amadey | 1282659e1446775d999cf6aaa7817a452ae164cdbc006c6a8ed95477aa94759e

Analysis

max time kernel
43s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2023 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exe
Size

1.0MB
MD5

2aea2b7572d2ccd094c9244dbfd27650
SHA1

92c5153d2578db00159c02582f9d2218b7e414ad
SHA256

1282659e1446775d999cf6aaa7817a452ae164cdbc006c6a8ed95477aa94759e
SHA512

81317fdceafdc0d397b9d16a986f7ca1f1a5f070dd2ea56f6b53cfabcce150dea7c2de66fe4d5e5dbe010fa9cfaa997146cf1d29de2ed626ecb0e5ad8dc06fe6
SSDEEP

24576:0ycXqB2COowekhJfrhtjgl08yi6yYe5cG:D2qBeMkhJfrbglEyp5c

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Extracted

Family

redline

Botnet

pixelnew2.0

194.49.94.11:80

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 3 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeNEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exeschtasks.exe

pid	process
6920	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exe
4396	schtasks.exe

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6680-786-0x0000000002E70000-0x000000000375B000-memory.dmp	family_glupteba
behavioral1/memory/6680-787-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/6680-909-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/6680-1011-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/4540-1216-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1304-42-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/4864-100-0x00000000006C0000-0x00000000006FC000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\8B08.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\8B08.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2uB572HG.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2uB572HG.exe	family_redline
behavioral1/memory/5032-120-0x0000000000260000-0x000000000029C000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\BB04.exe	family_redline
behavioral1/memory/3456-248-0x0000000000600000-0x000000000061E000-memory.dmp	family_redline
behavioral1/memory/5484-291-0x00000000005D0000-0x000000000062A000-memory.dmp	family_redline
behavioral1/memory/5484-393-0x0000000000400000-0x0000000000480000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BB04.exe	family_sectoprat
behavioral1/memory/3456-248-0x0000000000600000-0x000000000061E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/5056-1400-0x00007FF789FF0000-0x00007FF78A591000-memory.dmp	xmrig

Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

5204 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

pid	process
5204	netsh.exe

Executes dropped EXE 19 IoCs

Processes:

wO3Kx29.exeHv5yU67.exe1BZ50mA3.exe2HV8799.exe3zm34Ci.exe4gJ954pD.exe879A.exeCO5Ol0qH.exe8A4B.exeeX4cb8VW.exe8B08.exebd3hg4ci.exeLX1SJ8yu.exe1pq05MA0.exe2uB572HG.exemsedge.exeB98C.exeBB04.exeBCF9.exe

pid	process
3480	wO3Kx29.exe
3836	Hv5yU67.exe
1180	1BZ50mA3.exe
3692	2HV8799.exe
3604	3zm34Ci.exe
2260	4gJ954pD.exe
1164	879A.exe
3364	CO5Ol0qH.exe
1408	8A4B.exe
4008	eX4cb8VW.exe
4864	8B08.exe
1864	bd3hg4ci.exe
892	LX1SJ8yu.exe
2576	1pq05MA0.exe
5032	2uB572HG.exe
3732	msedge.exe
5484	B98C.exe
3456	BB04.exe
3052	BCF9.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bd3hg4ci.exeLX1SJ8yu.exeNEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exewO3Kx29.exeHv5yU67.exe879A.exeCO5Ol0qH.exeeX4cb8VW.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	bd3hg4ci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	LX1SJ8yu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	wO3Kx29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Hv5yU67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	879A.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	CO5Ol0qH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	eX4cb8VW.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 4 IoCs

Processes:

1BZ50mA3.exe2HV8799.exe4gJ954pD.exe1pq05MA0.exe

description	pid	process	target process
PID 1180 set thread context of 1620	1180	1BZ50mA3.exe	AppLaunch.exe
PID 3692 set thread context of 400	3692	2HV8799.exe	AppLaunch.exe
PID 2260 set thread context of 1304	2260	4gJ954pD.exe	AppLaunch.exe
PID 2576 set thread context of 5008	2576	1pq05MA0.exe	AppLaunch.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

6140 sc.exe
6276 sc.exe
7032 sc.exe
6196 sc.exe
2432 sc.exe
6816 sc.exe
4944 sc.exe
3568 sc.exe
6948 sc.exe
4716 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
6140	sc.exe
6276	sc.exe
7032	sc.exe
6196	sc.exe
2432	sc.exe
6816	sc.exe
4944	sc.exe
3568	sc.exe
6948	sc.exe
4716	sc.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4792	400	WerFault.exe	AppLaunch.exe
5048	5008	WerFault.exe	AppLaunch.exe
5068	4540	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3zm34Ci.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3zm34Ci.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3zm34Ci.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3zm34Ci.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

6920 schtasks.exe
4396 schtasks.exe

pid	process
6920	schtasks.exe
4396	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3zm34Ci.exeAppLaunch.exe

pid	process
3604	3zm34Ci.exe
3604	3zm34Ci.exe
1620	AppLaunch.exe
1620	AppLaunch.exe
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3zm34Ci.exe

pid process

3604 3zm34Ci.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1620	AppLaunch.exe
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exewO3Kx29.exeHv5yU67.exe1BZ50mA3.exe2HV8799.exe4gJ954pD.exe879A.exeCO5Ol0qH.exe

description	pid	process	target process
PID 4496 wrote to memory of 3480	4496	NEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exe	wO3Kx29.exe
PID 4496 wrote to memory of 3480	4496	NEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exe	wO3Kx29.exe
PID 4496 wrote to memory of 3480	4496	NEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exe	wO3Kx29.exe
PID 3480 wrote to memory of 3836	3480	wO3Kx29.exe	Hv5yU67.exe
PID 3480 wrote to memory of 3836	3480	wO3Kx29.exe	Hv5yU67.exe
PID 3480 wrote to memory of 3836	3480	wO3Kx29.exe	Hv5yU67.exe
PID 3836 wrote to memory of 1180	3836	Hv5yU67.exe	1BZ50mA3.exe
PID 3836 wrote to memory of 1180	3836	Hv5yU67.exe	1BZ50mA3.exe
PID 3836 wrote to memory of 1180	3836	Hv5yU67.exe	1BZ50mA3.exe
PID 1180 wrote to memory of 2384	1180	1BZ50mA3.exe	AppLaunch.exe
PID 1180 wrote to memory of 2384	1180	1BZ50mA3.exe	AppLaunch.exe
PID 1180 wrote to memory of 2384	1180	1BZ50mA3.exe	AppLaunch.exe
PID 1180 wrote to memory of 1620	1180	1BZ50mA3.exe	AppLaunch.exe
PID 1180 wrote to memory of 1620	1180	1BZ50mA3.exe	AppLaunch.exe
PID 1180 wrote to memory of 1620	1180	1BZ50mA3.exe	AppLaunch.exe
PID 1180 wrote to memory of 1620	1180	1BZ50mA3.exe	AppLaunch.exe
PID 1180 wrote to memory of 1620	1180	1BZ50mA3.exe	AppLaunch.exe
PID 1180 wrote to memory of 1620	1180	1BZ50mA3.exe	AppLaunch.exe
PID 1180 wrote to memory of 1620	1180	1BZ50mA3.exe	AppLaunch.exe
PID 1180 wrote to memory of 1620	1180	1BZ50mA3.exe	AppLaunch.exe
PID 3836 wrote to memory of 3692	3836	Hv5yU67.exe	2HV8799.exe
PID 3836 wrote to memory of 3692	3836	Hv5yU67.exe	2HV8799.exe
PID 3836 wrote to memory of 3692	3836	Hv5yU67.exe	2HV8799.exe
PID 3692 wrote to memory of 2052	3692	2HV8799.exe	AppLaunch.exe
PID 3692 wrote to memory of 2052	3692	2HV8799.exe	AppLaunch.exe
PID 3692 wrote to memory of 2052	3692	2HV8799.exe	AppLaunch.exe
PID 3692 wrote to memory of 400	3692	2HV8799.exe	AppLaunch.exe
PID 3692 wrote to memory of 400	3692	2HV8799.exe	AppLaunch.exe
PID 3692 wrote to memory of 400	3692	2HV8799.exe	AppLaunch.exe
PID 3692 wrote to memory of 400	3692	2HV8799.exe	AppLaunch.exe
PID 3692 wrote to memory of 400	3692	2HV8799.exe	AppLaunch.exe
PID 3692 wrote to memory of 400	3692	2HV8799.exe	AppLaunch.exe
PID 3692 wrote to memory of 400	3692	2HV8799.exe	AppLaunch.exe
PID 3692 wrote to memory of 400	3692	2HV8799.exe	AppLaunch.exe
PID 3692 wrote to memory of 400	3692	2HV8799.exe	AppLaunch.exe
PID 3692 wrote to memory of 400	3692	2HV8799.exe	AppLaunch.exe
PID 3480 wrote to memory of 3604	3480	wO3Kx29.exe	3zm34Ci.exe
PID 3480 wrote to memory of 3604	3480	wO3Kx29.exe	3zm34Ci.exe
PID 3480 wrote to memory of 3604	3480	wO3Kx29.exe	3zm34Ci.exe
PID 4496 wrote to memory of 2260	4496	NEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exe	4gJ954pD.exe
PID 4496 wrote to memory of 2260	4496	NEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exe	4gJ954pD.exe
PID 4496 wrote to memory of 2260	4496	NEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exe	4gJ954pD.exe
PID 2260 wrote to memory of 1304	2260	4gJ954pD.exe	AppLaunch.exe
PID 2260 wrote to memory of 1304	2260	4gJ954pD.exe	AppLaunch.exe
PID 2260 wrote to memory of 1304	2260	4gJ954pD.exe	AppLaunch.exe
PID 2260 wrote to memory of 1304	2260	4gJ954pD.exe	AppLaunch.exe
PID 2260 wrote to memory of 1304	2260	4gJ954pD.exe	AppLaunch.exe
PID 2260 wrote to memory of 1304	2260	4gJ954pD.exe	AppLaunch.exe
PID 2260 wrote to memory of 1304	2260	4gJ954pD.exe	AppLaunch.exe
PID 2260 wrote to memory of 1304	2260	4gJ954pD.exe	AppLaunch.exe
PID 3188 wrote to memory of 1164	3188		879A.exe
PID 3188 wrote to memory of 1164	3188		879A.exe
PID 3188 wrote to memory of 1164	3188		879A.exe
PID 3188 wrote to memory of 4296	3188		cmd.exe
PID 3188 wrote to memory of 4296	3188		cmd.exe
PID 1164 wrote to memory of 3364	1164	879A.exe	CO5Ol0qH.exe
PID 1164 wrote to memory of 3364	1164	879A.exe	CO5Ol0qH.exe
PID 1164 wrote to memory of 3364	1164	879A.exe	CO5Ol0qH.exe
PID 3188 wrote to memory of 1408	3188		8A4B.exe
PID 3188 wrote to memory of 1408	3188		8A4B.exe
PID 3188 wrote to memory of 1408	3188		8A4B.exe
PID 3364 wrote to memory of 4008	3364	CO5Ol0qH.exe	eX4cb8VW.exe
PID 3364 wrote to memory of 4008	3364	CO5Ol0qH.exe	eX4cb8VW.exe
PID 3364 wrote to memory of 4008	3364	CO5Ol0qH.exe	eX4cb8VW.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2aea2b7572d2ccd094c9244dbfd27650_JC.exe"
1⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4496

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wO3Kx29.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wO3Kx29.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hv5yU67.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hv5yU67.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3836

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1BZ50mA3.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1BZ50mA3.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2HV8799.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2HV8799.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 540
6⤵
- Program crash
PID:4792

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3zm34Ci.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3zm34Ci.exe
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3604

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4gJ954pD.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4gJ954pD.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 400 -ip 400
1⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\879A.exe
C:\Users\Admin\AppData\Local\Temp\879A.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO5Ol0qH.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO5Ol0qH.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eX4cb8VW.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eX4cb8VW.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4008

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bd3hg4ci.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bd3hg4ci.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1864

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\LX1SJ8yu.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\LX1SJ8yu.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:892

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2uB572HG.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2uB572HG.exe
6⤵
- Executes dropped EXE
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\88C4.bat" "
1⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
2⤵
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc15a246f8,0x7ffc15a24708,0x7ffc15a24718
3⤵
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,1191138265492040910,8890222025078859543,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
3⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,1191138265492040910,8890222025078859543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
3⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc15a246f8,0x7ffc15a24708,0x7ffc15a24718
3⤵
PID:2300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
3⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
3⤵
PID:2508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
3⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
3⤵
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
3⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
3⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
3⤵
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
3⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
3⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
3⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
3⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
3⤵
PID:6008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
3⤵
PID:5476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
3⤵
PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7208 /prefetch:1
3⤵
PID:6500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
3⤵
PID:2884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7932 /prefetch:1
3⤵
- Executes dropped EXE
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8104 /prefetch:1
3⤵
PID:6276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8048 /prefetch:1
3⤵
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
3⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8184 /prefetch:1
3⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8124 /prefetch:1
3⤵
PID:6460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=8300 /prefetch:8
3⤵
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
3⤵
PID:6248

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
3⤵
PID:6996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8028 /prefetch:8
3⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9156 /prefetch:1
3⤵
PID:5480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12050728435825537233,18100216010189759044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9024 /prefetch:1
3⤵
PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
2⤵
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,3688992929015554972,17001963057768451566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
3⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
2⤵
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc15a246f8,0x7ffc15a24708,0x7ffc15a24718
3⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
2⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc15a246f8,0x7ffc15a24708,0x7ffc15a24718
3⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
2⤵
PID:5608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe8,0x108,0x7ffc15a246f8,0x7ffc15a24708,0x7ffc15a24718
3⤵
PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
2⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc15a246f8,0x7ffc15a24708,0x7ffc15a24718
3⤵
PID:5724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
2⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc15a246f8,0x7ffc15a24708,0x7ffc15a24718
3⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\8A4B.exe
C:\Users\Admin\AppData\Local\Temp\8A4B.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Users\Admin\AppData\Local\Temp\8B08.exe
C:\Users\Admin\AppData\Local\Temp\8B08.exe
1⤵
- Executes dropped EXE
PID:4864

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1pq05MA0.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1pq05MA0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 540
3⤵
- Program crash
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5008 -ip 5008
1⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc15a246f8,0x7ffc15a24708,0x7ffc15a24718
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\B4E8.exe
C:\Users\Admin\AppData\Local\Temp\B4E8.exe
1⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
2⤵
PID:6384

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
3⤵
PID:6692

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
PID:6680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
PID:4540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2928

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:5204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:6680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:6256

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:2872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3516

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:4396

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:6408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:6948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:6248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 852
4⤵
- Program crash
PID:5068

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
PID:6536

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
2⤵
PID:6792

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
PID:6444

C:\Users\Admin\AppData\Local\Temp\is-DO9DJ.tmp\is-E0JQ5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DO9DJ.tmp\is-E0JQ5.tmp" /SL4 $202D4 "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" 4755143 79360
4⤵
PID:3124

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 3
5⤵
PID:1108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 3
6⤵
PID:5308

C:\Program Files (x86)\BBuster\BBuster.exe
"C:\Program Files (x86)\BBuster\BBuster.exe" -i
5⤵
PID:5160

C:\Program Files (x86)\BBuster\BBuster.exe
"C:\Program Files (x86)\BBuster\BBuster.exe" -s
5⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
2⤵
PID:6880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\B98C.exe
C:\Users\Admin\AppData\Local\Temp\B98C.exe
1⤵
- Executes dropped EXE
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=B98C.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
PID:6320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc15a246f8,0x7ffc15a24708,0x7ffc15a24718
3⤵
PID:6376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=B98C.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
PID:6580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc15a246f8,0x7ffc15a24708,0x7ffc15a24718
3⤵
PID:6632

C:\Users\Admin\AppData\Local\Temp\BB04.exe
C:\Users\Admin\AppData\Local\Temp\BB04.exe
1⤵
- Executes dropped EXE
PID:3456

C:\Users\Admin\AppData\Local\Temp\BCF9.exe
C:\Users\Admin\AppData\Local\Temp\BCF9.exe
1⤵
- Executes dropped EXE
PID:3052

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe"
2⤵
PID:6560

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
3⤵
- DcRat
- Creates scheduled task(s)
PID:6920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\e8b5234212" /P "Admin:N"&&CACLS "..\e8b5234212" /P "Admin:R" /E&&Exit
3⤵
PID:7008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2096

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:N"
4⤵
PID:6644

C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:R" /E
4⤵
PID:6828

C:\Windows\SysWOW64\cacls.exe
CACLS "..\e8b5234212" /P "Admin:N"
4⤵
PID:5340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:6436

C:\Windows\SysWOW64\cacls.exe
CACLS "..\e8b5234212" /P "Admin:R" /E
4⤵
PID:1292

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll, Main
3⤵
PID:3084

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
3⤵
PID:532

C:\Windows\system32\netsh.exe
netsh wlan show profiles
1⤵
PID:7156

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
1⤵
PID:6736

C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\231940048779_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
2⤵
PID:3640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8 0x4c8
1⤵
PID:6952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5848

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:1312

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:6196

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2432

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:3568

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:6816

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:6948

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:7076

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:3760

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:6700

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:2636

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:6276

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:4952

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
1⤵
PID:6840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4540 -ip 4540
1⤵
PID:6060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:3956

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:7040

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:4716

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:6140

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:6276

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:4944

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:7032

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:3700

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:4964

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:6424

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:3412

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:2012

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:940

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8992ae6e99b277eea6fb99c4f267fa3f

SHA1
3715825c48f594068638351242fac7fdd77c1eb7

SHA256
525038333c02dff407d589fa407b493b7962543e205c587feceefbc870a08e3d

SHA512
a1f44fff4ea76358c7f2a909520527ec0bbc3ddcb722c5d1f874e03a0c4ac42dac386a49ccf72807ef2fa6ccc534490ad90de2f699b1e49f06f79157f251ab25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
1664d129801359984cd8d7b55c5a85bc

SHA1
c9d710ff9f08d763cd3802b51fff516d3a426262

SHA256
3b1bfa42568b382b838ef6be1ace1a8569e914fa1245e9b78dcf6d5c3aa6c2e5

SHA512
a42b50bed7a53ecd2cb91e04a08e1f5f08a6d7cee586022cea02ff4c6bedc99111768362d13dd9242a942a7e0d961b10dc61d8e8a11661ca9883577b855c1440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
002a3e699fc89b949391eae957a26992

SHA1
a91a086a6448f63c4ccc79afd514457925cb840f

SHA256
174c9077a5d2f52c5afed7eb06a74e3aa77dd57545f6dc1441ad8eb5d77c325f

SHA512
294f6cc51d750ff3bde4b53f885b734e8ebc2ecae5519c16af098037eef9b688108491b9414ee25b1518aa9f2e81784c4bb8ab011b7c60fd9b81f8c000ca6a90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
c8c953c64088f17ee76ac92f130a37ea

SHA1
f5fd3f269e42070149952e4a437d364bb1562a78

SHA256
0180978fe7abd0574389a9ab1511721fc7d5d570899c68b6ec8b570a828aaf85

SHA512
650b09e4ca307c672c05855e21af5e2bf9244444471aba03c8a74e43b5415f4880be20ea50d9d97669862ccad86294caceb7ff1b65e08d26a7619e185b6937c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
91f1aecac91ac945a433641caf3b13d8

SHA1
81061bd2c86e97f83507ca97dc0735fd9862fd4e

SHA256
8561ab1993d44d3bc4acccf9885a20255ceb225fbe55accdffa82786667875af

SHA512
90e678a66c13876e29c134a29b105a9317f571bb3278e0354cfcf7f04b85bbea5295ec584c104df2e81aa270c483ab323ef2d151c7eb934fcb2d0d39aef293f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4784c4df472672bce3c0153d6fa6a88b

SHA1
1cf39b315c7587cfc40a43aa3bb947da8dae7439

SHA256
e07fe5868801b52d1d5b0144f1d8d443b32a3bfbf204e870dd946b8bfbb6687e

SHA512
cad1b5b63f2188b142934d9b0b3584a015e6720ef4405cfb36dcfee837a0d8ee9bdc928da0b79bcb5c6ed61f9145a565fccf52bc2c0453e6292ec476d06210e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
63229ffce235682ae629a39d223d0a70

SHA1
c1531423bb375bee136721c53181a4550f263120

SHA256
aa2073b49a038797ebb11ec44148983943aace4784bcd41be28f6da715b2b957

SHA512
091e024821b989f0c85f7cca4bdfe28b10308e53c3549c1cc71660b8af7fad56a979607747572dffb222da9f77e10c421e049b306882cc7f87003985f8b3ba18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
f1881400134252667af6731236741098

SHA1
6fbc4f34542d449afdb74c9cfd4a6d20e6cdc458

SHA256
d6fcec1880d69aaa0229f515403c1a5ac82787f442c37f1c0c96c82ec6c15b75

SHA512
18b9ac92c396a01b6662a4a8a21b995d456716b70144a136fced761fd0a84c99e8bd0afb9585625809b87332da75727b82a07b151560ea253a3b8c241b799450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
09e79065a0ff720441a2211404e2021c

SHA1
8dae7f6ff7a45002e93dd81f8892311e79222201

SHA256
dd27ace4106a8fbd4413101850cac26331e615e070c434a35657c671ed03b918

SHA512
22bec8a57cf01071bfd74e88b21856bd65427ee7ac6705256f3d3edc5c69a5a47501c7fa5334fd4b0bb6b96b96e23a5eaca372fb43391ccf9cb7318a1c34a955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
8ecefeb3b045f8136816de212e4740cb

SHA1
c1eaa2439c9ea9c46f9832693ab954f5870d22cb

SHA256
852cdc66700f2806f272a587de00f71cd1710b20ddfcbade1abd461da41361b3

SHA512
d7a99f666eea3fa106b2180bb38c6ea022115a4b40910c4957634b240eb8434629317c0a178ca1a2e2f028aea9c6b653e6a7fb329cd3f519a26e22d70e04738b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
4bc2113b15f12a9f4557bdfccdf9511c

SHA1
493c803d4d8fe4d257e81d189b653a1151a17b82

SHA256
3bb4172f93819972476fa5e7271709a37edca8b20f07cba4bb6b0bcd6ca96a14

SHA512
18bce881a743a32a8d7ebba0a10e1c89bd24b9aabfff4fe8ace91a95894f2c8a858d04dd501ea9029d362806ab028e587b57da47c29d99d370276953220f597b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
c8dc5714d26ca6e8a4664f118e6dfa6f

SHA1
c25ecb7a1de9959548bfa4c21c8daa457903817e

SHA256
d6b752f79e528ab334fef5b736657dddf8013ab51dec018dba88da70d12443cd

SHA512
167ba3d98ad5ee2c686de99c74f8edd10e4d3297ec612e4446a84e517d289bc5b9ad8f18aa42ed02f8f4b0f922f6974412a9d5a8656ef4f63075ffed268ab50e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
7f22ac2a8c1c82fed2aeac40c1e7dd85

SHA1
6c4e33df5ad958d9c2f68618225ece0a10f00956

SHA256
a6e0b177b1f759a758bf5713f90a9f4a3e59afdaa3f924c5a45c23056303d82d

SHA512
ffb67258903802e26a9cf04070d7bf33cd16889590e24f04563844d164c4a6346780c14c2f6b12ae62542b550dc28d0886c7ecad1b0dfcd82395f030bfba3598

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
34378155b8ae7ce1e3d2e4bd2bc32c08

SHA1
e63ba26977477dcea5da8bc912aa2a076b4f4ba5

SHA256
203848f248fb55db1fbe691f3a329525bdec9ac0a7216a090dc965d935bcbd4c

SHA512
ddc1d345d393e9be6e57320daf799a392324f8a0981010b75d1773407b64f2a4119ae0d1a1c9b6d111efa2b419dab93faf5e5cf4b21913c4ca54df0bc0eb7029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
57aec0f20ebdde7c27715b7a29b172f7

SHA1
c14bc606f9b7ffcfe675ffb999cc79bd9f9a001a

SHA256
894f35f7aa1d9c26d58706d0747cdb598e70b55810da83e0e13773223f9c555e

SHA512
23622a8ce8cfafc064178b85f9acee73b31ead4d330ea3643741b58e80586efb5d84fa05ea2df16cb50b57bf95051e63125b949159bdf65d99f90992d18d833a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
8e2ca2dd46fc23c5a0aa342f7c32bf9a

SHA1
510ab6785c63ffd09c7d63ac5edb2ed69a20e058

SHA256
14c2127339d0098dbff231e04ad5cf21a329a1f72a9db68174ea68b533a7bcb8

SHA512
59667bff56b63b759c2e1c4b6888c8fb6fd0abc33a9bb34392741f34d2d9bb2a52a595cbf784268f25952c80bcbca0d701ca3752e9292553ff8c82b8386013c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591ca6.TMP
Filesize
1KB

MD5
62570b26e7ac198f4e9d2dc700ecb9c6

SHA1
fb9503794538d4b3cfa69a65f71c0f6fa19f907e

SHA256
9ccd70a9a339c142fb20142aa9d027c4ca8f9ab46259f7eff098faa57ce6a42b

SHA512
167f9ecc36dd5b62b216e46e7660bbce8e0dc33ecd1391e2addb1ab9c1db3eed503750e16a51ec1faca43d671a2a4588229e74b371c878d577ff622352fe18a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f0ddb39e02381391ea7ce09aac268ea6

SHA1
1ba0d36352c378c9f4b9ca98cc6d59bcb1128248

SHA256
d254f262057bd3c7ee0c1e4f389b25f018cc50a2d33ea02adea6c0240adc860b

SHA512
0716ed7f9b45d2017631d8ce8111820a591ea10c0ac768e413d0f3553ab5413ab72170477f4bde12590d1be2d1e395427871f30843505894c3eea58dbae02179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f0ddb39e02381391ea7ce09aac268ea6

SHA1
1ba0d36352c378c9f4b9ca98cc6d59bcb1128248

SHA256
d254f262057bd3c7ee0c1e4f389b25f018cc50a2d33ea02adea6c0240adc860b

SHA512
0716ed7f9b45d2017631d8ce8111820a591ea10c0ac768e413d0f3553ab5413ab72170477f4bde12590d1be2d1e395427871f30843505894c3eea58dbae02179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
af3ca0da61917b80f8d4b756f8564f41

SHA1
5e3a99ce9eba90408ba24fa574e2bca18f0e4968

SHA256
c87a888f564c51050e9f8e3a39936fcf9694d61ec916ccf06891b2a57c0b0634

SHA512
ee6f162c2702f2b9eef6bcfc0bbd84c00ba62b6916c74add06b33629dad55d61e030a4f4ecb6dc5d8a9354bc97dcc1254425c7a0f9b9c034b4d1ff1817443c2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
af3ca0da61917b80f8d4b756f8564f41

SHA1
5e3a99ce9eba90408ba24fa574e2bca18f0e4968

SHA256
c87a888f564c51050e9f8e3a39936fcf9694d61ec916ccf06891b2a57c0b0634

SHA512
ee6f162c2702f2b9eef6bcfc0bbd84c00ba62b6916c74add06b33629dad55d61e030a4f4ecb6dc5d8a9354bc97dcc1254425c7a0f9b9c034b4d1ff1817443c2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
af3ca0da61917b80f8d4b756f8564f41

SHA1
5e3a99ce9eba90408ba24fa574e2bca18f0e4968

SHA256
c87a888f564c51050e9f8e3a39936fcf9694d61ec916ccf06891b2a57c0b0634

SHA512
ee6f162c2702f2b9eef6bcfc0bbd84c00ba62b6916c74add06b33629dad55d61e030a4f4ecb6dc5d8a9354bc97dcc1254425c7a0f9b9c034b4d1ff1817443c2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
7ea8c70cf3a7c1b67d9b81f4aac2b31b

SHA1
6df6f0f81ee8531f87826e50f74a9387d86ef96e

SHA256
6880d48abf20edc42ddfc65a584e428cfbb52600e480b4a905c71b23a8b8a34a

SHA512
b14320a6e434cb07fac17ab22a237d5b1977cb672747abc2b0b034aefcd66ac2e3143b5fd9aa4280eedd0298d74cd6743ed45117d845e7ca56fb8834be928f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\231940048779
Filesize
45KB

MD5
f4983ec67f86601c871255203d3590c7

SHA1
d8a8839e12fa4b1255919a41d1e4e37a778c28f7

SHA256
46dfc71be0c567374521a274589cb7913941e308eb86f5e456a70e8539fd7fd7

SHA512
1f5403f3e1d63ad5ae1d464586735b75bec17b180992d7846884f14dab1153c5aadc6506e0abc33953fb5790c5a263ac5d3df8fd1dd49293197e3aa23a819079

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.1MB

MD5
89ecc6e0f4f435c613bce8b5f59c2a0a

SHA1
6ecae8292b1ad3aa55f6ac04c01a518d9edade12

SHA256
567660410d0103eb3b704426be08e1b90b24d3c2a047fc9b232bf7cb9e72eb53

SHA512
fe0638c8635cdd98f8f6c166c93ea8f6607e0145516636356a3af0f57db542ff05226bba14460721785782ecb610eac69d73ad026e8057a140c47d57c581b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\879A.exe
Filesize
1.7MB

MD5
10e9b25912678645faa48741035b52b6

SHA1
f902fbdeb9edca786bdefec1fd3e0c71a6cd50fc

SHA256
6affb8cd285481a6f606fbc3aa17a482d750c4ecaccce6f9b2ea7c861eff2301

SHA512
8a5fa7a0ee8c3e27a05baa1cc31c2bfbaabba888e19d651f8766b8c4e69135276b291fd8245e633a509da570d2837c3674889055a62ff284ccf1816e0f193713

Download Submit
C:\Users\Admin\AppData\Local\Temp\879A.exe
Filesize
1.7MB

MD5
10e9b25912678645faa48741035b52b6

SHA1
f902fbdeb9edca786bdefec1fd3e0c71a6cd50fc

SHA256
6affb8cd285481a6f606fbc3aa17a482d750c4ecaccce6f9b2ea7c861eff2301

SHA512
8a5fa7a0ee8c3e27a05baa1cc31c2bfbaabba888e19d651f8766b8c4e69135276b291fd8245e633a509da570d2837c3674889055a62ff284ccf1816e0f193713

Download Submit
C:\Users\Admin\AppData\Local\Temp\88C4.bat
Filesize
342B

MD5
e79bae3b03e1bff746f952a0366e73ba

SHA1
5f547786c869ce7abc049869182283fa09f38b1d

SHA256
900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63

SHA512
c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A4B.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A4B.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B08.exe
Filesize
219KB

MD5
1aba285cb98a366dc4be21585eecd62a

SHA1
c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b

SHA256
ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8

SHA512
9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B08.exe
Filesize
219KB

MD5
1aba285cb98a366dc4be21585eecd62a

SHA1
c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b

SHA256
ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8

SHA512
9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4E8.exe
Filesize
12.5MB

MD5
0bddfbdc76418c7fc877a5a11013dfee

SHA1
b9752934bfbd8101dcd94e3546d158bf538d1d02

SHA256
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc

SHA512
f488363e0a8c075e257bb93e8a2e8a49cd90f31ed808098058d81a78ca937358c822bc68a4a6159cdebeae78ff67d8dbb556ff6927565259cdfd8620cedbdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4E8.exe
Filesize
12.5MB

MD5
0bddfbdc76418c7fc877a5a11013dfee

SHA1
b9752934bfbd8101dcd94e3546d158bf538d1d02

SHA256
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc

SHA512
f488363e0a8c075e257bb93e8a2e8a49cd90f31ed808098058d81a78ca937358c822bc68a4a6159cdebeae78ff67d8dbb556ff6927565259cdfd8620cedbdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\B98C.exe
Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB04.exe
Filesize
95KB

MD5
0592c6d7674c77b053080c5b6e79fdcb

SHA1
693339ede19093e2b4593fda93be0b140be69141

SHA256
fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14

SHA512
37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCF9.exe
Filesize
306KB

MD5
5d0310efbb0ea7ead8624b0335b21b7b

SHA1
88f26343350d7b156e462d6d5c50697ed9d3911c

SHA256
a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a

SHA512
ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4gJ954pD.exe
Filesize
1.1MB

MD5
dc140b3cd6d927f6aff1ea719dfb52c4

SHA1
a2da8d1405ecb788ab5c0c5a13f2718669902f71

SHA256
ac2d79da2d604a1ee6c1f832b59d818d0fe1ae6d35489e4afd46a14a5819362e

SHA512
127bcbb6249af69dc19d8cc741df8292ca28c5dbfdf50f46793589cf7497429a4281fea9909d8bd402e1cbd01cb24061531a8357da20f17bd7750451cdb6fbf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4gJ954pD.exe
Filesize
1.1MB

MD5
dc140b3cd6d927f6aff1ea719dfb52c4

SHA1
a2da8d1405ecb788ab5c0c5a13f2718669902f71

SHA256
ac2d79da2d604a1ee6c1f832b59d818d0fe1ae6d35489e4afd46a14a5819362e

SHA512
127bcbb6249af69dc19d8cc741df8292ca28c5dbfdf50f46793589cf7497429a4281fea9909d8bd402e1cbd01cb24061531a8357da20f17bd7750451cdb6fbf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wO3Kx29.exe
Filesize
649KB

MD5
271867578fea1d36e9a646c4082ebed3

SHA1
75608ac040b1286806a6415be8b7aeb59a020ff6

SHA256
bf772f3546b35cfb91160a803191b9c5fd3d166bd43379d9c15fbcdbd1a05f7e

SHA512
6af6b000b4cded9b8ca987414fc74f53a7836433ef774430d9d2937f036a748a8cd5c967e3cfb0b7c78a51e8e44100adfc4c9fbb4e245e595473dc05b155cc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wO3Kx29.exe
Filesize
649KB

MD5
271867578fea1d36e9a646c4082ebed3

SHA1
75608ac040b1286806a6415be8b7aeb59a020ff6

SHA256
bf772f3546b35cfb91160a803191b9c5fd3d166bd43379d9c15fbcdbd1a05f7e

SHA512
6af6b000b4cded9b8ca987414fc74f53a7836433ef774430d9d2937f036a748a8cd5c967e3cfb0b7c78a51e8e44100adfc4c9fbb4e245e595473dc05b155cc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3zm34Ci.exe
Filesize
31KB

MD5
d804288895cc4ec7770f1b7c33604f41

SHA1
a47d15824f3f5bfa1892dcca4b60c5fc7df9aad7

SHA256
923f99e46ddc0897da1e602268ebca61de2ce9fc0104265f304da12e72863ac4

SHA512
f8e7db04b9d7aa155903c75702609f666e77c4b5966d2f38d3e781e829d1bd3fbf8df3eace1ff065c3e01ab38cf88db8eea7e16d15c94e1a3d44c2637206fd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3zm34Ci.exe
Filesize
31KB

MD5
d804288895cc4ec7770f1b7c33604f41

SHA1
a47d15824f3f5bfa1892dcca4b60c5fc7df9aad7

SHA256
923f99e46ddc0897da1e602268ebca61de2ce9fc0104265f304da12e72863ac4

SHA512
f8e7db04b9d7aa155903c75702609f666e77c4b5966d2f38d3e781e829d1bd3fbf8df3eace1ff065c3e01ab38cf88db8eea7e16d15c94e1a3d44c2637206fd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO5Ol0qH.exe
Filesize
1.6MB

MD5
b202ef1243abaca7af25a0cfd4c430ee

SHA1
209e19dfafed42341f282989419e19d525bc56d0

SHA256
5bc0d25291c314a5388810f5bc2db656f8dae95ead5aa862fa209f6e88402e5e

SHA512
3d84ec76794c6d669b72ff8ad0b82293b57e022a7808bdc23526676c5bb1c1a98373953d4a4bcb53919796b33c99392ff74d56dff90b34f50233c8ee0f064802

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CO5Ol0qH.exe
Filesize
1.6MB

MD5
b202ef1243abaca7af25a0cfd4c430ee

SHA1
209e19dfafed42341f282989419e19d525bc56d0

SHA256
5bc0d25291c314a5388810f5bc2db656f8dae95ead5aa862fa209f6e88402e5e

SHA512
3d84ec76794c6d669b72ff8ad0b82293b57e022a7808bdc23526676c5bb1c1a98373953d4a4bcb53919796b33c99392ff74d56dff90b34f50233c8ee0f064802

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hv5yU67.exe
Filesize
525KB

MD5
88aea916dc922a766d019cf44617b117

SHA1
34608d73bec471047355c2e7914b302191d5e83f

SHA256
71caac38cf333d491efd28d02c8984093a9ab8546ec90596058a102ff890cfd7

SHA512
bcd049cb33598277d5b263becfc652eaa1b2c3c05347d4e070f4ddc791fa12f8bbe923c80bb5c2d65eca6de55fad1e365d1e3224b51e6505401af4d7f7fefd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hv5yU67.exe
Filesize
525KB

MD5
88aea916dc922a766d019cf44617b117

SHA1
34608d73bec471047355c2e7914b302191d5e83f

SHA256
71caac38cf333d491efd28d02c8984093a9ab8546ec90596058a102ff890cfd7

SHA512
bcd049cb33598277d5b263becfc652eaa1b2c3c05347d4e070f4ddc791fa12f8bbe923c80bb5c2d65eca6de55fad1e365d1e3224b51e6505401af4d7f7fefd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1BZ50mA3.exe
Filesize
869KB

MD5
c564f71b530890cc8d46ad158d1bc642

SHA1
77c57ebf17c17d69406a511bdd67b2048628defd

SHA256
e8fbc59d1ac5ef784bbdfd8b1b636d01f86394f4b42c84f3fae48c6c7f8e180c

SHA512
0b69cd2398ce30d9a6d9e33d0c4f572d8c8262af1c4aa6d03297cc810530759e8c395e68fad1735732b036d5b7f424c8db7a619af3206185e6d07e7d87357063

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1BZ50mA3.exe
Filesize
869KB

MD5
c564f71b530890cc8d46ad158d1bc642

SHA1
77c57ebf17c17d69406a511bdd67b2048628defd

SHA256
e8fbc59d1ac5ef784bbdfd8b1b636d01f86394f4b42c84f3fae48c6c7f8e180c

SHA512
0b69cd2398ce30d9a6d9e33d0c4f572d8c8262af1c4aa6d03297cc810530759e8c395e68fad1735732b036d5b7f424c8db7a619af3206185e6d07e7d87357063

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2HV8799.exe
Filesize
1.0MB

MD5
665c0122cfc732119cedcd3d824780ec

SHA1
4bf49e935e8eb756a99d4a4c852366f37adebd93

SHA256
9aee0e2e59cd23957fe07ab00dc7d0ab2d739ddb23023131a292221e5b407934

SHA512
ae94fdf80acf4e99ba221dc3450c0bafca48c0004ea54b76d70f5ce57fe5d9f206f30470bf05128cc1194d0a746e74c0d6c4ee560f6b3a364c770e5c8dcebad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2HV8799.exe
Filesize
1.0MB

MD5
665c0122cfc732119cedcd3d824780ec

SHA1
4bf49e935e8eb756a99d4a4c852366f37adebd93

SHA256
9aee0e2e59cd23957fe07ab00dc7d0ab2d739ddb23023131a292221e5b407934

SHA512
ae94fdf80acf4e99ba221dc3450c0bafca48c0004ea54b76d70f5ce57fe5d9f206f30470bf05128cc1194d0a746e74c0d6c4ee560f6b3a364c770e5c8dcebad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eX4cb8VW.exe
Filesize
1.4MB

MD5
63954563cb998a743ca1eb09021144d4

SHA1
e089186577f63c5690d9af756f41352f26c8df12

SHA256
c3ba4686c1623eacecc9116b070e69d4a45fbed1abb5a20707fc21c426278ae2

SHA512
fc9cd9f91ae8b526f341509afce07a2004f4229010ee92e6facd9afd4886d58eb37fa2ec9bb3e8c0cc3cf8a706cbe22ac6eef25d934093ac1fbd358126c4ccf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eX4cb8VW.exe
Filesize
1.4MB

MD5
63954563cb998a743ca1eb09021144d4

SHA1
e089186577f63c5690d9af756f41352f26c8df12

SHA256
c3ba4686c1623eacecc9116b070e69d4a45fbed1abb5a20707fc21c426278ae2

SHA512
fc9cd9f91ae8b526f341509afce07a2004f4229010ee92e6facd9afd4886d58eb37fa2ec9bb3e8c0cc3cf8a706cbe22ac6eef25d934093ac1fbd358126c4ccf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bd3hg4ci.exe
Filesize
882KB

MD5
a2232b96011310661d44b074f39ee3f2

SHA1
c40e5608608d5da5cd72de19d1a963b7ef9a0916

SHA256
ea50a04f73297c720c2e958bd79660e22200e745f1095e2297541eba54077c94

SHA512
2f9e3cb23f938d9e75fc97003b68b95795d350c2d8b5fc792ed9c81c777852583b216db6f623a41dd0700fb8c1262fd885c9f95fe5b3e2494d63fa745677260f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bd3hg4ci.exe
Filesize
882KB

MD5
a2232b96011310661d44b074f39ee3f2

SHA1
c40e5608608d5da5cd72de19d1a963b7ef9a0916

SHA256
ea50a04f73297c720c2e958bd79660e22200e745f1095e2297541eba54077c94

SHA512
2f9e3cb23f938d9e75fc97003b68b95795d350c2d8b5fc792ed9c81c777852583b216db6f623a41dd0700fb8c1262fd885c9f95fe5b3e2494d63fa745677260f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\LX1SJ8yu.exe
Filesize
687KB

MD5
8765f7e95c2c0e4861c0aca2835e7900

SHA1
cc1f5fd4841c2fa62960287558167ae34706f99e

SHA256
bcafb2982986eda74a50eb6588b57eb6053fa256149bb75ce852b17b04ca5c31

SHA512
8fc238154daff57b18025abe53dfc5d17eac5c8525d025da80e838e43ce30c3921b6fdda9593b109352d0cdab0a94feeb6083daa8bd7653973e573f7c97e870b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\LX1SJ8yu.exe
Filesize
687KB

MD5
8765f7e95c2c0e4861c0aca2835e7900

SHA1
cc1f5fd4841c2fa62960287558167ae34706f99e

SHA256
bcafb2982986eda74a50eb6588b57eb6053fa256149bb75ce852b17b04ca5c31

SHA512
8fc238154daff57b18025abe53dfc5d17eac5c8525d025da80e838e43ce30c3921b6fdda9593b109352d0cdab0a94feeb6083daa8bd7653973e573f7c97e870b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1pq05MA0.exe
Filesize
1.8MB

MD5
48f90051579d24a1a68db19a7430ab5f

SHA1
cab7d42b02776ddc6bc9a3a9e561341089eb4be8

SHA256
c180a94883d40382329a65b8d3e8b5f4d76a836431f864ade3840f1ea038897a

SHA512
109fd879d06fc73f3930570921c3218aa001774b80b7f8fb2fd201947bf5a70f3ec7c451bf9013380e9e95599a82d64aa6cf6ed7b606834e48434767bed298d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1pq05MA0.exe
Filesize
1.8MB

MD5
48f90051579d24a1a68db19a7430ab5f

SHA1
cab7d42b02776ddc6bc9a3a9e561341089eb4be8

SHA256
c180a94883d40382329a65b8d3e8b5f4d76a836431f864ade3840f1ea038897a

SHA512
109fd879d06fc73f3930570921c3218aa001774b80b7f8fb2fd201947bf5a70f3ec7c451bf9013380e9e95599a82d64aa6cf6ed7b606834e48434767bed298d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2uB572HG.exe
Filesize
219KB

MD5
ff32e77e92b4b99754a300a752000f3c

SHA1
631c7effe0b9613f7ea1bfc7562b8cd0e86d08ca

SHA256
3dea280bdc05b1a9acb098a8de440ad894b6f8b6083e21a65947adbb8081bbeb

SHA512
54bac22b9a9dbada808b2c9bbfc6bfc9925bcc8ffe3d835bdab4e5706a3cb2c99005ac5cc595862bb81117a4d762c8287f634560bd878ddf237f7e6c919840ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2uB572HG.exe
Filesize
219KB

MD5
ff32e77e92b4b99754a300a752000f3c

SHA1
631c7effe0b9613f7ea1bfc7562b8cd0e86d08ca

SHA256
3dea280bdc05b1a9acb098a8de440ad894b6f8b6083e21a65947adbb8081bbeb

SHA512
54bac22b9a9dbada808b2c9bbfc6bfc9925bcc8ffe3d835bdab4e5706a3cb2c99005ac5cc595862bb81117a4d762c8287f634560bd878ddf237f7e6c919840ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
Filesize
2.5MB

MD5
032a919dff4e6ba21c24d11a423b112c

SHA1
cbaa859c0afa6b4c0d2a288728e653e324e80e90

SHA256
12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553

SHA512
0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
4.8MB

MD5
e10ed3f5f947b8e0504b871cb6841792

SHA1
29432c7703ed7c3cb154f160b46746bda9b56405

SHA256
3c2159d97670aabc4aeebb9600d35434efd2c749a7f5242500e4f306b70396fd

SHA512
4cb28ee202c1257a7e161349f69b8301a574912a6b5695b0202c7d06a2e7443a9ca82c12041fe7f7c47ea0909eeb7175acc94d231dac3da66291f0855e4c01ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bssloxu2.omk.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
Filesize
306KB

MD5
5d0310efbb0ea7ead8624b0335b21b7b

SHA1
88f26343350d7b156e462d6d5c50697ed9d3911c

SHA256
a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a

SHA512
ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe
Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A63.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B53.tmp
Filesize
92KB

MD5
2c49291f7cd253c173250751551fd2b5

SHA1
9d8a80c2a365675a63b5f50f63b72b76d625b1b1

SHA256
5766d76fbd9f797ab218de6c240dcae6f78066bc5812a99aeeed584fb0621f75

SHA512
de4a9ca73d663384264643be909726cb3393ea45779c888eb54bb3fbd2e36d8ad1c30260a16f1ced9fc5d8fe96dee761a655ff3764148b3e2678563417d6d933

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2CD6.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D0B.tmp
Filesize
20KB

MD5
f7e311ebfae99a4e2045b870567a686e

SHA1
2c2911a5778dc3005f88f1a16c035dbe9e87e25f

SHA256
d7016abf3c8110d082049f788a9c03c775079c6b93c85a388161e221000c5953

SHA512
b010a61ea993809e6034d2cd92853cf791d9e521e8363f87d0e689021761aa82425deab779fcf61e9f166a6d6a5d227387bd66aadcd0477b99a798da77c5c191

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E94.tmp
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F5B.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll
Filesize
102KB

MD5
8da053f9830880089891b615436ae761

SHA1
47d5ed85d9522a08d5df606a8d3c45cb7ddd01f4

SHA256
d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374

SHA512
69d49817607eced2a16a640eaac5d124aa10f9eeee49c30777c0bc18c9001cd6537c5b675f3a8b40d07e76ec2a0a96e16d1273bfebdce1bf20f80fbd68721b39

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll
Filesize
1.2MB

MD5
0111e5a2a49918b9c34cbfbf6380f3f3

SHA1
81fc519232c0286f5319b35078ac3bb381311bd4

SHA256
4643d18bb8be79c2e3178bc3978d201c596ab70a347e8cf1e8fdbe3028d69d7c

SHA512
a2aac32a2c5146dd7287d245bfa9424287bfd12a40825f4da7d18204837242c99d4406428f2361e13c2e4f4d68c385de12e98243cf48bf4c6c5a82273c4467a5

Download Submit
\??\pipe\LOCAL\crashpad_3576_SYHAROMGQQQFLEQU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4156_GOEPATGEJTMMKRBI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/400-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-48-0x00000000075B0000-0x00000000075BA000-memory.dmp

Filesize
40KB

Download
memory/1304-49-0x00000000086A0000-0x0000000008CB8000-memory.dmp

Filesize
6.1MB

Download
memory/1304-44-0x0000000007AD0000-0x0000000008074000-memory.dmp

Filesize
5.6MB

Download
memory/1304-45-0x00000000075C0000-0x0000000007652000-memory.dmp

Filesize
584KB

Download
memory/1304-47-0x0000000007780000-0x0000000007790000-memory.dmp

Filesize
64KB

Download
memory/1304-43-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/1304-57-0x0000000007780000-0x0000000007790000-memory.dmp

Filesize
64KB

Download
memory/1304-56-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/1304-50-0x0000000007980000-0x0000000007A8A000-memory.dmp

Filesize
1.0MB

Download
memory/1304-53-0x00000000078C0000-0x000000000790C000-memory.dmp

Filesize
304KB

Download
memory/1304-42-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1304-51-0x0000000007820000-0x0000000007832000-memory.dmp

Filesize
72KB

Download
memory/1304-52-0x0000000007880000-0x00000000078BC000-memory.dmp

Filesize
240KB

Download
memory/1620-55-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/1620-25-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/1620-46-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/1620-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3056-841-0x0000000002B30000-0x0000000002B66000-memory.dmp

Filesize
216KB

Download
memory/3124-691-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/3124-447-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/3188-35-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3188-886-0x0000000002970000-0x0000000002986000-memory.dmp

Filesize
88KB

Download
memory/3456-377-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/3456-448-0x0000000006B70000-0x000000000709C000-memory.dmp

Filesize
5.2MB

Download
memory/3456-745-0x0000000007120000-0x0000000007196000-memory.dmp

Filesize
472KB

Download
memory/3456-690-0x0000000006AF0000-0x0000000006B40000-memory.dmp

Filesize
320KB

Download
memory/3456-455-0x0000000006400000-0x0000000006466000-memory.dmp

Filesize
408KB

Download
memory/3456-248-0x0000000000600000-0x000000000061E000-memory.dmp

Filesize
120KB

Download
memory/3456-442-0x0000000006470000-0x0000000006632000-memory.dmp

Filesize
1.8MB

Download
memory/3456-441-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/3456-757-0x00000000073E0000-0x00000000073FE000-memory.dmp

Filesize
120KB

Download
memory/3456-266-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/3456-313-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/3488-799-0x0000000000400000-0x00000000007C5000-memory.dmp

Filesize
3.8MB

Download
memory/3488-744-0x0000000000400000-0x00000000007C5000-memory.dmp

Filesize
3.8MB

Download
memory/3604-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3604-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3732-350-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/3732-236-0x0000000000DB0000-0x0000000001A40000-memory.dmp

Filesize
12.6MB

Download
memory/3732-235-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/4540-1216-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4740-1395-0x0000000001900000-0x0000000001920000-memory.dmp

Filesize
128KB

Download
memory/4864-234-0x0000000007640000-0x0000000007650000-memory.dmp

Filesize
64KB

Download
memory/4864-229-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/4864-100-0x00000000006C0000-0x00000000006FC000-memory.dmp

Filesize
240KB

Download
memory/4864-111-0x0000000007640000-0x0000000007650000-memory.dmp

Filesize
64KB

Download
memory/4864-102-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/5008-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-120-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/5032-249-0x0000000006FD0000-0x0000000006FE0000-memory.dmp

Filesize
64KB

Download
memory/5032-247-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/5032-121-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/5032-122-0x0000000006FD0000-0x0000000006FE0000-memory.dmp

Filesize
64KB

Download
memory/5056-1400-0x00007FF789FF0000-0x00007FF78A591000-memory.dmp

Filesize
5.6MB

Download
memory/5160-594-0x0000000000400000-0x00000000007C5000-memory.dmp

Filesize
3.8MB

Download
memory/5160-602-0x0000000000400000-0x00000000007C5000-memory.dmp

Filesize
3.8MB

Download
memory/5484-281-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5484-393-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5484-291-0x00000000005D0000-0x000000000062A000-memory.dmp

Filesize
360KB

Download
memory/6444-424-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/6444-592-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/6536-764-0x0000000000930000-0x0000000000939000-memory.dmp

Filesize
36KB

Download
memory/6536-763-0x0000000000A20000-0x0000000000B20000-memory.dmp

Filesize
1024KB

Download
memory/6680-785-0x0000000002960000-0x0000000002D66000-memory.dmp

Filesize
4.0MB

Download
memory/6680-1011-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/6680-787-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/6680-786-0x0000000002E70000-0x000000000375B000-memory.dmp

Filesize
8.9MB

Download
memory/6680-909-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/6692-338-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/6692-1014-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/6692-445-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/6792-341-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/6792-349-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/6792-347-0x00007FFC04130000-0x00007FFC04BF1000-memory.dmp

Filesize
10.8MB

Download
memory/6792-437-0x00007FFC04130000-0x00007FFC04BF1000-memory.dmp

Filesize
10.8MB

Download
memory/6880-1009-0x00007FF77EC00000-0x00007FF77F1A1000-memory.dmp

Filesize
5.6MB

Download
memory/6976-887-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6976-784-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6976-765-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download