djvu | fd69bb9c704200cf842d1622c32a9a1e8b60300aa120aabef2ef7ac7a7286eed

Analysis

max time kernel
39s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2023 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202ba429ba5a71165050dc8e8bb14297.exe
Size

284KB
MD5

202ba429ba5a71165050dc8e8bb14297
SHA1

7f180aa21f4fd88012702670f3eefbcfdaf4f086
SHA256

fd69bb9c704200cf842d1622c32a9a1e8b60300aa120aabef2ef7ac7a7286eed
SHA512

8d625f4bdec8f322e9b804b1f783f3587c4f27d028cd77e4a7a407125b5efde3855f1c0a27c9691e47c7247b36ad82e8c1b371c1ddce178aee576f02c14cfac0
SSDEEP

3072:SJtDTawEkLzSwndQwuSxnsLWxWIRSFQgQ59uHO8FrS:8ZawEkHS2QwuSxsSwWSF6nK

Score

10^/10

djvu lumma redline smokeloader zgrat 666 @ytlogsbot livetraffic up3 backdoor discovery evasion infostealer ransomware rat stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.loqw
offline_id
NrqpaQRhQqq5l2tBPp1QS34I3ME2IKsAlZ0A9pt1
payload_url
http://brusuax.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-MhbiRFXgXD Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0838ASdw

rsa_pubkey.plain

Extracted

Family

redline

Botnet

@ytlogsbot

195.20.16.190:45294

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

666

195.20.16.103:18305

Extracted

Family

redline

Botnet

LiveTraffic

77.105.132.87:22221

Extracted

Family

lumma

http://attachmentartikidw.fun/api

Signatures

Detect Lumma Stealer payload V4 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/6268-756-0x0000000002500000-0x000000000257E000-memory.dmp	family_lumma_v4
behavioral2/memory/6268-772-0x0000000002500000-0x000000000257E000-memory.dmp	family_lumma_v4

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5008-598-0x0000000000B70000-0x000000000100E000-memory.dmp	family_zgrat_v1

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5044-30-0x0000000005190000-0x00000000052AB000-memory.dmp	family_djvu
behavioral2/memory/4260-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4260-32-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4260-31-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4260-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4260-42-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4804-51-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4804-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4804-48-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe	family_redline
behavioral2/memory/2776-90-0x0000000000F10000-0x0000000000F62000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe	family_redline
behavioral2/memory/5912-623-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral2/memory/4336-777-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

1336 netsh.exe
Deletes itself 1 IoCs

Processes:

pid process

3412
Executes dropped EXE 2 IoCs

Processes:

DA64.exeDA64.exe

pid process

5044 DA64.exe
4260 DA64.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2936 icacls.exe

pid	process
1336	netsh.exe

pid	process
3412

pid	process
5044	DA64.exe
4260	DA64.exe

pid	process
2936	icacls.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/6912-296-0x0000000000B60000-0x000000000123A000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4lc965Gr.exe	themida
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe	themida
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4lc965Gr.exe	themida
behavioral2/memory/6912-589-0x0000000000B60000-0x000000000123A000-memory.dmp	themida

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

64 api.2ip.ua
65 api.2ip.ua

flow	ioc
64	api.2ip.ua
65	api.2ip.ua

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1LH65Zv2.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1LH65Zv2.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

202ba429ba5a71165050dc8e8bb14297.exeDA64.exe

description	pid	process	target process
PID 3580 set thread context of 3764	3580	202ba429ba5a71165050dc8e8bb14297.exe	202ba429ba5a71165050dc8e8bb14297.exe
PID 5044 set thread context of 4260	5044	DA64.exe	DA64.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5264 sc.exe

pid	process
5264	sc.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3992	3764	WerFault.exe	202ba429ba5a71165050dc8e8bb14297.exe
3616	4804	WerFault.exe
5140	6912	WerFault.exe	4lc965Gr.exe
5796	7532	WerFault.exe	C819.exe
5900	5420	WerFault.exe	toolspub2.exe
1940	1320	WerFault.exe	InstallSetup9.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

202ba429ba5a71165050dc8e8bb14297.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	202ba429ba5a71165050dc8e8bb14297.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	202ba429ba5a71165050dc8e8bb14297.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	202ba429ba5a71165050dc8e8bb14297.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1924 schtasks.exe
7212 schtasks.exe
6740 schtasks.exe
7216 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

6032 tasklist.exe

pid	process
1924	schtasks.exe
7212	schtasks.exe
6740	schtasks.exe
7216	schtasks.exe

pid	process
6032	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

202ba429ba5a71165050dc8e8bb14297.exe

pid	process
3764	202ba429ba5a71165050dc8e8bb14297.exe
3764	202ba429ba5a71165050dc8e8bb14297.exe
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

202ba429ba5a71165050dc8e8bb14297.exe

pid process

3764 202ba429ba5a71165050dc8e8bb14297.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

202ba429ba5a71165050dc8e8bb14297.execmd.execmd.exeDA64.exe

description	pid	process	target process
PID 3580 wrote to memory of 3764	3580	202ba429ba5a71165050dc8e8bb14297.exe	202ba429ba5a71165050dc8e8bb14297.exe
PID 3580 wrote to memory of 3764	3580	202ba429ba5a71165050dc8e8bb14297.exe	202ba429ba5a71165050dc8e8bb14297.exe
PID 3580 wrote to memory of 3764	3580	202ba429ba5a71165050dc8e8bb14297.exe	202ba429ba5a71165050dc8e8bb14297.exe
PID 3580 wrote to memory of 3764	3580	202ba429ba5a71165050dc8e8bb14297.exe	202ba429ba5a71165050dc8e8bb14297.exe
PID 3580 wrote to memory of 3764	3580	202ba429ba5a71165050dc8e8bb14297.exe	202ba429ba5a71165050dc8e8bb14297.exe
PID 3580 wrote to memory of 3764	3580	202ba429ba5a71165050dc8e8bb14297.exe	202ba429ba5a71165050dc8e8bb14297.exe
PID 3412 wrote to memory of 1756	3412		cmd.exe
PID 3412 wrote to memory of 1756	3412		cmd.exe
PID 1756 wrote to memory of 4940	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 4940	1756	cmd.exe	reg.exe
PID 3412 wrote to memory of 4636	3412		cmd.exe
PID 3412 wrote to memory of 4636	3412		cmd.exe
PID 4636 wrote to memory of 1612	4636	cmd.exe	reg.exe
PID 4636 wrote to memory of 1612	4636	cmd.exe	reg.exe
PID 3412 wrote to memory of 5044	3412		DA64.exe
PID 3412 wrote to memory of 5044	3412		DA64.exe
PID 3412 wrote to memory of 5044	3412		DA64.exe
PID 5044 wrote to memory of 4260	5044	DA64.exe	DA64.exe
PID 5044 wrote to memory of 4260	5044	DA64.exe	DA64.exe
PID 5044 wrote to memory of 4260	5044	DA64.exe	DA64.exe
PID 5044 wrote to memory of 4260	5044	DA64.exe	DA64.exe
PID 5044 wrote to memory of 4260	5044	DA64.exe	DA64.exe
PID 5044 wrote to memory of 4260	5044	DA64.exe	DA64.exe
PID 5044 wrote to memory of 4260	5044	DA64.exe	DA64.exe
PID 5044 wrote to memory of 4260	5044	DA64.exe	DA64.exe
PID 5044 wrote to memory of 4260	5044	DA64.exe	DA64.exe
PID 5044 wrote to memory of 4260	5044	DA64.exe	DA64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\202ba429ba5a71165050dc8e8bb14297.exe
"C:\Users\Admin\AppData\Local\Temp\202ba429ba5a71165050dc8e8bb14297.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3580

C:\Users\Admin\AppData\Local\Temp\202ba429ba5a71165050dc8e8bb14297.exe
"C:\Users\Admin\AppData\Local\Temp\202ba429ba5a71165050dc8e8bb14297.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 328
3⤵
- Program crash
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3764 -ip 3764
1⤵
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\97DB.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4940

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
1⤵
PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9A1E.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\DA64.exe
C:\Users\Admin\AppData\Local\Temp\DA64.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\DA64.exe
C:\Users\Admin\AppData\Local\Temp\DA64.exe
2⤵
- Executes dropped EXE
PID:4260

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\2dc9251c-72fe-43c1-8323-ae18a71cbbf8" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2936

C:\Users\Admin\AppData\Local\Temp\DA64.exe
"C:\Users\Admin\AppData\Local\Temp\DA64.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\DA64.exe
"C:\Users\Admin\AppData\Local\Temp\DA64.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4804 -ip 4804
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 244
1⤵
- Program crash
PID:3616

C:\Users\Admin\AppData\Local\Temp\EBF9.exe
C:\Users\Admin\AppData\Local\Temp\EBF9.exe
1⤵
PID:3356

C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe"
2⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:7472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12974968101181173855,17795728837125085551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
4⤵
PID:7808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12974968101181173855,17795728837125085551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
4⤵
PID:7800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,12974968101181173855,17795728837125085551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
4⤵
PID:7760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,12974968101181173855,17795728837125085551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
4⤵
PID:7752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,12974968101181173855,17795728837125085551,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
4⤵
PID:7744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12974968101181173855,17795728837125085551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
4⤵
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12974968101181173855,17795728837125085551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
4⤵
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,12974968101181173855,17795728837125085551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3204 /prefetch:8
4⤵
PID:7908

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,12974968101181173855,17795728837125085551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3204 /prefetch:8
4⤵
PID:7356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12974968101181173855,17795728837125085551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
4⤵
PID:8068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12974968101181173855,17795728837125085551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
4⤵
PID:8072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12974968101181173855,17795728837125085551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
4⤵
PID:7312

C:\Users\Admin\AppData\Roaming\configurationValue\UNION1.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\UNION1.exe"
2⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "AppLaunch.exe"
2⤵
PID:6196

C:\Users\Admin\AppData\Local\Temp\F64B.exe
C:\Users\Admin\AppData\Local\Temp\F64B.exe
1⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yF7SP58.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yF7SP58.exe
2⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pd6cT16.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pd6cT16.exe
3⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4lc965Gr.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4lc965Gr.exe
4⤵
PID:6912

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
5⤵
PID:7100

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:1924

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
5⤵
PID:964

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:7212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 3052
5⤵
- Program crash
PID:5140

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6yq2TN9.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6yq2TN9.exe
3⤵
PID:5556

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7fH8zt94.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7fH8zt94.exe
2⤵
PID:5008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
3⤵
PID:5912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:6324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1812,10399379843793951938,14110058327726939527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
5⤵
PID:5724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1812,10399379843793951938,14110058327726939527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2560 /prefetch:3
5⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1812,10399379843793951938,14110058327726939527,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
5⤵
PID:1692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10399379843793951938,14110058327726939527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
5⤵
PID:7996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10399379843793951938,14110058327726939527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
5⤵
PID:7984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10399379843793951938,14110058327726939527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
5⤵
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10399379843793951938,14110058327726939527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
5⤵
PID:5976

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1812,10399379843793951938,14110058327726939527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
5⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1812,10399379843793951938,14110058327726939527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
5⤵
PID:6960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10399379843793951938,14110058327726939527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
5⤵
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10399379843793951938,14110058327726939527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
5⤵
PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10399379843793951938,14110058327726939527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
5⤵
PID:8184

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1LH65Zv2.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1LH65Zv2.exe
1⤵
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
3⤵
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
3⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
3⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2400 /prefetch:1
3⤵
PID:5828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
3⤵
PID:6600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
3⤵
PID:6924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
3⤵
PID:7132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
3⤵
PID:6340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
3⤵
PID:6236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
3⤵
PID:6780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5264 /prefetch:8
3⤵
PID:6872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6736 /prefetch:8
3⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
3⤵
PID:6496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
3⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
3⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
3⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
3⤵
PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,15327441056599016663,743015185669758941,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
3⤵
PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
2⤵
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
3⤵
PID:3436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,6009221759583444753,4169674738277763034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
3⤵
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6009221759583444753,4169674738277763034,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
3⤵
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
2⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
3⤵
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,9630070577777040925,11866417969431366755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
3⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,9630070577777040925,11866417969431366755,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
3⤵
PID:5596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
2⤵
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
3⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,2852429251616483366,16364434441794020078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3
3⤵
PID:6220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
2⤵
PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
3⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
2⤵
PID:5720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
3⤵
PID:6212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login
2⤵
PID:6628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
3⤵
PID:6720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
2⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
2⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
1⤵
PID:4460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
2⤵
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,11606501212786721112,9871599017244754538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
1⤵
PID:5256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
1⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
1⤵
PID:7484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7216

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:7024

C:\Users\Admin\AppData\Local\Temp\418D.exe
C:\Users\Admin\AppData\Local\Temp\418D.exe
1⤵
PID:7332

C:\Users\Admin\AppData\Local\Temp\onefile_7332_133476129535980533\stub.exe
C:\Users\Admin\AppData\Local\Temp\418D.exe
2⤵
PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:6560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
3⤵
PID:7120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:5264

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6032

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
1⤵
PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6912 -ip 6912
1⤵
PID:7348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\B19E.exe
C:\Users\Admin\AppData\Local\Temp\B19E.exe
1⤵
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:7696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:7672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,2389280734892506222,17780473966961413614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
4⤵
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,2389280734892506222,17780473966961413614,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
4⤵
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,2389280734892506222,17780473966961413614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
4⤵
PID:7720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,2389280734892506222,17780473966961413614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
4⤵
PID:996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,2389280734892506222,17780473966961413614,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
4⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\BBD0.exe
C:\Users\Admin\AppData\Local\Temp\BBD0.exe
1⤵
PID:6112

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
2⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 984
3⤵
- Program crash
PID:1940

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 328
4⤵
- Program crash
PID:5900

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
PID:6540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:7388

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
PID:6612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:7852

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:7568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:5656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:6392

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:5932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:7916

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:6740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:7028

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:8156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:6184

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:2068

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:7216

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
PID:5736

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:7236

C:\Users\Admin\AppData\Local\Temp\etopt.exe
"C:\Users\Admin\AppData\Local\Temp\etopt.exe"
2⤵
PID:6588

C:\Users\Admin\AppData\Local\Temp\BEA0.exe
C:\Users\Admin\AppData\Local\Temp\BEA0.exe
1⤵
PID:6036

C:\Users\Admin\AppData\Local\Temp\C17F.exe
C:\Users\Admin\AppData\Local\Temp\C17F.exe
1⤵
PID:6268

C:\Users\Admin\AppData\Local\Temp\C401.exe
C:\Users\Admin\AppData\Local\Temp\C401.exe
1⤵
PID:6692

C:\Users\Admin\AppData\Local\Temp\C819.exe
C:\Users\Admin\AppData\Local\Temp\C819.exe
1⤵
PID:7532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,6370126626366082622,4200089303753866118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
4⤵
PID:348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,6370126626366082622,4200089303753866118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
4⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,6370126626366082622,4200089303753866118,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
4⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6370126626366082622,4200089303753866118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
4⤵
PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6370126626366082622,4200089303753866118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
4⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7532 -s 876
2⤵
- Program crash
PID:5796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7532 -ip 7532
1⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\CC11.exe
C:\Users\Admin\AppData\Local\Temp\CC11.exe
1⤵
PID:6432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
2⤵
PID:7524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,3020400391275746778,17200860211534951296,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
3⤵
PID:7420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,3020400391275746778,17200860211534951296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
3⤵
PID:5668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,3020400391275746778,17200860211534951296,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
3⤵
PID:7324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3020400391275746778,17200860211534951296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
3⤵
PID:6796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3020400391275746778,17200860211534951296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
3⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3020400391275746778,17200860211534951296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
3⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3020400391275746778,17200860211534951296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
3⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,3020400391275746778,17200860211534951296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 /prefetch:8
3⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,3020400391275746778,17200860211534951296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 /prefetch:8
3⤵
PID:7712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3020400391275746778,17200860211534951296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
3⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3020400391275746778,17200860211534951296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
3⤵
PID:6856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3020400391275746778,17200860211534951296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
3⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5420 -ip 5420
1⤵
PID:428

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
1⤵
PID:208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
1⤵
PID:4632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecb3546f8,0x7ffecb354708,0x7ffecb354718
1⤵
PID:7852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2408

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:6032

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1320 -ip 1320
1⤵
PID:7952

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
7c2a77e778dcb9c8a7b5172c01f8edac

SHA1
0f4b9333e40c3810e9789426d3d35c69afbc6770

SHA256
583940ddd6ef99fefe71d77141cd398625ceb5cbd62eef02a3ba29b9d167ab5b

SHA512
dc5918ec931959a5df5412777d6e00f3ab6c751a40809a7eaf8b39f61c90376cdb75dfc34ce1ba68db5d6b87f0038fe11a58d30b55b70a20dcaef7fd7c5fcc9e

Download Submit
C:\Users\Admin\AppData\Local\2dc9251c-72fe-43c1-8323-ae18a71cbbf8\DA64.exe
Filesize
76KB

MD5
57f8cd28ae6894c8e824f450cb5634aa

SHA1
19306524828fa29eba01a2153b454eaeba643346

SHA256
ecfffd1ca044281fb0aa1b3eaf3b1505989575f3a52cdfeec7ac5c2655b36918

SHA512
f52b0bbc7ec7f391b6a3d9b7148865c02452f2ebee796511a459bcfe646b3ed4f1d5e484687eff7d37cc1ad7d861e973672dcba6520e333aaef71cd03977f602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a57cb6ac4537c6701c0a83e024364f8a

SHA1
97346a9182b087f8189e79f50756d41cd615aa08

SHA256
fe6ad41335afdcf3f5ff3e94830818f70796174b5201c9ee94f236335098eff8

SHA512
8d59de8b0378f4d0619c4a267585d6bfd8c9276919d98c444f1dbb8dec0fab09b767e87db972244726af904df3e9decbff5f3bb5c4c06a9e2536f4c1874cd2f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5e77545b7e1c504b2f5ce7c5cc2ce1fe

SHA1
d81a6af13cf31fa410b85471e4509124ebeaff7e

SHA256
cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11

SHA512
cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f41f5fd667c6e12ab1be1db071ca8578

SHA1
feb36538f9a759929af7fb4d1c306cc48aaa463b

SHA256
69465ecf167184b1f8232be378d2ce1552a45d9d8eca0f49990fbac332facdee

SHA512
ac20ab362c1029eb791d54e098b3716ab7903b82b7d5c5b7cb13aea1b8b79a4cf53d471cb3f3b7ac4de49c8962ef356b87f764cf49a87a363e4e2617756fc063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3182163fe4521fe84c366d2b715a95b1

SHA1
72f4dfa6906ccffc450925ed521dfb21d1aabee1

SHA256
32c9eb1ac0270fc13228786ad6ee434c108af2f3921a3de15ba6e84d31adc87f

SHA512
e141b8953461b69e94524edcaf270b9412f2c4b6443efb738d2b65e48d57a6c9fdbf711a3c35b9d3e6b1ca7475a74770ae73911c39f5edf8c7ced1f9db2e3ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ad82a02d5885903de12066d16becde9a

SHA1
e84194b6e024d72788cf9ad584945fae1febba7b

SHA256
421a6d0a65f3bad4f1530a1997e849137427c0f9a304c4551f06f9233e0aea63

SHA512
90bd02d5bcbb719b671da2f6d2b5bb2ac4db0cff3549547907601fbd69e84804cbe77063265cc498f35e19f2c791ce04a1072e1d89a49cad7056b6f2507559ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
14e5ea5429feb535aa7eb79fd09223b7

SHA1
3cfbb1d2990106c4ae9085404ee6bfbcf44ab180

SHA256
86bfda8a38f8fc97358149e625a6f3d0cdae7a53cda6430276ce3d1f680909cd

SHA512
ee40f5eba816185c45c2b845eb9e5c3cdabc35a4a2ddcc0668b2f4437967ac86979819b7caeeb4d2d619fd0011c81bf813e2483ac6b9e110aa9256f7e4243d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\441970b4-51d2-41fd-830a-b6430e92ecee.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6c00c833ea7d9f5d983f72a33e026a88

SHA1
b01b1934b619cc3982c13759881c616fee28bb42

SHA256
56f4138496eef8314adc85fa00a7dc7c616d0b213ce7500899f1535e066dcb66

SHA512
fd60c1f2fd1bc2e64c1266c04124fa62c611c9b73cc78e8fec3cb3d0bee9ea9b766ca79308efc1e1622118b31cffb0569dc570da9c3237703e3cde4f31ef626e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
13a43f28d14b5e2ee27155ab4bc33b8f

SHA1
ae103ba913c65d8bc7f513df8a9f038bf29b2bb9

SHA256
41444abb2f79774c8bd76cc1f29e7d055749068a4a34ec47879804284a58398e

SHA512
6639884b944aba179d71e0b6b6ba85c94e75b68e27c264ef918b98c9d195a960f724ca14d6aa32ab9011714b9dcb2fb55ed87d5c9da5794dfdc89183710f27de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
fe3e4fc2726cde8f4c7da2e72777d841

SHA1
43315b597f914a3a2ee52847d929bfc67b2c019d

SHA256
bb2f6d96edd85f9302197bb790bee488f73c872238216a1f4719225d58be883b

SHA512
0eff476f6cee8e49127aefff3b664767b04976463f3e58de0fc94dcfebe30d6ceae6a228c92ffea35aabb46b7b9cb293a44924474efd39153838c8f41cf05232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
29c70fbc109b9d636a30ed2f46d0e721

SHA1
0f40b4fca1f7f48f818422b8dc8a8967f1720b45

SHA256
12038042661e0e72f2380e2cbfbe683625631908942108a2a7e4666bc735f2c7

SHA512
d71d8c8550330ec47977dd5d225c09b42fc29619cb235adb201dc155f5318538cb1baa03878245b4b5c35805a003bfe3691f8375e5e79a8332ac2ea72cf51902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e5111df7c2cadb6776057b987d7de55f

SHA1
3a76a098e73baba3b3925d34e82ff1b8f9032920

SHA256
17a4342b0494bf3b98dccff8807798dd23ca36c9988ea7d073c65b23587362ad

SHA512
74f9228fe45e041d7d8048af2aa476f645d2e0fb6a18e39b43ac9cc1023f92a50575ee8f23816bd2bcf444edf7f523090a6914243950db7df3072a04a9e95e58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c9285b70a52bedd5dcb84bbbbb799bee

SHA1
b89d1b3854767be5288cffaa8d115bdc57fd59d5

SHA256
57dde36fbbd3c55bf96c4eb62c654c882045d5162f47ec23c54718b317780bdd

SHA512
17b9e9f5267b93386d75b12efddb1c42c9482ac12daf7d57751ab21109676ef7f6d90eecb3ab5acbb83dbd40e170cb24f3d902546c953dbccf1210588819fc93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
39eea231ec1e52d978808910679e3731

SHA1
26c0193a4cc57da202c6455a3ab03146d6542246

SHA256
3e0eebdd8cb48034c31f312e2a6ef4746edb3a7c01ce9f1905f158130c69777a

SHA512
d6a9717ecb9c2e0aeed33fc6dfb84b91a28cfde72992f3f36ed35e7a7cc86d65c3831f1aafef7446ad05cb631d05f6269520b218e962213e79c67185c563046d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ea3c7cd7a2baf77ca170794233fbfb54

SHA1
5b1f054f440cfe6d11554e41f61681e3fa9a9bf9

SHA256
0ed00e3c9750fa2a1814a57e636009385c1159d453ef3293fbe539c28dc8c7ec

SHA512
f2f0e38aa3afcb6173e92dd809888d76419bb3f956fab96b94af3e734af23f269eefd50ed02933d7204558e8284f8c2ad65b0fb414494ff3bc09cd35e89a6e6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
04414f339a007ab0dd7de101f7c39912

SHA1
649c9b66c7cf69ce40be4be182f43ffeb4b0b387

SHA256
667a5f2f7a8c2b556d7a9b29809cc06137409b7299d4941e8df9fb0758faf851

SHA512
94e4e7906a1cb43da697663f47445061a2230b9796776382edc1e49da431d30d2751dadf492245d7148125813c1811ecbc75d00274166f999f53cfa89397ea6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
6db2d2ceb22a030bd1caa72b32cfbf98

SHA1
fe50f35e60f88624a28b93b8a76be1377957618b

SHA256
7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4

SHA512
d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
2525b2d75e522662e0bcaf21a00f9562

SHA1
ea475b3df6bd5d97368740c933f04096cb9221de

SHA256
cda55e66c4d33cd09fc926aded38615ca91c8dd3c18f49d0e160d2cc6e585baa

SHA512
cbba7ba53db71df53cebacddd5de3f755b27a2a397ace22d140718d39e4cbc7951e77a6626b488247b9f16eb4a4bc1ccab80c224a3b016df883d0a8e74975964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
64e4173e2dfe7dbfe173c1b3093f4685

SHA1
be58dcfec4e7ad8c3a2547eaaf52cffbcb10d02c

SHA256
4bb898a1f92f29e7a9fa8bfc3ec37be0dd5eda226d67b0d1625804744748da08

SHA512
5dca4af36d06145f12945d24536e88aa75075dd66e0d5409a1a83488f94e047593fd4e9697059394867ff449c59a2ae332d35d6540e2ffd3a5b6ac3153414880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
91ebeab507737e307cbe3187e646864b

SHA1
cebb25b2d974e20691b3cc0a7aa89195e95de75a

SHA256
f32c3b40a4f4c20309f92a48c8670587b956ebf4602cd2017af842d6c3ea24fc

SHA512
b73a5de6912f226642efb8f967fa2c164aa1d50967a6096cb23eede59d5546f25442ab955be235aa912cc37a2f5a8da67ab81aea6868d8e26808c6624d3b4ce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
8dd44c6ec41913e811fc7a87ee5e3289

SHA1
5613069e9146f2b1a2214a64ce7943538394818a

SHA256
e0dd07bd6aa9b0756d00622e042adc1e1a88aa5725f3507911ad38b0bf6d6ad6

SHA512
ac61834e06bec687dbe71cd8a0ed9dd74fe2e1f6c70424737daf1ecd612e6313796d1242ffc75552114232d39c0235f3a61cc458a0e3b76949f2bf8486fe8b4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
193fc73f044bb8989c33db4b83d582ab

SHA1
d6867a1e9ae5c68d382ad47d3b303b9ab5c35da9

SHA256
609aeba34fe84affc593e389d9e0b35448ea8164040e11ece58b4a1f2bde8ffc

SHA512
a34f1ee8e8e820d05f0385ec2725d1fd3c0c935a6272bb33d8011521050f9e9463cf233764678ed4939e1f7faa06a9df29d784d2a256ead63cb3d7314499a95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
64KB

MD5
37d9a79ac347d5f13381efab67683a00

SHA1
ef541b05f4133ab035a8d41fabf2acf2be3cf78a

SHA256
b38be19a9568a6afeda02e2ee340c0b1780bda20560ec83a226e5b0756435321

SHA512
efbaf3d24549f59d7b0e565f20bce8e0df73673d453d656d6558a37b5cb08f1ea20189a98d1168f935048f77cc4928a5fff7153926e786e88a6fc7b0eccac474

Download Submit
C:\Users\Admin\AppData\Local\Temp\97DB.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\B19E.exe
Filesize
30KB

MD5
07eb26c97b0640c358a6b00609c57794

SHA1
96ae8c40c8840e681153e4d0a9b67a3789179d2f

SHA256
7fac5ec92685d6f37f38de5c372460035752122a6640583af623d5c021ad9654

SHA512
2c53a869e56de361e73504af090db5f6079fc51c77a1f09236b7452cd1cd20cae33fa5ab4ab8ed9858c0ae6698ef8807b53e7789f8bbfbc71c8ae3113ab487a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA64.exe
Filesize
166KB

MD5
52f62afe3f6f5eec96c298d732d27865

SHA1
5d48a8ddd3a895ba6f013f2edb9f6f4095009982

SHA256
9ee5e6b9d9077695a45210e4cd7fc4e06c69a58124a92e39c911d80be2530ffd

SHA512
4e35528e80d95033e420a963133f6cc7c1565cd3155b7ac805fa835955eb4ca66e044345a270b7aaee7f6e36d4065ea182cefdf37d2f29d2729a915be16fab0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA64.exe
Filesize
172KB

MD5
40d76cceb248b925c2078110cc01b3fb

SHA1
346773ff555b788e26985151f2eb4e826341d7a5

SHA256
a3636f5437b6ee83c64d5142f121ee3409abd2baab2e08eb980c40746c848563

SHA512
c865327b45233d3f6543c47ab5acef4c0d5357e487cafdfa843d5972542efce26b833b1fa7d2aa8cf28e8c9d0754e67f9f2823fc386f2d1bf419a0b759f028d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA64.exe
Filesize
300KB

MD5
bc222b9e832743044a327cde99b1e87b

SHA1
c3488c851ebf8f0009e76d9a2da854418a55a960

SHA256
caddc76c648103b9f2c595fe14f27492638dd0cf3bf630936646f1ecaf0ca6d0

SHA512
e4dbad7ddc492cc4a9804f4ce9f5a717a7af8fef38ffec91d8cf502c7fef9b0ae6553a875198b91a4a36f5527926409eb37bb3421251c20145a72b34529cfd13

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA64.exe
Filesize
211KB

MD5
41f37bced3158c529ac1f7aa4e0c1ebb

SHA1
2960afe85b38fd60f16bff143a3076890fe110c4

SHA256
4fe70015194678355886094f16e221fe7d00702007cde0e3733d7f3833e4dbd1

SHA512
9edf8d1bda5d3ae08ea4fcbbf46a6f04d5027ca4c08d32cd779df5accab3fe742f4d565f1da9e99df74982836a4d3d18a774f3cb7028de776efceeeb0ffd5640

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA64.exe
Filesize
497KB

MD5
289d88cc58a2a66fd5863c229e861995

SHA1
e04448d0bbfd7be452d4d0742066084fe337fb98

SHA256
b689c58fd2ce1bb79dd56918039abe7ae84bb7c0d60f1cc99f238b779dbb6cb8

SHA512
ea8bb16ca8729d4c1f9577a6caae01200221e5adaec8ea5df5a44a22393246555b9fa793a96dfaacf23e66871f798c9b7f3e1b1f0f7e858a9a74b729d77a1b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBF9.exe
Filesize
154KB

MD5
83df8ac653498e2ca07b5493a1e2c227

SHA1
ac2b928ceac49fd7efc7585be9b298f4494627c4

SHA256
acc18275a0b14ce93603aa292c1249eaec9c6e1494d526410994988e4e3ac661

SHA512
24a3040bf299844851e2bab218bfaf1ef713f0cc3b61f3a3e64b1f407520da5d0e49cf5e842f685efd3bc8b8a2c09c1063136444bb7a369f028e34695ac14f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBF9.exe
Filesize
108KB

MD5
9046124bc435e74aa0bc4c92d2562af2

SHA1
a127b839cf8f87474d27a8e164230e3a7271ba9b

SHA256
bf689b6c22485f0ceefff10fa53fe512fa2d650472c83941ab7beb7b42631f94

SHA512
4981beb22fb1a41e2121bfd62ed6b3701f5709db7331495fa5a54737fe0b7499858b005638f26dbd0d86f9212a9a8716d7b3148f68d8dc7efdc07e35ba1fb414

Download Submit
C:\Users\Admin\AppData\Local\Temp\F64B.exe
Filesize
21KB

MD5
3144e5595622342bd8245352ab2e78b6

SHA1
eff494ab32cdcfb1f3415ca5b911929973cd07c8

SHA256
fc84c29f5436bf31c33d614b824eceb13f28a6cf1ef2f899383bf05d7532ba5d

SHA512
da5046999cd4c8ee238655ba1bc9b817847021cd697aeb357a7accda32092f2dc6a92235ff8574d8fd513e26bc4d223426891ca207bb2209c072977580085cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\F64B.exe
Filesize
4KB

MD5
30ab80fff190bc7c53860976017027b8

SHA1
64f5ce42b3bcab9f43686d3ae2d2150c58752f77

SHA256
cba535e6b90120afe1825d74576dc0bb3078b19986ce3d9696aa0f192d841ff9

SHA512
a6d1b9db1bb5eaed63f995d9bed7ec95c024d5f787171e89394cff570a928306a6c7237031bd07900c5fac832209d474481714cf58436ec880878e2406106075

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
Filesize
41KB

MD5
75c085ff4b0650f3855dfa5090b03504

SHA1
95cb94879535dccdb82ee6b913a7a0726ccb2ac6

SHA256
fc1e988eb23210ac1a9b85cd6432ffb03e4f764f43549835395c200ce879feb9

SHA512
d523b01492bacd04ba08d3d677b834cd8ab0719091a1235fca42ec76573a27d14651a1b8a59ede60c7b00ae4ace561fd82ee864386c758ebfe87a756bc47d4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yF7SP58.exe
Filesize
45KB

MD5
a1740ecf1740e1ded33b2ca65935c692

SHA1
90face59756c1272fbf988f800d0424f47733b1d

SHA256
6a1259c0f55480c5090933d08a285629dcba17201524f4991a9325cafeb16e54

SHA512
19dd929db6977f783dbf94afb13b35f17ca6c0fe167d9ea929c03b0bf1fb14bfcbbdf86cbd95174301977d39182de76c84c2f0e9db63f936e1cae19e06dc4eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yF7SP58.exe
Filesize
15KB

MD5
483d7974dc25b32ddcb6c8bf5c7c06d1

SHA1
8de4ef1a51b711fb1d6ff123bf822b38c0fc4b98

SHA256
bf5762ed864658f5cffa8ca91761fd42e5140d103a136e651cf32fc9cb1d3ace

SHA512
c8085ae4da39cb5871a2c268829b606c795f068d6e1e3bf0ea852668eecadd880c681cc370165f29cde26155ba192c5f8fdd50e9ecedd0f33cd8890be72c9ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pd6cT16.exe
Filesize
102KB

MD5
3e200c98d31c6a4b49eba39434879c76

SHA1
f472890acd004795cb4c25ff6b115d9559230b44

SHA256
f484ccae98669e15ee99c82a4858e7ac0dd994f47d8234e5ff38cda095a9c15a

SHA512
00049b8a062ed5925fa9daa050d63317edbc58628f92efc9077859151399d284776f8916bd7c9230aa371cca318d8fd4bfc8e5064c8e2fff22525c737b115bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pd6cT16.exe
Filesize
13KB

MD5
1bbbd29dcbac7470e89d89e4de573e84

SHA1
bbe52da26f304a0a262c26676883a6341946d539

SHA256
bc19bce42edc2d9753d9345a9c6427f8fc899d438dde1e680205ac526e40d762

SHA512
e82de471fd94a6aac4fee6e429f96e2b94ee2a3cf31694634e6ad46ecf246ace2c67b88fadeeb5cabed6e9ba744c62ec3b4391fc4ee7a4680e120305b3422a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1LH65Zv2.exe
Filesize
12KB

MD5
05d5eb84b9d583c3ad284097d220c873

SHA1
7f3196cbaad2b5fbd504b8de3372fb790edb5a69

SHA256
a6a6bab6f48719b8fb542dcc8efdd79a122eb79eb39ad8b13ce8a0000e1dcd36

SHA512
5eed4b17ecf5ceb2b20473c6bf30167bb4c5c67b6ff60c1dbd4fce498ef7e5e8dc39614f4463015752cdf93a0adcfd77de0b60e7fcca031aba66401db80536cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1LH65Zv2.exe
Filesize
32KB

MD5
1fb2b5e2ed85f7efe967447cb99a2170

SHA1
847a9b2d29879f28689fac4a9c04e0c779b12faa

SHA256
349c8ccd6ea9e92fcef18e2b0a75c923ab7aa4920aeaad03e38352990186b25a

SHA512
c0a804e88e5ac181fa0aee79d48329f86c0475f1bc6e97afb8f89cc76e61798d399e91ff35e639a3e6805480199a1cbe0662381e6e4e286a520a9c33029d9e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4lc965Gr.exe
Filesize
93KB

MD5
6ecc6e9f31a21fb60605202f471b0e84

SHA1
8abeebadf67b5102668627c6e5182a11694a5e83

SHA256
2fce41c90b16f3e15edf15ff6e50c2b7fa8a5eaf497df5f3f14efe29e93b9ca6

SHA512
9fcce3d9812bd685195e6d24202f95c502c49c94444173913556b2276b061d995221296de05e10576a4576160faab1481aed1760f41efc02a4dba168a80f5b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4lc965Gr.exe
Filesize
33KB

MD5
3ca524ff154e2fe5983aa5d60eb7ba74

SHA1
713ae32bbf0cbe5497b186d3326ef239eb482ecc

SHA256
e38c7eb12316403e11e577a722053a73672574b592eea72109180ac8a002721e

SHA512
49c37cdce6762f2e0c367ece14ca0a76316ab964186c5f167c3867429baf3fa8fb8b8475e725179b7d99fa17fe8d041b3c5b9fd61fce1f4552e6e82acbfa2fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
105KB

MD5
b06232785c8d2b4b8f400d106ae299fd

SHA1
e2e97baf6040d561d44227c219b8b8ee396f5ad4

SHA256
773c76ab730000ce0b3821247322ac4910fac7bc154d1db13a63c5acf0869100

SHA512
0187ba8e372af6a0fcb11ad16a004056de0abbdd4996dedf6e9dacdd2eb9f0e4155609dd2921bdb8c7ccef7ab2455649649a5f46a67c50ae7fb35bc6b4c594a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ygld0emk.kxt.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
99KB

MD5
4878d63c9837d74f3e64f006b30d31c9

SHA1
76a40c021b7b84015a7ae9ed52511cc623f280cd

SHA256
1b602a07ee3fa2de10d4c1ec02b3809aa4eb07c738cdb03a9ff5f49105907369

SHA512
5ea6b44ce60f7dd2dd4ba47295eb58298e3ac8898731dc908496f88623bdf61c0df9bc677033513c35e307b2c116a032bffaa8a8907e48cd63199a1817edb0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBD12.tmp\INetC.dll
Filesize
1KB

MD5
c7ae096c02849c7eeb07623b18de8a59

SHA1
9f57c75aa9f96121413a793d356d876a09f564ca

SHA256
711ce1b5b08d30470c7cb844d2dd9345ffb6c2add9392f56a86e8c515ba89ed0

SHA512
2a070a13ed45b3cc289f8174eb313d244daf10c1ae36c837f305b450bf2f1b839850eed70f672bb94c75117fe232341b01a868824e42d4d01ddd754fa9b5670c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBE3B.tmp\Checker.dll
Filesize
41KB

MD5
8dcc038ce15a235ea9e22fc9663e4c40

SHA1
cc702c128e3035d42220bd504d6c061967d3726f

SHA256
64b23aa5ca4e2e516fae3d2480957d6f1065c91caa930e0ffac2bda1cadea76a

SHA512
bf81fee736e02680b2d5cd23dd360430b9bd97ad1f75ae9485e82b548f61b83a092c5e17a4d537a06ece6384003aeb9b7b9e7eac4a7ffb2b371160570bce6b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBE3B.tmp\Zip.dll
Filesize
76KB

MD5
0f459c2bd249a8b1f4b1b598d8e5299d

SHA1
ca47103107cd686d002cb1c3f362efc5750bfeb4

SHA256
acd3d2b809c320bb8b93385212bac23536bd6894e8e2638a5e85468ccd54fb3b

SHA512
1a7e6e48ee9d966a59082f2ad3b6405d8bbdc1a45f54dec1de9fd1a16b34bb0dc422683ecffd5dfb484db3c5c42caea410d49debeae50ba3979520834212afe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSqmXDPDqAW8oy\ouiu0e70Fv8gWeb Data
Filesize
92KB

MD5
02687bdd724237480b7a9065aa27a3ce

SHA1
585f0b1772fdab19ff1c669ff71cb33ed4e5589c

SHA256
9a535a05e405b789e9fdaf7eaf38e8673e4d0a8bd83768e72992282a69327d89

SHA512
f8ce4f6ad7211cbd17ba0cb574ac8f292727709479e059f4429a818d3b74dbe75d6e6f8cb5576b6bc7e3c1bd0b471127f0ddb38e816fad8aa44a77c15de7e6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSqmXDPDqAW8oy\qYriMqJ5ls1bWeb Data
Filesize
73KB

MD5
f728a5d7da95407fd571a0af8d14940d

SHA1
b3d91c6623412f4587bb6b895260ec7eaf3685a3

SHA256
5c6a3d8d8c4d152826a5f3c8425d92b3accad3600aba41f95c09e768a946f89f

SHA512
eb9462de3296df752a21953054dc3be8d7a2a4ca21e0b063fe20a8fe957356d89016a109b14977acd3ec5e5a9a31511dd3252cdd9b6aef503cf83b2ff5546b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
33KB

MD5
43f1100a25c898a0662e23cb7278f5cf

SHA1
67323b8a5a57d3a65bb4db03fb9f58f0da57df0f

SHA256
3a4d7e8952bbb41cf764ae79caf5b351ef1727d55071f2d1795e14f5cbdbbbdb

SHA512
6809f2b2456d4edc03c792d9e3f3379caca65c021d10685b499e9f42cb7cc55ae92f386b6d6547e686226457e3a0c8435ce93506683d6817de8b0f0e35acb7f5

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\UNION1.exe
Filesize
132KB

MD5
d1370882db2d30ef6c2dcc19af66e5a5

SHA1
a9f9b12e2ab639e96733021988a7577c713c6c43

SHA256
f59987f94336bcd22187058db1173572a803555f87b04c307473bbf3c8a7ab47

SHA512
e4c2c29fd9a1441c54c9293538a6c8d1402720a9871bb4224eded50abf9fc87da394c60c9f88e04b0cc4369d282a95676a10422c4923a2de6a8d3677661eb214

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\UNION1.exe
Filesize
77KB

MD5
ba82daf14fbe9b1f0024d22155bd1634

SHA1
def8d6ac8cc5adf0954080088a84802843085e9f

SHA256
f379108f9af9e856f00efef2eca3caa18a5a7369fc5174b4f15942a4a260b529

SHA512
81fb9d49cb27324724f5eed5d64355e06c9b7639a5aa05f5c8e08afa7e6ecdd5a218486abfd5d016d62986839d70c6229f86e737ab4ee50534f19b439902cc3a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\UNION1.exe
Filesize
45KB

MD5
66a6480cd3b4e6ce3ee965ab21a75f1d

SHA1
b3e942d3b9e12e1f304f5f0bc5badcf25ab4c42a

SHA256
70245fc14ea8de040e67f0f8902fba7293c7fc8fb3c88f3095a4c14f8b6ab766

SHA512
4f211a55de82331fe42be46e278ae31786f0935ccec6950618c3b4fb5479408733d12c8af5e3322833cd74cab153c928486495d41b9ced3e75c856958884dba1

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe
Filesize
76KB

MD5
4af2e43a280d0fedb5feac81ec07e1ba

SHA1
6f6c2305e81614fec99be4989d2f527422c41d40

SHA256
895742e7539901b9ddf3b5c90c551588ac23cb23d4c853d1b836f128dbd11aaf

SHA512
e1d993d81b5f154a2ae359bbfdaa1f949b636db9f4230593933076d7c0b3d46628726d51c04d8da556947f2f64e86c5cd096df564204450acc06974bbcfb0df8

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe
Filesize
149KB

MD5
37a25911a3610591df26f3bb3919379b

SHA1
0ec145da72d1e8bd763ee957d3246449ff98906e

SHA256
6e12342a9c928f13c6959d1ad9ab227c72f2d1fc6bc1dac58e038d511f5de52d

SHA512
bd023d1267b561f361c67fb4e8a8fda0d60bc5c67310d02bf018fa7e060751204bbc1c9bd0d1798c2d8ea983add34dc4b4149361260df4a9d73de6844a48a00c

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe
Filesize
83KB

MD5
227782fc7f91959b0669dbbd4722e998

SHA1
87dea7754b7c87839f8e2592fee700bda546457c

SHA256
05b31f1e916779645575c77603f03badf135c94c3ff60f495c513f8a60219c9e

SHA512
daa7e0770fc2b5e5368e77cbedc343574ad6e947d8be74ee61378b62652378967af2de71a5288969e149e0b8eda2a9a670173faef6a111736dcb249a9f472cf5

Download Submit
\??\pipe\LOCAL\crashpad_3980_ERZUXARUZZWBULTC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1940-45-0x0000000004FB0000-0x000000000504E000-memory.dmp

Filesize
632KB

Download
memory/2728-658-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2728-659-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/2776-90-0x0000000000F10000-0x0000000000F62000-memory.dmp

Filesize
328KB

Download
memory/2776-438-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2776-92-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/2776-98-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download
memory/2776-503-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2776-99-0x0000000005840000-0x000000000584A000-memory.dmp

Filesize
40KB

Download
memory/2776-89-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2776-94-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/3356-64-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/3356-65-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/3356-59-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/3356-290-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/3356-60-0x0000000000960000-0x0000000000AF2000-memory.dmp

Filesize
1.6MB

Download
memory/3356-505-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/3356-437-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/3412-593-0x00000000030A0000-0x00000000030B6000-memory.dmp

Filesize
88KB

Download
memory/3412-5-0x0000000002CB0000-0x0000000002CC6000-memory.dmp

Filesize
88KB

Download
memory/3412-824-0x00000000086A0000-0x00000000086B6000-memory.dmp

Filesize
88KB

Download
memory/3580-1-0x00000000035D0000-0x00000000036D0000-memory.dmp

Filesize
1024KB

Download
memory/3580-2-0x0000000003440000-0x0000000003449000-memory.dmp

Filesize
36KB

Download
memory/3764-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3764-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3764-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4260-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4260-42-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4260-31-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4260-32-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4260-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4320-93-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/4320-405-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/4320-193-0x0000000007C10000-0x0000000007DD2000-memory.dmp

Filesize
1.8MB

Download
memory/4320-102-0x0000000005A60000-0x0000000005AC6000-memory.dmp

Filesize
408KB

Download
memory/4320-118-0x00000000065B0000-0x0000000006626000-memory.dmp

Filesize
472KB

Download
memory/4320-91-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/4320-206-0x0000000007DE0000-0x000000000830C000-memory.dmp

Filesize
5.2MB

Download
memory/4320-129-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/4320-190-0x00000000079F0000-0x0000000007A40000-memory.dmp

Filesize
320KB

Download
memory/4320-97-0x0000000005820000-0x000000000592A000-memory.dmp

Filesize
1.0MB

Download
memory/4320-95-0x0000000005D10000-0x0000000006328000-memory.dmp

Filesize
6.1MB

Download
memory/4320-101-0x0000000005790000-0x00000000057DC000-memory.dmp

Filesize
304KB

Download
memory/4320-100-0x0000000005750000-0x000000000578C000-memory.dmp

Filesize
240KB

Download
memory/4320-96-0x00000000056F0000-0x0000000005702000-memory.dmp

Filesize
72KB

Download
memory/4320-88-0x0000000000E30000-0x0000000000E60000-memory.dmp

Filesize
192KB

Download
memory/4336-777-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4804-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4804-48-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4804-51-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5008-611-0x0000000006480000-0x0000000006648000-memory.dmp

Filesize
1.8MB

Download
memory/5008-600-0x0000000005B60000-0x0000000005BFC000-memory.dmp

Filesize
624KB

Download
memory/5008-620-0x0000000007FC0000-0x00000000080C0000-memory.dmp

Filesize
1024KB

Download
memory/5008-618-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/5008-617-0x0000000005DA0000-0x0000000005DB0000-memory.dmp

Filesize
64KB

Download
memory/5008-619-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/5008-622-0x0000000007FC0000-0x00000000080C0000-memory.dmp

Filesize
1024KB

Download
memory/5008-612-0x0000000007880000-0x0000000007A12000-memory.dmp

Filesize
1.6MB

Download
memory/5008-626-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5008-599-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5008-598-0x0000000000B70000-0x000000000100E000-memory.dmp

Filesize
4.6MB

Download
memory/5008-621-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/5008-601-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/5044-30-0x0000000005190000-0x00000000052AB000-memory.dmp

Filesize
1.1MB

Download
memory/5044-26-0x0000000005000000-0x00000000050A1000-memory.dmp

Filesize
644KB

Download
memory/5420-845-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5556-594-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5556-592-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5912-625-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5912-627-0x00000000073A0000-0x00000000073EC000-memory.dmp

Filesize
304KB

Download
memory/5912-623-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6088-562-0x00007FF763F40000-0x00007FF765237000-memory.dmp

Filesize
19.0MB

Download
memory/6268-756-0x0000000002500000-0x000000000257E000-memory.dmp

Filesize
504KB

Download
memory/6268-772-0x0000000002500000-0x000000000257E000-memory.dmp

Filesize
504KB

Download
memory/6588-739-0x0000000002EA0000-0x0000000002EDA000-memory.dmp

Filesize
232KB

Download
memory/6588-729-0x0000000004400000-0x0000000005028000-memory.dmp

Filesize
12.2MB

Download
memory/6588-715-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/6692-748-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/6912-590-0x0000000076B20000-0x0000000076C10000-memory.dmp

Filesize
960KB

Download
memory/6912-589-0x0000000000B60000-0x000000000123A000-memory.dmp

Filesize
6.9MB

Download
memory/6912-447-0x00000000090A0000-0x00000000093F4000-memory.dmp

Filesize
3.3MB

Download
memory/6912-271-0x0000000000B60000-0x000000000123A000-memory.dmp

Filesize
6.9MB

Download
memory/6912-279-0x0000000076B20000-0x0000000076C10000-memory.dmp

Filesize
960KB

Download
memory/6912-296-0x0000000000B60000-0x000000000123A000-memory.dmp

Filesize
6.9MB

Download
memory/6912-295-0x0000000077CD4000-0x0000000077CD6000-memory.dmp

Filesize
8KB

Download
memory/6912-287-0x0000000076B20000-0x0000000076C10000-memory.dmp

Filesize
960KB

Download
memory/6912-280-0x0000000076B20000-0x0000000076C10000-memory.dmp

Filesize
960KB

Download
memory/7332-567-0x00007FF603730000-0x00007FF6041F4000-memory.dmp

Filesize
10.8MB

Download
memory/7532-773-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download