4870376811dd3c5eabe924c793079629d13a7813bf1a3014b5333b132be50365

max time kernel
12s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2023, 21:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

888Rat.exe
Size

93.6MB
MD5

553951bbbde6c6001ade88f3a06a9b9a
SHA1

28cd84b4533433cc925123f106e4efbbddd3c2ca
SHA256

4870376811dd3c5eabe924c793079629d13a7813bf1a3014b5333b132be50365
SHA512

e9cf57ca2cd87fa2b3c05c0003ae11fc51d4139072d028ba52d665de57fffcb9c279cbe19ede001cc56ac464212ab8f6cbb8e7023c7ca567835a7b540a58521d
SSDEEP

1572864:ST0EdFgdUIGfkS0H4HHDXLYrXatfLllR3Rbop0+xXlMSyCXsRuG0CPb0V+8VM5km:ST0I1IGfr0H4HbLYrXajRPcl0issnM4s

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	888Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	888RAT.EXE

Executes dropped EXE 5 IoCs

pid	Process
3780	SERVERS.EXE
1824	svchost.exe
64	msedge.exe
3444	SERVERS.EXE
4472	SERVERS.EXE

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com
128	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2196	schtasks.exe
5696	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3872	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	456	taskmgr.exe
Token: SeSystemProfilePrivilege	456	taskmgr.exe
Token: SeCreateGlobalPrivilege	456	taskmgr.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 2832	3940	888Rat.exe	90
PID 3940 wrote to memory of 2832	3940	888Rat.exe	90
PID 3940 wrote to memory of 2832	3940	888Rat.exe	90
PID 3940 wrote to memory of 3780	3940	888Rat.exe	91
PID 3940 wrote to memory of 3780	3940	888Rat.exe	91
PID 2832 wrote to memory of 1624	2832	888RAT.EXE	92
PID 2832 wrote to memory of 1624	2832	888RAT.EXE	92
PID 2832 wrote to memory of 1624	2832	888RAT.EXE	92
PID 2832 wrote to memory of 1824	2832	888RAT.EXE	125
PID 2832 wrote to memory of 1824	2832	888RAT.EXE	125
PID 1624 wrote to memory of 2304	1624	888RAT.EXE	94
PID 1624 wrote to memory of 2304	1624	888RAT.EXE	94
PID 1624 wrote to memory of 2304	1624	888RAT.EXE	94
PID 1624 wrote to memory of 64	1624	888RAT.EXE	135
PID 1624 wrote to memory of 64	1624	888RAT.EXE	135
PID 2304 wrote to memory of 2580	2304	888RAT.EXE	169
PID 2304 wrote to memory of 2580	2304	888RAT.EXE	169
PID 2304 wrote to memory of 2580	2304	888RAT.EXE	169
PID 2304 wrote to memory of 3444	2304	888RAT.EXE	97
PID 2304 wrote to memory of 3444	2304	888RAT.EXE	97
PID 2580 wrote to memory of 3176	2580	identity_helper.exe	98
PID 2580 wrote to memory of 3176	2580	identity_helper.exe	98
PID 2580 wrote to memory of 3176	2580	identity_helper.exe	98
PID 2580 wrote to memory of 4472	2580	identity_helper.exe	99
PID 2580 wrote to memory of 4472	2580	identity_helper.exe	99

C:\Users\Admin\AppData\Local\Temp\888Rat.exe
"C:\Users\Admin\AppData\Local\Temp\888Rat.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
  "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
    "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
      "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        5⤵
        
        PID:2580
      - C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        6⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        7⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        8⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        9⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        10⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        11⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        12⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        13⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        14⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        15⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        16⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        16⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        17⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        18⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        19⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        20⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        21⤵
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        22⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        23⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        24⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        25⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        26⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        27⤵
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        27⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        28⤵
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        29⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        30⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        31⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        32⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        33⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        34⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        35⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        36⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        36⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        37⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        38⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        39⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        40⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        41⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        42⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        43⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        44⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        45⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        46⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        47⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        48⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        49⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        50⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        51⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        52⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        53⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        54⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        55⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        56⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        56⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        57⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        58⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        59⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        60⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        60⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        61⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        61⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        62⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        63⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        64⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        65⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        66⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        67⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        68⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        69⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        70⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        71⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        71⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        72⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        73⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        74⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        74⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        75⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        76⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        76⤵
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        77⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        77⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        78⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        78⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        79⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        80⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        80⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        81⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        82⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        82⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        83⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        84⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        85⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        86⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        87⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        88⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        88⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        87⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        86⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        85⤵
        
        PID:4580
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE" /sc MINUTE /MO 1
        86⤵
        Creates scheduled task(s)
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        84⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        83⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        81⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        79⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        75⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        73⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        72⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        70⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        69⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        68⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        67⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        66⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        65⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        64⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        63⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        62⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        59⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        58⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        57⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        55⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        54⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        53⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        52⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        51⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        50⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        49⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        48⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        47⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        46⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        45⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        44⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        43⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        42⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        41⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        40⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        39⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        38⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        37⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        35⤵
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        34⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        33⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        32⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        31⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        30⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        29⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        28⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        26⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        25⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        24⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        23⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        22⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        21⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        20⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        19⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        18⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        17⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        15⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        14⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        13⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        12⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        11⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        10⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        9⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        8⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        7⤵
        
        PID:3148
      - C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        6⤵
        Executes dropped EXE
        
        PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        5⤵
        Executes dropped EXE
        
        PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
      "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
      4⤵
      PID:64
- - C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
    "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
    3⤵
    PID:1824
- C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
  2⤵
  - Executes dropped EXE
  PID:3780
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE" /sc MINUTE /MO 1
    3⤵
    - Creates scheduled task(s)
    PID:2196
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:1292
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:3872
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /s /t 0
    3⤵
    PID:2056

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:456

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:656

C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
1⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb0af346f8,0x7ffb0af34708,0x7ffb0af34718
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6908 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6884 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5416 /prefetch:2
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,2346321482385108945,7740542177968594345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:5192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5180

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38cc855 /state1:0x41c64e6d
1⤵
PID:5812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:4308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:5548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SERVERS.EXE.log

Filesize
1KB

MD5
2362dcc9d262d0969898b143fb7fc91a

SHA1
2240860a675c86425f5702b501eac121bfb744eb

SHA256
4f7cff601d97caf1e0040bc2d63ccadd27294b2e551ff4167e0b080c69a915b0

SHA512
59cb7e53dc9cc02f25216cc87115403ed67fb5d24947ef2e803cd54e9f118d5d65a71817b05642c238ca48eb7bfd228d008d92e42023f2c15755c64c88f5b0d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
186KB

MD5
740a924b01c31c08ad37fe04d22af7c5

SHA1
34feb0face110afc3a7673e36d27eee2d4edbbff

SHA256
f0e1953b71cc4abbffdd5096d99dfb274688e517c381b15c3446c28a4ac416e0

SHA512
da7061f944c69245c2f66b0e6a8b5a9bca91bda8a73f99734dcb23db56c5047de796fa7e348ff8840d9ac123436e38a4206408573215b7e5e98942ea6d66bb7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
6b115fe493504e7dea7738ed7a40a639

SHA1
aba3f353f6d98b62f0b2ca2d6d6b0e7f469733e1

SHA256
b881c6639b28dada535a50525a4c6f4651fdd12880141939b093db8ab7d8014a

SHA512
db820854b9de286d646fed8f362a7f762ef7e754e501f75a433c3ad6bdd8a9d4e79276342b54c51fcea1264477ffe1b89518b846588d513ed117c76b9625c8c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1e374652b085e78546c2e605f1c5c1f4

SHA1
0e4cf94ee14234305ff51fdcafa23112c963b536

SHA256
946f009484780210f354189fcc327a11839fc65879802bbcc57a278d753ddec7

SHA512
d60c5ad5c2f6dc744c315bebb26c84ea31b2c0e5f72852634942bb94f3162f42e497ff22878a505632d37919aa565598910a84d6e1dec76ec25cd1bf224b31ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e0bf863572dd9f870a6effb46c45d806

SHA1
771884e801f23f78be5a76134408494719108506

SHA256
847e4032ca7917ef58b823f277fd0b29b8c1fc2ae7c34b5eaada7ca031e55ded

SHA512
a9a57bd9789f3b55b1a3cad5bd962804cb02412e281769c7b9700e8db3f6da1934cc4726a4d4679cd780122bc9a803b3b2cea9273a21b61f0be0cd44cbd59add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
810f3ce806916bedf1e1401172ca0125

SHA1
d1ef937268f82001d9bbb7a11c89e25d66614941

SHA256
5bd512c782fe458e863d9631dffc38c06d6085b056ebf998f1a3f1c50704ac6c

SHA512
c444c186912f29e3a3644e34bc50ef6eeee71950d9e40d645f058c63826eae2b3f9852089d1373303e6ced40165a203a03b8d669d9ba9570b6371b3471020d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c182c31441e015b0c36fe0ddf2cef926

SHA1
848ba32bc13345675b4ac139e441167323c25eb3

SHA256
442a8933a8d851461285a7a38933c8f1fc49321f8e7b5526601ea3976306958e

SHA512
84a2149b0f4e7ff14e58216938ff3d9fce94bef4e2f1592d32c5d70f5ae47d93a16df0dc03bff95deada2ac599d7e8f59ff872a148908cc81047d4ce0a894ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d3d207886341abd9a5456b2d2acce297

SHA1
a204478efa980e17993a184970f9aa22b499d325

SHA256
e07a960f43ba76016b4cb31a7a93c44d17eb0ad7fef61e0c2e65ae467567df15

SHA512
71ba6818f197325c996744253f9444637c605738b668b11467954b776f6a3459b3cc76cb21b1f123dd25e7899e56899c05dc89a8b612ffc731c2a3e29bc8ac51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9d980c48b2667fcefeb9094d3f84e88b

SHA1
62f509fac809d9965c1490e96000f52a130cbb66

SHA256
fcc758975b6f6321776dc9a56b17e3a176ab0cd0b9da7c028c76e9104df3672d

SHA512
23ad11b245ac301e71c5c02e90f83bb416dd19c75a94c18257c8e143521f6e34013138b2d53f946065fb0b233c764464db2ebe31226a274cecd9c1dd5484d34e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f1881400134252667af6731236741098

SHA1
6fbc4f34542d449afdb74c9cfd4a6d20e6cdc458

SHA256
d6fcec1880d69aaa0229f515403c1a5ac82787f442c37f1c0c96c82ec6c15b75

SHA512
18b9ac92c396a01b6662a4a8a21b995d456716b70144a136fced761fd0a84c99e8bd0afb9585625809b87332da75727b82a07b151560ea253a3b8c241b799450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bed007127f07e39b55354c6ac3ae12b4

SHA1
3f7f40b14827ff6ee312490b157ecbb8fd2db43b

SHA256
dda57a57174f8c4c2d7bc47429a470481f081765f18635f610023db7cc9e4005

SHA512
c316ed726784b347e0e5ece0d39fd83c8e34dc4e5d164a3e638317c37000d00cf10dc90ccee766024138b9d3852a49d2c947b29274b0a3add3e1f5089442c37a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a8dca.TMP

Filesize
48B

MD5
514477e36225ee1e5d1928ef13875ca3

SHA1
b86d4d739673dc7883c4a9d9e1cbe180cf6b6d8f

SHA256
c61a34ce9e6e4bb8345ae2a4af8466f361b973c8fb2c6ceb5f5dd277a32391a7

SHA512
53bb5da86f816a7c774cd6ca0e438ea6ad3163fd83275cf34c351c7f1a4426d08eba4aa0a52e3ffd5777cab618cfa599f642a53b8cd8a4c67c97adb5638f963a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
348a5f53b188a303c53c199400c3fe09

SHA1
d752f3bbe1f86a6f2c4db7d30fd778e224ae82b9

SHA256
600cf5ebd410ab90018dfe10e7f330a57f353c4f0297d0e4255740f665b84063

SHA512
bcb0440781f5b173f3663a9a56f1050c152117c5bb457026ccb818b9d148be5181569d74f142b7f5775db32bdb6967a419ad02611e3fab94437512ef9899db59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
228e95ff3f04c510bd5e8ad6b0d64732

SHA1
53a27636cb0c6d4bc55288a6abd738b03196b333

SHA256
aecde77608d66a6806b5893e7a8588f2a648c4f7eae3d2dc5a3c13df17b4e447

SHA512
b99eeaac54d199d8d0d8b92b94bda837f18421e6164b556d898fe285f56a7844aa7aeb186e1c67f8ef4d7683043f294f3f8a2a882510e29d4bde617dc8aeaba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a137a.TMP

Filesize
370B

MD5
c2b95a6646c7678cfae77394d5c681b6

SHA1
a2730355c9b94993b457d372c20ec9aab6e9c21b

SHA256
eabb2523090fdfcc5c44169fc2eb6e548def44ae06edd4df99bf768ded3aa13f

SHA512
62afbf5aa265845a3629613fec394213b8fa7101e0b2c9bddc080bbd1d11aaeb96d0c724a4a4ba09886ba51f83c52f1095eeac1def488114904a7ae7c35c9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6c4408a64011fb24ed5811bf7922208f

SHA1
00d970389c01007f10cee30dc70517f517edae60

SHA256
dd19f556f9526533c634c55d52ca7ea53886f0fa72e95699aa246f077c61dac8

SHA512
25e4682c0c2d3901b49c5ae4e8d5ad7a10268255a3deaba62c4e93c57b302f953e9dbefc2f03b16cc8d2f16fb785be85b8365a3c55f73a8ac6581ffc1bb96ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
909d8004f40d7dcfc2dc7b03dc3c0396

SHA1
23d12913008e4b5f098b2029540a60135ad6efa7

SHA256
49feddf2bdda18d5edb0895c85c0015944856761797e27e765851ba004bbdd1e

SHA512
d3ad9504b781a8d8dcd96f2db2f1d1e7e2d384ecb3fd59f6d5fb9e3ce7649ea27c045189edc77c2f14aba0014ff30a9b1ac9dbb5f1155c6fbdf3a1ffd938c704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
83faad26dac218982a4b1de1abb76a7d

SHA1
9334c04e074300e04b1e5956ec1f8c1fdea2660b

SHA256
6bcd09ad125c8c68a00fa1198b2eafa700bc34cf65476126303cd55d18b14a0b

SHA512
871342436e78df4d9e8711d79056281465c0baf12c69cd2d8ca6ca296298da554eefd5dd3d1569fea542cac1f171a2075235fc8f1b99b42f60dedc7cb4916d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3237db622784d932c70926b0f9569d0e

SHA1
28b50f628f68acfdefadc796f476e35e8a4c4d09

SHA256
647a07f7c9149faca28e3c34083df8c0b3b66ae684e036a02b985edf6b3ff9a8

SHA512
71d7a14c2ecb5023c09db7cab42127fd280179c2c2eb5c2721d50fd013a84beeae8b2de9895e6c3121c97ab951844d9ae216ea09d0ea0f27da56dbd5fa7897d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4441aaa9d72387465ce629f932f7f879

SHA1
4c89244c77db9572d1a70e4f41a48555dccd3eb6

SHA256
0a5be1902a62c3b4ac6ffbf3bd537a07f0eca7e91e3b041b6dc38130c1387b5d

SHA512
294aff2ffe4702e8c9fb6ca15c39966e20a073fd5a62d414dc9abbef14e4d4350c03ef24d4c1db1bcb3d89d364541ad2029c6cfacc9f4ba10a2a29f41cd70196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
372f133505e23a85ffd0939ec9306caa

SHA1
17fcd059919a3a725019fe8f1cf4ced51a9ccdc5

SHA256
0f09cdf1c90bcac194ee129c6bfbf98be453f737cb3fda33f95d3d2c1a8368db

SHA512
07628517be0ca0fb01e4063960ef8c6488df417d7299f213b311f38d017b39fcbf79478fa5901a5710db44e35f26fdd4f7e128848922af958d443c67285d0111

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE

Filesize
342KB

MD5
1f48c93f9d616ecee5bf74753831b9a2

SHA1
54fdaa4c5e40db13b6983fa7abdd37a8b5451a74

SHA256
f5e7fa13587f98346f53fd730f621811dcd5685bdd401a6115f49a4dbfadf89e

SHA512
fc0602d96beab064c23b6e5a9b9ac0bfbdc35e27b661f2cdd2552b0e71bdb7b680a48cdc1f60ac439b1fefddd10c08cb9e7a4b9b02068e5c66ccc4ec7a73cdf4

Download Submit
memory/64-33-0x0000000002C40000-0x0000000002C50000-memory.dmp

Filesize
64KB

Download
memory/64-32-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/64-50-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/456-22-0x00000128D2A40000-0x00000128D2A41000-memory.dmp

Filesize
4KB

Download
memory/456-18-0x00000128D2A40000-0x00000128D2A41000-memory.dmp

Filesize
4KB

Download
memory/456-13-0x00000128D2A40000-0x00000128D2A41000-memory.dmp

Filesize
4KB

Download
memory/456-12-0x00000128D2A40000-0x00000128D2A41000-memory.dmp

Filesize
4KB

Download
memory/456-9-0x00000128D2A40000-0x00000128D2A41000-memory.dmp

Filesize
4KB

Download
memory/456-19-0x00000128D2A40000-0x00000128D2A41000-memory.dmp

Filesize
4KB

Download
memory/456-21-0x00000128D2A40000-0x00000128D2A41000-memory.dmp

Filesize
4KB

Download
memory/456-27-0x00000128D2A40000-0x00000128D2A41000-memory.dmp

Filesize
4KB

Download
memory/456-24-0x00000128D2A40000-0x00000128D2A41000-memory.dmp

Filesize
4KB

Download
memory/456-26-0x00000128D2A40000-0x00000128D2A41000-memory.dmp

Filesize
4KB

Download
memory/1352-78-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/1352-103-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/1804-77-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/1804-56-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/1824-48-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

Filesize
64KB

Download
memory/1824-29-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/1824-30-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

Filesize
64KB

Download
memory/1824-55-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/1824-44-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/2336-105-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/2336-112-0x000000001B050000-0x000000001B060000-memory.dmp

Filesize
64KB

Download
memory/2452-75-0x000000001B770000-0x000000001B780000-memory.dmp

Filesize
64KB

Download
memory/2452-101-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/2452-74-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3024-102-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3104-79-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3104-83-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3104-82-0x000000001B020000-0x000000001B030000-memory.dmp

Filesize
64KB

Download
memory/3104-62-0x000000001B020000-0x000000001B030000-memory.dmp

Filesize
64KB

Download
memory/3104-60-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3148-42-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3148-65-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3148-67-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3444-59-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3444-35-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3444-36-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/3716-71-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

Filesize
64KB

Download
memory/3716-69-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3716-89-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3716-88-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3780-47-0x0000000000D40000-0x0000000000D52000-memory.dmp

Filesize
72KB

Download
memory/3780-54-0x0000000002690000-0x00000000026CC000-memory.dmp

Filesize
240KB

Download
memory/3780-14-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/3780-20-0x0000000000C80000-0x0000000000D1E000-memory.dmp

Filesize
632KB

Download
memory/3780-23-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3780-25-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/3780-39-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3780-43-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/3964-46-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3964-51-0x000000001AE50000-0x000000001AE60000-memory.dmp

Filesize
64KB

Download
memory/3964-72-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/3964-70-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/4052-136-0x000000001B630000-0x000000001B640000-memory.dmp

Filesize
64KB

Download
memory/4052-135-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/4176-87-0x000000001B680000-0x000000001B690000-memory.dmp

Filesize
64KB

Download
memory/4176-86-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/4176-134-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/4400-92-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/4400-137-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/4400-93-0x000000001BB30000-0x000000001BB40000-memory.dmp

Filesize
64KB

Download
memory/4472-40-0x000000001B240000-0x000000001B250000-memory.dmp

Filesize
64KB

Download
memory/4472-61-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/4472-38-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/4480-64-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/4480-66-0x000000001B0B0000-0x000000001B0C0000-memory.dmp

Filesize
64KB

Download
memory/4480-84-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/4676-147-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/4852-106-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/4852-81-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download
memory/5168-148-0x000000001B730000-0x000000001B740000-memory.dmp

Filesize
64KB

Download
memory/5168-141-0x00007FFB0FFA0000-0x00007FFB10A61000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads