dcrat | a119e29e28a305d1333be5415f8b59c3bd958c2287e098a5b9d054c19459ae82

Analysis

max time kernel
84s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2023 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34c0a386e4a80eda74f0646b87943e6f.exe
Size

267KB
MD5

34c0a386e4a80eda74f0646b87943e6f
SHA1

af2244495eae1a491c50b95031c938dd2d4710ea
SHA256

a119e29e28a305d1333be5415f8b59c3bd958c2287e098a5b9d054c19459ae82
SHA512

35d8088b7d8c048deb0282e9f08716bf1cf2a1c8a5b109e727ade3c09b43866b6b7b168a10cf3913c0b94f54b7410a4c089558c717a39e72e501213812adc1fd
SSDEEP

6144:TbJLAxaHC3Q/QkZ6IKzjuPWLLc0R75JFNs:RMxeCo9Z6ruPYA0RHF

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.loqw
offline_id
NrqpaQRhQqq5l2tBPp1QS34I3ME2IKsAlZ0A9pt1
payload_url
http://brusuax.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-MhbiRFXgXD Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0838ASdw

rsa_pubkey.plain

Extracted

Family

redline

Botnet

@ytlogsbot

185.172.128.33:38294

Extracted

Family

redline

Botnet

1222-55000

193.233.132.72:36295

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

666

195.20.16.103:18305

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

34c0a386e4a80eda74f0646b87943e6f.exe80C6.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34c0a386e4a80eda74f0646b87943e6f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1d8d9fba-ad58-45f1-ad49-2f0f08fcb7b4\\80C6.exe\" --AutoStart"	80C6.exe
6224	schtasks.exe
2524	schtasks.exe

Detect ZGRat V1 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4976-75-0x0000000000400000-0x000000000059E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4976-74-0x00000000007A0000-0x0000000000932000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\UNION.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\UNION.exe	family_zgrat_v1
behavioral2/memory/3264-112-0x0000000000020000-0x000000000007A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2340-268-0x0000000000A30000-0x0000000000BC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2340-273-0x0000000000400000-0x000000000059E000-memory.dmp	family_zgrat_v1

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2192-36-0x0000000002630000-0x000000000274B000-memory.dmp	family_djvu
behavioral2/memory/1680-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1680-39-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1680-40-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1680-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1680-65-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2108-80-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2108-82-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2108-86-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe	family_redline
behavioral2/memory/1648-119-0x0000000000200000-0x0000000000252000-memory.dmp	family_redline
behavioral2/memory/3900-229-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/memory/6520-743-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

97E9.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 97E9.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	97E9.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

97E9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	97E9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	97E9.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

80C6.exe9C6E.exe1B3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	80C6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	9C6E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	1B3.exe

Deletes itself 1 IoCs

Processes:

pid process

3496

pid	process
3496

Executes dropped EXE 19 IoCs

Processes:

6A00.exe6A00.exe80C6.exe80C6.exe97E9.exe9C6E.exe80C6.exe80C6.exeUNION.exeytlogsbot.exeDB2D.exeConhost.exeF8C9.exe1B3.exeKy9AJ52.exeyw1fp45.exe1UP94XQ7.exeUNION.exeytlogsbot.exe

pid	process
2740	6A00.exe
1520	6A00.exe
2192	80C6.exe
1680	80C6.exe
1620	97E9.exe
4976	9C6E.exe
924	80C6.exe
2108	80C6.exe
3264	UNION.exe
1648	ytlogsbot.exe
1696	DB2D.exe
3196	Conhost.exe
4400	F8C9.exe
2340	1B3.exe
2232	Ky9AJ52.exe
4808	yw1fp45.exe
3540	1UP94XQ7.exe
1528	UNION.exe
3624	ytlogsbot.exe

Loads dropped DLL 20 IoCs

Processes:

Conhost.exe97E9.exe

pid	process
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
1620	97E9.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe
3196	Conhost.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1836 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1836	icacls.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\97E9.exe	themida
C:\Users\Admin\AppData\Local\Temp\97E9.exe	themida
behavioral2/memory/1620-89-0x0000000000260000-0x0000000000B5A000-memory.dmp	themida
behavioral2/memory/1620-238-0x0000000000260000-0x0000000000B5A000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

80C6.exeF8C9.exeKy9AJ52.exeyw1fp45.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1d8d9fba-ad58-45f1-ad49-2f0f08fcb7b4\\80C6.exe\" --AutoStart"	80C6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	F8C9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ky9AJ52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	yw1fp45.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

97E9.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 97E9.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

202 ipinfo.io
61 api.2ip.ua
62 api.2ip.ua
201 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

97E9.exe

pid process

1620 97E9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	97E9.exe

flow	ioc
202	ipinfo.io
61	api.2ip.ua
62	api.2ip.ua
201	ipinfo.io

pid	process
1620	97E9.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

34c0a386e4a80eda74f0646b87943e6f.exe6A00.exe80C6.exe80C6.exe97E9.exe

description	pid	process	target process
PID 2348 set thread context of 4832	2348	34c0a386e4a80eda74f0646b87943e6f.exe	34c0a386e4a80eda74f0646b87943e6f.exe
PID 2740 set thread context of 1520	2740	6A00.exe	6A00.exe
PID 2192 set thread context of 1680	2192	80C6.exe	80C6.exe
PID 924 set thread context of 2108	924	80C6.exe	80C6.exe
PID 1620 set thread context of 3900	1620	97E9.exe	jsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4384 2108 WerFault.exe 80C6.exe
7152 6244 WerFault.exe 4Ku695QB.exe

pid	pid_target	process	target process
4384	2108	WerFault.exe	80C6.exe
7152	6244	WerFault.exe	4Ku695QB.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

34c0a386e4a80eda74f0646b87943e6f.exe6A00.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34c0a386e4a80eda74f0646b87943e6f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34c0a386e4a80eda74f0646b87943e6f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34c0a386e4a80eda74f0646b87943e6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6A00.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6A00.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6A00.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

6224 schtasks.exe
2524 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3584 tasklist.exe

pid	process
6224	schtasks.exe
2524	schtasks.exe

pid	process
3584	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

34c0a386e4a80eda74f0646b87943e6f.exe

pid	process
4832	34c0a386e4a80eda74f0646b87943e6f.exe
4832	34c0a386e4a80eda74f0646b87943e6f.exe
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

34c0a386e4a80eda74f0646b87943e6f.exe6A00.exe

pid process

4832 34c0a386e4a80eda74f0646b87943e6f.exe
1520 6A00.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

ytlogsbot.exeUNION.exe

description	pid	process
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeDebugPrivilege	1648	ytlogsbot.exe
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeDebugPrivilege	3264	UNION.exe
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

1UP94XQ7.exe

pid process

3540 1UP94XQ7.exe
3496
3496
3540 1UP94XQ7.exe
3540 1UP94XQ7.exe
3540 1UP94XQ7.exe
3540 1UP94XQ7.exe
3540 1UP94XQ7.exe
3540 1UP94XQ7.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

1UP94XQ7.exe

pid process

3540 1UP94XQ7.exe
3540 1UP94XQ7.exe
3540 1UP94XQ7.exe
3540 1UP94XQ7.exe
3540 1UP94XQ7.exe
3540 1UP94XQ7.exe
3540 1UP94XQ7.exe

pid	process
3540	1UP94XQ7.exe
3496
3496
3540	1UP94XQ7.exe
3540	1UP94XQ7.exe
3540	1UP94XQ7.exe
3540	1UP94XQ7.exe
3540	1UP94XQ7.exe
3540	1UP94XQ7.exe

pid	process
3540	1UP94XQ7.exe
3540	1UP94XQ7.exe
3540	1UP94XQ7.exe
3540	1UP94XQ7.exe
3540	1UP94XQ7.exe
3540	1UP94XQ7.exe
3540	1UP94XQ7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

34c0a386e4a80eda74f0646b87943e6f.execmd.exe6A00.exe80C6.exe80C6.exe80C6.exe9C6E.exeDB2D.exe

description	pid	process	target process
PID 2348 wrote to memory of 4832	2348	34c0a386e4a80eda74f0646b87943e6f.exe	34c0a386e4a80eda74f0646b87943e6f.exe
PID 2348 wrote to memory of 4832	2348	34c0a386e4a80eda74f0646b87943e6f.exe	34c0a386e4a80eda74f0646b87943e6f.exe
PID 2348 wrote to memory of 4832	2348	34c0a386e4a80eda74f0646b87943e6f.exe	34c0a386e4a80eda74f0646b87943e6f.exe
PID 2348 wrote to memory of 4832	2348	34c0a386e4a80eda74f0646b87943e6f.exe	34c0a386e4a80eda74f0646b87943e6f.exe
PID 2348 wrote to memory of 4832	2348	34c0a386e4a80eda74f0646b87943e6f.exe	34c0a386e4a80eda74f0646b87943e6f.exe
PID 2348 wrote to memory of 4832	2348	34c0a386e4a80eda74f0646b87943e6f.exe	34c0a386e4a80eda74f0646b87943e6f.exe
PID 3496 wrote to memory of 2740	3496		6A00.exe
PID 3496 wrote to memory of 2740	3496		6A00.exe
PID 3496 wrote to memory of 2740	3496		6A00.exe
PID 3496 wrote to memory of 4508	3496		cmd.exe
PID 3496 wrote to memory of 4508	3496		cmd.exe
PID 4508 wrote to memory of 2584	4508	cmd.exe	reg.exe
PID 4508 wrote to memory of 2584	4508	cmd.exe	reg.exe
PID 2740 wrote to memory of 1520	2740	6A00.exe	6A00.exe
PID 2740 wrote to memory of 1520	2740	6A00.exe	6A00.exe
PID 2740 wrote to memory of 1520	2740	6A00.exe	6A00.exe
PID 2740 wrote to memory of 1520	2740	6A00.exe	6A00.exe
PID 2740 wrote to memory of 1520	2740	6A00.exe	6A00.exe
PID 2740 wrote to memory of 1520	2740	6A00.exe	6A00.exe
PID 3496 wrote to memory of 2192	3496		80C6.exe
PID 3496 wrote to memory of 2192	3496		80C6.exe
PID 3496 wrote to memory of 2192	3496		80C6.exe
PID 2192 wrote to memory of 1680	2192	80C6.exe	80C6.exe
PID 2192 wrote to memory of 1680	2192	80C6.exe	80C6.exe
PID 2192 wrote to memory of 1680	2192	80C6.exe	80C6.exe
PID 2192 wrote to memory of 1680	2192	80C6.exe	80C6.exe
PID 2192 wrote to memory of 1680	2192	80C6.exe	80C6.exe
PID 2192 wrote to memory of 1680	2192	80C6.exe	80C6.exe
PID 2192 wrote to memory of 1680	2192	80C6.exe	80C6.exe
PID 2192 wrote to memory of 1680	2192	80C6.exe	80C6.exe
PID 2192 wrote to memory of 1680	2192	80C6.exe	80C6.exe
PID 2192 wrote to memory of 1680	2192	80C6.exe	80C6.exe
PID 1680 wrote to memory of 1836	1680	80C6.exe	icacls.exe
PID 1680 wrote to memory of 1836	1680	80C6.exe	icacls.exe
PID 1680 wrote to memory of 1836	1680	80C6.exe	icacls.exe
PID 3496 wrote to memory of 1620	3496		97E9.exe
PID 3496 wrote to memory of 1620	3496		97E9.exe
PID 3496 wrote to memory of 1620	3496		97E9.exe
PID 1680 wrote to memory of 924	1680	80C6.exe	80C6.exe
PID 1680 wrote to memory of 924	1680	80C6.exe	80C6.exe
PID 1680 wrote to memory of 924	1680	80C6.exe	80C6.exe
PID 3496 wrote to memory of 4976	3496		9C6E.exe
PID 3496 wrote to memory of 4976	3496		9C6E.exe
PID 3496 wrote to memory of 4976	3496		9C6E.exe
PID 924 wrote to memory of 2108	924	80C6.exe	80C6.exe
PID 924 wrote to memory of 2108	924	80C6.exe	80C6.exe
PID 924 wrote to memory of 2108	924	80C6.exe	80C6.exe
PID 924 wrote to memory of 2108	924	80C6.exe	80C6.exe
PID 924 wrote to memory of 2108	924	80C6.exe	80C6.exe
PID 924 wrote to memory of 2108	924	80C6.exe	80C6.exe
PID 924 wrote to memory of 2108	924	80C6.exe	80C6.exe
PID 924 wrote to memory of 2108	924	80C6.exe	80C6.exe
PID 924 wrote to memory of 2108	924	80C6.exe	80C6.exe
PID 924 wrote to memory of 2108	924	80C6.exe	80C6.exe
PID 4976 wrote to memory of 3264	4976	9C6E.exe	UNION.exe
PID 4976 wrote to memory of 3264	4976	9C6E.exe	UNION.exe
PID 4976 wrote to memory of 3264	4976	9C6E.exe	UNION.exe
PID 4976 wrote to memory of 1648	4976	9C6E.exe	ytlogsbot.exe
PID 4976 wrote to memory of 1648	4976	9C6E.exe	ytlogsbot.exe
PID 4976 wrote to memory of 1648	4976	9C6E.exe	ytlogsbot.exe
PID 3496 wrote to memory of 1696	3496		DB2D.exe
PID 3496 wrote to memory of 1696	3496		DB2D.exe
PID 1696 wrote to memory of 3196	1696	DB2D.exe	Conhost.exe
PID 1696 wrote to memory of 3196	1696	DB2D.exe	Conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\34c0a386e4a80eda74f0646b87943e6f.exe
"C:\Users\Admin\AppData\Local\Temp\34c0a386e4a80eda74f0646b87943e6f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\34c0a386e4a80eda74f0646b87943e6f.exe
"C:\Users\Admin\AppData\Local\Temp\34c0a386e4a80eda74f0646b87943e6f.exe"
2⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4832

C:\Users\Admin\AppData\Local\Temp\6A00.exe
C:\Users\Admin\AppData\Local\Temp\6A00.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\6A00.exe
C:\Users\Admin\AppData\Local\Temp\6A00.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6AFB.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\80C6.exe
C:\Users\Admin\AppData\Local\Temp\80C6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\80C6.exe
C:\Users\Admin\AppData\Local\Temp\80C6.exe
2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\1d8d9fba-ad58-45f1-ad49-2f0f08fcb7b4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1836

C:\Users\Admin\AppData\Local\Temp\80C6.exe
"C:\Users\Admin\AppData\Local\Temp\80C6.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\80C6.exe
"C:\Users\Admin\AppData\Local\Temp\80C6.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 568
5⤵
- Program crash
PID:4384

C:\Users\Admin\AppData\Local\Temp\97E9.exe
C:\Users\Admin\AppData\Local\Temp\97E9.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
2⤵
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:7136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff974f546f8,0x7ff974f54708,0x7ff974f54718
4⤵
PID:6956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,1050898426249126093,904208127269624696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
4⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\9C6E.exe
C:\Users\Admin\AppData\Local\Temp\9C6E.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976

C:\Users\Admin\AppData\Roaming\configurationValue\UNION.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\UNION.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
3⤵
PID:2488

C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2108 -ip 2108
1⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\DB2D.exe
C:\Users\Admin\AppData\Local\Temp\DB2D.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\stub.exe
C:\Users\Admin\AppData\Local\Temp\DB2D.exe
2⤵
PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
3⤵
PID:2592

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:436

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\F8C9.exe
C:\Users\Admin\AppData\Local\Temp\F8C9.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4400

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ky9AJ52.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ky9AJ52.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2232

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw1fp45.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw1fp45.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4808

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UP94XQ7.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UP94XQ7.exe
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff974f546f8,0x7ff974f54708,0x7ff974f54718
6⤵
PID:1372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
6⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
6⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
6⤵
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
6⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
6⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
6⤵
PID:5660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
6⤵
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
6⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
6⤵
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
6⤵
PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
6⤵
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
6⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
6⤵
PID:180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
6⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
6⤵
PID:6228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6876 /prefetch:8
6⤵
PID:6664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2232,15953845443489262254,12656914944240497357,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6864 /prefetch:8
6⤵
PID:6656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
5⤵
PID:2788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff974f546f8,0x7ff974f54708,0x7ff974f54718
6⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8708281963271015822,17026255884753204737,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
6⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,8708281963271015822,17026255884753204737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
6⤵
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
5⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff974f546f8,0x7ff974f54708,0x7ff974f54718
6⤵
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,3263021836986822108,98336337387160224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
6⤵
PID:5904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3263021836986822108,98336337387160224,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
6⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
5⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff974f546f8,0x7ff974f54708,0x7ff974f54718
6⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
5⤵
PID:5124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff974f546f8,0x7ff974f54708,0x7ff974f54718
6⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
5⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff974f546f8,0x7ff974f54708,0x7ff974f54718
6⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
5⤵
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff974f546f8,0x7ff974f54708,0x7ff974f54718
6⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
5⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x168,0x16c,0x164,0x170,0x7ff974f546f8,0x7ff974f54708,0x7ff974f54718
6⤵
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login
5⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ku695QB.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ku695QB.exe
4⤵
PID:6244

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
5⤵
PID:7160

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- DcRat
- Creates scheduled task(s)
PID:6224

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
5⤵
PID:5296

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- DcRat
- Creates scheduled task(s)
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 3060
5⤵
- Program crash
PID:7152

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6wO5ns4.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6wO5ns4.exe
3⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UB0wd90.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UB0wd90.exe
2⤵
PID:3976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
3⤵
PID:6520

C:\Users\Admin\AppData\Local\Temp\1B3.exe
C:\Users\Admin\AppData\Local\Temp\1B3.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2340

C:\Users\Admin\AppData\Roaming\configurationValue\UNION.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\UNION.exe"
2⤵
- Executes dropped EXE
PID:1528

C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe"
2⤵
- Executes dropped EXE
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:6676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff974f546f8,0x7ff974f54708,0x7ff974f54718
4⤵
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6266604113566754370,1839956692962228608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
4⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6266604113566754370,1839956692962228608,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
4⤵
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,6266604113566754370,1839956692962228608,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
4⤵
PID:5872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6266604113566754370,1839956692962228608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
4⤵
PID:7044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6266604113566754370,1839956692962228608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
4⤵
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6266604113566754370,1839956692962228608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
4⤵
PID:7112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6266604113566754370,1839956692962228608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
4⤵
PID:6628

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6266604113566754370,1839956692962228608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
4⤵
PID:6236

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6266604113566754370,1839956692962228608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
4⤵
PID:5136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6266604113566754370,1839956692962228608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
4⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6266604113566754370,1839956692962228608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
4⤵
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6266604113566754370,1839956692962228608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
4⤵
PID:6708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "1B3.exe"
2⤵
PID:3116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3196

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff974f546f8,0x7ff974f54708,0x7ff974f54718
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6244 -ip 6244
1⤵
PID:4864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ac9f30591cfd1878c9676c64f9bb6db3

SHA1
41f872fff124774904c73e79ab6c34de86399276

SHA256
ffaaa6d6ce0550c17b6c3b709ae368da88a09cc063972fe9755e58b67f9a3bb4

SHA512
2dbfd74471986fdfe58e31a5e143dc572dd3c5da89e04347d0e633330059fecb5ea1094598cca4dbd78ee357a0d04909a30010f2ae621c368822d5abf6255ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
17242c1a46a0066b1f588997595e4bb9

SHA1
808cac0b7a961ef0e1d7a44747b507145329b9e0

SHA256
8da28210cdd4437fe75c91aa7935dd2e882c78d424e55248d32191f995546d27

SHA512
7eaed44f05d814628e5a4b361c11351064fe67581442b3ec11cfca3229737a7f99c59acc39b1275dc852b8b03bb1ef2b63f73ce676ee8b46443e46ebc923bfbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
79a2955fb9b7549b94b54e6ef89216a0

SHA1
5344266d2896429b18800b4d2594020271177e0e

SHA256
a47aaed5195f18b2cee081ea1e112004e4c6aca3df11650683e2b360e18c4786

SHA512
9ce925d0321a5992de0d925e840f27db90816d16bca6df0a6b69f7df0fa84e9ee4df883be72929517cb03d1b1e4cb94cb7603316469b048a20a926075bb6efcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f0cc0910580fe8dc59ad1ef712aba09a

SHA1
36567c21cc44fccc3dbbf17460b35c54fe2617ec

SHA256
e8d9500bfbbd8a6f4db54efa46f8bea97e726471fd09437ff183beb827d31343

SHA512
cb2c9b1b62f2c5fb03335d1e58870d4f98b48084acfb7cb756af49b124487477b5200d228095b9bea6ece98c063774bf95d930360057ff2a7675371b848f51ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
2b356054ad5f32f73ca9e7af3df00c23

SHA1
780f1cfd041239effc902a6f6e0e1a552f4532b6

SHA256
71595ecbee7c84ded367fc55d55dfc75dee2624f43777bd129787976b1b04989

SHA512
9d8c73ce850f268221faaa9b5e6762ab3993abacdc382062694eefdf8cd87916f90409e9698e9b7f9a7b7f541659fc2dc78f5823b2989ce89e2f5caf37654c21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
4f3b646a5e5b84bbe5a7b8d5f0088adf

SHA1
0c5bb4c7ac783a89dce7c730aa7074eee9c2fc50

SHA256
9922a69bd45d19e3b663855c3fc4fdcd368591df9a7869479da8ae905e827ffc

SHA512
fd1c6dcef33a485c168d97863c8768c6a7c6deef3c57252325c74bee0be3e26cdd7a6b9885d65af989cc96d9639b9b12153a0b4b3d34578769ab4c2993e093a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
14f7ae493adb1ef50e52fa70f3e17c07

SHA1
3b5da01df326a9c6fd25836807415779176df065

SHA256
f341784ff54b3a314c2488aeab9b5208cf9d2f09053109ab2bf28ed798404edf

SHA512
15d25f5d0358e57156bc4a33c75ac474723ea7b705dc9a0bc87b52e89354b20c6fc1c224234a254ef609f63add23d8f5a0bde32a8269777699b0a5f5c0890317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f407db0119fa9b92bf5aa81b8e9d8227

SHA1
813bc3abc7f18258fb0b2711e95a53d56db0754b

SHA256
20ee228f804f2627e17ac0663e4060bd019466fd25b362219f89a2bce1f7a53e

SHA512
d8bae0419b2e8126dd4daa7738a4fedd4550151a78144aa791e5def2c837003142fe33d304494088ed189f9f74e0154f78b7ed6cbc0b92d5b5ed20dc685231b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59b3f4.TMP
Filesize
1KB

MD5
fe51d6d94b3e0b647b189bcc8a93f33a

SHA1
78d87a223d01dbc4a86318aa88249e665241c32d

SHA256
7542ef3042a6a4a9d5806f43d7e591b27e583d7dc243851977286186f447c1ee

SHA512
4a3cfd2838595d017d591df6819de6a0444578aebb02bf28d8c6f4fd9b0521fd3867afdc9d40cb8ab5492cde25585618b8a6388d12657e63c4c6505775c3e632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
8a84ca9602978d96f16f1733af1fc924

SHA1
a571b92d1c94b268b1b375a3811c545771ae2c3e

SHA256
d7aec03882e4322d81d8dcb0100d2d45426c7614cc408456407453771777a83f

SHA512
08494b002a6eb2e29c276306041ebee2c39115f4341f9f7d3be51ccdd66a2f7ba76a02ba55ca745a2c65be27a199cb49a13c36d627ac7d7f118bc51673866d82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
7a7a9a1cd58d3e705ab09dadfc9d4d69

SHA1
81d40c56a3c0d09d001e098fffb63225a6af2568

SHA256
25e9e9d0842c23f853d0bf0bc76779e0979bcbb7df3eec55e805d03ec2bdb554

SHA512
6e9619c73258706c5deff086c9193cc74a7873e3131d7677fde0abf2e5125acb28bf989eb90457a865e8a1a3e6e6dcec0b5bfeae5cfb95b5047802b90ab6fd05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
59e9ffe225384a1954d8dc434a26551b

SHA1
19290b5a4e2fd08f3e20d0712c17e9fb26ab985f

SHA256
4eb02d4690d17247fc88a230d46aa8f1db9a0b839326a42e3dce70da909a435c

SHA512
5654579d5d39904bac05b343047b7998a108b1b97e184e05a368f72a9a19fab3dc2190a88ff6e2ed3b5784c2efab1e871f1e29231ae2b5d4481d04abe99dd5ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
0ae8c85ff295cc675349e8bdf877d5d7

SHA1
e1e79d5315edb3df6c924b7f793ee3828c647391

SHA256
ecfa0606e1e2a24ca9b5d03bc902c13d94c3cbeeac2d649d02d84aff9e23d3d1

SHA512
e39dc7f32f79e88a75d3738a6c3d6681b8419680d085ce33bf9af30440d499f2b1a16c44790a315954362a6704c233c59b8748baf23f48628b76c9cb12223efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A00.exe
Filesize
267KB

MD5
34c0a386e4a80eda74f0646b87943e6f

SHA1
af2244495eae1a491c50b95031c938dd2d4710ea

SHA256
a119e29e28a305d1333be5415f8b59c3bd958c2287e098a5b9d054c19459ae82

SHA512
35d8088b7d8c048deb0282e9f08716bf1cf2a1c8a5b109e727ade3c09b43866b6b7b168a10cf3913c0b94f54b7410a4c089558c717a39e72e501213812adc1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AFB.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\80C6.exe
Filesize
766KB

MD5
b00351548e4a93394c406962cbe0a415

SHA1
3691961ac9bd9684f27760bbac65a68dcdeac223

SHA256
4c81a08768206a6fd7a8568f7720ec20004d6493a4acb95576940d24403b7b47

SHA512
a0ab82ece04f39683b2143a0adff70b88093623768cd64acde909a057deb02f5112f2082eca459907aa0ee0da23b6bb37bcb6f840f4357032b51e92b789008ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\80C6.exe
Filesize
256KB

MD5
9cd724537b1e8489aa8f3216b054b103

SHA1
ce2fbc3345e0c730591b4ff13709eab5d3694f66

SHA256
68672aecb372e28d490b42c82fe006528b0c212744fcb6af014884c430e8e248

SHA512
5d7413a7b75745eeec0d61cc57df8fe28405a6bc8b92f27b3271573065ddc3a350ccf9bba46b84e8e38838cd6e2acb4fdc2a8451cc8a081988aa391c90824ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\97E9.exe
Filesize
3.6MB

MD5
c7047a5ac136206bf48baaabb96dce55

SHA1
7e775c0dff9461a64e2d82ac95fd302dfe083546

SHA256
015f86a0de5474de4da36935e46943f15b8239916602017540f17f2405e5aebb

SHA512
bbadbf365cc4f75b3c8e7f8bf630dea00ae20395ca287c47fda796f521c29fbc842a9f48f6cde621c681c6c395325781d3e9fd7163a7afa21ce1fbc54631420e

Download Submit
C:\Users\Admin\AppData\Local\Temp\97E9.exe
Filesize
3.5MB

MD5
de916ba3fcd00eb3ced57d8b42522be3

SHA1
c2ec30c62643f04b499c27b07855ec57c78be810

SHA256
0afe275baa0a4d2d62f0829388a8634e25172f7efe329aef7c21807537553ca0

SHA512
50134cb371a8527f57c30d51d6b53cd1f4e5ff9b78ef1ae879f781d24755eec01e635ef66a8a1a9a59cdf6067eaad9befdab3f6d70a56bcbbd91b94e21eabc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C6E.exe
Filesize
704KB

MD5
6f14e7ead29563fb578f8b1286bb3c47

SHA1
1d342eedf4cd57cb5392d3da10ade4a7d1e2555d

SHA256
50d10b06da70a9d4d61822ee96e2b72b1a721a35b655f9eb031076907695aea9

SHA512
75a683bac6b807fdebe3fb2693269a570fee6d77019154c348d41c07e6329c56532829fb542faee4f65e4bdd44e0b548b467afb6db5ad2e5dd802673560d8b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C6E.exe
Filesize
1.6MB

MD5
0c41e933923ba9ef887f26611ff200bc

SHA1
da548f2cd0daef68bb60a1374b13c91fd4a93282

SHA256
f83907391b8ac74e302687bf6ba3e902c8c6a78d9a1ce52c7e3b624ac4902c7e

SHA512
819bd4e845b012eeedff50c71af0b9d5ed010d729bb2d09ef558708ca2fd35d74b6e382ddc73275d223498c1b468763b435212bc1b316ea3f9e10c8d7f02e6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB2D.exe
Filesize
10.1MB

MD5
308e0bcd252818e879a218cc7130f0d2

SHA1
04cb536f4c7350cdf2d77cc5186c74e1de05250b

SHA256
75db3b03d58c146550e3ba4cec72351682aebf379468597f96d106570c0d9673

SHA512
6c2a27a8fceb0e650d3af0ab7f33776a268e7aeb3a2353588641c4853ef0fdcf4ff9f9f4fa3cfce48ceba9c17c57c4551515c12e5bbaccc565e17f9170bec959

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C9.exe
Filesize
768KB

MD5
0b4990c0ad3ca950f9f3617de92fb86a

SHA1
4a1e3762228fda498f757b12303da96544e84d37

SHA256
da57a2bb074e83b677c350dd9b0215c9861e19ff968e003f8e3ecfcc46fadfa6

SHA512
4de4405bb1e9dfe2cbe671fbeb73258fc24a0e9e8d89ecd27088e6825c8ca232c87d8cbfdc801d2db806f7d1abd2660cc2e8419c06f02dd90fad46ff6003c360

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
Filesize
2.7MB

MD5
da044811ca4ac1cc04b14153dccbbf37

SHA1
6495d9b495010f8c79116e519a8784e342141b8a

SHA256
7c31979024f0d5873af50e66b541135b095a0958d7c0203e01f366cfb2a8d1b8

SHA512
0352129b629768f0192f58e43ac097758f3aae0236de363638ce14a994bdb0f17e31882f6ae7a93643222f542ffb21cf492d3c18dbaf6ec5822c45a8c2ce33d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ky9AJ52.exe
Filesize
576KB

MD5
5fbee767d2d71b98593cb0df078e7bec

SHA1
92497df5877cc691978ba6a56fc175727dbfa3bc

SHA256
7da77aaceb9235755abce15d293474f82f68b932ad3d534852e3f9b028f6fa24

SHA512
dfde750f21ea39cd12c5217514239084e58a8e2b6a39cf84ffdb983bc7811628bc01796be83008086347dbdc943f712dc203cb7b527d81fcd089575e6d5164fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ky9AJ52.exe
Filesize
512KB

MD5
7c08f806b72a53298acecccb2c80ccba

SHA1
05253856348e9907f4a9df22f0c1294680f2ffff

SHA256
7dddde251415a53b597ecc48c3f87632d06a5d846f0fc6b2f1785badf01b4953

SHA512
08a6de2abf934853c3249effe250c9808d561b72ff9716bb00411cff403d95ffeb0433bfcf7b2942cd3f9b43ad81e368e16d278e8c04ae115bfd7ec98cdcac69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw1fp45.exe
Filesize
512KB

MD5
5c2954899c1f1b26634fe7b1fcf0a1af

SHA1
3bb34aacdf9c0ce376c4edc75cc853da4bae7585

SHA256
9a03456d1d053fab5f22c33c14c4dd5b1fd853ddffaa8607b31454613c71ab55

SHA512
436be5cff2bb600baa9a286c64860a4c8d1a3be1f0c05c401ffde27b23c6385522fe9aac530eb439312ba86d8cb18214bcad807b39f9a5b204ce4a32916383d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd
Filesize
62KB

MD5
6eb3c9fc8c216cea8981b12fd41fbdcd

SHA1
5f3787051f20514bb9e34f9d537d78c06e7a43e6

SHA256
3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010

SHA512
2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd
Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd
Filesize
192KB

MD5
fa9386104ba290a3cb2d5245213634d6

SHA1
557a44c9158661fef566c69741d3378fb1fcabf1

SHA256
1a73a900ad09b3d4114d3a488ffa7bd9a6fb27b82aea06d5a13a3244d5df2bbe

SHA512
7a49036c6ef5db30d5961c1c5b32bd57a076c42c8779fb71b790ef3908911a788c63bd3c6c4d6a7355c9a18ac8fa676304429370b54fbde43cf7580ea44221bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll
Filesize
2.0MB

MD5
963716183a408f278a14d13472070333

SHA1
d3e7dbaf57d3e26e6e3b96531be7bd4609e16542

SHA256
0f4e3ba82ec5615e4d04643d12ee66a73181f58947856b006a3aaef5ec7e836e

SHA512
f649a39d9e9c2613195e1337aeac7ee437f9d4dc5c8a154be8bcf0c1bb805be93c79f8b3e7979e18cb345c61921c422cf4d395239c5f059e96fbf98d8a14d615

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll
Filesize
320KB

MD5
d6a5b2fad6239caa1c980a52b872c199

SHA1
47c0991692a218c5e12ad576d8136e805d5518d4

SHA256
7f10177a5fbcdd4f9df5ac76bf7d0c43dd4e38c26ad9f96e612e1ed6e59e8109

SHA512
a6167830b3aeeb71a0d46cdc372f529852fec54ed0ad5b930cc8f0f07d3f89bd3eb7d4265acc0bf41918699a936d06402a5d324e2138385fe9c767928f0a5466

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
64KB

MD5
5b6a5655c58306d685a1f7ad321e17e3

SHA1
8b17616540e4e130f4d873a8c0a5d1e960a6d08f

SHA256
f9e63d9095a927c510420d9a9c97a8489e11570ae09e46efcf0738bd10630354

SHA512
d0cc0cfceb35a35f47d67b3ac1cdc73992b9b45506e2166879ef2b8319917167d2582c78672dd89a276e1c7ea0075df7c32a7e24cea7266bf497ec5a076fcf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\VCRUNTIME140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\_bz2.pyd
Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\_cffi_backend.pyd
Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\_ctypes.pyd
Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\_lzma.pyd
Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\_socket.pyd
Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\_ssl.pyd
Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\cryptography\hazmat\bindings\_rust.pyd
Filesize
4.2MB

MD5
f9a1925cf7f6ed0f31f0c6940a3de265

SHA1
c8580eed5bbafb60ca261e5b84e04d4c0afa6f1d

SHA256
f53adc71545594a354c4d1ffb92c5166231448ef6162967d006aa191d3a02e4d

SHA512
ab88b1962dc7700a3a9c99348db03c9d80d7937a408437c847dcbd14df44705d2d204b2478a7015647ed2b3fa53ac6ca1a3a232be8358a06f54f39fdade8f3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\libcrypto-1_1.dll
Filesize
704KB

MD5
443e394960b7e6b6de0612d7ead15f93

SHA1
cea43d5ee188a9ba5b68fa98f13c77cf210ea582

SHA256
2fa21eb245360507e22bcfe332613ebbd770ddac532f419371f534e58a528db7

SHA512
245578f4b273b26a168acab2a710d909757321e1caf45e2b3b9f053650f4f3a6e00b708f2d6232784e3c4be7f6cd620fcdddbcf0a55796b8c5ba5182c050f2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\libcrypto-1_1.dll
Filesize
1.8MB

MD5
d73f97f48d90c995e753efb950c0d971

SHA1
258906e84358d15e13d382ceeefa849dd0485de9

SHA256
5d376b9b47dd8c34540640fa23f78554bcee904cb82abea6783551712604fe6d

SHA512
51052ad4c5ced01bb0ecb2fc115505be79ca6be69a1e3fddb7fb58f51ed8a6342db4f48f61eca079a5b7c3c61ff8c4fbaf091e4fd56a7bfab8669b46fb3b1ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\libssl-1_1.dll
Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\python3.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\python3.dll
Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\python310.dll
Filesize
768KB

MD5
10a5836a88bc663466a0f3778c5c2505

SHA1
b53adb499fa1006a16de57115a0ef269ea219d0c

SHA256
1c97071fe2979d7bcdf4378e8373e6944efd64809dfa3916a3c5182738405f47

SHA512
bdc4447a6a2d4f4aa6a37303761318c6c49183d96e44eecb2f92069b28c0f9512a6e10bdaf3cf0a3452f2e22cd3468efd35901a2e8b4d6380a6d60da160245ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\python310.dll
Filesize
1.5MB

MD5
34d047558b80b04f85aa33ca8a5dcf1c

SHA1
8ce389327a8439c6e604788455484054233e3406

SHA256
c0ab0830547d739da2222b07936f0eb5c00e20307f5b5d3a22209debb8e29703

SHA512
d67bfbf42db53bddce1d3003901b140c6927c83429848a26f45e37a5ce7d92c3b7b11660dbabc2aa78cc9a53edb718f518fa1f3bafc9ac2933cf3cf88bda7c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\select.pyd
Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\sqlite3.dll
Filesize
384KB

MD5
ae52ba3e8927484044dcf122818d5c86

SHA1
a45f9bd99adf1135fb251f089664836eb76cb16c

SHA256
ac2811c45e4aee2c1505dc289060a6abc667fb1fedcdb757084a4199ad8a0981

SHA512
8b6681aef725289cb5be3b430baaa7f13d4ebd48543065afc883664de8fed4cbc50622cc51cbe9f3fe6f28ac05313c4ff8d2850a31dacde6afc1e237161263f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\stub.exe
Filesize
960KB

MD5
6480ead24f8bdac14ab96d567d46f9c7

SHA1
351dde495af6b05bd89267bb992da426db95bd19

SHA256
89dd7a1c37c8084b3239d1f87ca1e1cc05c95695702747816b474c042e328599

SHA512
f7cf9e503a284bf02be6ebcdedb3f82f2eca5e510f7dd0b59db7192ab053ecfcdffb6292553a6f5205915111f10b3f098e217ac2aa5ff2de46f4b5177798e4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1696_133476658446282407\stub.exe
Filesize
768KB

MD5
a6e21e14722d3cee0f7244c9b7855477

SHA1
4ce6892058f525e85116e794663eaf8807913493

SHA256
91c0724f3f3f5c5e9921bd868504de901bbec6e5f10dcd26bc020865de9d748a

SHA512
4b6064dc1c2a402a84d8358d909a760c4cf3f2dc9e64216d1b605faddb175713c7b54fdca54032c27e4e91de1a5394b2756117e3bbbb6b67599573c71a3c202f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSrbdYB3iVCS0v\UmwvwFB59AVpWeb Data
Filesize
92KB

MD5
ec564f686dd52169ab5b8535e03bb579

SHA1
08563d6c547475d11edae5fd437f76007889275a

SHA256
43c07a345be732ff337e3826d82f5e220b9474b00242e335c0abb9e3fcc03433

SHA512
aa9e3cb1ae365fd5a20439bca6f7c79331a08d2f7660a36c5b8b4f57a0e51c2392b8e00f3d58af479134531dc0e6b4294210b3633f64723abd7f4bc4db013df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSrbdYB3iVCS0v\a15ra9st6Sj6Web Data
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Filesize
4KB

MD5
d4910f56121ae1e3049ee0ed506ed5dc

SHA1
be48eba194f3e507873740cb844c7724ff4ba616

SHA256
ac70c1847bdf903a698de1badb72b9f9539ae9cc75cb3acc3062e4622977ee95

SHA512
c551d52823886f9cec7024457a06028526e8581f3dabd63646db57b9fa4760ccd9a295431cb1d037c20ead0be96f9fa21b04b8611a66429467ef538a8f0468d6

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\UNION.exe
Filesize
256KB

MD5
8f68e33b9da8e1a6672f2a823cb9d543

SHA1
d1137972ad43de5e674cd4774f02c2372e78c077

SHA256
d449cd9241d672a106fa3af5298fdfdd0aeb5edd7baa3eccb1d973319b45b67b

SHA512
7286f32faa514a2f9b57faebc72a5239d464826e74a4973946145d15c572dfcc225867e4f899c779f1abbac02d989a9c6d7c902560e46b56121aecc4458bccff

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\UNION.exe
Filesize
342KB

MD5
7d2ba453a3d3d26d6d242067ee81dbb3

SHA1
2f81f5162f29cc17e18eae200b506e553b9c68a7

SHA256
38e4a04d498d4d9d5bb840c977e20324bf8a974c58a47e2a68a0bf482e9e9849

SHA512
ab59ac0fcfd15e3d20a01fc3d1bc84856305f21720ef94d6165aa07dd9fd79e50e45bd33b69704bdb1cb053303726a81e801f9badf34ab22fb089539d537e5e5

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe
Filesize
300KB

MD5
f78b713b219c6121b4a44243f47eb4e5

SHA1
8e829736d2a1f3dc193f0b462c640635d5034d75

SHA256
5d38a31181639c578c4d7c2617bd528f9ad13ad6a1be32ce505af22a53343374

SHA512
54e1901195ef89eaf1cd083e286ce88733108dd317d35b41fb50396e420aad79dad030ee4ada1cd97f685334674d871f8c85b66a66b7285a746286fec049f153

Download Submit
memory/924-73-0x0000000002490000-0x000000000252B000-memory.dmp

Filesize
620KB

Download
memory/1520-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1620-189-0x0000000005E70000-0x0000000006002000-memory.dmp

Filesize
1.6MB

Download
memory/1620-59-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-176-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-54-0x0000000000260000-0x0000000000B5A000-memory.dmp

Filesize
9.0MB

Download
memory/1620-55-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-177-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-56-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-58-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-174-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-62-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-63-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-69-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-125-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-124-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-64-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-71-0x00000000775A4000-0x00000000775A6000-memory.dmp

Filesize
8KB

Download
memory/1620-122-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/1620-212-0x0000000006320000-0x0000000006330000-memory.dmp

Filesize
64KB

Download
memory/1620-218-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-89-0x0000000000260000-0x0000000000B5A000-memory.dmp

Filesize
9.0MB

Download
memory/1620-224-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1620-226-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1620-227-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1620-228-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-230-0x00000000066F0000-0x00000000067F0000-memory.dmp

Filesize
1024KB

Download
memory/1620-231-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-92-0x00000000058C0000-0x0000000005E64000-memory.dmp

Filesize
5.6MB

Download
memory/1620-225-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1620-93-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/1620-94-0x0000000005450000-0x00000000054EC000-memory.dmp

Filesize
624KB

Download
memory/1620-237-0x0000000076410000-0x0000000076500000-memory.dmp

Filesize
960KB

Download
memory/1620-118-0x0000000000260000-0x0000000000B5A000-memory.dmp

Filesize
9.0MB

Download
memory/1620-238-0x0000000000260000-0x0000000000B5A000-memory.dmp

Filesize
9.0MB

Download
memory/1648-121-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1648-119-0x0000000000200000-0x0000000000252000-memory.dmp

Filesize
328KB

Download
memory/1648-275-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1680-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1680-65-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1680-39-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1680-40-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1680-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1696-451-0x00007FF7C7290000-0x00007FF7C7D54000-memory.dmp

Filesize
10.8MB

Download
memory/1696-414-0x00007FF7C7290000-0x00007FF7C7D54000-memory.dmp

Filesize
10.8MB

Download
memory/1696-267-0x00007FF7C7290000-0x00007FF7C7D54000-memory.dmp

Filesize
10.8MB

Download
memory/2108-86-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2108-82-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2108-80-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2192-36-0x0000000002630000-0x000000000274B000-memory.dmp

Filesize
1.1MB

Download
memory/2192-35-0x0000000002590000-0x000000000262C000-memory.dmp

Filesize
624KB

Download
memory/2340-274-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2340-268-0x0000000000A30000-0x0000000000BC2000-memory.dmp

Filesize
1.6MB

Download
memory/2340-273-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2348-1-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/2348-2-0x0000000000940000-0x0000000000949000-memory.dmp

Filesize
36KB

Download
memory/2740-22-0x0000000000AC0000-0x0000000000BC0000-memory.dmp

Filesize
1024KB

Download
memory/3196-271-0x00007FF6315B0000-0x00007FF6328A7000-memory.dmp

Filesize
19.0MB

Download
memory/3196-409-0x00007FF6315B0000-0x00007FF6328A7000-memory.dmp

Filesize
19.0MB

Download
memory/3264-130-0x00000000049B0000-0x00000000049FC000-memory.dmp

Filesize
304KB

Download
memory/3264-123-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/3264-127-0x0000000004910000-0x0000000004922000-memory.dmp

Filesize
72KB

Download
memory/3264-128-0x0000000004A40000-0x0000000004B4A000-memory.dmp

Filesize
1.0MB

Download
memory/3264-129-0x0000000004970000-0x00000000049AC000-memory.dmp

Filesize
240KB

Download
memory/3264-263-0x0000000007080000-0x00000000075AC000-memory.dmp

Filesize
5.2MB

Download
memory/3264-120-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/3264-256-0x0000000005CC0000-0x0000000005D10000-memory.dmp

Filesize
320KB

Download
memory/3264-131-0x0000000004D50000-0x0000000004DB6000-memory.dmp

Filesize
408KB

Download
memory/3264-126-0x0000000004ED0000-0x00000000054E8000-memory.dmp

Filesize
6.1MB

Download
memory/3264-132-0x0000000005910000-0x0000000005986000-memory.dmp

Filesize
472KB

Download
memory/3264-133-0x0000000005A30000-0x0000000005A4E000-memory.dmp

Filesize
120KB

Download
memory/3264-259-0x00000000066A0000-0x0000000006862000-memory.dmp

Filesize
1.8MB

Download
memory/3264-112-0x0000000000020000-0x000000000007A000-memory.dmp

Filesize
360KB

Download
memory/3496-5-0x0000000002DD0000-0x0000000002DE6000-memory.dmp

Filesize
88KB

Download
memory/3496-711-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3496-30-0x0000000008180000-0x0000000008196000-memory.dmp

Filesize
88KB

Download
memory/3900-236-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/3900-232-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/3900-229-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4832-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4832-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4832-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4976-88-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/4976-74-0x00000000007A0000-0x0000000000932000-memory.dmp

Filesize
1.6MB

Download
memory/4976-75-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/6520-743-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download