amadey | 12e5e5bba84f2a618310f72a7fbb40e04bf2f221a13145b3a91bb4707d7130c1

Analysis

max time kernel
0s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2023 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

418KB
MD5

0aca798eb9951ab0dd5e92723e3d2664
SHA1

33ecc4ff22947e411621c8f4cd4719cd95669194
SHA256

12e5e5bba84f2a618310f72a7fbb40e04bf2f221a13145b3a91bb4707d7130c1
SHA512

22f711e5d259d85c31786ad4d8cde81474514f4690fd0c2d108ebb6e27d54bdc88bb46ba4aafe1a2aca94fd70f92adf4829d37e89e9e32e545d926cc7ba2d942
SSDEEP

6144:ZoKCcjSrSPsMJPZ/P3+9303XH5Tv7b9cOVX2j+Hk4fZ6A4zmL5RqfMvmgpum+bg0:ZoLX+B131bc54fk7mLrPvmgpum+bZ

Score

10^/10

amadey djvu glupteba redline smokeloader stealc @ytlogsbot up3 backdoor discovery dropper evasion infostealer loader ransomware stealer themida trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

stealc

http://77.91.76.36

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.loqw
offline_id
NrqpaQRhQqq5l2tBPp1QS34I3ME2IKsAlZ0A9pt1
payload_url
http://brusuax.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-MhbiRFXgXD Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0838ASdw

rsa_pubkey.plain

Extracted

Family

redline

Botnet

@ytlogsbot

195.20.16.190:45294

Extracted

Family

amadey

Version

4.13

http://5.42.65.125

Attributes

install_dir
0de90fc5c7
install_file
Utsysc.exe
strings_key
b34dd8f60e55add4645c4650cc7f7e7e
url_paths
/k92lsA3dpb/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4304-521-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4304-523-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4304-518-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4304-531-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4912-537-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4912-541-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4912-539-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2740-107-0x0000000002F70000-0x000000000385B000-memory.dmp	family_glupteba
behavioral2/memory/2740-108-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4712-204-0x0000000002D70000-0x000000000365B000-memory.dmp	family_glupteba
behavioral2/memory/4712-206-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2740-207-0x0000000002F70000-0x000000000385B000-memory.dmp	family_glupteba
behavioral2/memory/2740-240-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4712-441-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4880-498-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4880-550-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2256 netsh.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2524 icacls.exe

pid	process
2256	netsh.exe

pid	process
2524	icacls.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DC78.exe	themida
C:\Users\Admin\AppData\Local\Temp\DC78.exe	themida
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
behavioral2/memory/1572-510-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 api.ipify.org
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1888 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
19	api.ipify.org

pid	process
1888	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1648	3260	WerFault.exe	toolspub2.exe
3616	4912	WerFault.exe	powershell.exe
4864	2984	WerFault.exe	nsk52B7.tmp.exe
8100	5732	WerFault.exe	4BB152us.exe
3800	3412	WerFault.exe	InstallSetup7.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000035001\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1000035001\etopt.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\1000035001\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1000035001\etopt.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\1000035001\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1000035001\etopt.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

7708 schtasks.exe
1292 schtasks.exe
4392 schtasks.exe
4796 schtasks.exe
7288 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4840 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4836 tasklist.exe

pid	process
7708	schtasks.exe
1292	schtasks.exe
4392	schtasks.exe
4796	schtasks.exe
7288	schtasks.exe

pid	process
4840	timeout.exe

pid	process
4836	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exe"
2⤵
PID:3632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:1292

C:\Users\Admin\AppData\Local\Temp\1000032001\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\1000032001\InstallSetup7.exe"
3⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
4⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\nsk52B7.tmp.exe
C:\Users\Admin\AppData\Local\Temp\nsk52B7.tmp.exe
4⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 2384
5⤵
- Program crash
PID:4864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsk52B7.tmp.exe" & del "C:\ProgramData\*.dll"" & exit
5⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 1912
4⤵
- Program crash
PID:3800

C:\Users\Admin\AppData\Local\Temp\1000033001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000033001\toolspub2.exe"
3⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\1000033001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000033001\toolspub2.exe"
4⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 332
5⤵
- Program crash
PID:1648

C:\Users\Admin\AppData\Local\Temp\1000034001\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\1000034001\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
PID:2740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\1000034001\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\1000034001\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
PID:4712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:3836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:1376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbe28746f8,0x7ffbe2874708,0x7ffbe2874718
6⤵
PID:4112

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
PID:4880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 568
7⤵
- Program crash
PID:3616

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:4392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:4452

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:4356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
PID:2956

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:4796

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\1000035001\etopt.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\etopt.exe"
3⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3260 -ip 3260
1⤵
PID:868

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2256

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
1⤵
PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B362.bat" "
1⤵
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4CA.bat" "
1⤵
PID:3120

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:4060

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
2⤵
- Launches sc.exe
PID:1888

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\CBDD.exe
C:\Users\Admin\AppData\Local\Temp\CBDD.exe
1⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\CBDD.exe
C:\Users\Admin\AppData\Local\Temp\CBDD.exe
2⤵
PID:4304

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b50aa38d-c41c-4296-892e-4de44f8349da" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2524

C:\Users\Admin\AppData\Local\Temp\CBDD.exe
"C:\Users\Admin\AppData\Local\Temp\CBDD.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\CBDD.exe
"C:\Users\Admin\AppData\Local\Temp\CBDD.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4912 -ip 4912
1⤵
PID:3864

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
1⤵
- Delays execution with timeout.exe
PID:4840

C:\Users\Admin\AppData\Local\Temp\DC78.exe
C:\Users\Admin\AppData\Local\Temp\DC78.exe
1⤵
PID:3276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
2⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe28746f8,0x7ffbe2874708,0x7ffbe2874718
4⤵
PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,10650082759529223757,12303942787584563825,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
4⤵
PID:7968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,10650082759529223757,12303942787584563825,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
4⤵
PID:6292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10650082759529223757,12303942787584563825,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
4⤵
PID:6760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10650082759529223757,12303942787584563825,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
4⤵
PID:7668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10650082759529223757,12303942787584563825,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
4⤵
PID:6772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10650082759529223757,12303942787584563825,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
4⤵
PID:6844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10650082759529223757,12303942787584563825,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
4⤵
PID:6832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2984 -ip 2984
1⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\DFD5.exe
C:\Users\Admin\AppData\Local\Temp\DFD5.exe
1⤵
PID:668

C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe"
2⤵
PID:4004

C:\Users\Admin\AppData\Roaming\configurationValue\UNION1.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\UNION1.exe"
2⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exe
1⤵
PID:412

C:\Users\Admin\AppData\Roaming\gjvebbb
C:\Users\Admin\AppData\Roaming\gjvebbb
1⤵
PID:4900

C:\Users\Admin\AppData\Roaming\gjvebbb
C:\Users\Admin\AppData\Roaming\gjvebbb
2⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\918.exe
C:\Users\Admin\AppData\Local\Temp\918.exe
1⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\onefile_1808_133476570057779196\stub.exe
C:\Users\Admin\AppData\Local\Temp\918.exe
2⤵
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
3⤵
PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:4556

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4836

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
1⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\19A4.exe
C:\Users\Admin\AppData\Local\Temp\19A4.exe
1⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gv4NK28.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gv4NK28.exe
2⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\In1tO90.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\In1tO90.exe
3⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1XQ90fK9.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1XQ90fK9.exe
4⤵
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffbe28746f8,0x7ffbe2874708,0x7ffbe2874718
6⤵
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:8
6⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
6⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
6⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
6⤵
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
6⤵
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
6⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
6⤵
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
6⤵
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
6⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
6⤵
PID:6268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
6⤵
PID:6540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
6⤵
PID:6940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
6⤵
PID:6284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
6⤵
PID:6564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
6⤵
PID:6576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6252 /prefetch:8
6⤵
PID:6264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5408 /prefetch:8
6⤵
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
6⤵
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
6⤵
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8164 /prefetch:1
6⤵
PID:7236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,122299479960239708,12475524016541664884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8136 /prefetch:1
6⤵
PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
5⤵
PID:528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbe28746f8,0x7ffbe2874708,0x7ffbe2874718
6⤵
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,607492954876373393,17922005322214227777,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
6⤵
PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,607492954876373393,17922005322214227777,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
6⤵
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
5⤵
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbe28746f8,0x7ffbe2874708,0x7ffbe2874718
6⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1472,13638346724228222906,7570753033519166298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
6⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
5⤵
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbe28746f8,0x7ffbe2874708,0x7ffbe2874718
6⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,6455372951833584924,15487415414600719915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
6⤵
PID:6332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
5⤵
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
5⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbe28746f8,0x7ffbe2874708,0x7ffbe2874718
6⤵
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
5⤵
PID:6752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbe28746f8,0x7ffbe2874708,0x7ffbe2874718
6⤵
PID:6812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
5⤵
PID:6980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbe28746f8,0x7ffbe2874708,0x7ffbe2874718
6⤵
PID:7008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login
5⤵
PID:6204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbe28746f8,0x7ffbe2874708,0x7ffbe2874718
6⤵
PID:6404

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4BB152us.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4BB152us.exe
4⤵
PID:5732

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
5⤵
PID:4948

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:7288

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
5⤵
PID:7380

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:7708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 3172
5⤵
- Program crash
PID:8100

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6PL4RI2.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6PL4RI2.exe
3⤵
PID:6316

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7op3uT67.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7op3uT67.exe
2⤵
PID:6744

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6132

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6744

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6856

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5732 -ip 5732
1⤵
PID:7876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3412 -ip 3412
1⤵
PID:5688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6392

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3428

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll
Filesize
257KB

MD5
8c760672dd7a09db417a65d07e6e8ddc

SHA1
d58b1cf9d50338b54c401f1d6120345bb2afeac3

SHA256
ab2fa49827782fc8057e11276dc016f992964ae06a7b4873835bf6a161141202

SHA512
fb070a21459f7dda2d601fa9afe2ef13b10de8f01eb1454328e0ed61c9011ca41dc340aa32dad778cf06049a03ca849c93d25e4fefad59e53957f7b8943149da

Download Submit
C:\ProgramData\mozglue.dll
Filesize
143KB

MD5
eb93c912abc967be4d0225b78e2c4731

SHA1
bbf087557c2009f56904b5ea177d137121873859

SHA256
660eab23afb23f9322090e66593c16abc7e03d0ab2f7e302646db2222127b4c8

SHA512
5d8c829e70f7313674a9833efebeac0c547e5b1e4178125fb1aaac7d36b301bfdbbe7f344afac6fdc44d7d8ffbeb3b374abbdf99dc63408c920a5afd613bd290

Download Submit
C:\ProgramData\nss3.dll
Filesize
137KB

MD5
8b50231a80f86f1719b514002a75ef96

SHA1
819c3157858cdf09832ce331514b16515f5cba41

SHA256
6f89a9e3099637dd3b595accbe750ec5b44c18ea469442e65794e6537c271a8c

SHA512
c02c29b171a80d7baa520cadbb5f750382d432bfa33f28a6f56e1f755d708af009c7ef054371f65bdc0ed95e9782b29b7e1223be74b92549c4707d369dae307d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
d3bc2972a5ce7aa6355ffeff2f781b0c

SHA1
aae73ca3a2cd0f7b1dd83f8daa6c80cf24f53486

SHA256
30693befccb9a17295ef589e595930adcb2da1013e14a01e45b8fb049b929819

SHA512
e1631a141b890432f882e02683cdbe4b60a1cc4d60a2461a6aa658fca949c33080bb04c88ab1912bef66b54b54086807f9373b66e6b1ca4d96a0c341cd6972d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
17805ca4fe7e9ef825632a56ce9b40fa

SHA1
a5613ad2e9ffb559c452da5637c4b2db1b61a555

SHA256
953ad854173460f1a9f25ab15b66616ba2c7c2a2c21f4895580fed1a134cc392

SHA512
2044c73815136bfa25d35aa0074723ff13478ee3e7d91adc2ddc9a82fe4d5c87bbc79c623c47a01d4fb8df28e6d623b020b3c6cf27387bf191ff09fe42fa66df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
bc0d1209c5a72cb782f59167c214496d

SHA1
d83a6a8410900d5532b23d1aff21bab9d085a594

SHA256
317cc3f865b7184b1561ebf001b5d83157ccffa01c01c64f48377f1b5dce2292

SHA512
955a56be893e891acfaf98a111c4f483f2a9dc1a72cb8c0a0b6a07ebb0d52e3f119fc965c8ae9010338ea8199c70a5463ca19c6b594ca463f06d3df36b79be5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f41f5fd667c6e12ab1be1db071ca8578

SHA1
feb36538f9a759929af7fb4d1c306cc48aaa463b

SHA256
69465ecf167184b1f8232be378d2ce1552a45d9d8eca0f49990fbac332facdee

SHA512
ac20ab362c1029eb791d54e098b3716ab7903b82b7d5c5b7cb13aea1b8b79a4cf53d471cb3f3b7ac4de49c8962ef356b87f764cf49a87a363e4e2617756fc063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5e77545b7e1c504b2f5ce7c5cc2ce1fe

SHA1
d81a6af13cf31fa410b85471e4509124ebeaff7e

SHA256
cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11

SHA512
cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\30e152fd-d822-436b-8ee8-3095ac5f370a.tmp
Filesize
5KB

MD5
45fef206af04b1e3ec7d2af7354f5325

SHA1
22134ab4e51eb90db658936ef2e420c1e4815960

SHA256
3d7b4a13e573c36e938d44661343baa6b8fac5b1093bb197859d3cf66cec2cc8

SHA512
b6bab9fea666c1fd0eb73134dc4cea0f0981ecdcb5199acbe1b2a658a90ca0ea02d84ee7fbdf60d09bdf6bc56af6e37355773392ea0d51c1a10459dba12df252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old
Filesize
396B

MD5
6c382afa2cace3a65d2b2c56bbcc395a

SHA1
79c32981955438e816cc6b7a0e79d19501c5ae29

SHA256
b2e0d7f7412ef236b86bda456573025b11501dd84fdae01a907fc4c7e93a6a51

SHA512
d89cf3d69c34048d693e8135ecf40649e53de33b836c9d2c793fa1f6deeaff52bca7d2762cd227ef3791f6be4ccfa22dda2a8a1f898f883570998ce53a6c4dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old~RFe586906.TMP
Filesize
355B

MD5
4f34088b78797a6a65fff9aa0268a05f

SHA1
638064f3647d26e47625beacffb05ff6c56a6346

SHA256
a1101a8e805bdbf6a1cd1990c9847f111cb5dc1275397901e3e97b1fca52bc58

SHA512
f53295fc07b88923ec603c65707820a9fc248adf4acb2474f3e5cd38ff71368362da5085f7e718aa1408dee82bbb92af921a312ce21051016467f52434b77e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c69d2a6ed38f5edea8049084a6bff61b

SHA1
fcd3a3421fd7e548ed659acf6ecccde4a4403274

SHA256
363c7a98dd09bf6383b770c6f1adc88d7fc1ce83276f4473f920c84307d15a90

SHA512
71923c9817554821c0d0394e41f8659c3a97b485c92499206c0a749a944eba8964f6eb61873aa853e6e7a4c4e576b4fe80f05146c4004c6c3757db8cb9074ed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
a2c92a49f52391ec1f544d34e744fe03

SHA1
fbd4867aaa28dd33e3a0a6fd7c8c29af8d46e26f

SHA256
142a4ea3b271a3e5e5d9d58d50cd7c5b433e54fce54b83979e3b0bb34b35a378

SHA512
e4a01ef61e817d4ad7436c44f479336eeb1fb42f1c0988b9de2c34327179152c4e289641f288e25cadb563faa296227683148d7e53431b0f3257a5e6e531ec49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
93fb1f0e519cb63ba6e5ef5c167f1829

SHA1
14298db7dc94da8643c8471aeb746274f4a5c2fc

SHA256
3718262ed42a5d89248408ecea7d5b89b08ee994208bd0e60227cf99d483a716

SHA512
90d8771efa7ac4229331c8d50cfda5efae484cd847a345d715d7a58b879a0c5c4cb5374e95f49204cfc77f9cc17119180f79218d2a8ff563995f5f3e2dfc1ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
6db2d2ceb22a030bd1caa72b32cfbf98

SHA1
fe50f35e60f88624a28b93b8a76be1377957618b

SHA256
7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4

SHA512
d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt
Filesize
83B

MD5
199f6c651d16ddc83fb7ea67ff9c8512

SHA1
96e8a0c8184071a1ba857e3455be8258d016b14b

SHA256
bf67eb0774989827ac742ceb9f516c25521e325011e92c2be5e1f107663f2ef8

SHA512
650394fcc4cb522f8fc1d9f18b3d61603e3aa06cba49a1d8e075be94544532f4b980837069e12c0ab21d230398fb9625cceccf6f21caa97e281ebce045b96d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
551ff71130272f57058a0641a2555957

SHA1
dcf1f39e90aae694db4fb34066781604d2d6aea4

SHA256
136394be9b9f850d42ed6d1f28236b2561f589aa7b73eabb811831cc8bd17ada

SHA512
daa40952a5065878f84730a9030fda9f7179121c53d6535abb7ab3e31230cb7b3a001f534c5f1b88e0be53417f60d0f2bb393388fdb91c387028108a86eb822c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
edf0dbd9fc2303324073e86995aa5ee7

SHA1
8940b271f98a0b27e44ab910792fd5883adacfdf

SHA256
6e939e743bee3d2cc9c8aa54352d60ef56d295b9b769eda12f30a29bb63eaaa2

SHA512
4dfcb552efdfc184ca610a9c37e68a98b7151415ed15219d68366c8c682e78b198c5ff7d6068ff8924950b2788b80acc9dac1b8c9f40e48e9e14daffcdcc529d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
fa9e0766f2cb1ea8d09f38b51a9bd282

SHA1
e4d9d56cb6bedd0e4c78cd2b48d89f21822640bf

SHA256
1cbe98a39a542099333731cfb8d2eadc74df96bfe5357b9d5ee3c3451893f2a4

SHA512
40ad61a61636e84c7fce45c05a3e19092dd0e21a0c1c9e09099869d6bdfaba5c83f12cefeaab46825f7e28c70930ff314714eda927cd6c074a8f829df1b456cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f43a7ef4c59dc05cc8e20b4d8c0f8d3d

SHA1
e20a5c0ef65eaa1fe8b4d4147bf58a55da52856f

SHA256
55a278fd115a5b2b890522c93c080173487fac4a30595e57ef1d7ded0fa8a3cd

SHA512
d76be099673461e52ac9aace831b0880fe9e045743662e060c10a498a0224bc2795e7a47d49a27d5257cdc491461890d3b8a5efcc11b8c61d264e29082165b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
901412d64c9216154822f0c173c1cc00

SHA1
bc700232fea15b9852ba04ee817e93a0fd203a00

SHA256
8a29633689119bbd9add3ea62109d1bfc3d5ccc329fc66fe0ce142fd0b80a22f

SHA512
c99a0825493a8a6a45043a6c0ec3e7f541f78a9ff9ae01e4caddefb50f8f1828ff932e7bb985a59654d42e2702766080a73c42e8c47a5f90ee37dc7ed2f6dac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
ad67da9f7e2c8da74af5ebe1bc940926

SHA1
f685ae6964b5a3303ea3289bda344acef8a52f1d

SHA256
f2846071c3a5217fa2e5a829c876a0662670c5d8e97651ffb97e3f7455cdd085

SHA512
1cc77e55fdfe93673199d9bb5a52480bbb81f1ad66bd2a564386aceaffaddd542b48ce63219053787349784355c5dad703826a21d0389652ae607160ad5c24d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exe
Filesize
418KB

MD5
0aca798eb9951ab0dd5e92723e3d2664

SHA1
33ecc4ff22947e411621c8f4cd4719cd95669194

SHA256
12e5e5bba84f2a618310f72a7fbb40e04bf2f221a13145b3a91bb4707d7130c1

SHA512
22f711e5d259d85c31786ad4d8cde81474514f4690fd0c2d108ebb6e27d54bdc88bb46ba4aafe1a2aca94fd70f92adf4829d37e89e9e32e545d926cc7ba2d942

Download Submit
C:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exe
Filesize
57KB

MD5
c05d63432c631c1df00966e53c77e7ee

SHA1
ca06fa80de0d2a8238cf010188d18db6b72d99f9

SHA256
498ba1566ab558a278e795c84f0c862412d34618eb21cbdb6fe29ebd59c2324d

SHA512
db4732ddc3e78b0018db144b7ca390ad501550d2a19ab8dbb244495f0894a307ff689f03af990cd4e75bb0d5e4fcc2e0df0bef0ab704ba37faee7941daab09f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000032001\InstallSetup7.exe
Filesize
237KB

MD5
04ed1e647c7265216fc38f76fe2b6a4f

SHA1
2f7443b24bc728e6126872a7dcb9886ffd384447

SHA256
74c6ab7bbac65791d3b29ac871746bf9f3b722bcbde657054dd048470156bba6

SHA512
f61b188521e0b2525a5f88433c61f87c72b8a4d2ec6eb7d38be379ecde434614ffc93e6c65e1190290c0982618f9e30f9927e748e27267696bc71c1a6e23cf61

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000032001\InstallSetup7.exe
Filesize
93KB

MD5
a9559f1830401418d0b13e2f5e3322a1

SHA1
6fbaeac1fef0a6feee1e63ccd3623a267dafc14a

SHA256
a9f36e33f098b6b34132d165c2fa3421de42f265245de4b3835018f1b00b73b7

SHA512
8d2f68a7388e55358e7f0a22be8ec2f67cd437785670feb2f4a211e6e170e6000c03027cde969ae44ac98d449d6ed0e10403fb9ab1d9c2bb27f868dde59c043d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000032001\InstallSetup7.exe
Filesize
73KB

MD5
361773f965380a3ecf448c69c40ab8d8

SHA1
94171a6a0ec5d8636aa8ea02f6bbe3cada235290

SHA256
8975f50bd29a85a071f606464899fe7ccd742f62aa60faef7b4cb53c132239b2

SHA512
0204697fe0eb5ac8809d63a55d6a0c21ab6534c1ef1448bf8b578736a276594152eefc967c4a92e1b0ea1577c4549e77f6f477f5f974fef8d33688b74b321840

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\toolspub2.exe
Filesize
242KB

MD5
73f9970b828c9a20375c8fb46d78e5e7

SHA1
dcda716a4bbb778ab9d5b68ba251df46a7d1f9c2

SHA256
ba785f0e83304a906ded9929e6c1c5b8e4dccb137d8ec23357b27f285a5df455

SHA512
a7d9d000419db255dc92e82c4a28bed183465984f2fe2cb56c01a39eb083d05e07c8f18e87060e080d2f171907aa42e5fb70bb9d12d910aadc036698136a04e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\toolspub2.exe
Filesize
226KB

MD5
1542f81eadd73b4e672ad4738f4bfe7d

SHA1
2a03123f339766fc7d956309c522fea43d11bcf5

SHA256
ab97be07699b3258512752c344651d0fb43dd1eaaf0e776ef0be84767208dd3c

SHA512
a8b3a9565dca9d3056fab47ff0eb70e2e4aa60c6716b90bf5425af6150c1df921006218b140690903eb5cf23ad047cdf87a972a6ba4be5f6552e2a1972716960

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000034001\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
197KB

MD5
f77613913b4055844ffec496af0acf1f

SHA1
9c78492681982fb2bf30b235b774e62e3937f295

SHA256
2ef1c710ad36527a3e40956e5001601ad52345c76503f45182def04925841a33

SHA512
92a54ee1e7569dc295c42c770b766037d7cfac945c0ee693aafc469ee7b1ccb4d13d992884c4091684139d908cc38763daf18e495e9ed9a3625c3161750459cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000034001\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
271KB

MD5
6777b97badac4680895cb01bca2ca381

SHA1
14bca44fb3c55d0fddeb3d1c8db7c92d871bc910

SHA256
9b26530f0e2ef4b4720538d68cf5e4497201ef04ca681c4c60b7d5bb2b1b5863

SHA512
01c70ef1a5e1b566224c19cdbfb07ca4b61c2ccc4ec1448f4f5939f279dbfd85bbf388a2421676eacbc93dfcbcfad370a6a742f44b5b0646858e7fdb98f12afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000034001\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1KB

MD5
bab5c52e523e421cf7a23cc43b5ab60b

SHA1
d0d8c86666f9bb0cc0dac952e30ccd037ed7ae2d

SHA256
e211e86b17fccea669b5ad161eee871d0e7de5a4a485b704686527b339923000

SHA512
22582d954ac99a284c5457ac0df0089ed3934cec95951077626dc1f83663fdbd542cebc6542d8c3ec8bf61b8774df2b120c7f73a52fd95011206950a88d2e3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000034001\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
187KB

MD5
e9085b7ebd4b7fff00f082b2d7abf318

SHA1
644d6ccb34f5e69f8162a1b4aa963cd618644566

SHA256
ff0b472a7b4699ad9d9cac7d727c799761294177491346f611ddd4d2b4e8b9e4

SHA512
e38f291c7b933bb4417a3dd63cf97412f5e729b59fd06668d98510ca8fea9979b0250d9d1d9ba7537bd7b9dc8464e6425fbf5d27a39fb508d0992eb1c88ba7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\etopt.exe
Filesize
125KB

MD5
8e8e374a9a7c79368ddd57bc69328591

SHA1
197d0c8de49ebd3b3e6954802708857c5a064107

SHA256
bd13a561813adf991e75c32321410825c1b608e1d587e66894c83a2cafeec19e

SHA512
14800c4c16e3279e32cc78947ea50a98385044c46666b539a91edce51b880697146ccd9587c53a46361af12307584dab559e1ba7a743b0d186ae9d94d4e9be5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\etopt.exe
Filesize
74KB

MD5
91a870b1ce105776c7d367d225136fec

SHA1
df41cb9eb11f4b20352932d96b4db7e9a3c1127e

SHA256
559d75109a6895b89cdf6aaf9d9abedee96c4cc89188bda674282d514591f372

SHA512
79a8a73a24c794a38fb5a35df514c886d89cb32931acf01332bfee254cbd43478feb03c49651e7b024672fd761015bb97ab570c2a07f52368954e9bba0afe6f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\etopt.exe
Filesize
45KB

MD5
7e54142d036b45720c4d53859b78b2dd

SHA1
ec2502c2be8adcc0da02c60a11eb7cb4d97330a5

SHA256
81346ca12268cf781aadac72cd7b275ae59fc030b7f9df63076f474b5e1a3efc

SHA512
7268c00ffd6d497ae06273f670d7d04e1546b54ee139e99ecfb3cab37622eff2b0979fa55f81397f9e32a2e5c592fc9e6cfbb28851ad9b1de837ff4b0d1f1deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\B362.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
455KB

MD5
90cb58df8a9cb1778e49eee8e2dd4aab

SHA1
7a6659e9916b82563b95b84678bade81848840e9

SHA256
c5383a1242e1b49c5738aaa891d214b39e3b51aa55e9e3429ddb1696b4ee566e

SHA512
bfbe5a5e3a7f96759952509a4e92ee27f17b4169480312801ed7a35e6d4c9a0d2e8f9eaba34a68236edcff10ad770bce2040244e0fbe5bd027625958fa7c6135

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBDD.exe
Filesize
119KB

MD5
8830ba007c39569e8faf3ef0d6ae11a8

SHA1
a7cd534fb2f4f0b04346065fe57e1b827c9af28c

SHA256
9f848d7a636877abf936f77ecb84882f8271c80e01aef11e09a5523e721b31c4

SHA512
964aa54a95271739427f513da2e0086e1a2fd61d67142cddde496d29debf0053055b659126f1b7131c909d675b02beb5e7089c01cad5b67cbf8d7f170a940b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBDD.exe
Filesize
136KB

MD5
4dc35a8c363f753bca4dc3fe5e79acd2

SHA1
65b97ac66005606c2bee5583ba6e7e5d2fcb9e6f

SHA256
b69edebd41750f0910c5851c1afa3a49618ec394507305b4ad30e2b9aaeb87e1

SHA512
1dcb0c18250f1ce28d466f50994448413627a429e5e9f39d027adc05732203a825bb3cb6709a156bd659ef563f943235b5d0c063196bd52ad667c2e5d4515152

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBDD.exe
Filesize
84KB

MD5
dd040de832006c884012bfaca968a033

SHA1
01c3fb4ee6ca302fb134be13c30f82eb9a5cb663

SHA256
5189b0aa164e68011d2201746db49845ff352f42bb3dd22c7baf26b64e6908c7

SHA512
041b8e7dc28cdfff1bedef2b901df9bd2aea74fa1be424f3233777a26a23be71c4067b869c62a2a634a7be8fcc9425a3504eb66cf37ebdb139df361a7f95368a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBDD.exe
Filesize
89KB

MD5
11772c0829348a71f8395b13ff7d4500

SHA1
58d117b1fa5f66ad97b917a1705a2a5cf9f24cef

SHA256
f582722755603e1b3bd73a079b627abf060b6ad127cb8914628828294ddcd0e7

SHA512
c351325304333cdb83a233885187c8c717f1bc74b7212062e61b1978667783216a8ac0ad59fa71ac75c0b36cdf5872561d7945280c18013455b8f57c35899f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBDD.exe
Filesize
136KB

MD5
e52e400e776ada74a55c17352aac456d

SHA1
108f9420900d0c72e2b190f8aee234774b00b318

SHA256
f63d7bec6e2b5f3669ec867b08177193dcafa571952c7286cfc697f8144e2853

SHA512
aa8ae93d18c6272a7575c1c4a2f647270ccf74cf0e6e222b62a4ae53b6f81148b1ed70db724a94a7b64d0dcb9c24aa54d3bf8cb23c961ec61115611f1cb3b956

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC78.exe
Filesize
134KB

MD5
3a78b0d2073716f97d718b1cd57793ea

SHA1
ae0dd9ccc445cfb159f7b94c878554e1897133b4

SHA256
9ae2c57fe705e5b4e7f0e2c732335412505269c1480453a99ae81dc51ebc0c40

SHA512
1d87e30f21ed5f50ad3b6f934071af79630707aba7960a7c0ad94506af7c7da0413094ab90745c224fdb538c40e82ad6e94c1550a1888d80e0fc64afead1c220

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC78.exe
Filesize
64KB

MD5
8c3d8db748bbf00b32fa96e9ae2339ab

SHA1
4cb3a7e5cf2971b34a96d1bc762833d50746feee

SHA256
1be48a1336bc5907cd4d50a0aedd18a4559476984c9f03c2c32078223246f5ed

SHA512
ed8ff2c6b0c05b5855bf83096ab4efc482d8b55eee3521c06828ebaba4a222c43e36aaeb79b802ac0ffbebe283b9e35ea11e9bb5bc2d3197494aa709435df689

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFD5.exe
Filesize
40KB

MD5
c99124f5dc0d67c0720ecb0d17dd4cbd

SHA1
bfa1508a5d2cd7bbedff5efe4d370b2c3af1e1e6

SHA256
2273f4064f6c00be50aa6b622a03a60eabc7eb5fefd2e7f44d9cec4369558009

SHA512
3148c54224ec609622c9acafd122d83a192009f43f77a11b3898f47869b20efff16898db3fa1d56ae0f435d82c36fc7a2021c94863d2b62504f5a8d85ae515b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFD5.exe
Filesize
48KB

MD5
d576fd172718a06fa7b6e9287b6662af

SHA1
83e1984dc8d56b071c54c0850f77fb803bb1d5b0

SHA256
7bc2cc7d49078ab59a9918bb5f499f7a2d4fde45b32e3f171efa3c118d815776

SHA512
b02d95c3a8f84a3a9eecfe802f9a78673df2c3e52cfa0cff35cfc7a6a65ac0f5aa428797e74f83fee34e13639c5901ecb7c7d41033bf2c6d14ac7c1f5e3d6db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
Filesize
165KB

MD5
db36923e34b37ca7ad2196664f23b71f

SHA1
395baabcf11a1acfd7adeb9c6a8fec32d2666a01

SHA256
04db38a673e1b333a8213f4805230da3a1a3e0bfc959d04436a08c1c61d9104c

SHA512
d70d71ce005ca076c88ad42de810d88971ef22e3d00a3c633de863fe60098b92140f67e6e25cb2a8ab488777268e34b21e1aaf5164dd8133e44b13b66a629bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
37KB

MD5
44e6cae773ef6cfbc3c64d19a610fc08

SHA1
134bbcd54d39f2bc450fe4de619dda5fc568a00e

SHA256
b255a0f42606071d323ee169ab2babd9525c220f5322349359e6b52b159393bd

SHA512
50f4efc20f1ac16dfd85f5eefdfff775c0313882d77c633c4310f398bc546508b71709de897fc56378d5529cd12050d55ffdd99bb7843f89c588951ab303f44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cuijwyts.ikj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
73KB

MD5
d0f69c5f4adc89f90ba9b179f1ea0691

SHA1
69c024afe67472d6fca48eba6899f282e3b3a3fc

SHA256
52a596cfec912093d5fa104063c38fad543f2ccb6460a85c13175d4b676dab58

SHA512
0e785c74903f67ec4371af65ad297e11e91efee85c6a257c4c28e1156278eb4cbec6bcb666d6d834d9552495f443a699ce488a47af1ffcb999f7edc78ce4ebe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
63KB

MD5
29295ee45a601a30412b55214a9de2b2

SHA1
824e618ef6081cb66f583c5b5786a703a63cc30d

SHA256
ce605bb4cdec4674dc75133f27c2069599043b6f17dce53a0892ad76d6611f82

SHA512
d6fb9331c9e12db6f63fbac870d98e2603b4653e9743ecc127ea59720445b649fab12acddde578538f62160747e0e42317a2b305fe1372256f8887674eedfc71

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4F0C.tmp\INetC.dll
Filesize
24KB

MD5
b623a10a9cd94328725b35b2c9554874

SHA1
f8c97858a88ea715ff882c7fd329a5391e686d72

SHA256
8524d4cfa1bd106edb187c08c90e8294aa48e81affcb0abd12fa826c0ccaf529

SHA512
3b33641ffdfb21e22c52a97ad23a766ef2677619eba1192bc823caa59ad7368453d80fd2a7b8b0dc27af6b8cf050963731639f5d5078ed73b28bcd2074ad80eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4F0C.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj76F6.tmp\Checker.dll
Filesize
41KB

MD5
8dcc038ce15a235ea9e22fc9663e4c40

SHA1
cc702c128e3035d42220bd504d6c061967d3726f

SHA256
64b23aa5ca4e2e516fae3d2480957d6f1065c91caa930e0ffac2bda1cadea76a

SHA512
bf81fee736e02680b2d5cd23dd360430b9bd97ad1f75ae9485e82b548f61b83a092c5e17a4d537a06ece6384003aeb9b7b9e7eac4a7ffb2b371160570bce6b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj76F6.tmp\Zip.dll
Filesize
76KB

MD5
0f459c2bd249a8b1f4b1b598d8e5299d

SHA1
ca47103107cd686d002cb1c3f362efc5750bfeb4

SHA256
acd3d2b809c320bb8b93385212bac23536bd6894e8e2638a5e85468ccd54fb3b

SHA512
1a7e6e48ee9d966a59082f2ad3b6405d8bbdc1a45f54dec1de9fd1a16b34bb0dc422683ecffd5dfb484db3c5c42caea410d49debeae50ba3979520834212afe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk52B7.tmp.exe
Filesize
85KB

MD5
48529d02fa0d05e833b1a9de0b978f0c

SHA1
d4ffdedb7c20f82592dfae39119f34f87e83e282

SHA256
ddb12512144f70baa5b420f3c40c20119554a6feca490330962e3aabf2605390

SHA512
9531bafff6fb96b65a400b2b389bddfd6477af809710b8e42a63f6b713886f89bfd5e12c330e9ff81735817f1e92d98cd4f23f8425620d9aaff683abc7d6bca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk52B7.tmp.exe
Filesize
104KB

MD5
ada5b5f4464cdf63e19134f343eafa7e

SHA1
889c7a1c1bbad12e28e71870056a2d9bf1b4436b

SHA256
942dcc252a39c5225495e02cda8c95e0050a9bf9f3ac2b361a3d2764fa33a24b

SHA512
24860cfe6cc8e005d5d385deae51036ce2c7edf0bb1b4eb57d51310348c6b5182b5c2482ec78aae7ad2b3be8d84882753bee1d7e4bc51c3cbc4d652279b760cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSgtb4AxacI0Zr\2jqyZJGqTPgeLogin Data For Account
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSgtb4AxacI0Zr\2jqyZJGqTPgeWeb Data
Filesize
92KB

MD5
02687bdd724237480b7a9065aa27a3ce

SHA1
585f0b1772fdab19ff1c669ff71cb33ed4e5589c

SHA256
9a535a05e405b789e9fdaf7eaf38e8673e4d0a8bd83768e72992282a69327d89

SHA512
f8ce4f6ad7211cbd17ba0cb574ac8f292727709479e059f4429a818d3b74dbe75d6e6f8cb5576b6bc7e3c1bd0b471127f0ddb38e816fad8aa44a77c15de7e6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSgtb4AxacI0Zr\8Po6yGsP6AQ3places.sqlite
Filesize
154KB

MD5
bcce82063d395dba983c8310eeb8a8fe

SHA1
44433d05fa98d5293e6414e9ec1ed98c642fa09c

SHA256
5318a3b45002b22b1b6e678b93109e76ccb0120fbb495146c17b273694da1e15

SHA512
d3dce97e4b8312cba9622ac8ebb9b40062f8f0ae56c86b225602e1fcccfd5f045e09bfcec3746333645af99974d52c89366cf145cb2f936939370f4e81f6c266

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSgtb4AxacI0Zr\rvLMZUsxzGWDWeb Data
Filesize
11KB

MD5
6a92d9ea9b89149f908d687c85e737cc

SHA1
a914c8eedb28684ea8bd6ae0ba81ec1086b81224

SHA256
d9ed11166f60016efe461d1007be157d960042ce16ae6774b81d1dc1d1c55110

SHA512
6014484b1fff03aba89aabc634db5f9fcd12136618a1bb67fe33597dbc0b38562f172ac41b4e2c1aeb46560d333dbc34a75fdcf8e2734daef8aef3d7b6da63d7

Download Submit
C:\Users\Admin\AppData\Local\b50aa38d-c41c-4296-892e-4de44f8349da\CBDD.exe
Filesize
75KB

MD5
327c29c222a5aaa5a8e8361d9a288d95

SHA1
5752d42bcfb6b719070395eacc6fccd809c23ac5

SHA256
bf53f880dc2200cc60b509d8f636257c180215bf627e979b25eab607ff7df627

SHA512
86893ee9a5c0faa857bdbdf84583becf081316e480e308d6630ea401209f8c02cc0168d025b192186c33d38712b29e2f3ec6f6ea1eaa72a73934865e3ab06d35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\ClocX.lnk
Filesize
1KB

MD5
9bce37aef3147f5899eff367f4a6fef3

SHA1
dfe25a567a64e839d429702b457fc8867a1a5eae

SHA256
f4a5cf110b02260c91821cd5119b882ba2397eb04af7cec70321ff78b9c4d42a

SHA512
7949be31c1f6537895779e8b6cd715c3083e40e6dcb0a44924480f44d2eb336cf9912d45fb886fe9e893730820048abb1f18725de22501b478d32352363f73a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\Uninstall.lnk
Filesize
806B

MD5
7a111265289c3fca696ce417015134ce

SHA1
8902436ab48d61137f406f77abd75fd0ed785f5c

SHA256
184445c219a7cca2281d9abf7dc969904aba414b9501e1a61a51b61e353e3c7c

SHA512
21c520f4bf0589cf24f5a919aa8669212ae11f4af397d822e6bd769f3dd2125553c0f9fff0e990dceea70f675494df5246728481a1a1eaeea04d1808e10752e1

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\UNION1.exe
Filesize
1KB

MD5
c07a25c1de1b97e98c9e1efe59e5314b

SHA1
a40a662d6d6a71cd11c90e82ffe20034ba05034d

SHA256
233ece8e93d8d648736e28af62e6140dfc733ff1ce91e4e3037c9c9444cec238

SHA512
76a4c2f8ee08d45e721f232eb68c8336612332144dc04121c0336eed1d900cc8becfe1fac2a09863107c78de8db4ade3f2ddb0cff2d7ffd4c2e86089ef2c4a1b

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\UNION1.exe
Filesize
45KB

MD5
7d4e032f93d9c8bb30b01903b5ece984

SHA1
029c6d6cd25324bf29d2ec6b353f3eae4a78c1d9

SHA256
cc05f7a34f5fa2a8ce477fde5b7df96eb5bd12a348a03d5e079a4602df5ec12f

SHA512
d01bf1c5dcf56521dc1f9474657c07ca7f10616f43588a2ade8837e1c75827cbcb656e72a3a44a712af8b5e63bff642589832c30aaf3374cbc17718f62033f0c

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\UNION1.exe
Filesize
31KB

MD5
e25ff6946e889b7ea6d06f15cdd3bf1e

SHA1
e1fb27a84b0d390d8f0a747f1f20fa8a57cf3036

SHA256
d3bd1d6736c50944392ee87a187e7eb2519378078cbfa6826ee1453b3ba9b08c

SHA512
985bba3b6f2382afc774bb3e0674971bc4bb360c6e8385d5f202fdde2ba5dfebcb67e28cca8f5ca2d4ca41d950033b5860bbea9f5c06801ee9ed27f686e211a3

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe
Filesize
43KB

MD5
d3319920495e38a873acffdee90aa58b

SHA1
ff4ccde5710e38f17e2102641f1ae71a032848ca

SHA256
5fe3d5dbc90890ac6e0ad0530edce3dc4fc6c93573a5f2dc42c49510834ba95c

SHA512
29c02a2ed2b9ab8e01a2f958af5439e48a64a3d2553604aba5ffe602d310fcedf42c6681231347824727381e30f15d105400c697d37433a658bf7146f3fefad3

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe
Filesize
9KB

MD5
f0a46d73ef11b020d89dc0c5f9ff9a4a

SHA1
84c331ba940275d84f14c73d8664952c05c540f9

SHA256
4cd3d7a2255a642c5fbb6976885497329d13c231c76a1cfcf351d4a1cb0ce221

SHA512
18223401c4f8df96c9975b81f2ee02e92c5c7c43aeae69978c746e95c3b1bb20f655e9d08c59845ffbb9edf3f52bf88744ced180ab836d6f1fceb10561bf2d35

Download Submit
C:\Users\Admin\AppData\Roaming\gjvebbb
Filesize
134KB

MD5
3fdf0dbc21ee12ac69f06f3dcaeeea94

SHA1
b251c42b08b1a66d639df62fbb2645cc2f4340b0

SHA256
7c12bae82c83520ff3fbce7a71b37a32bb4ab1350f630938e762b141732ae28f

SHA512
2e48a2d5b2f2bbc986e225fa698415b0578d136fe6e5a60fd16d57ffa34268eca66b6b3074698b2b3c509e293e2ea7fa42618574fbe75b9476c6939d89437753

Download Submit
C:\Users\Admin\AppData\Roaming\gjvebbb
Filesize
127KB

MD5
4d07b777e0d353e9e8c262e3a76e4f13

SHA1
acc41580a9499ccc42b31ee46b90283eda177ded

SHA256
729099c780d40ff631471a5b69eddbdcc185faa16c7390ac32d210698269378e

SHA512
0bd1bf2a54df282d522af62178c0f192deea6cad498116209764eb648b72e83266092981f99bd8b9dea8cc6f27948405d394f437ff947035fbb39b6a61f36814

Download Submit
C:\Users\Admin\AppData\Roaming\gjvebbb
Filesize
43KB

MD5
0646cf7b2dc271fc74318b00151bdf07

SHA1
ebac0806c5f98c138bc1fe9848e92a1437a91cf0

SHA256
c9c66b1f33ec21e1499529cc18c1c2df9b609b4a87706a0b45f3819806881fc7

SHA512
8ed8eeaae7a6c49bc29051356f1057ca02bc6738b832ade7d5bdbfd0c904d593afac52eb348001828404a063986c88036296dab48098dea98f8361cf61ab8cda

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
1KB

MD5
9cee3d42db12b6730abd6006c0ea5caa

SHA1
2cdcc595a9059dc7a98b402387b86e59a00eee23

SHA256
de069c7b57528619d648e3dba90219e370219e459c32d34e2491d20a985eec49

SHA512
d2dc0b09aa3556db0a13508c45082045e72fc75d67721f8858c62e3076890d661f6da95dedf8b2f88f7dc149292f4d9b8bb952d939cdb79dc2e7223f2e0af4d7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
309f5d79206b0c95179e58edb078f74d

SHA1
b11d8be4fc72dc922afadc55f9fe4776ca6a5a66

SHA256
5abc75d297970f02652a917066b14c76384123e02074edbb39c7ec13bd0a1eee

SHA512
b22faab4cc7c3ad4fe8aaa15ad5dabd2815ca04d170d812678c7133cb7a90d639697e36fc8f426e54a4620f3ace2a6ed2315bb083487233fd454055dfbaa4775

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
080fb04ce268f1dea2a8b6543fdbeb66

SHA1
bffa09608e25a3127dad95c581832f01c65d55f3

SHA256
08d755cd57f8c74c40e6e36c14dbcca28117a7e6eab6517843844c0124afe5c1

SHA512
5b77f862e821cf094db3d273fe9ff6e8639eda66a781cd625d784ea866b0976a46610bd2d0dc5fe1d937485ce5b9427004c4613626b4b521069434ecd4e0a120

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
5b885470c1b6c98209fa59f5b29f540b

SHA1
44319f359c123d1fd2f19ea3fd48ccce6ff1d7c4

SHA256
a56c70ff00e64aefe9bae414ac360c77e9799c01a6075d5fbdb06cdbc31476bb

SHA512
17ad6116cb14f9d6ca6a44ab194508370b9b65224c9b3d3f2dad23159e063d28daa52078ab754e52150163c3ce99d8420aaf5d9e0da9c98ae2c7ac7d701e87eb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
1ebb1defe95a79ac7637c83925154534

SHA1
996f8fcc97f2998ed103a4976b5f3cc187cceb24

SHA256
8e23749d379ce16faf8fc9e6b09825c5fb18ce38c067fa266639634ea12ad2b4

SHA512
8b8f811dacbef4041a2b7d08285ffce1746da45e8dbd897a9e236b71457421ff88a0fe8bc623a99b2a6c12b099fbccc2335fea26cd5783910294a12224010756

Download Submit
C:\Windows\rss\csrss.exe
Filesize
129KB

MD5
5a81a2a837b582a61859cf4206d34d33

SHA1
d60ddd7a954618f3e23a05b0a99bfc4a6bd8ef8a

SHA256
46cd13b63104cd430963ac4c8ba5148e1eee68803e8d1e0ec45719421d0e6d0d

SHA512
587ff943cc02a614ce48d9e4b1d0bc2da678bd0a215e6690ab86207074f55bd4af84122e0ea145d9bee74122109c7bc1997becadba65bb6b357faca641014d54

Download Submit
C:\Windows\rss\csrss.exe
Filesize
110KB

MD5
b54c0ab18008d83769b217a9f49f266e

SHA1
28d9b5e00f2fc058eaf22f817a8107dc676b58dd

SHA256
ee21d2b8542df706b69956858c2c19a2cdcb2c6ce62375449204f259faeb3ca8

SHA512
75ce4e000063aa977c87f81ffaf8bb6434394e10d09456e011101a862063732f1583d6baea5c7134c7bbee6bf389c7ede3210f6991d23fe5241f0906e7ac41ff

Download Submit
C:\Windows\windefender.exe
Filesize
88KB

MD5
a57c967b888cc45f860a42d8ec6a8eda

SHA1
2ad93473cd4ee9a9a44fd468615fa964e1748d5e

SHA256
fcd7aabaad002cae7f26a9007f60f0a28a072adca4b43ef82f9221a4d8da7384

SHA512
1c600eb448faa82b4d05a6d8c4089bef89079798bc61342a300f49ed419449ac874b00c393124be88aa30b278ec95f5ebd774b2058a8090d6bfd1e094a54b0ed

Download Submit
C:\Windows\windefender.exe
Filesize
174KB

MD5
a523c011ccbf0911fd9f728a3ddc1f35

SHA1
52609cad7aa68196e501ab11700c31a9d4bad0c7

SHA256
0dda93a7d5112580bf769bc9a3a70663011eb5fb0678cf5a1c3057fe066a99ff

SHA512
c37a719de5605c88cde15939f5f60951968ed7eac8d19b8bc4a6b3a149930c21fdd4585aaec7796372c88b63a4950c3f269573bf799c4db6e76c403a08cb7163

Download Submit
C:\Windows\windefender.exe
Filesize
59KB

MD5
3dd21900004cb72f5244cc1a998cc6c3

SHA1
aa52521de62e3ea4dda00efd525dd6de4bf648ff

SHA256
6d52cfe1db4716a694061879e541d076973d92d0cac7be0d037c11ced4323a3c

SHA512
f8cafec4f2422d4cbb4a06557ef1d5bca007a5ef1ec9ce462e36c0ee8b27e3a303a7c6fe93e704c439b19fac17743f308540e08bfba87da95399ff26e487736c

Download Submit
memory/1376-295-0x0000000071940000-0x00000000720F0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-305-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/1572-510-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2344-112-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2344-33-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2344-271-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2740-205-0x0000000002B70000-0x0000000002F69000-memory.dmp

Filesize
4.0MB

Download
memory/2740-106-0x0000000002B70000-0x0000000002F69000-memory.dmp

Filesize
4.0MB

Download
memory/2740-207-0x0000000002F70000-0x000000000385B000-memory.dmp

Filesize
8.9MB

Download
memory/2740-107-0x0000000002F70000-0x000000000385B000-memory.dmp

Filesize
8.9MB

Download
memory/2740-108-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2740-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2984-81-0x0000000000900000-0x000000000091C000-memory.dmp

Filesize
112KB

Download
memory/2984-203-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2984-294-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2984-177-0x0000000000950000-0x0000000000A50000-memory.dmp

Filesize
1024KB

Download
memory/2984-489-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2984-140-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2984-560-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2984-82-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2984-80-0x0000000000950000-0x0000000000A50000-memory.dmp

Filesize
1024KB

Download
memory/3260-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3260-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3260-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3376-113-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/3376-65-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3376-66-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/3524-132-0x0000000002630000-0x0000000002646000-memory.dmp

Filesize
88KB

Download
memory/4304-521-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4304-523-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4304-518-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4304-531-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4712-206-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4712-204-0x0000000002D70000-0x000000000365B000-memory.dmp

Filesize
8.9MB

Download
memory/4712-441-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4712-202-0x0000000002970000-0x0000000002D70000-memory.dmp

Filesize
4.0MB

Download
memory/4728-276-0x0000000004560000-0x0000000005188000-memory.dmp

Filesize
12.2MB

Download
memory/4728-273-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4728-280-0x00000000031D0000-0x000000000320A000-memory.dmp

Filesize
232KB

Download
memory/4728-269-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4880-498-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4880-550-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4912-537-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4912-541-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4912-539-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4972-135-0x00000000077A0000-0x0000000007816000-memory.dmp

Filesize
472KB

Download
memory/4972-180-0x0000000007E90000-0x0000000007F26000-memory.dmp

Filesize
600KB

Download
memory/4972-109-0x0000000003110000-0x0000000003146000-memory.dmp

Filesize
216KB

Download
memory/4972-114-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4972-115-0x00000000058A0000-0x0000000005EC8000-memory.dmp

Filesize
6.2MB

Download
memory/4972-111-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4972-116-0x0000000005840000-0x0000000005862000-memory.dmp

Filesize
136KB

Download
memory/4972-118-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/4972-117-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/4972-128-0x0000000006220000-0x0000000006574000-memory.dmp

Filesize
3.3MB

Download
memory/4972-110-0x0000000071940000-0x00000000720F0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-188-0x0000000071940000-0x00000000720F0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-182-0x0000000007E30000-0x0000000007E3E000-memory.dmp

Filesize
56KB

Download
memory/4972-184-0x0000000007F30000-0x0000000007F4A000-memory.dmp

Filesize
104KB

Download
memory/4972-185-0x0000000007E80000-0x0000000007E88000-memory.dmp

Filesize
32KB

Download
memory/4972-183-0x0000000007E40000-0x0000000007E54000-memory.dmp

Filesize
80KB

Download
memory/4972-158-0x000000007FA70000-0x000000007FA80000-memory.dmp

Filesize
64KB

Download
memory/4972-163-0x000000006E2D0000-0x000000006E31C000-memory.dmp

Filesize
304KB

Download
memory/4972-164-0x000000006E430000-0x000000006E784000-memory.dmp

Filesize
3.3MB

Download
memory/4972-181-0x0000000007DF0000-0x0000000007E01000-memory.dmp

Filesize
68KB

Download
memory/4972-175-0x0000000007C60000-0x0000000007D03000-memory.dmp

Filesize
652KB

Download
memory/4972-129-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/4972-178-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4972-179-0x0000000007DD0000-0x0000000007DDA000-memory.dmp

Filesize
40KB

Download
memory/4972-174-0x0000000007C40000-0x0000000007C5E000-memory.dmp

Filesize
120KB

Download
memory/4972-159-0x0000000007C00000-0x0000000007C32000-memory.dmp

Filesize
200KB

Download
memory/4972-138-0x00000000080D0000-0x000000000874A000-memory.dmp

Filesize
6.5MB

Download
memory/4972-139-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/4972-130-0x00000000067B0000-0x00000000067FC000-memory.dmp

Filesize
304KB

Download
memory/4972-131-0x0000000006BE0000-0x0000000006C24000-memory.dmp

Filesize
272KB

Download
memory/4980-288-0x0000000071940000-0x00000000720F0000-memory.dmp

Filesize
7.7MB

Download
memory/4980-275-0x00000000071B0000-0x00000000071C4000-memory.dmp

Filesize
80KB

Download
memory/4980-215-0x00000000055B0000-0x0000000005904000-memory.dmp

Filesize
3.3MB

Download
memory/4980-217-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/4980-214-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/4980-208-0x0000000071940000-0x00000000720F0000-memory.dmp

Filesize
7.7MB

Download
memory/4980-227-0x000000007F930000-0x000000007F940000-memory.dmp

Filesize
64KB

Download
memory/4980-229-0x000000006E450000-0x000000006E7A4000-memory.dmp

Filesize
3.3MB

Download
memory/4980-228-0x000000006E2D0000-0x000000006E31C000-memory.dmp

Filesize
304KB

Download
memory/4980-239-0x0000000006E70000-0x0000000006F13000-memory.dmp

Filesize
652KB

Download
memory/4980-250-0x0000000007160000-0x0000000007171000-memory.dmp

Filesize
68KB

Download