/7900-1144-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/8004-1781-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/8144-1939-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download