glupteba | 4a2a4495e21686e313a365c216dd539059ce14479990b904ef8c622e485780c6

Analysis

max time kernel
59s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a2a4495e21686e313a365c216dd539059ce14479990b904ef8c622e485780c6.exe
Size

1.4MB
MD5

cff80093d52795e3b3dca69d7bb34da9
SHA1

41188a2f431d8ebe1eae1bcad4adda05b9bfa709
SHA256

4a2a4495e21686e313a365c216dd539059ce14479990b904ef8c622e485780c6
SHA512

e1996b04087291414e38b25b0e9b1b82f6e848ba564db481639081e560a6b03104a9e7f4a2d785cdeedf4c35323e8ca781704673632f32d875c08e510370da18
SSDEEP

24576:SyrvPXQefuIiw1SdtfjREeZIsJqFGSivDPnpuqAbiue8EJbD0FpQLuUL36p8:5rvfDLJ1++eCSyGp1NH8EF5CUW

Score

10^/10

glupteba mystic redline smokeloader stealc zgrat taiga up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

stealc

http://77.91.68.247

Attributes

url_path
/c36258786fdc16da.php

rc4.plain

Extracted

Family

smokeloader

Botnet

up3

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/6660-221-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6660-226-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6660-224-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6660-229-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 23 IoCs

resource	yara_rule
behavioral1/memory/5536-651-0x000002A6E68E0000-0x000002A6E69C4000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-669-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-661-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-672-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-664-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-675-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-683-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-685-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-687-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-689-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-693-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-704-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-706-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-708-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-710-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-712-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-714-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-716-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-718-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-720-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-722-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-724-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5536-728-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral1/memory/5492-951-0x0000000002DB0000-0x000000000369B000-memory.dmp	family_glupteba
behavioral1/memory/5492-955-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2796-304-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/4276-555-0x0000000000470000-0x00000000004CA000-memory.dmp	family_redline
behavioral1/memory/4276-557-0x0000000000400000-0x000000000046F000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2128	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	8ECE.exe

Executes dropped EXE 18 IoCs

pid	Process
4600	Sv8Bh13.exe
3448	sI9nT55.exe
4816	Ui0IB30.exe
2628	1VD25ZK2.exe
6400	2gA4122.exe
6776	7LJ67kZ.exe
6692	8su113Sp.exe
5372	9is6Ix1.exe
4276	8ECE.exe
3216	sc.exe
5968	C4A5.exe
7096	InstallSetup5.exe
4348	cmd.exe
5888	Broom.exe
5492	31839b57a4f11171d6abc8bbc4451ee4.exe
5536	C4A5.exe
1876	forc.exe
5776	latestX.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4a2a4495e21686e313a365c216dd539059ce14479990b904ef8c622e485780c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Sv8Bh13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sI9nT55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ui0IB30.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000022d7f-26.dat	autoit_exe
behavioral1/files/0x0007000000022d7f-27.dat	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 6400 set thread context of 6660	6400	2gA4122.exe	137
PID 6692 set thread context of 2796	6692	8su113Sp.exe	155
PID 5372 set thread context of 3416	5372	9is6Ix1.exe	160
PID 5968 set thread context of 5536	5968	C4A5.exe	184

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5880	sc.exe
5532	sc.exe
3216	sc.exe
3500	sc.exe
6472	sc.exe
2500	sc.exe
6392	sc.exe
6664	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6888	6660	WerFault.exe	137
4816	4840	WerFault.exe	222

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7LJ67kZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7LJ67kZ.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7LJ67kZ.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4464	msedge.exe
4464	msedge.exe
448	msedge.exe
448	msedge.exe
4204	msedge.exe
4204	msedge.exe
5196	msedge.exe
5196	msedge.exe
5464	msedge.exe
5464	msedge.exe
6776	7LJ67kZ.exe
6776	7LJ67kZ.exe
6540	identity_helper.exe
6540	identity_helper.exe
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found
3300	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
6776	7LJ67kZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeDebugPrivilege	4276	8ECE.exe
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeShutdownPrivilege	3300	Process not Found
Token: SeCreatePagefilePrivilege	3300	Process not Found
Token: SeDebugPrivilege	5968	C4A5.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
2628	1VD25ZK2.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5888	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 4600	3976	4a2a4495e21686e313a365c216dd539059ce14479990b904ef8c622e485780c6.exe	84
PID 3976 wrote to memory of 4600	3976	4a2a4495e21686e313a365c216dd539059ce14479990b904ef8c622e485780c6.exe	84
PID 3976 wrote to memory of 4600	3976	4a2a4495e21686e313a365c216dd539059ce14479990b904ef8c622e485780c6.exe	84
PID 4600 wrote to memory of 3448	4600	Sv8Bh13.exe	85
PID 4600 wrote to memory of 3448	4600	Sv8Bh13.exe	85
PID 4600 wrote to memory of 3448	4600	Sv8Bh13.exe	85
PID 3448 wrote to memory of 4816	3448	sI9nT55.exe	86
PID 3448 wrote to memory of 4816	3448	sI9nT55.exe	86
PID 3448 wrote to memory of 4816	3448	sI9nT55.exe	86
PID 4816 wrote to memory of 2628	4816	Ui0IB30.exe	87
PID 4816 wrote to memory of 2628	4816	Ui0IB30.exe	87
PID 4816 wrote to memory of 2628	4816	Ui0IB30.exe	87
PID 2628 wrote to memory of 1608	2628	1VD25ZK2.exe	89
PID 2628 wrote to memory of 1608	2628	1VD25ZK2.exe	89
PID 2628 wrote to memory of 4204	2628	1VD25ZK2.exe	91
PID 2628 wrote to memory of 4204	2628	1VD25ZK2.exe	91
PID 1608 wrote to memory of 5112	1608	msedge.exe	92
PID 1608 wrote to memory of 5112	1608	msedge.exe	92
PID 4204 wrote to memory of 1284	4204	msedge.exe	93
PID 4204 wrote to memory of 1284	4204	msedge.exe	93
PID 2628 wrote to memory of 3672	2628	1VD25ZK2.exe	94
PID 2628 wrote to memory of 3672	2628	1VD25ZK2.exe	94
PID 3672 wrote to memory of 2716	3672	msedge.exe	95
PID 3672 wrote to memory of 2716	3672	msedge.exe	95
PID 2628 wrote to memory of 1868	2628	1VD25ZK2.exe	96
PID 2628 wrote to memory of 1868	2628	1VD25ZK2.exe	96
PID 1868 wrote to memory of 4200	1868	msedge.exe	97
PID 1868 wrote to memory of 4200	1868	msedge.exe	97
PID 2628 wrote to memory of 408	2628	1VD25ZK2.exe	98
PID 2628 wrote to memory of 408	2628	1VD25ZK2.exe	98
PID 408 wrote to memory of 1456	408	msedge.exe	99
PID 408 wrote to memory of 1456	408	msedge.exe	99
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103
PID 4204 wrote to memory of 3436	4204	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\4a2a4495e21686e313a365c216dd539059ce14479990b904ef8c622e485780c6.exe
"C:\Users\Admin\AppData\Local\Temp\4a2a4495e21686e313a365c216dd539059ce14479990b904ef8c622e485780c6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sv8Bh13.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sv8Bh13.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sI9nT55.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sI9nT55.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ui0IB30.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ui0IB30.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1VD25ZK2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1VD25ZK2.exe
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fffdb5546f8,0x7fffdb554708,0x7fffdb554718
        7⤵
        
        PID:5112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,2188763712470678950,594498994968518103,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,2188763712470678950,594498994968518103,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
        7⤵
        
        PID:4284
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fffdb5546f8,0x7fffdb554708,0x7fffdb554718
        7⤵
        
        PID:1284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
        7⤵
        
        PID:3436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
        7⤵
        
        PID:4760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        7⤵
        
        PID:2364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        7⤵
        
        PID:2732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
        7⤵
        
        PID:5188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
        7⤵
        
        PID:5612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:1
        7⤵
        
        PID:5664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
        7⤵
        
        PID:5940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
        7⤵
        
        PID:5340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
        7⤵
        
        PID:5524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
        7⤵
        
        PID:4272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
        7⤵
        
        PID:6096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
        7⤵
        
        PID:5352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
        7⤵
        
        PID:5696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
        7⤵
        
        PID:6392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
        7⤵
        
        PID:6328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
        7⤵
        
        PID:6312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7540 /prefetch:8
        7⤵
        
        PID:6544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7540 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:1
        7⤵
        
        PID:6904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7692 /prefetch:1
        7⤵
        
        PID:7160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7660 /prefetch:1
        7⤵
        
        PID:4564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12900607906892228660,8014289247063467251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
        7⤵
        
        PID:7148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffdb5546f8,0x7fffdb554708,0x7fffdb554718
        7⤵
        
        PID:2716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,15213744554821476782,17005395787348850174,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fffdb5546f8,0x7fffdb554708,0x7fffdb554718
        7⤵
        
        PID:4200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,12955444981451234180,2695233837282957505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffdb5546f8,0x7fffdb554708,0x7fffdb554718
        7⤵
        
        PID:1456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,2500401709746511738,3343193149579574817,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
        7⤵
        
        PID:5132
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        6⤵
        
        PID:2540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffdb5546f8,0x7fffdb554708,0x7fffdb554718
        7⤵
        
        PID:4900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        6⤵
        
        PID:988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x70,0x78,0x80,0x74,0x84,0x7fffdb5546f8,0x7fffdb554708,0x7fffdb554718
        7⤵
        
        PID:232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        6⤵
        
        PID:5692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffdb5546f8,0x7fffdb554708,0x7fffdb554718
        7⤵
        
        PID:5788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        6⤵
        
        PID:3828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffdb5546f8,0x7fffdb554708,0x7fffdb554718
        7⤵
        
        PID:5128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        
        PID:6268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffdb5546f8,0x7fffdb554708,0x7fffdb554718
        7⤵
        
        PID:6296
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2gA4122.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2gA4122.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6400
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:6596
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6660 -s 200
        7⤵
        Program crash
        
        PID:6888
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7LJ67kZ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7LJ67kZ.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:6776
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8su113Sp.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8su113Sp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6692
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6544
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2796
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9is6Ix1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9is6Ix1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6660 -ip 6660
1⤵
PID:6864

C:\Users\Admin\AppData\Local\Temp\8ECE.exe
C:\Users\Admin\AppData\Local\Temp\8ECE.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdb5546f8,0x7fffdb554708,0x7fffdb554718
    3⤵
    PID:5624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,3456200145313380122,15071691766933674128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
    3⤵
    PID:4248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,3456200145313380122,15071691766933674128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    PID:1956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,3456200145313380122,15071691766933674128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
    3⤵
    PID:5464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,3456200145313380122,15071691766933674128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:3984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,3456200145313380122,15071691766933674128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2272 /prefetch:1
    3⤵
    PID:2632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,3456200145313380122,15071691766933674128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
    3⤵
    PID:1160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,3456200145313380122,15071691766933674128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
    3⤵
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,3456200145313380122,15071691766933674128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
    3⤵
    PID:7116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,3456200145313380122,15071691766933674128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
    3⤵
    PID:1332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,3456200145313380122,15071691766933674128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
    3⤵
    PID:6796
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,3456200145313380122,15071691766933674128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3344 /prefetch:8
    3⤵
    PID:5556
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,3456200145313380122,15071691766933674128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3344 /prefetch:8
    3⤵
    PID:6716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\BFA3.exe
C:\Users\Admin\AppData\Local\Temp\BFA3.exe
1⤵
PID:3216
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  - Executes dropped EXE
  PID:7096
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5888
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:6948
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  PID:5492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:5484
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:5768
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:6072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:6940
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2128
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1496
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:3504
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2204
- C:\Users\Admin\AppData\Local\Temp\forc.exe
  "C:\Users\Admin\AppData\Local\Temp\forc.exe"
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  - Executes dropped EXE
  PID:5776

C:\Users\Admin\AppData\Local\Temp\C4A5.exe
C:\Users\Admin\AppData\Local\Temp\C4A5.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5968
- C:\Users\Admin\AppData\Local\Temp\C4A5.exe
  C:\Users\Admin\AppData\Local\Temp\C4A5.exe
  2⤵
  - Executes dropped EXE
  PID:5536

C:\Users\Admin\AppData\Local\Temp\431D.exe
C:\Users\Admin\AppData\Local\Temp\431D.exe
1⤵
PID:5132
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
  2⤵
  PID:3356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5388

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
- Executes dropped EXE
PID:4348
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5880
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5532
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Executes dropped EXE
  - Launches sc.exe
  PID:3216
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:3500
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:6472

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:6488
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:6188
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:6680
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:992
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:1912

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:1308

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:5580

C:\Users\Admin\AppData\Local\Temp\B89C.exe
C:\Users\Admin\AppData\Local\Temp\B89C.exe
1⤵
PID:5760

C:\Users\Admin\AppData\Local\Temp\BB4C.exe
C:\Users\Admin\AppData\Local\Temp\BB4C.exe
1⤵
PID:4840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 784
  2⤵
  - Program crash
  PID:4816

C:\Users\Admin\AppData\Local\Temp\BCF3.exe
C:\Users\Admin\AppData\Local\Temp\BCF3.exe
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4840 -ip 4840
1⤵
PID:6328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:6628

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:5804
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2500
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6392
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8992ae6e99b277eea6fb99c4f267fa3f

SHA1
3715825c48f594068638351242fac7fdd77c1eb7

SHA256
525038333c02dff407d589fa407b493b7962543e205c587feceefbc870a08e3d

SHA512
a1f44fff4ea76358c7f2a909520527ec0bbc3ddcb722c5d1f874e03a0c4ac42dac386a49ccf72807ef2fa6ccc534490ad90de2f699b1e49f06f79157f251ab25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a5f595566f83e288991a95ff3747e1d7

SHA1
f3f4069819da237eea7e05a9caefb51d2a2df896

SHA256
50cecc4be2308132639e09216843eacc34bcde5d2cc88716a4355e3b3af643fe

SHA512
57f7ebeb715fa7205b463efa7844b1c58b0ccc681655970bd88aa5296dcc4579bb1edc8ee93dcb049275756c9e99469eee42498f84ced4996dc575b8a74ea003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2c356792d25953a353537ff99d8ff763

SHA1
795b5dca39e4408f832dfcd6142e2b8c3242686b

SHA256
aa4c2fc1c9e566ebec324eac5a10c22f8e186be43d34e78d18ddffd664647f02

SHA512
0b9529ed29de80d3e8f195370bc44ae691151fb8e25a821327809533523f09ca4c54a508eddd873430b64f688938287f70f3c8b9297038edaba9f2db94a7ecbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
33KB

MD5
fdbf5bcfbb02e2894a519454c232d32f

SHA1
5e225710e9560458ac032ab80e24d0f3cb81b87a

SHA256
d9315d0678ac213bbe2c1de27528f82fd40dbff160f5a0c19850f891da29ea1c

SHA512
9eb86ebb1b50074df9bd94f7660df6f362b5a46411b35ce820740f629f8ef77f0b49a95c5550441a7db2b2638f0ed3d0204cb8f8c76391c05401506833b8c916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
186KB

MD5
740a924b01c31c08ad37fe04d22af7c5

SHA1
34feb0face110afc3a7673e36d27eee2d4edbbff

SHA256
f0e1953b71cc4abbffdd5096d99dfb274688e517c381b15c3446c28a4ac416e0

SHA512
da7061f944c69245c2f66b0e6a8b5a9bca91bda8a73f99734dcb23db56c5047de796fa7e348ff8840d9ac123436e38a4206408573215b7e5e98942ea6d66bb7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
224KB

MD5
4e08109ee6888eeb2f5d6987513366bc

SHA1
86340f5fa46d1a73db2031d80699937878da635e

SHA256
bf44187e1683e78d3040bcef6263e25783c6936096ff0a621677d411dd9d1339

SHA512
4e477fd9e58676c0e00744dbe3421e528dd2faeca2ab998ebbeb349b35bb3711dcf78d8c9e7adba66b4d681d1982c31cac42024c8b19e19537a5615dac39c661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
df68ca2326df401d8966ca869c5080b8

SHA1
c53020d3ee713f2f06339c162a9fb653cdaac5fc

SHA256
b3e4acd0a8b2f5704e19c87585c856547b1b3425d26adb8016c0f2f4a353e1a0

SHA512
d5f4ba8d381f190d41db83d1a6d2a2e291093aa607bbd5aace53732e4e16d456b4b079a506457fa5daee3e80b1c68a2f0a0959ea710c2304a6a3d16c47b789b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b177815d929f499d3af51029e80951cf

SHA1
86943f83cd8d63b65fe9a3ef7688247f2ad95b2b

SHA256
2255a2856a7f6b0c51b6b0204c46a38a1a5a3d5eca190be1717f3ece351bc785

SHA512
1c5c5761e6ee3bedc1ca8cc3e2a4f7b4e217643d7ecea09cd00852638801b6f0bce551a00f0f2b95485481157c113d3c2d231926780fc21953a1049d252faa14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5d0dad1fe5c996f8da2964b1be0a2e4f

SHA1
82e13d5a9d4f6b76e373549a0aea2fd2d90f0187

SHA256
ac235010048cf9e1c946f0d11114c4e7384784d4eb0f4f3875ec53b7e5323704

SHA512
c5d2c7c073cf701327a6c90d4e5015b74e043e140b210bd00950b8a47a6948317c3aab6b6477c182b5136c048edfcc191b2ba49482f2d234eb2f7a79dba694da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1bd7f8eb853d9819a18df26ffe17a7f6

SHA1
314b2093ab78d428b2e5c9e123e9cfe5aede589e

SHA256
416990854ffd65e9db82a723cf6a7bc1001789b49953abfb9d33c03d5c4bfedc

SHA512
764b47dde49cc2c8dbe7e183c8430ea4cde09d1a07b1f5a55c830cf882afc46259b032ce8671f81b2c0925e6accd7e5ae6948d709c20191422f6754b66f5cf93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f1881400134252667af6731236741098

SHA1
6fbc4f34542d449afdb74c9cfd4a6d20e6cdc458

SHA256
d6fcec1880d69aaa0229f515403c1a5ac82787f442c37f1c0c96c82ec6c15b75

SHA512
18b9ac92c396a01b6662a4a8a21b995d456716b70144a136fced761fd0a84c99e8bd0afb9585625809b87332da75727b82a07b151560ea253a3b8c241b799450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ff0f0315410433b5a1a89da6d9a7b71d

SHA1
c4af8742a93852b1c6bee12eebff3c312b14a8a5

SHA256
bc0f7a453c8399869276801ef3c40e9a1c090213279afaab28034dd851479615

SHA512
b00f5eeaafa83168fe78354a79233391aa311838cd9b9050cd9c8a914a57f2e0c20220d582ebfce9911bbd3d0ebc79336ec12f212fb87b59dbb3978770177b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4ae4700fa77f2dfd4a86be2140656cf3

SHA1
5784741f0c7ea4fcaf6c26b61670fb8e618dd9b5

SHA256
3096369b24128e87e532fba3a18f953dc085d95118bd298dcd5d2e5dcbdfc084

SHA512
e4245d7347e0449acb897ebb47b62bc8807b685b395bf097de53d6e6ddba85e8ad98cbb0cf09b74a3d56daf64b61d04c79dccbfd3b95b447d653172bbd37c040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586107.TMP

Filesize
1KB

MD5
72526d0e3adaa2599657f958997e0dda

SHA1
c6b33198c95212ce4b875f7c5abd98bb9474edb5

SHA256
6dda1840b72c2a8d3387988c2cf913cf4f02a4bb9dd47964cad3cf515bbc7ca1

SHA512
9b19b9d6b4483cacb7f0daa22553006017158b9a455646965518a8275bdbab607112327243b7e99ef9aac4edbfceeaa867d31c172b58ad0151959e137d59f44e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
929a1f3b32c0f93a78f1b721f6a14ff1

SHA1
da74ed45ef0e868376cb11ee7d3336ff8d6fb814

SHA256
ebac6d7f594b398d24693bf52699615f9de3fa8bd10935fe801490e3b369eebe

SHA512
870520b68a479b4b709343d1bddcc58d7cc1059beec7f46fa2d9ef8464fa8eeea48e0fca05b81d16d0570e6c48a975935499389f3716d416445eb461940b95d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
929a1f3b32c0f93a78f1b721f6a14ff1

SHA1
da74ed45ef0e868376cb11ee7d3336ff8d6fb814

SHA256
ebac6d7f594b398d24693bf52699615f9de3fa8bd10935fe801490e3b369eebe

SHA512
870520b68a479b4b709343d1bddcc58d7cc1059beec7f46fa2d9ef8464fa8eeea48e0fca05b81d16d0570e6c48a975935499389f3716d416445eb461940b95d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
8a3e47ce51f6d7be13e2a64bd9b0a3dc

SHA1
6bfdaeeea8e51c9224c32ffd2731714df4293e12

SHA256
4a4b373b9be654277896e76d813c57e8e402056a3e8994118410f3783537d8a6

SHA512
2ffc91332ef50d87ff7545b4d6a6856acbb3024ea839b91dfefafee083c4a32f3e53cccbbd1387cc12ad73faeb2c067305d77a3ebbd83dcc26d4257bebd7a77e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
8a3e47ce51f6d7be13e2a64bd9b0a3dc

SHA1
6bfdaeeea8e51c9224c32ffd2731714df4293e12

SHA256
4a4b373b9be654277896e76d813c57e8e402056a3e8994118410f3783537d8a6

SHA512
2ffc91332ef50d87ff7545b4d6a6856acbb3024ea839b91dfefafee083c4a32f3e53cccbbd1387cc12ad73faeb2c067305d77a3ebbd83dcc26d4257bebd7a77e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
8a3e47ce51f6d7be13e2a64bd9b0a3dc

SHA1
6bfdaeeea8e51c9224c32ffd2731714df4293e12

SHA256
4a4b373b9be654277896e76d813c57e8e402056a3e8994118410f3783537d8a6

SHA512
2ffc91332ef50d87ff7545b4d6a6856acbb3024ea839b91dfefafee083c4a32f3e53cccbbd1387cc12ad73faeb2c067305d77a3ebbd83dcc26d4257bebd7a77e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
471134c5b2323a9fd2e043c8f197305a

SHA1
caa5a5e1800c9473e0f34073b8e587d79e168f34

SHA256
b07493206847c1680eb7b84aa9e7fa5e5ef71138f064821040043de5ac6971c0

SHA512
625fbe7be812f729b3d781a44d9205d8c6f602306bbb3981be327a72be154103bcaa109759c2d7d77e738bf9e0f09b23ad2f6632d8081c781759193f08a563c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
471134c5b2323a9fd2e043c8f197305a

SHA1
caa5a5e1800c9473e0f34073b8e587d79e168f34

SHA256
b07493206847c1680eb7b84aa9e7fa5e5ef71138f064821040043de5ac6971c0

SHA512
625fbe7be812f729b3d781a44d9205d8c6f602306bbb3981be327a72be154103bcaa109759c2d7d77e738bf9e0f09b23ad2f6632d8081c781759193f08a563c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
57f01b630adc404d0bd2fcb44b408975

SHA1
7bd764213b6ddea1bfbe9d439562b9d4f60ff201

SHA256
f449a81b6bd27a6628ab7611164ff67832c9b18e1c21fe099bcb404992343850

SHA512
52f73252735d3fca1e34cccde284fe3ac57716d2a08118bc8445e09811a45c795f92b0d2b06aaccd101b50ad006b02a5ad535902f9823d74f4a97fc696b9efd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
57f01b630adc404d0bd2fcb44b408975

SHA1
7bd764213b6ddea1bfbe9d439562b9d4f60ff201

SHA256
f449a81b6bd27a6628ab7611164ff67832c9b18e1c21fe099bcb404992343850

SHA512
52f73252735d3fca1e34cccde284fe3ac57716d2a08118bc8445e09811a45c795f92b0d2b06aaccd101b50ad006b02a5ad535902f9823d74f4a97fc696b9efd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
929a1f3b32c0f93a78f1b721f6a14ff1

SHA1
da74ed45ef0e868376cb11ee7d3336ff8d6fb814

SHA256
ebac6d7f594b398d24693bf52699615f9de3fa8bd10935fe801490e3b369eebe

SHA512
870520b68a479b4b709343d1bddcc58d7cc1059beec7f46fa2d9ef8464fa8eeea48e0fca05b81d16d0570e6c48a975935499389f3716d416445eb461940b95d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a8f17f1e59706641495c48d0302c0647

SHA1
29347422e17c6e6b300902fd83caf2d43636a969

SHA256
3f54766914a67c5a2e33b2e60c70076ef2de3f34b0d9d827a39df9e580623213

SHA512
cf0884b4816aba77a5a8bd7fa9d347ffbc629bd4d5d56221dcfc99528d6992bdec514becee3fc09afbf2a0abaed83b3d832055f30bbb92173cc9897a2480b905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
471134c5b2323a9fd2e043c8f197305a

SHA1
caa5a5e1800c9473e0f34073b8e587d79e168f34

SHA256
b07493206847c1680eb7b84aa9e7fa5e5ef71138f064821040043de5ac6971c0

SHA512
625fbe7be812f729b3d781a44d9205d8c6f602306bbb3981be327a72be154103bcaa109759c2d7d77e738bf9e0f09b23ad2f6632d8081c781759193f08a563c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
765ed9ebddf50dbb6ef1230056315c11

SHA1
68fe5de5f1073971ebd56d34f91ad7387b6c6d35

SHA256
4ce42a19394d83fb804143c4babb11008b8af66e45f0af5929dca97025352bf7

SHA512
7efb7fb64c6d436deefb8dfaa2ebd7ddc20a049186823268f912006dce5bee962ec81ebf7bd14246f48e6670a16d23335bd19e36d68974882caba604e0f2fafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
97841c7ffb7d013d7e1a0dcb065f228f

SHA1
d44a041717163007e72ec215253783daeddb86f4

SHA256
3c9d2600119b7e2577b9e09021eb9847e7831506bf3dfda3654b920e9c56b44b

SHA512
4255dadfc5e68926ccce9a7402e57acd861b41d525db1eacaf8e677691c4e80876260262f80d667ed5fb7cb4b9da62b9b5aa037d9d08923d3e1afae87447d233

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9is6Ix1.exe

Filesize
624KB

MD5
d01230c721026a8a570883d92efea455

SHA1
30fd323af765ae24a1e4539470d67dae84be4ab6

SHA256
c1943a59d0d0e1b991398c14ab2c157ef905cd3400f4591338988eead2798150

SHA512
852550b657697b7c27a548d8e9bacb5ed6fdc1b850df801e415b52e912628267bcc5b255524e4aa8eb0d3a15692e660239e8056796b2621a5875ef11e99d541f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9is6Ix1.exe

Filesize
624KB

MD5
d01230c721026a8a570883d92efea455

SHA1
30fd323af765ae24a1e4539470d67dae84be4ab6

SHA256
c1943a59d0d0e1b991398c14ab2c157ef905cd3400f4591338988eead2798150

SHA512
852550b657697b7c27a548d8e9bacb5ed6fdc1b850df801e415b52e912628267bcc5b255524e4aa8eb0d3a15692e660239e8056796b2621a5875ef11e99d541f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sv8Bh13.exe

Filesize
1002KB

MD5
e789fbf9758364b92fc7b26925970015

SHA1
f8815524278208c5f2d41b1599692db07cb67725

SHA256
d0980cb9de6ea466d244573e5ac346d3756c2f9cb8fd9ec51be9c3705ee2515d

SHA512
79d44a54fa81acb291f0906e2beaaade017f0481a63ce44ba8539eed43da474d1ba011196fe009b831fd37880e367eb6450d9894421e4ced0012448a4ae17ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sv8Bh13.exe

Filesize
1002KB

MD5
e789fbf9758364b92fc7b26925970015

SHA1
f8815524278208c5f2d41b1599692db07cb67725

SHA256
d0980cb9de6ea466d244573e5ac346d3756c2f9cb8fd9ec51be9c3705ee2515d

SHA512
79d44a54fa81acb291f0906e2beaaade017f0481a63ce44ba8539eed43da474d1ba011196fe009b831fd37880e367eb6450d9894421e4ced0012448a4ae17ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8su113Sp.exe

Filesize
315KB

MD5
0e00052c66f1d42d366fe1666e963944

SHA1
f75e460e324ac9f09890e896d4ff0f880b671a3b

SHA256
fe3fea8fd1fc3d128a564451799bddefa8a79e6b30a13a1226068617501f0a0e

SHA512
51a5057a8f19ec44c9ecfa72c06df738dd2f2561c7623ffd8d32441e3e5980e15827fdf0c47e28cf7d62b86bff6f859db27e62a8de71c986296c118b54e269b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8su113Sp.exe

Filesize
315KB

MD5
0e00052c66f1d42d366fe1666e963944

SHA1
f75e460e324ac9f09890e896d4ff0f880b671a3b

SHA256
fe3fea8fd1fc3d128a564451799bddefa8a79e6b30a13a1226068617501f0a0e

SHA512
51a5057a8f19ec44c9ecfa72c06df738dd2f2561c7623ffd8d32441e3e5980e15827fdf0c47e28cf7d62b86bff6f859db27e62a8de71c986296c118b54e269b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sI9nT55.exe

Filesize
782KB

MD5
18321aeedd7eea3324fa67b80a8ca9e6

SHA1
73c15db72f343734326fbddd29220e25e1164412

SHA256
6dfee0ced229f8ba731409a541e02ded7909f74951cd9d5f0aba8724dfbab9dd

SHA512
51362d16539308dd7d30706e059536e60cc18d0de020c1b10157368253ce1da9b3bdf05c4c8ddf8f277c7a313873ec86e1910ea51537c337ac890a3a65371294

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sI9nT55.exe

Filesize
782KB

MD5
18321aeedd7eea3324fa67b80a8ca9e6

SHA1
73c15db72f343734326fbddd29220e25e1164412

SHA256
6dfee0ced229f8ba731409a541e02ded7909f74951cd9d5f0aba8724dfbab9dd

SHA512
51362d16539308dd7d30706e059536e60cc18d0de020c1b10157368253ce1da9b3bdf05c4c8ddf8f277c7a313873ec86e1910ea51537c337ac890a3a65371294

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7LJ67kZ.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7LJ67kZ.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ui0IB30.exe

Filesize
657KB

MD5
53d640649a7698edb0f5329cb8acfd72

SHA1
5c73c667f2550d2f21e50824fa34add46847e00c

SHA256
4d919b07204f480429cc6326665d43e16311694b5c4d59200828282be8708adb

SHA512
d385e106ec92935b7159beba9605958c8344c33423ac7ff3a1da528a7b89a10236716ae2e998418dff85d0ea4de2f4365b687561d05f8ffa64fec6530a164e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ui0IB30.exe

Filesize
657KB

MD5
53d640649a7698edb0f5329cb8acfd72

SHA1
5c73c667f2550d2f21e50824fa34add46847e00c

SHA256
4d919b07204f480429cc6326665d43e16311694b5c4d59200828282be8708adb

SHA512
d385e106ec92935b7159beba9605958c8344c33423ac7ff3a1da528a7b89a10236716ae2e998418dff85d0ea4de2f4365b687561d05f8ffa64fec6530a164e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1VD25ZK2.exe

Filesize
895KB

MD5
bf38ecf5f22f3720a5512cdb8cd0b432

SHA1
915356e797911a3295e12043ff87c6d0b009ec67

SHA256
65c8fe4aa464d45a5b76ae4c3b393bbadcf540fdf8448bbf15f51c26e7264ae7

SHA512
341c04be5ca49f0546bcc95c8a124b6cf03efe5062f47faee921060c55d4bda427a975f219863d31c9742ea52d198897022ae10996eb21c6f1a55dad256527da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1VD25ZK2.exe

Filesize
895KB

MD5
bf38ecf5f22f3720a5512cdb8cd0b432

SHA1
915356e797911a3295e12043ff87c6d0b009ec67

SHA256
65c8fe4aa464d45a5b76ae4c3b393bbadcf540fdf8448bbf15f51c26e7264ae7

SHA512
341c04be5ca49f0546bcc95c8a124b6cf03efe5062f47faee921060c55d4bda427a975f219863d31c9742ea52d198897022ae10996eb21c6f1a55dad256527da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2gA4122.exe

Filesize
276KB

MD5
c243d7d012ceda4eaabaca2ce36e4747

SHA1
46ea049d41ab57df5a682af868312b7528d37bfd

SHA256
d9e54e7bc4b9850c056935db6f81421d7a3ee21191c0be94fe2ca783c457b828

SHA512
cad4b9b9c123bb6dad3f53c07fa78abba482c58ab50dd720f2c1ae82b3a1830036dd05c87ba40539bb99ab3d3bb03091eaaaf766256a70944b25f5be49133dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2gA4122.exe

Filesize
276KB

MD5
c243d7d012ceda4eaabaca2ce36e4747

SHA1
46ea049d41ab57df5a682af868312b7528d37bfd

SHA256
d9e54e7bc4b9850c056935db6f81421d7a3ee21191c0be94fe2ca783c457b828

SHA512
cad4b9b9c123bb6dad3f53c07fa78abba482c58ab50dd720f2c1ae82b3a1830036dd05c87ba40539bb99ab3d3bb03091eaaaf766256a70944b25f5be49133dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
bc3354a4cd405a2f2f98e8b343a7d08d

SHA1
4880d2a987354a3163461fddd2422e905976c5b2

SHA256
fffc160a4c555057143383fec606841cd2c319f79f52596e0d27322a677dca0b

SHA512
fe349af0497e2aa6933b1acfea9fecd2c1f16da009a06ac7d7f638353283da3ef04e9c3520d33bae6e15ea6190420a27be97f46e5553a538b661af226c241c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apyjsobt.553.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\forc.exe

Filesize
101KB

MD5
02d1af12b47621a72f44d2ae6bb70e37

SHA1
4e0cc70c068e55cd502d71851decb96080861101

SHA256
8d2a83ac263e56c2c058d84f67e23db8fe651b556423318f17389c2780351318

SHA512
ecf9114bbac62c81457f90a6d1c845901ece21e36ca602a79ba6c33f76a1117162175f0ace8ae6c2bdc9f962bd797ab9393316238adbc3b40a9b948d3c98582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB2A.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB3F.tmp

Filesize
92KB

MD5
2c49291f7cd253c173250751551fd2b5

SHA1
9d8a80c2a365675a63b5f50f63b72b76d625b1b1

SHA256
5766d76fbd9f797ab218de6c240dcae6f78066bc5812a99aeeed584fb0621f75

SHA512
de4a9ca73d663384264643be909726cb3393ea45779c888eb54bb3fbd2e36d8ad1c30260a16f1ced9fc5d8fe96dee761a655ff3764148b3e2678563417d6d933

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB8B.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEBA0.tmp

Filesize
20KB

MD5
a4953ad23a99e16db4245a6e92b1fa1a

SHA1
252b6b5da25526bf634b4aad82d87dcbc7151a57

SHA256
ab70e52067da24424bb6a587680c78c4b245feae23a3d6848860b1621163c6da

SHA512
6053618538f1f2a9f1a2404d83f53ae06f48c4a0b7e2be6df2ba1d181671fa243786e2872e323df581e7b3b93764443336ef4fc1741aaf326dfd4e88e4670080

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEBE0.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEC2A.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
220KB

MD5
b2915274886b13ea19bd82842f267402

SHA1
50bc51f291cc75914409f9df2e22b3bcac73637f

SHA256
619c6bacf7c2ecedf483d69ca541789b4ef356149f87a1f1863fef170af56006

SHA512
892a20f0307eb6093edc310cd68ef294904fdbc2ea8834db83e00758e5b3720fee5da1e1effb82483d335cfd9190fdee20c4257349970368bd554436f44c74e0

Download Submit
memory/1876-990-0x00000000003E0000-0x000000000060D000-memory.dmp

Filesize
2.2MB

Download
memory/1876-725-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1876-662-0x00000000003E0000-0x000000000060D000-memory.dmp

Filesize
2.2MB

Download
memory/2796-561-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/2796-319-0x0000000007840000-0x000000000784A000-memory.dmp

Filesize
40KB

Download
memory/2796-324-0x0000000007C00000-0x0000000007C4C000-memory.dmp

Filesize
304KB

Download
memory/2796-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2796-323-0x0000000007A80000-0x0000000007ABC000-memory.dmp

Filesize
240KB

Download
memory/2796-322-0x0000000007A20000-0x0000000007A32000-memory.dmp

Filesize
72KB

Download
memory/2796-573-0x00000000079B0000-0x00000000079C0000-memory.dmp

Filesize
64KB

Download
memory/2796-321-0x0000000007AF0000-0x0000000007BFA000-memory.dmp

Filesize
1.0MB

Download
memory/2796-308-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/2796-320-0x0000000008830000-0x0000000008E48000-memory.dmp

Filesize
6.1MB

Download
memory/2796-309-0x0000000007C60000-0x0000000008204000-memory.dmp

Filesize
5.6MB

Download
memory/2796-310-0x0000000007790000-0x0000000007822000-memory.dmp

Filesize
584KB

Download
memory/2796-318-0x00000000079B0000-0x00000000079C0000-memory.dmp

Filesize
64KB

Download
memory/3216-677-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/3216-611-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/3216-612-0x0000000000520000-0x00000000011BE000-memory.dmp

Filesize
12.6MB

Download
memory/3300-293-0x0000000003000000-0x0000000003016000-memory.dmp

Filesize
88KB

Download
memory/3416-325-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3416-329-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3416-328-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3416-331-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4276-562-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/4276-578-0x0000000009980000-0x0000000009B42000-memory.dmp

Filesize
1.8MB

Download
memory/4276-606-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/4276-577-0x0000000008B90000-0x0000000008BE0000-memory.dmp

Filesize
320KB

Download
memory/4276-576-0x0000000008B00000-0x0000000008B1E000-memory.dmp

Filesize
120KB

Download
memory/4276-574-0x0000000008A30000-0x0000000008AA6000-memory.dmp

Filesize
472KB

Download
memory/4276-557-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4276-560-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/4276-555-0x0000000000470000-0x00000000004CA000-memory.dmp

Filesize
360KB

Download
memory/4276-563-0x0000000008100000-0x0000000008166000-memory.dmp

Filesize
408KB

Download
memory/4276-579-0x0000000009B50000-0x000000000A07C000-memory.dmp

Filesize
5.2MB

Download
memory/4348-905-0x0000000001FF0000-0x0000000001FF9000-memory.dmp

Filesize
36KB

Download
memory/4348-903-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/5388-1601-0x00007FFFCBAB0000-0x00007FFFCC571000-memory.dmp

Filesize
10.8MB

Download
memory/5388-1602-0x0000024938C30000-0x0000024938C40000-memory.dmp

Filesize
64KB

Download
memory/5484-1505-0x0000000005000000-0x0000000005628000-memory.dmp

Filesize
6.2MB

Download
memory/5484-1498-0x00000000022B0000-0x00000000022E6000-memory.dmp

Filesize
216KB

Download
memory/5484-1510-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/5484-1512-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/5484-1517-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/5484-1527-0x0000000004D10000-0x0000000004D32000-memory.dmp

Filesize
136KB

Download
memory/5484-1531-0x0000000004ED0000-0x0000000004F36000-memory.dmp

Filesize
408KB

Download
memory/5484-1546-0x00000000057A0000-0x0000000005AF4000-memory.dmp

Filesize
3.3MB

Download
memory/5484-1565-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/5484-1597-0x00000000061A0000-0x00000000061E4000-memory.dmp

Filesize
272KB

Download
memory/5492-955-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5492-951-0x0000000002DB0000-0x000000000369B000-memory.dmp

Filesize
8.9MB

Download
memory/5492-947-0x00000000029B0000-0x0000000002DA9000-memory.dmp

Filesize
4.0MB

Download
memory/5536-664-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-661-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-706-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-708-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-710-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-712-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-714-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-716-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-718-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-720-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-722-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-724-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-728-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-693-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-689-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-687-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-685-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-648-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5536-683-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-658-0x00007FFFCBAB0000-0x00007FFFCC571000-memory.dmp

Filesize
10.8MB

Download
memory/5536-675-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-651-0x000002A6E68E0000-0x000002A6E69C4000-memory.dmp

Filesize
912KB

Download
memory/5536-672-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-704-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-1507-0x000002A6CE1E0000-0x000002A6CE1F0000-memory.dmp

Filesize
64KB

Download
memory/5536-660-0x000002A6CE1E0000-0x000002A6CE1F0000-memory.dmp

Filesize
64KB

Download
memory/5536-669-0x000002A6E68E0000-0x000002A6E69C0000-memory.dmp

Filesize
896KB

Download
memory/5536-1502-0x00007FFFCBAB0000-0x00007FFFCC571000-memory.dmp

Filesize
10.8MB

Download
memory/5888-647-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/5888-1488-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/5968-627-0x0000023E23900000-0x0000023E23910000-memory.dmp

Filesize
64KB

Download
memory/5968-631-0x0000023E3C380000-0x0000023E3C448000-memory.dmp

Filesize
800KB

Download
memory/5968-626-0x00007FFFCBAB0000-0x00007FFFCC571000-memory.dmp

Filesize
10.8MB

Download
memory/5968-620-0x0000023E21C30000-0x0000023E21D90000-memory.dmp

Filesize
1.4MB

Download
memory/5968-629-0x0000023E3C2A0000-0x0000023E3C380000-memory.dmp

Filesize
896KB

Download
memory/5968-625-0x0000023E23960000-0x0000023E23A46000-memory.dmp

Filesize
920KB

Download
memory/5968-657-0x00007FFFCBAB0000-0x00007FFFCC571000-memory.dmp

Filesize
10.8MB

Download
memory/5968-633-0x0000023E3C620000-0x0000023E3C66C000-memory.dmp

Filesize
304KB

Download
memory/5968-632-0x0000023E3C550000-0x0000023E3C618000-memory.dmp

Filesize
800KB

Download
memory/6660-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6660-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6660-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6660-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6776-294-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6776-227-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6948-1088-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6948-909-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download