amadey | 82266683c9268da9f2d08238a0202c65136fd5c17c9ca3da358c55c32af834ae

Analysis

max time kernel
183s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2023 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c1673ad6ab457a24455b700542e17300.exe
Size

1.0MB
MD5

c1673ad6ab457a24455b700542e17300
SHA1

c81bce8418b0a98d6cf40943f82ed1d1ffa4344b
SHA256

82266683c9268da9f2d08238a0202c65136fd5c17c9ca3da358c55c32af834ae
SHA512

74932bf980fb973f6de19ff278f401b34bb1e8eec05b75d0c1a1d78de75f46773cb7b41aaba14198171d73a471dd1195188d1b00bbe04068c915402a9ec593bc
SSDEEP

24576:Kygaj1EWi9hw34iVHpzV70LjbunFXCL2RloM:R11EWi3iVHpeLj6n4glo

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Extracted

Family

redline

Botnet

pixelnew2.0

194.49.94.11:80

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 2 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

NEAS.c1673ad6ab457a24455b700542e17300.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.c1673ad6ab457a24455b700542e17300.exe
5660	schtasks.exe

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2552-632-0x0000000002E10000-0x00000000036FB000-memory.dmp	family_glupteba
behavioral1/memory/2552-636-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1684-42-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\CA24.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\CA24.exe	family_redline
behavioral1/memory/3332-81-0x0000000000CD0000-0x0000000000D0C000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rp741yF.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rp741yF.exe	family_redline
behavioral1/memory/1032-121-0x0000000000340000-0x000000000037C000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1CDC.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1CDC.exe	family_redline
behavioral1/memory/568-187-0x0000000002080000-0x00000000020DA000-memory.dmp	family_redline
behavioral1/memory/2372-188-0x00000000004F0000-0x000000000052E000-memory.dmp	family_redline
behavioral1/memory/1028-200-0x00000000008B0000-0x00000000008CE000-memory.dmp	family_redline
behavioral1/memory/568-401-0x0000000000400000-0x0000000000480000-memory.dmp	family_redline
behavioral1/memory/2372-404-0x0000000000400000-0x0000000000461000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1CDC.exe	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\1CDC.exe	family_sectoprat
behavioral1/memory/1028-200-0x00000000008B0000-0x00000000008CE000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F52D.exe2808.exekos4.exeUtsysc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	F52D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	2808.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	kos4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	Utsysc.exe

Executes dropped EXE 30 IoCs

Processes:

YR0NE35.exeWF2Ax71.exe1iC52Iz4.exe2kE4010.exe3NL76Tz.exe4YI851GT.exeB4C4.exeC6F7.exeCA24.exeBz0vw0Jn.exesJ7fb8gT.exevN0Hf3xi.exeIZ1ez7Tn.exe1kX12Oh8.exe2Rp741yF.exeF52D.exeFD7B.exe152A.exe1CDC.exe2808.exeInstallSetup5.exetoolspub2.exetoolspub2.exe31839b57a4f11171d6abc8bbc4451ee4.exeBroom.exekos4.exelatestX.exeUtsysc.exeLzmwAqmV.exeis-1TUNJ.tmp

pid	process
532	YR0NE35.exe
2992	WF2Ax71.exe
2516	1iC52Iz4.exe
2324	2kE4010.exe
2032	3NL76Tz.exe
2684	4YI851GT.exe
3032	B4C4.exe
4756	C6F7.exe
3332	CA24.exe
3324	Bz0vw0Jn.exe
2300	sJ7fb8gT.exe
3636	vN0Hf3xi.exe
2204	IZ1ez7Tn.exe
2256	1kX12Oh8.exe
1032	2Rp741yF.exe
5020	F52D.exe
568	FD7B.exe
2372	152A.exe
1028	1CDC.exe
4176	2808.exe
4892	InstallSetup5.exe
6908	toolspub2.exe
5724	toolspub2.exe
2552	31839b57a4f11171d6abc8bbc4451ee4.exe
184	Broom.exe
2408	kos4.exe
4812	latestX.exe
5576	Utsysc.exe
1908	LzmwAqmV.exe
1844	is-1TUNJ.tmp

Loads dropped DLL 8 IoCs

Processes:

FD7B.exe152A.exeis-1TUNJ.tmprundll32.exerundll32.exerundll32.exe

pid process

568 FD7B.exe
568 FD7B.exe
2372 152A.exe
2372 152A.exe
1844 is-1TUNJ.tmp
2788 rundll32.exe
4352 rundll32.exe
6744 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
568	FD7B.exe
568	FD7B.exe
2372	152A.exe
2372	152A.exe
1844	is-1TUNJ.tmp
2788	rundll32.exe
4352	rundll32.exe
6744	rundll32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

IZ1ez7Tn.exeNEAS.c1673ad6ab457a24455b700542e17300.exeYR0NE35.exeWF2Ax71.exeB4C4.exeBz0vw0Jn.exesJ7fb8gT.exevN0Hf3xi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	IZ1ez7Tn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.c1673ad6ab457a24455b700542e17300.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	YR0NE35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	WF2Ax71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	B4C4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Bz0vw0Jn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sJ7fb8gT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	vN0Hf3xi.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

Processes:

1iC52Iz4.exe2kE4010.exe4YI851GT.exe1kX12Oh8.exetoolspub2.exe

description	pid	process	target process
PID 2516 set thread context of 2868	2516	1iC52Iz4.exe	AppLaunch.exe
PID 2324 set thread context of 1740	2324	2kE4010.exe	AppLaunch.exe
PID 2684 set thread context of 1684	2684	4YI851GT.exe	AppLaunch.exe
PID 2256 set thread context of 4176	2256	1kX12Oh8.exe	AppLaunch.exe
PID 6908 set thread context of 5724	6908	toolspub2.exe	toolspub2.exe

Drops file in Program Files directory 33 IoCs

Processes:

is-1TUNJ.tmp

description	ioc	process
File created	C:\Program Files (x86)\IBuster\Lang\is-RM2EQ.tmp	is-1TUNJ.tmp
File opened for modification	C:\Program Files (x86)\IBuster\unins000.dat	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-B4IPV.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-BS3B7.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Plugins\is-MTVI4.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-5JCQ8.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-77LSS.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Help\is-86D2H.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Plugins\is-Q9AB6.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\is-PPR0T.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-IC6BB.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-4UUHB.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Online\is-68IH9.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Plugins\is-0R0ID.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\unins000.dat	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-JV9EL.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-J59JG.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Plugins\is-L18U9.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\is-TH5CA.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-DGO01.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-EFV2R.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Online\is-7N5P2.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-DKHNM.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-67DDR.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-26SH9.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-2HF96.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-T8UN6.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-K17KQ.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-236GF.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-HNU5T.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-K574M.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-571UE.tmp	is-1TUNJ.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-T0L0C.tmp	is-1TUNJ.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
860	1740	WerFault.exe	AppLaunch.exe
2548	4176	WerFault.exe	AppLaunch.exe
5908	2372	WerFault.exe	152A.exe
6104	568	WerFault.exe	FD7B.exe
116	2372	WerFault.exe	152A.exe
5652	568	WerFault.exe	FD7B.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3NL76Tz.exetoolspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3NL76Tz.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3NL76Tz.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3NL76Tz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5660 schtasks.exe

pid	process
5660	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exe3NL76Tz.exe

pid	process
2868	AppLaunch.exe
2868	AppLaunch.exe
2032	3NL76Tz.exe
2032	3NL76Tz.exe
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3384
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

3NL76Tz.exetoolspub2.exe

pid process

2032 3NL76Tz.exe
5724 toolspub2.exe

pid	process
3384

pid	process
2032	3NL76Tz.exe
5724	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2868	AppLaunch.exe
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe2808.exe

pid	process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
3384
3384
4176	2808.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Broom.exe

pid process

184 Broom.exe

pid	process
184	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NEAS.c1673ad6ab457a24455b700542e17300.exeYR0NE35.exeWF2Ax71.exe1iC52Iz4.exe2kE4010.exe4YI851GT.exeB4C4.exeBz0vw0Jn.exe

description	pid	process	target process
PID 4200 wrote to memory of 532	4200	NEAS.c1673ad6ab457a24455b700542e17300.exe	YR0NE35.exe
PID 4200 wrote to memory of 532	4200	NEAS.c1673ad6ab457a24455b700542e17300.exe	YR0NE35.exe
PID 4200 wrote to memory of 532	4200	NEAS.c1673ad6ab457a24455b700542e17300.exe	YR0NE35.exe
PID 532 wrote to memory of 2992	532	YR0NE35.exe	WF2Ax71.exe
PID 532 wrote to memory of 2992	532	YR0NE35.exe	WF2Ax71.exe
PID 532 wrote to memory of 2992	532	YR0NE35.exe	WF2Ax71.exe
PID 2992 wrote to memory of 2516	2992	WF2Ax71.exe	1iC52Iz4.exe
PID 2992 wrote to memory of 2516	2992	WF2Ax71.exe	1iC52Iz4.exe
PID 2992 wrote to memory of 2516	2992	WF2Ax71.exe	1iC52Iz4.exe
PID 2516 wrote to memory of 2868	2516	1iC52Iz4.exe	AppLaunch.exe
PID 2516 wrote to memory of 2868	2516	1iC52Iz4.exe	AppLaunch.exe
PID 2516 wrote to memory of 2868	2516	1iC52Iz4.exe	AppLaunch.exe
PID 2516 wrote to memory of 2868	2516	1iC52Iz4.exe	AppLaunch.exe
PID 2516 wrote to memory of 2868	2516	1iC52Iz4.exe	AppLaunch.exe
PID 2516 wrote to memory of 2868	2516	1iC52Iz4.exe	AppLaunch.exe
PID 2516 wrote to memory of 2868	2516	1iC52Iz4.exe	AppLaunch.exe
PID 2516 wrote to memory of 2868	2516	1iC52Iz4.exe	AppLaunch.exe
PID 2992 wrote to memory of 2324	2992	WF2Ax71.exe	2kE4010.exe
PID 2992 wrote to memory of 2324	2992	WF2Ax71.exe	2kE4010.exe
PID 2992 wrote to memory of 2324	2992	WF2Ax71.exe	2kE4010.exe
PID 2324 wrote to memory of 1740	2324	2kE4010.exe	AppLaunch.exe
PID 2324 wrote to memory of 1740	2324	2kE4010.exe	AppLaunch.exe
PID 2324 wrote to memory of 1740	2324	2kE4010.exe	AppLaunch.exe
PID 2324 wrote to memory of 1740	2324	2kE4010.exe	AppLaunch.exe
PID 2324 wrote to memory of 1740	2324	2kE4010.exe	AppLaunch.exe
PID 2324 wrote to memory of 1740	2324	2kE4010.exe	AppLaunch.exe
PID 2324 wrote to memory of 1740	2324	2kE4010.exe	AppLaunch.exe
PID 2324 wrote to memory of 1740	2324	2kE4010.exe	AppLaunch.exe
PID 2324 wrote to memory of 1740	2324	2kE4010.exe	AppLaunch.exe
PID 2324 wrote to memory of 1740	2324	2kE4010.exe	AppLaunch.exe
PID 532 wrote to memory of 2032	532	YR0NE35.exe	3NL76Tz.exe
PID 532 wrote to memory of 2032	532	YR0NE35.exe	3NL76Tz.exe
PID 532 wrote to memory of 2032	532	YR0NE35.exe	3NL76Tz.exe
PID 4200 wrote to memory of 2684	4200	NEAS.c1673ad6ab457a24455b700542e17300.exe	4YI851GT.exe
PID 4200 wrote to memory of 2684	4200	NEAS.c1673ad6ab457a24455b700542e17300.exe	4YI851GT.exe
PID 4200 wrote to memory of 2684	4200	NEAS.c1673ad6ab457a24455b700542e17300.exe	4YI851GT.exe
PID 2684 wrote to memory of 388	2684	4YI851GT.exe	AppLaunch.exe
PID 2684 wrote to memory of 388	2684	4YI851GT.exe	AppLaunch.exe
PID 2684 wrote to memory of 388	2684	4YI851GT.exe	AppLaunch.exe
PID 2684 wrote to memory of 1684	2684	4YI851GT.exe	AppLaunch.exe
PID 2684 wrote to memory of 1684	2684	4YI851GT.exe	AppLaunch.exe
PID 2684 wrote to memory of 1684	2684	4YI851GT.exe	AppLaunch.exe
PID 2684 wrote to memory of 1684	2684	4YI851GT.exe	AppLaunch.exe
PID 2684 wrote to memory of 1684	2684	4YI851GT.exe	AppLaunch.exe
PID 2684 wrote to memory of 1684	2684	4YI851GT.exe	AppLaunch.exe
PID 2684 wrote to memory of 1684	2684	4YI851GT.exe	AppLaunch.exe
PID 2684 wrote to memory of 1684	2684	4YI851GT.exe	AppLaunch.exe
PID 3384 wrote to memory of 3032	3384		B4C4.exe
PID 3384 wrote to memory of 3032	3384		B4C4.exe
PID 3384 wrote to memory of 3032	3384		B4C4.exe
PID 3384 wrote to memory of 3968	3384		cmd.exe
PID 3384 wrote to memory of 3968	3384		cmd.exe
PID 3384 wrote to memory of 4756	3384		C6F7.exe
PID 3384 wrote to memory of 4756	3384		C6F7.exe
PID 3384 wrote to memory of 4756	3384		C6F7.exe
PID 3384 wrote to memory of 3332	3384		CA24.exe
PID 3384 wrote to memory of 3332	3384		CA24.exe
PID 3384 wrote to memory of 3332	3384		CA24.exe
PID 3032 wrote to memory of 3324	3032	B4C4.exe	Bz0vw0Jn.exe
PID 3032 wrote to memory of 3324	3032	B4C4.exe	Bz0vw0Jn.exe
PID 3032 wrote to memory of 3324	3032	B4C4.exe	Bz0vw0Jn.exe
PID 3324 wrote to memory of 2300	3324	Bz0vw0Jn.exe	sJ7fb8gT.exe
PID 3324 wrote to memory of 2300	3324	Bz0vw0Jn.exe	sJ7fb8gT.exe
PID 3324 wrote to memory of 2300	3324	Bz0vw0Jn.exe	sJ7fb8gT.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.c1673ad6ab457a24455b700542e17300.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c1673ad6ab457a24455b700542e17300.exe"
1⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YR0NE35.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YR0NE35.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WF2Ax71.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WF2Ax71.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1iC52Iz4.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1iC52Iz4.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2kE4010.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2kE4010.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 540
6⤵
- Program crash
PID:860

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3NL76Tz.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3NL76Tz.exe
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2032

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4YI851GT.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4YI851GT.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1740 -ip 1740
1⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\B4C4.exe
C:\Users\Admin\AppData\Local\Temp\B4C4.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bz0vw0Jn.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bz0vw0Jn.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sJ7fb8gT.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sJ7fb8gT.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2300

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vN0Hf3xi.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vN0Hf3xi.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3636

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IZ1ez7Tn.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IZ1ez7Tn.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2204

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kX12Oh8.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kX12Oh8.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2256

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rp741yF.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rp741yF.exe
6⤵
- Executes dropped EXE
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C56F.bat" "
1⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
2⤵
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9bbcd46f8,0x7ff9bbcd4708,0x7ff9bbcd4718
3⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,1977942784130782899,97895188147811500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
3⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,1977942784130782899,97895188147811500,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
3⤵
PID:5804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9bbcd46f8,0x7ff9bbcd4708,0x7ff9bbcd4718
3⤵
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,16250290865294970276,5274779243478469971,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
3⤵
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,16250290865294970276,5274779243478469971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
3⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
2⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,1612403262308652060,1488524457550043936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
3⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1612403262308652060,1488524457550043936,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
3⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bbcd46f8,0x7ff9bbcd4708,0x7ff9bbcd4718
3⤵
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
3⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
3⤵
PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
3⤵
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2956 /prefetch:3
3⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2904 /prefetch:2
3⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:1
3⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
3⤵
PID:5336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
3⤵
PID:2584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
3⤵
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
3⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
3⤵
PID:6240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
3⤵
PID:6292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
3⤵
PID:6528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
3⤵
PID:6580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
3⤵
PID:6964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
3⤵
PID:6956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
3⤵
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
3⤵
PID:6436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6824 /prefetch:8
3⤵
PID:6864

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6824 /prefetch:8
3⤵
PID:6828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2868 /prefetch:8
3⤵
PID:7116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1044 /prefetch:1
3⤵
PID:5892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2084,11642756066839498228,11172994466696363834,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8132 /prefetch:8
3⤵
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
2⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bbcd46f8,0x7ff9bbcd4708,0x7ff9bbcd4718
3⤵
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9105389647867184192,17784567227287542147,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
3⤵
PID:5472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,9105389647867184192,17784567227287542147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
3⤵
PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
2⤵
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9bbcd46f8,0x7ff9bbcd4708,0x7ff9bbcd4718
3⤵
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
2⤵
PID:1992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ff9bbcd46f8,0x7ff9bbcd4708,0x7ff9bbcd4718
3⤵
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
2⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9bbcd46f8,0x7ff9bbcd4708,0x7ff9bbcd4718
3⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,5301909756407147232,13384917366207788323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
3⤵
PID:5920

C:\Users\Admin\AppData\Local\Temp\C6F7.exe
C:\Users\Admin\AppData\Local\Temp\C6F7.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Users\Admin\AppData\Local\Temp\CA24.exe
C:\Users\Admin\AppData\Local\Temp\CA24.exe
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 540
2⤵
- Program crash
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4176 -ip 4176
1⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\F52D.exe
C:\Users\Admin\AppData\Local\Temp\F52D.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5020

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
2⤵
- Executes dropped EXE
PID:4892

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:184

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6908

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5724

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
- Executes dropped EXE
PID:2552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2408

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
PID:1908

C:\Users\Admin\AppData\Local\Temp\is-OAT6E.tmp\is-1TUNJ.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OAT6E.tmp\is-1TUNJ.tmp" /SL4 $302BE "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" 5295202 114176
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1844

C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
2⤵
- Executes dropped EXE
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bbcd46f8,0x7ff9bbcd4708,0x7ff9bbcd4718
1⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\FD7B.exe
C:\Users\Admin\AppData\Local\Temp\FD7B.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 840
2⤵
- Program crash
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 840
2⤵
- Program crash
PID:5652

C:\Users\Admin\AppData\Local\Temp\152A.exe
C:\Users\Admin\AppData\Local\Temp\152A.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 840
2⤵
- Program crash
PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 840
2⤵
- Program crash
PID:116

C:\Users\Admin\AppData\Local\Temp\1CDC.exe
C:\Users\Admin\AppData\Local\Temp\1CDC.exe
1⤵
- Executes dropped EXE
PID:1028

C:\Users\Admin\AppData\Local\Temp\2808.exe
C:\Users\Admin\AppData\Local\Temp\2808.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4176

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5576

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
3⤵
- DcRat
- Creates scheduled task(s)
PID:5660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\e8b5234212" /P "Admin:N"&&CACLS "..\e8b5234212" /P "Admin:R" /E&&Exit
3⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:7112

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:N"
4⤵
PID:5652

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:R" /E
4⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4968

C:\Windows\SysWOW64\cacls.exe
CACLS "..\e8b5234212" /P "Admin:N"
4⤵
PID:116

C:\Windows\SysWOW64\cacls.exe
CACLS "..\e8b5234212" /P "Admin:R" /E
4⤵
PID:1676

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:2788

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:4352

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:3904

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:6744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 568 -ip 568
1⤵
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2372 -ip 2372
1⤵
PID:5760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6496

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x334
1⤵
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
24600024bdc62447ca09839f3417b895

SHA1
0e929875963d531585364c0ee27d913f796c06f6

SHA256
a5f3cee14967b05674c46c19ebb4fe220fe93e04d747a30ba5d7e2ef16266b3a

SHA512
3e66815fea9a1ef0d8485a65bb54206bbcc99c63ace6f82179747386fee8707132a8901ed92502f0fd4043db0e364c3286ee9a61b86b1284f3d986fe5c1088ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
3de9f580fbcdfa762dcc5d74b0c24e72

SHA1
55c02bf88cf89560eff084a1154bd65a51932034

SHA256
038fe55d54d80d8c7c2386d269f1a574ec9278308f22628441b9375530e518f2

SHA512
ade77564d09c12a1dc74d53b3d9398dab412f6bfd1c873fd4267b799dfc2b7895a7d97f863b6f4b54178bd90f00ef2321e334690e56a8073b492c9532fcd3f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
0b8abe9b2d273da395ec7c5c0f376f32

SHA1
d7b266fb7310cc71ab5fdb0ef68f5788e702f2ec

SHA256
3751deeb9ad3db03e6b42dedcac68c1c9c7926a2beeaaa0820397b6ddb734a99

SHA512
3dd503ddf2585038aa2fedc53d20bb9576f4619c3dc18089d7aba2c12dc0288447b2a481327c291456d7958488ba2e2d4028af4ca2d30e92807c8b1cdcffc404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
153B

MD5
b7a2ff1ef6b923fd9d3375e0e16d07aa

SHA1
2d1562a21200aa30afef7f4935b24b33a2ebe3b9

SHA256
536e49b15a25d4890158a24dc1659b39f8bfd8f4ffcc69bd3b97427ea49ecf1b

SHA512
0c62f81eadcf5d7bc0c0e7b33be823dce0ecab4f386a010b527f2241bf61ae4abbbe8302ee7bd7def2b6fb900614a875a9b5a84dcaf7b8ec9d2c55af7e2357e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5a8147.TMP
Filesize
89B

MD5
5bee98f729e846362ff658d771fd4ffb

SHA1
64ba9d8bff0fbe95451f34e6b42bc69ba178ea93

SHA256
195b77f0a117e6b50bac398498705f86479216b6d6777f6fa138e34458dd46e4

SHA512
a36ba9de01084d8cbac25088ac2fbf12e3516c543eb762183a40805b5cf69daadc2b8cf555e508109889c77b86405312b54d23dee8084956374eaf69c5e49caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f60c8b5cf8d73e445c93c1c4978af278

SHA1
2c1908686301a9e4df13aec005f577665b59c662

SHA256
5102ca5a3f212674990249029865fe0092f45dcb4752c9b0e764f34070966cc1

SHA512
6b557379593f13cf0e5ed33cd8c497dd5b362577abe3a39659865d8d5d2d2992f34403604ceba96d648f553f463306dd2fb22e9763ff58ad14be3773233480aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
891d9f81ed3a4e17b5c7c9d6edbcc9d0

SHA1
48b3334d43bcad25f8f527c1e2ec0ac4413883a6

SHA256
bd70ba10b36a29e71820269018ec981a8f98684aa90c7814ea51fafd645b088f

SHA512
a7a8ee16cd0d8afd7057e3a2f8a3d8c6ac0476b620f48421cd74b88c5e6ea7327304f3cd2a92cebd9981010398467106d54c1347bcd3ed2b9bf8a9a075f16838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59fae1.TMP
Filesize
1KB

MD5
9c85076e0ee3a4e8ad76fec94ebe2783

SHA1
6c8ca81c0d79418983a701f725579c6a28ba2261

SHA256
30035ba43d304fec84bdc775d6538a87a70ad8841792b7faf1bcbe48ddd37f31

SHA512
a13c165ea36f294b96d4f4b4f8b9e39b2963f2d1b3593c80395df5318d245669bcde78bb0a5c395bd4684bdb9a4ab28924e9d17f22d9928a44b27b5ccd17e61d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
be7754ec0fbeb337dd000cabdc942cf8

SHA1
5203a73690c3724ae047c955ad53d137f89211ce

SHA256
86097628c1494f7d11e1d372e86c57eaf1850625bbf544da42a543bf76dd1341

SHA512
ea01c22bf989edb43e9220023c2a0a03475a3398894d3affc88f87ea96c2a3e03a1647fa86bdcb8a1c03a612b05df2092d2b6610c7a7f467be12cae21a304242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
c7b0dffd6695a4d60a316b51cd65390b

SHA1
2fb2dfc9926583b5cfea8aa04152b4e1f41ea60c

SHA256
8ce6f0739eca870551949fcf45bec9180bca950bb1d5acd96b51c1e748b139e5

SHA512
9bfd566b69ad2d400e0634976275161bca3ceb65a8580933e840c0981f5379f4764729357a9391705e5622431a4b819dd580a0871decb92f8e9b99c0b70c1292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
04ac97220d4fded2f10617c3c3257759

SHA1
85df56dae70e49cc92aeadc5d5a1ae2ed64aa48f

SHA256
30b76270f5ca74d193d5beb94051b9bb079fd97e9917a0845b407b5054b76a89

SHA512
dce9d101da98a4c24715cee39ae88ece58e031e232e12a12c69f1d93d27d1563e009a8cdba369c8cf9f3e1b316b5c3a703ca568aab774fb9a357de8237800b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
4bb6b910d8b9db722803f31d87855e7d

SHA1
cac8035d456a363c28d4306d404f3cbf5ba603cd

SHA256
73e68ba65e067d4005d4135642e57717768e29dbb33729ee11cee5ef19595acf

SHA512
d6d7c61c0e3008c345bd02afa2fbf45311849e182361ce73b6dc20a4462ed2b8cbce6f9cfc4c1dec0d70ab7f879d5da4b9f136a0b772b5bacfe6a8330c4970f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
1a68875f243aa01eb234e68038be479e

SHA1
27f2a57ea95ca15a2bec7f3215de9a8da71c1958

SHA256
572c3749dc69f42e04a8c24fdf77d9add974dbd4fb7b8c939a99f54bdcded918

SHA512
462cec9106ad9e3f1334f474521b6646ff71d33d31b6b40d85c93f25cadfd6ce2608749cc88df25d92d7171da299718706523c7a2963071ec8a265284811b774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e7b9a4c9-ca07-4846-8974-96f3fe7bb266.tmp
Filesize
2KB

MD5
7831b44967fd39f5fd34e30f244dd907

SHA1
01970794f354320d4cd865cb01215075d9249314

SHA256
62a9bf605776fa51f0f93e2f77ec35773f8e786ffee61eba9236d7701d5f608f

SHA512
6f3f13840bff9f5a7b5143a2c3927e67147d7692a126f98ddbcc3f7683ffc042a13a0e06760921dde16b00d27c24a05266901c1f3e42cf6d58b97945c37141dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e7f3e4ae-0923-4a11-b544-8ed7ea562735.tmp
Filesize
2KB

MD5
d53ae55391b1e636fc2d65f122e1ae82

SHA1
276693387d51199df05b54647fe51ccfca69dbdb

SHA256
f8ca6e8f09968fbd2f981e98bdf7cf07957ac1737de492b70792969a58995af4

SHA512
caf6630909b6d7a59569ed673ab7290f8345c7d113f192ed592e8f17bd4e9f44efc10fa821059bdef8468ef1377c3b1b99545f5aaf1d8c63cd6711985bf90923

Download Submit
C:\Users\Admin\AppData\Local\Temp\114462139309
Filesize
71KB

MD5
ab266fbf267a0b98eabd243080e7ab59

SHA1
c6592c098e9a115fcde501dbd5cd664f6b58d723

SHA256
fde33b5caf7762cfb98cb9fc1aa7794bd1fac3248e9649d3de33dc34274881a2

SHA512
ce2a85f8cddfe126f710d4c8a85809acf722cfc703826875f4617693bc99578c3ea0bebb4a27fdb78c4ae6f249feda40e5d0a163689dbd1541df7a119d1eaff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\152A.exe
Filesize
378KB

MD5
1eaba90935d3a7527d556866647b55e1

SHA1
56a5ca57b3eac1f9859fb117f7de341da8bc3638

SHA256
294a60b31d75b260b6f2f8a14291173fd652578e7037d7b02bb42d884ff55314

SHA512
a1897a437d0a7fa5431854cb03db9cbb4e819429c50c05a3008225c89ff9cf6b24c09b64f2e99a0e3da3df02d25cadb7e71db97deec558bb47ac9d6b94285e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\152A.exe
Filesize
378KB

MD5
1eaba90935d3a7527d556866647b55e1

SHA1
56a5ca57b3eac1f9859fb117f7de341da8bc3638

SHA256
294a60b31d75b260b6f2f8a14291173fd652578e7037d7b02bb42d884ff55314

SHA512
a1897a437d0a7fa5431854cb03db9cbb4e819429c50c05a3008225c89ff9cf6b24c09b64f2e99a0e3da3df02d25cadb7e71db97deec558bb47ac9d6b94285e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\152A.exe
Filesize
378KB

MD5
1eaba90935d3a7527d556866647b55e1

SHA1
56a5ca57b3eac1f9859fb117f7de341da8bc3638

SHA256
294a60b31d75b260b6f2f8a14291173fd652578e7037d7b02bb42d884ff55314

SHA512
a1897a437d0a7fa5431854cb03db9cbb4e819429c50c05a3008225c89ff9cf6b24c09b64f2e99a0e3da3df02d25cadb7e71db97deec558bb47ac9d6b94285e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\152A.exe
Filesize
378KB

MD5
1eaba90935d3a7527d556866647b55e1

SHA1
56a5ca57b3eac1f9859fb117f7de341da8bc3638

SHA256
294a60b31d75b260b6f2f8a14291173fd652578e7037d7b02bb42d884ff55314

SHA512
a1897a437d0a7fa5431854cb03db9cbb4e819429c50c05a3008225c89ff9cf6b24c09b64f2e99a0e3da3df02d25cadb7e71db97deec558bb47ac9d6b94285e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CDC.exe
Filesize
95KB

MD5
0592c6d7674c77b053080c5b6e79fdcb

SHA1
693339ede19093e2b4593fda93be0b140be69141

SHA256
fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14

SHA512
37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CDC.exe
Filesize
95KB

MD5
0592c6d7674c77b053080c5b6e79fdcb

SHA1
693339ede19093e2b4593fda93be0b140be69141

SHA256
fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14

SHA512
37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2808.exe
Filesize
306KB

MD5
5d0310efbb0ea7ead8624b0335b21b7b

SHA1
88f26343350d7b156e462d6d5c50697ed9d3911c

SHA256
a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a

SHA512
ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2808.exe
Filesize
306KB

MD5
5d0310efbb0ea7ead8624b0335b21b7b

SHA1
88f26343350d7b156e462d6d5c50697ed9d3911c

SHA256
a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a

SHA512
ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.1MB

MD5
89ecc6e0f4f435c613bce8b5f59c2a0a

SHA1
6ecae8292b1ad3aa55f6ac04c01a518d9edade12

SHA256
567660410d0103eb3b704426be08e1b90b24d3c2a047fc9b232bf7cb9e72eb53

SHA512
fe0638c8635cdd98f8f6c166c93ea8f6607e0145516636356a3af0f57db542ff05226bba14460721785782ecb610eac69d73ad026e8057a140c47d57c581b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C4.exe
Filesize
1.5MB

MD5
a122a18fe2c127f8ae829919addefdb4

SHA1
043696ca4dd9a11cda2c1602726b12d87de8814a

SHA256
b1477c5882bd54353c47c9671c72b71fad0e74b8521321571e3b418c6beda4e8

SHA512
98adde49d78293e1e87e034f0456b7f7ec056fbe966255ca93b22e68bbcd1f717c5cf4ba97c31f4e811bb20ff7520230c129ed78fbbddc2852c9359573d6701e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C4.exe
Filesize
1.5MB

MD5
a122a18fe2c127f8ae829919addefdb4

SHA1
043696ca4dd9a11cda2c1602726b12d87de8814a

SHA256
b1477c5882bd54353c47c9671c72b71fad0e74b8521321571e3b418c6beda4e8

SHA512
98adde49d78293e1e87e034f0456b7f7ec056fbe966255ca93b22e68bbcd1f717c5cf4ba97c31f4e811bb20ff7520230c129ed78fbbddc2852c9359573d6701e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C56F.bat
Filesize
342B

MD5
e79bae3b03e1bff746f952a0366e73ba

SHA1
5f547786c869ce7abc049869182283fa09f38b1d

SHA256
900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63

SHA512
c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6F7.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6F7.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA24.exe
Filesize
219KB

MD5
1aba285cb98a366dc4be21585eecd62a

SHA1
c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b

SHA256
ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8

SHA512
9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA24.exe
Filesize
219KB

MD5
1aba285cb98a366dc4be21585eecd62a

SHA1
c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b

SHA256
ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8

SHA512
9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\F52D.exe
Filesize
12.5MB

MD5
0bddfbdc76418c7fc877a5a11013dfee

SHA1
b9752934bfbd8101dcd94e3546d158bf538d1d02

SHA256
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc

SHA512
f488363e0a8c075e257bb93e8a2e8a49cd90f31ed808098058d81a78ca937358c822bc68a4a6159cdebeae78ff67d8dbb556ff6927565259cdfd8620cedbdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\F52D.exe
Filesize
12.5MB

MD5
0bddfbdc76418c7fc877a5a11013dfee

SHA1
b9752934bfbd8101dcd94e3546d158bf538d1d02

SHA256
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc

SHA512
f488363e0a8c075e257bb93e8a2e8a49cd90f31ed808098058d81a78ca937358c822bc68a4a6159cdebeae78ff67d8dbb556ff6927565259cdfd8620cedbdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD7B.exe
Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD7B.exe
Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD7B.exe
Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD7B.exe
Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4YI851GT.exe
Filesize
1.1MB

MD5
5e0dcf9555a439844b49f4bb57deff70

SHA1
2e6ee99f8f9b8b0491a5bf4463a70d664b734dce

SHA256
b5c7f0f01d530f84fa650c96cbb520d0f33a58385e3e2435d4d0494a99a69615

SHA512
8a59d2246d459ad17ee1e8c57a9629ac57bb5f4fe39aa466b041e7fcaa05f16a49af6c4e1c8015d6fa53216266d826c8f20fd41de25aeee3377627fdd125570b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4YI851GT.exe
Filesize
1.1MB

MD5
5e0dcf9555a439844b49f4bb57deff70

SHA1
2e6ee99f8f9b8b0491a5bf4463a70d664b734dce

SHA256
b5c7f0f01d530f84fa650c96cbb520d0f33a58385e3e2435d4d0494a99a69615

SHA512
8a59d2246d459ad17ee1e8c57a9629ac57bb5f4fe39aa466b041e7fcaa05f16a49af6c4e1c8015d6fa53216266d826c8f20fd41de25aeee3377627fdd125570b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YR0NE35.exe
Filesize
647KB

MD5
aeaa46906a51a3bbe58170c67eeb17de

SHA1
cb38bc74dad8327bce8b68bf6f5002ebbeacf207

SHA256
5bf4fa4dc363e7e2d8403ea5ce24c20036124c9dcd071c216861714192866f54

SHA512
bf2e208d445ae1ff8696156d4e74f9c765dabbb5e86aa206646db116a70f52fc05df11548e424db34cf21a3e668277234669783a348b3a384736b287cfd17427

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YR0NE35.exe
Filesize
647KB

MD5
aeaa46906a51a3bbe58170c67eeb17de

SHA1
cb38bc74dad8327bce8b68bf6f5002ebbeacf207

SHA256
5bf4fa4dc363e7e2d8403ea5ce24c20036124c9dcd071c216861714192866f54

SHA512
bf2e208d445ae1ff8696156d4e74f9c765dabbb5e86aa206646db116a70f52fc05df11548e424db34cf21a3e668277234669783a348b3a384736b287cfd17427

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3NL76Tz.exe
Filesize
30KB

MD5
e43d96266d83fa05392def67ea4d75af

SHA1
b82025f145b8d9bf92fe3eb5cbeafa3b4dfa627e

SHA256
1cf8c1b5bcfe525f7b5efce5cabb30d916340e711a2240f7b6df33bf11206ba3

SHA512
b34a2bb96f88dda04bc6bf49a30922da12eb78e272204a26c30fcea4228c26ec212d3d7aabf9c0308f31fba6fe7615cb37d4af45dbef1e1a4a97d97085b337dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3NL76Tz.exe
Filesize
30KB

MD5
e43d96266d83fa05392def67ea4d75af

SHA1
b82025f145b8d9bf92fe3eb5cbeafa3b4dfa627e

SHA256
1cf8c1b5bcfe525f7b5efce5cabb30d916340e711a2240f7b6df33bf11206ba3

SHA512
b34a2bb96f88dda04bc6bf49a30922da12eb78e272204a26c30fcea4228c26ec212d3d7aabf9c0308f31fba6fe7615cb37d4af45dbef1e1a4a97d97085b337dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bz0vw0Jn.exe
Filesize
1.3MB

MD5
93fad2b96030a20b08d4ec9a1d837c93

SHA1
7482016807fd8cf2eed4cf48a61cda00d46c8b44

SHA256
145120385dc2c196b8796b412c81658181752281dfcb48592710e9e5ca0491db

SHA512
892a390186619278c277521a34d885b98213021db2e16109833c473ff5d64b723d6c8625f2a8bdf89754f95f3fb9fd35c903b4ac80faf16aafc0db2aac4d551d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bz0vw0Jn.exe
Filesize
1.3MB

MD5
93fad2b96030a20b08d4ec9a1d837c93

SHA1
7482016807fd8cf2eed4cf48a61cda00d46c8b44

SHA256
145120385dc2c196b8796b412c81658181752281dfcb48592710e9e5ca0491db

SHA512
892a390186619278c277521a34d885b98213021db2e16109833c473ff5d64b723d6c8625f2a8bdf89754f95f3fb9fd35c903b4ac80faf16aafc0db2aac4d551d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WF2Ax71.exe
Filesize
523KB

MD5
0e38e27bb4407a3862c73ce3a5fdeb91

SHA1
8d217e7104dae135cc3a11ab910aa47e344f1d35

SHA256
e3678fd175c19c61a1bb846ff258787dfb0f1efd3aa12b0744facb0eb0e1ce7f

SHA512
2235aa7475e5c7dd8f5e1c6582f96760506050a21c645faabca57d4d357fe5b5e327e0e5f3bb1e6efc8a3aceb55d5623564f5c22b6446610a08019e8b1df8486

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WF2Ax71.exe
Filesize
523KB

MD5
0e38e27bb4407a3862c73ce3a5fdeb91

SHA1
8d217e7104dae135cc3a11ab910aa47e344f1d35

SHA256
e3678fd175c19c61a1bb846ff258787dfb0f1efd3aa12b0744facb0eb0e1ce7f

SHA512
2235aa7475e5c7dd8f5e1c6582f96760506050a21c645faabca57d4d357fe5b5e327e0e5f3bb1e6efc8a3aceb55d5623564f5c22b6446610a08019e8b1df8486

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1iC52Iz4.exe
Filesize
878KB

MD5
56da0b8179664ddd888c629f174383d8

SHA1
1197f5412138935529c1806dec2ce92ca910b9a3

SHA256
889d85889c238687c78eb81fe56026db66c20aabf8b03e7ea4ab7524a5b5e74b

SHA512
61bac45ab17a550457217e34aaee04f99667f06ae37edc1a2b6c3dc0c4e983d5e519b7773b789b71e39c8bbab288416ed5cfa9d3c0546d8c12ad3c75469998e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1iC52Iz4.exe
Filesize
878KB

MD5
56da0b8179664ddd888c629f174383d8

SHA1
1197f5412138935529c1806dec2ce92ca910b9a3

SHA256
889d85889c238687c78eb81fe56026db66c20aabf8b03e7ea4ab7524a5b5e74b

SHA512
61bac45ab17a550457217e34aaee04f99667f06ae37edc1a2b6c3dc0c4e983d5e519b7773b789b71e39c8bbab288416ed5cfa9d3c0546d8c12ad3c75469998e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2kE4010.exe
Filesize
1.1MB

MD5
d9699d26ba73cac60d5889773c6ca1a1

SHA1
dd4593c5550ab387912a6e116c853d1f0f3a79df

SHA256
206d3c70fc12ee66d49a23b377f85e50cbe73c912b9ab79520b360ee1e1d970a

SHA512
ba3b25b38f2cfd33cb6cc38fcb04a13125bf625e097cc877fb3159c1d463fac59c035261c67f7cbbd5c5affdfcd6c51ac04d0b843fba26efb78e6b2c28e6ed73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2kE4010.exe
Filesize
1.1MB

MD5
d9699d26ba73cac60d5889773c6ca1a1

SHA1
dd4593c5550ab387912a6e116c853d1f0f3a79df

SHA256
206d3c70fc12ee66d49a23b377f85e50cbe73c912b9ab79520b360ee1e1d970a

SHA512
ba3b25b38f2cfd33cb6cc38fcb04a13125bf625e097cc877fb3159c1d463fac59c035261c67f7cbbd5c5affdfcd6c51ac04d0b843fba26efb78e6b2c28e6ed73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vN0Hf3xi.exe
Filesize
753KB

MD5
999164c0f9ef0726cda77e4d0eaa2191

SHA1
9b8321e25010026a6e8e963fa82dd56a924081a5

SHA256
f089dffb42473a6d263df4d37cc2a3822c1b0d2a4cc0df72dee50b9d9b675ab9

SHA512
978648825894befaca76cd30a8ae81829147c9ed94bdef96393ffb8bded27e6f825e980d55d47258fc6347ab8da4ec3e9fe6682951a5d2c99fcc67fb0d17be75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vN0Hf3xi.exe
Filesize
753KB

MD5
999164c0f9ef0726cda77e4d0eaa2191

SHA1
9b8321e25010026a6e8e963fa82dd56a924081a5

SHA256
f089dffb42473a6d263df4d37cc2a3822c1b0d2a4cc0df72dee50b9d9b675ab9

SHA512
978648825894befaca76cd30a8ae81829147c9ed94bdef96393ffb8bded27e6f825e980d55d47258fc6347ab8da4ec3e9fe6682951a5d2c99fcc67fb0d17be75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sJ7fb8gT.exe
Filesize
1.1MB

MD5
7d3c5cd7bb68b8ebea331978d28abd0c

SHA1
066fbfaf1fd033036f59b7116e3c514680df3202

SHA256
c5c179f1483494ebcce3acac5c21dd670d8d0fe3ea2b31c9931c1b776ca86c12

SHA512
c32085aaf2a2773dd8b14bcae910587a640d4210a1aa93dce63e95573fb519798a9df8231bffdd217abeab85132986a78c4daef858ba6b13cb74f4036292f5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sJ7fb8gT.exe
Filesize
1.1MB

MD5
7d3c5cd7bb68b8ebea331978d28abd0c

SHA1
066fbfaf1fd033036f59b7116e3c514680df3202

SHA256
c5c179f1483494ebcce3acac5c21dd670d8d0fe3ea2b31c9931c1b776ca86c12

SHA512
c32085aaf2a2773dd8b14bcae910587a640d4210a1aa93dce63e95573fb519798a9df8231bffdd217abeab85132986a78c4daef858ba6b13cb74f4036292f5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IZ1ez7Tn.exe
Filesize
558KB

MD5
9443ed0941c2d9e4faf63936dc7db0dd

SHA1
19bd3a7017ed51fa67f0f5e091591ad07caec639

SHA256
4bbeb24558d8bd506a44fcfe1d5d3943d3e7b5fbb799b8243c4cc4de70167585

SHA512
bfff0f3df7aaa65078854be516db5d02e4ee83b73e2f280ebff7502b8166f73edfde0e461c25e5bb9cd12b1c30541cecbfa7e61fc412694d78831fe3fd68ce7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IZ1ez7Tn.exe
Filesize
558KB

MD5
9443ed0941c2d9e4faf63936dc7db0dd

SHA1
19bd3a7017ed51fa67f0f5e091591ad07caec639

SHA256
4bbeb24558d8bd506a44fcfe1d5d3943d3e7b5fbb799b8243c4cc4de70167585

SHA512
bfff0f3df7aaa65078854be516db5d02e4ee83b73e2f280ebff7502b8166f73edfde0e461c25e5bb9cd12b1c30541cecbfa7e61fc412694d78831fe3fd68ce7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kX12Oh8.exe
Filesize
1.0MB

MD5
a5a72ed79ae5e9780a11e88e6c6853c2

SHA1
9c59ba2bdb9066bedc108596ed94633c824edec8

SHA256
4d29c049f541cf4cfc30160228c05c981a115b3890004fb839ff261b99b62051

SHA512
84b85e7ce7701c18bffba0a76a289ab8f43dffaa77604d2c4e3682feb3dd8e937a70b00aba3213c5303d3ffa7bfc7e97008d39505087ace7c3cce9baac9b9d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kX12Oh8.exe
Filesize
1.0MB

MD5
a5a72ed79ae5e9780a11e88e6c6853c2

SHA1
9c59ba2bdb9066bedc108596ed94633c824edec8

SHA256
4d29c049f541cf4cfc30160228c05c981a115b3890004fb839ff261b99b62051

SHA512
84b85e7ce7701c18bffba0a76a289ab8f43dffaa77604d2c4e3682feb3dd8e937a70b00aba3213c5303d3ffa7bfc7e97008d39505087ace7c3cce9baac9b9d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rp741yF.exe
Filesize
219KB

MD5
1fcac0bb51f337ff731e1fd7abb44d22

SHA1
33b96cdf6a57235d7092d628b412ed7da58a9bef

SHA256
5db44fb05fbeaec652547e555567132f9dab11bffcc76ba21183a3649d5cd5ec

SHA512
d564013593347910a26b40f955b8d8476b5ef36db5e013d08ebff076a5472545ac2db1f7c8da5ad079deddf82267ca291965ee00f2335b0c1dc27465660466ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rp741yF.exe
Filesize
219KB

MD5
1fcac0bb51f337ff731e1fd7abb44d22

SHA1
33b96cdf6a57235d7092d628b412ed7da58a9bef

SHA256
5db44fb05fbeaec652547e555567132f9dab11bffcc76ba21183a3649d5cd5ec

SHA512
d564013593347910a26b40f955b8d8476b5ef36db5e013d08ebff076a5472545ac2db1f7c8da5ad079deddf82267ca291965ee00f2335b0c1dc27465660466ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
Filesize
2.5MB

MD5
032a919dff4e6ba21c24d11a423b112c

SHA1
cbaa859c0afa6b4c0d2a288728e653e324e80e90

SHA256
12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553

SHA512
0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
5.3MB

MD5
b73a0feea748bb002945b5c9361862d0

SHA1
ed351ac1738fafbf3a641cdef311106dbe0a9bdb

SHA256
6f44d581150e401934cd4fbfb51c3f40a6f89d9ad4592b163a073c31a338349f

SHA512
24bcce25eb42d569bb9fa89c3ed60e07e9b10b01fec66b476dfda144df81b0492b6cb9bad719f9a3f5da1188b9112d542436428cbfc61a522ef306a4e84b8b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvg2honh.4pt.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
Filesize
306KB

MD5
5d0310efbb0ea7ead8624b0335b21b7b

SHA1
88f26343350d7b156e462d6d5c50697ed9d3911c

SHA256
a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a

SHA512
ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe
Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8AA6.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B19.tmp
Filesize
92KB

MD5
bc741c35d494c3fef538368b3cd7e208

SHA1
71deaa958eaf18155e7cdc5494e11c27e48de248

SHA256
97658ad66f5cb0e36960d9b2860616359e050aad8251262b49572969c4d71096

SHA512
be8931de8578802ff899ef8f77339fe4d61df320e91dd473db1dc69293ed43cd69198bbbeb3e5b39011922b26b4e5a683e082af68e9d014d4e20d43f1d5bcc30

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll
Filesize
102KB

MD5
8da053f9830880089891b615436ae761

SHA1
47d5ed85d9522a08d5df606a8d3c45cb7ddd01f4

SHA256
d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374

SHA512
69d49817607eced2a16a640eaac5d124aa10f9eeee49c30777c0bc18c9001cd6537c5b675f3a8b40d07e76ec2a0a96e16d1273bfebdce1bf20f80fbd68721b39

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll
Filesize
1.2MB

MD5
0111e5a2a49918b9c34cbfbf6380f3f3

SHA1
81fc519232c0286f5319b35078ac3bb381311bd4

SHA256
4643d18bb8be79c2e3178bc3978d201c596ab70a347e8cf1e8fdbe3028d69d7c

SHA512
a2aac32a2c5146dd7287d245bfa9424287bfd12a40825f4da7d18204837242c99d4406428f2361e13c2e4f4d68c385de12e98243cf48bf4c6c5a82273c4467a5

Download Submit
\??\pipe\LOCAL\crashpad_2076_VDRZPQSMNGSHBZFP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/184-684-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/184-574-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/568-187-0x0000000002080000-0x00000000020DA000-memory.dmp

Filesize
360KB

Download
memory/568-219-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/568-401-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-406-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/568-177-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-405-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1028-197-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1028-525-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/1028-650-0x0000000006D00000-0x0000000006D1E000-memory.dmp

Filesize
120KB

Download
memory/1028-328-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/1028-575-0x0000000006720000-0x00000000068E2000-memory.dmp

Filesize
1.8MB

Download
memory/1028-576-0x0000000006E20000-0x000000000734C000-memory.dmp

Filesize
5.2MB

Download
memory/1028-638-0x0000000006BB0000-0x0000000006C26000-memory.dmp

Filesize
472KB

Download
memory/1028-596-0x00000000066B0000-0x0000000006716000-memory.dmp

Filesize
408KB

Download
memory/1028-200-0x00000000008B0000-0x00000000008CE000-memory.dmp

Filesize
120KB

Download
memory/1032-122-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1032-121-0x0000000000340000-0x000000000037C000-memory.dmp

Filesize
240KB

Download
memory/1032-134-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1032-135-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1032-120-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1684-46-0x0000000007910000-0x0000000007EB4000-memory.dmp

Filesize
5.6MB

Download
memory/1684-48-0x0000000007400000-0x0000000007492000-memory.dmp

Filesize
584KB

Download
memory/1684-50-0x0000000007590000-0x000000000759A000-memory.dmp

Filesize
40KB

Download
memory/1684-100-0x0000000007660000-0x0000000007672000-memory.dmp

Filesize
72KB

Download
memory/1684-42-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-49-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/1684-51-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1684-98-0x0000000007730000-0x000000000783A000-memory.dmp

Filesize
1.0MB

Download
memory/1684-53-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/1684-89-0x00000000084E0000-0x0000000008AF8000-memory.dmp

Filesize
6.1MB

Download
memory/1684-44-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1740-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-641-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1908-630-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1908-634-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2032-37-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2032-34-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2372-428-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/2372-404-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2372-237-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/2372-313-0x00000000024F0000-0x0000000002551000-memory.dmp

Filesize
388KB

Download
memory/2372-188-0x00000000004F0000-0x000000000052E000-memory.dmp

Filesize
248KB

Download
memory/2372-186-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2408-573-0x0000000001750000-0x0000000001760000-memory.dmp

Filesize
64KB

Download
memory/2408-552-0x0000000000F60000-0x0000000000F68000-memory.dmp

Filesize
32KB

Download
memory/2408-633-0x00007FF9ACE70000-0x00007FF9AD931000-memory.dmp

Filesize
10.8MB

Download
memory/2408-571-0x00007FF9ACE70000-0x00007FF9AD931000-memory.dmp

Filesize
10.8MB

Download
memory/2552-629-0x0000000002A00000-0x0000000002E06000-memory.dmp

Filesize
4.0MB

Download
memory/2552-632-0x0000000002E10000-0x00000000036FB000-memory.dmp

Filesize
8.9MB

Download
memory/2552-636-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2552-693-0x0000000002A00000-0x0000000002E06000-memory.dmp

Filesize
4.0MB

Download
memory/2868-25-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/2868-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2868-47-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/2868-43-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/3332-81-0x0000000000CD0000-0x0000000000D0C000-memory.dmp

Filesize
240KB

Download
memory/3332-80-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/3332-90-0x0000000007BE0000-0x0000000007BF0000-memory.dmp

Filesize
64KB

Download
memory/3332-110-0x0000000007D40000-0x0000000007D7C000-memory.dmp

Filesize
240KB

Download
memory/3332-111-0x0000000007EC0000-0x0000000007F0C000-memory.dmp

Filesize
304KB

Download
memory/3332-127-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/3332-133-0x0000000007BE0000-0x0000000007BF0000-memory.dmp

Filesize
64KB

Download
memory/3384-564-0x00000000028F0000-0x0000000002906000-memory.dmp

Filesize
88KB

Download
memory/3384-35-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/4176-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-195-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/5020-129-0x0000000000690000-0x0000000001320000-memory.dmp

Filesize
12.6MB

Download
memory/5020-130-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/5020-615-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/5724-536-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5724-537-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5724-565-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6908-534-0x0000000000A60000-0x0000000000B60000-memory.dmp

Filesize
1024KB

Download
memory/6908-535-0x0000000000860000-0x0000000000869000-memory.dmp

Filesize
36KB

Download