lumma | bd09222e00af329436f92ffddb3d0b35bc2ba06142c28731a7701b1f02d035ab

Analysis

max time kernel
99s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebeca8f1f9b546f1ad993fc44dbd2f21.exe
Size

2.5MB
MD5

ebeca8f1f9b546f1ad993fc44dbd2f21
SHA1

cc81ced0e6f1fa731760a2e4a4d9a595775d6fa2
SHA256

bd09222e00af329436f92ffddb3d0b35bc2ba06142c28731a7701b1f02d035ab
SHA512

0d0b4bbbaee453493aa8ef716c475ee4d19c9fdfc67a6d34eb7134802ed51b8c8307db25093139eb2c0bb781d208795f367a9249397917428f2e41a81d62443d
SSDEEP

49152:P2/0Xf262LogWwJYgpW0VAyIYUA8nxuGYaxX2DdM200D3fimSLXzHqqq8XQ1uRik:Xf+cgWwJYLynZuud54yqmSLtX6uR2M

Score

10^/10

lumma redline smokeloader 777 up3 backdoor collection evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

777

195.20.16.103:20440

Extracted

Family

lumma

http://soupinterestoe.fun/api

Signatures

Detect Lumma Stealer payload V4 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2316-552-0x00000000024D0000-0x000000000254C000-memory.dmp	family_lumma_v4
behavioral2/memory/2316-553-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4
behavioral2/memory/2316-554-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

5Pd0rG4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	5Pd0rG4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	5Pd0rG4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	5Pd0rG4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	5Pd0rG4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5Pd0rG4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	5Pd0rG4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	5Pd0rG4.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3404-1156-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

372 netsh.exe
Drops startup file 1 IoCs

Processes:

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
Executes dropped EXE 8 IoCs

Processes:

VE5Mz98.exewE2zK42.exe2jn0196.exe5Pd0rG4.exe6IO7Lk6.exe7rA1Wi85.exe98D0.exeC9B5.exe

pid process

3648 VE5Mz98.exe
2296 wE2zK42.exe
3240 2jn0196.exe
2896 5Pd0rG4.exe
2316 6IO7Lk6.exe
6076 7rA1Wi85.exe
1076 98D0.exe
1800 C9B5.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

2896

pid	process
372	netsh.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

pid	process
3648	VE5Mz98.exe
2296	wE2zK42.exe
3240	2jn0196.exe
2896	5Pd0rG4.exe
2316	6IO7Lk6.exe
6076	7rA1Wi85.exe
1076	98D0.exe
1800	C9B5.exe

pid	process
2896

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

5Pd0rG4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	5Pd0rG4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5Pd0rG4.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ebeca8f1f9b546f1ad993fc44dbd2f21.exeVE5Mz98.exewE2zK42.exe5Pd0rG4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ebeca8f1f9b546f1ad993fc44dbd2f21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	VE5Mz98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	wE2zK42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	5Pd0rG4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

74 ipinfo.io
160 api.ipify.org
72 ipinfo.io

flow	ioc
74	ipinfo.io
160	api.ipify.org
72	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jn0196.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jn0196.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

5Pd0rG4.exe

pid process

2896 5Pd0rG4.exe
2896 5Pd0rG4.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3128 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

5484 2896 WerFault.exe 5Pd0rG4.exe
3284 2316 WerFault.exe 6IO7Lk6.exe
5300 6104 WerFault.exe toolspub2.exe

pid	process
2896	5Pd0rG4.exe
2896	5Pd0rG4.exe

pid	process
3128	sc.exe

pid	pid_target	process	target process
5484	2896	WerFault.exe	5Pd0rG4.exe
3284	2316	WerFault.exe	6IO7Lk6.exe
5300	6104	WerFault.exe	toolspub2.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7rA1Wi85.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7rA1Wi85.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7rA1Wi85.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7rA1Wi85.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3632 schtasks.exe
5160 schtasks.exe
4084 schtasks.exe
5248 schtasks.exe

pid	process
3632	schtasks.exe
5160	schtasks.exe
4084	schtasks.exe
5248	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exepowershell.exeidentity_helper.exe7rA1Wi85.exe

pid	process
4340	msedge.exe
4340	msedge.exe
1684	msedge.exe
1684	msedge.exe
4776	msedge.exe
4776	msedge.exe
1216	msedge.exe
1216	msedge.exe
5480	powershell.exe
5480	powershell.exe
5480	powershell.exe
5224	identity_helper.exe
5224	identity_helper.exe
2896
2896
6076	7rA1Wi85.exe
6076	7rA1Wi85.exe
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

7rA1Wi85.exe

pid process

6076 7rA1Wi85.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4776 msedge.exe
4776 msedge.exe
4776 msedge.exe
4776 msedge.exe
4776 msedge.exe
4776 msedge.exe
4776 msedge.exe
4776 msedge.exe
4776 msedge.exe

pid	process
6076	7rA1Wi85.exe

pid	process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

5Pd0rG4.exepowershell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2896	5Pd0rG4.exe
Token: SeDebugPrivilege	5480	powershell.exe
Token: 33	5680	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5680	AUDIODG.EXE
Token: SeShutdownPrivilege	3596
Token: SeCreatePagefilePrivilege	3596
Token: SeShutdownPrivilege	3596
Token: SeCreatePagefilePrivilege	3596

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

2jn0196.exemsedge.exe

pid	process
3240	2jn0196.exe
3240	2jn0196.exe
3240	2jn0196.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
3596
3596

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

2jn0196.exemsedge.exe

pid	process
3240	2jn0196.exe
3240	2jn0196.exe
3240	2jn0196.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5Pd0rG4.exe

pid process

2896 5Pd0rG4.exe

pid	process
2896	5Pd0rG4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ebeca8f1f9b546f1ad993fc44dbd2f21.exeVE5Mz98.exewE2zK42.exe2jn0196.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4952 wrote to memory of 3648	4952	ebeca8f1f9b546f1ad993fc44dbd2f21.exe	VE5Mz98.exe
PID 4952 wrote to memory of 3648	4952	ebeca8f1f9b546f1ad993fc44dbd2f21.exe	VE5Mz98.exe
PID 4952 wrote to memory of 3648	4952	ebeca8f1f9b546f1ad993fc44dbd2f21.exe	VE5Mz98.exe
PID 3648 wrote to memory of 2296	3648	VE5Mz98.exe	wE2zK42.exe
PID 3648 wrote to memory of 2296	3648	VE5Mz98.exe	wE2zK42.exe
PID 3648 wrote to memory of 2296	3648	VE5Mz98.exe	wE2zK42.exe
PID 2296 wrote to memory of 3240	2296	wE2zK42.exe	2jn0196.exe
PID 2296 wrote to memory of 3240	2296	wE2zK42.exe	2jn0196.exe
PID 2296 wrote to memory of 3240	2296	wE2zK42.exe	2jn0196.exe
PID 3240 wrote to memory of 4776	3240	2jn0196.exe	msedge.exe
PID 3240 wrote to memory of 4776	3240	2jn0196.exe	msedge.exe
PID 3240 wrote to memory of 1908	3240	2jn0196.exe	msedge.exe
PID 3240 wrote to memory of 1908	3240	2jn0196.exe	msedge.exe
PID 1908 wrote to memory of 4964	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 4964	1908	msedge.exe	msedge.exe
PID 4776 wrote to memory of 4128	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 4128	4776	msedge.exe	msedge.exe
PID 3240 wrote to memory of 4568	3240	2jn0196.exe	msedge.exe
PID 3240 wrote to memory of 4568	3240	2jn0196.exe	msedge.exe
PID 4568 wrote to memory of 4144	4568	msedge.exe	msedge.exe
PID 4568 wrote to memory of 4144	4568	msedge.exe	msedge.exe
PID 2296 wrote to memory of 2896	2296	wE2zK42.exe	5Pd0rG4.exe
PID 2296 wrote to memory of 2896	2296	wE2zK42.exe	5Pd0rG4.exe
PID 2296 wrote to memory of 2896	2296	wE2zK42.exe	5Pd0rG4.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe
PID 4776 wrote to memory of 3156	4776	msedge.exe	msedge.exe

outlook_office_path 1 IoCs

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path 1 IoCs

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

C:\Users\Admin\AppData\Local\Temp\ebeca8f1f9b546f1ad993fc44dbd2f21.exe
"C:\Users\Admin\AppData\Local\Temp\ebeca8f1f9b546f1ad993fc44dbd2f21.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4952

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VE5Mz98.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VE5Mz98.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wE2zK42.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wE2zK42.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jn0196.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jn0196.exe
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8c58146f8,0x7ff8c5814708,0x7ff8c5814718
6⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
6⤵
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
6⤵
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
6⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
6⤵
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
6⤵
PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
6⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
6⤵
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5460 /prefetch:8
6⤵
PID:312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5456 /prefetch:8
6⤵
PID:5740

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6608 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6608 /prefetch:8
6⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
6⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
6⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
6⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
6⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,18051660096270617378,13888034703500749157,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5216 /prefetch:2
6⤵
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
5⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,6391798055350264226,8805283758683151919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
5⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,5221615192291300742,8434519299737819240,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
6⤵
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,5221615192291300742,8434519299737819240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4340

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Pd0rG4.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Pd0rG4.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5480

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
5⤵
PID:5720

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3632

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
5⤵
PID:5932

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 3052
5⤵
- Program crash
PID:5484

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6IO7Lk6.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6IO7Lk6.exe
3⤵
- Executes dropped EXE
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1004
4⤵
- Program crash
PID:3284

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rA1Wi85.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rA1Wi85.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:6076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8c58146f8,0x7ff8c5814708,0x7ff8c5814718
1⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff8c58146f8,0x7ff8c5814708,0x7ff8c5814718
1⤵
PID:4964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5384

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8 0x3e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2896 -ip 2896
1⤵
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2316 -ip 2316
1⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\98D0.exe
C:\Users\Admin\AppData\Local\Temp\98D0.exe
1⤵
- Executes dropped EXE
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,15937154171730003239,10505468087757821723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
4⤵
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,15937154171730003239,10505468087757821723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3
4⤵
PID:3180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15937154171730003239,10505468087757821723,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
4⤵
PID:1992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15937154171730003239,10505468087757821723,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
4⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15937154171730003239,10505468087757821723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
4⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15937154171730003239,10505468087757821723,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
4⤵
PID:2052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15937154171730003239,10505468087757821723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
4⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15937154171730003239,10505468087757821723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
4⤵
PID:1976

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15937154171730003239,10505468087757821723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
4⤵
PID:116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15937154171730003239,10505468087757821723,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
4⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15937154171730003239,10505468087757821723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
4⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15937154171730003239,10505468087757821723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
4⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\C9B5.exe
C:\Users\Admin\AppData\Local\Temp\C9B5.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
2⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\nsmEF5F.tmp.exe
C:\Users\Admin\AppData\Local\Temp\nsmEF5F.tmp.exe
3⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
PID:5320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
PID:2344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:3404

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1912

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:3252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:640

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:3128

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4728

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:5864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:2952

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:5248

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
PID:6080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
2⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\is-VEA9E.tmp\tuc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VEA9E.tmp\tuc4.tmp" /SL5="$110172,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
3⤵
PID:5976

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 23
4⤵
PID:5136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 23
5⤵
PID:3952

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -i
4⤵
PID:5616

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -s
4⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\etopt.exe
"C:\Users\Admin\AppData\Local\Temp\etopt.exe"
2⤵
PID:5876

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
1⤵
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 328
2⤵
- Program crash
PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6104 -ip 6104
1⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\FC10.exe
C:\Users\Admin\AppData\Local\Temp\FC10.exe
1⤵
PID:412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c58146f8,0x7ff8c5814708,0x7ff8c5814718
1⤵
PID:4292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4752

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
1⤵
PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3E4A.bat" "
1⤵
PID:376

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
1⤵
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\411A.bat" "
1⤵
PID:3324

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BGCBGCAFIIECBFIDHIJK
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\CFIIIJJKJKFHIDGDBAKJEBKEGC
Filesize
15KB

MD5
8701021dfc2da6e5c0c16373eef2adb4

SHA1
1298e3a253a45a0c5d22275c50117463f7df4027

SHA256
46fe171ed6e533d557ff9cfb5afc7bb2c7a36c4febdd8533b0435920c8f1d249

SHA512
3aa8105e5f9bec695ba2872cc4c1aa77e243fce7fe37eb6365a0b45db667fa0125a2eecad8124d39cd7ff3ab86db680e6a6a23074094a52cd1287c5d7141bdbe

Download Submit
C:\ProgramData\mozglue.dll
Filesize
12KB

MD5
9e6597688eb7c19c9adc34791b0837bf

SHA1
f90a3ac9c596390d7907c91260744b4343417e2f

SHA256
e2f1dfdff9b8fc126ea1f6a70d2b2a80729feeb6f3d56f747a644541a1c41251

SHA512
d320b536323246b0d14bba51ccb5a66aca03e647629550e34a222e42ab28089e33b8c75c47ad3378e9fc51d53c8ab243ed70d0ad3052ee0189b863e785ec07e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
29018118391f2380d76860b5a2a86e81

SHA1
37752128ba0fd80f73d5de77e893dd7582051d85

SHA256
f0d559b34486cef130ec0cbf58c5e8ab7337c994ba01df89f3ad1cbe17a8ca25

SHA512
941554096c8ea8c70e8d3a7014b38dcc7f6b8adb787a68479c4b6696d53674dc3485866929979924d77d3864cc92eea51bfc0ee0fc01cb51511726535c658a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8477f4e53e7ee594259a20b717b70aa0

SHA1
4d724a8b79010e4f3db751a4f6222f659591d052

SHA256
e0ae4a303455e32bede89462ef86b363158002f2df83390d6229fcd6e3424a66

SHA512
341d2903eb931fa877b7cedb8abe48813019f538189d74a3c907c0cbeb2c43217118f7b4d28a0f9686362266c19d584e434b582a19f90512204dcb11028ae07e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a1d28b5eda8ec0917a7e1796d3aa193

SHA1
5604a535bf3e5492b9bf3ade78ca7d463a4bfdb2

SHA256
dfaf6313fd293f6013f58fb6790fd38ca2f04931403267b7a6aef7bfa81d50bb

SHA512
51b5bec82ff9ffb45fee5c9dd1d51559c351253489ea83a66e290459975d8ca899cde4f3bb5afbaa7a3f0b169f87a7514d8df88baaeec5bd72d190fd6d3e041b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
aee443b44c8ea48622ccaf436ab78b02

SHA1
298ac378ef000faaf6ea4e361001db8fb21f2bbc

SHA256
1038433f572911acd5d2eed20acd16b1b0086ccbfd631cce416934e8667ff7d7

SHA512
230a812c7d396381f55615559d3dcd7ca965fc130fd70137a9cb3c89ce091e0e59778f834c083d448fa7b323264700c174169b0868d9b54730bf707828b4394b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
Filesize
624B

MD5
70e6a68422b420c623c55e16e33bad8d

SHA1
841309624c6946abd7f7fb56721c65cb636d2f78

SHA256
1a0958d0b71c8316a5449d320fa274d30703ebb3ca146ad5f5dd22c6a4c73605

SHA512
958657944da3c5c7d4b07c95d0c70394fb63a536e2e4d9f13850ba2a990d7d81d3d428f303c39557af2eadbd5827898f186f1e25bd09d7ee886ebd4f39d9fa1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
37ef6bf4981653892878724833483666

SHA1
5cf58f7875db9509827380b3a182abb2103484f7

SHA256
3540866ba6dc389536f5c93de886506fe40dc286a5d3cc44b536a15507cdb767

SHA512
3a54a551cf80819902db8b35760d4304adfcbfd8b1d1fc99c1460085b161face06a68daadd6a33fee79703f1d42bf1961fc66d88eeda8c51e22fbc1e3c50d2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
752fd7aec98cf2356015b306e63d18db

SHA1
355a2bfcacffca211c2a0bdeba99c17fdeb8f716

SHA256
5818b6363df159175c2630ed8286cffdf5cb35abeb6db4b1f703129a24706876

SHA512
323e4987143a6678cd82a418b8da79e46f2c923fc35e6c8a015477ac0ee49eaf803ab324aac4d71e876827c5ef72f8fc75cd329be34a3a909b52e3e061a1cb65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f5bfaa44b3b7120234b0b24ba6d3367e

SHA1
93f4edce8b720d642b5b0dcbef0176a6d430557f

SHA256
85118729e9e12c069b7f08822fbd4b13e10819c2e9616c637ec5e57482710217

SHA512
2c7b8368a83d0a0305e6e05cebe364808bfef7d13c39158340d40a85e1ad655157c6e6f6423f61e41667f82c95d1cfcbbfe8cdfb7a0a9978a86c1a75d46bc341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
a6af4a35b4f2facd56ba47a6566314dc

SHA1
a069394d498b8a08e1b35bbe8c97425727f7f4f9

SHA256
a3c3ffa51214aaec29c938832cb99e8c7618274d85b282acca2a8a8ba40e705f

SHA512
742d0b702aad3472e3d840bf621d76530457072568d36ecbb66fd746a5186a92857fa4465f480110c8638bd71e5557a66b2455566513cf3d65dae66cdf0ab659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
6624fd466bb56bc7d2e98ea129d326f2

SHA1
899e90b386ef8582d66c1de64c838fe908dc2490

SHA256
84a1f6f89320eecc01478ee161edbe1b0d028a62c91971409cbf6ca31fd4157f

SHA512
a0fc7d956250ce9aaf4c7ca0f5d996b64f4027cf4bcd1ae1928b36936e792b65e9a84de663db54a936badfd1d9936030d3448b18a414f5555a891d9410cb5e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
32248155719067cdcc8a67d11c1e1a7f

SHA1
6d617776d94880888d7d7d3b8d61472dfbf8effb

SHA256
12e2b5976b24d20b3f4946a6dc9c489acf4205c01c24e8795955d84aef78b6c1

SHA512
554a0271bd655f7b1220ec66dbb7dd2c94d478cdbf36a226d5922fe187badfb4273712d081cdd826f1477d9293074ceaee3d7201141f4a680768e0168bb0504c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\07375016-86e8-494b-af19-028a8951aa13\index-dir\the-real-index
Filesize
2KB

MD5
10f12bc194dfda56e1949702e9bcf09c

SHA1
198bf432c1eea85518a0afda6b038057be4fd84e

SHA256
1fa6f3e9c733bae7cbf1442e3ccdf601b21976e352e1eb2a77956003fdacad71

SHA512
7b2e55b3ab4ae93a3a81cd67455ad844aebe17ff955e7faef0a7c428c7e6353efd3ea84e332c1b66691995692bd95f4f8a95f402f9260220a15a55e4b17622f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\07375016-86e8-494b-af19-028a8951aa13\index-dir\the-real-index~RFe57b100.TMP
Filesize
48B

MD5
1963cf6021378f354b9c5d3a57f87d9e

SHA1
4aec5d4ae4149600e811b11ad71b31de2296cd0c

SHA256
dc45c343ce3ed1b18948ac7fd0fb04c16f5ec160bfa6b885b5f719c181babb75

SHA512
c56c26593103ed3c8c7d315c02b34010dd5f767a69ee64d6af91cb0bcdc43b8f24e62fcfb44f20508ce033600775af24d521d1a34a7bfad22c8ce53f29668f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
4d7c2eb326a34689443d9dac28a8c9cc

SHA1
585feb4eed27edbfd8394c6d9487fa52f041c887

SHA256
02b1b9d14d78fb96a999d49fec755b29ebd6dd791bbd60cbc01be2e3af4dfd01

SHA512
3fbb48d7ed867cc0c60f48d1e09ad4c3738eeac3b90aa4aa0cb694eb962c84dfa2c830439afc6ed2428699d79592a405cbc4c5f0ce188fe22958b757686398f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
ed04ca5eeb4ec0f8be2f6b383a2e2780

SHA1
5406ba62852a84269a604a377baf5939ab56cba4

SHA256
e25043ecff37fd31088f1bd94705f965e08e8e0224518a96c5237f2b7602749e

SHA512
d01257e2fa4b980506954d8636ffade044c35e71fc5ef2e6d6567779c7a16090357ed8d8024fd44176eb495329d90ad5bd166200660fdce739aa801032d7e62e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
6e6aa0bd9efd1d188c5427e9972e7dbc

SHA1
c161e0521f6d6e32ba9ac3489bc20f21b87efce4

SHA256
feff7b8e046d66a995d0605f8e6d4ec95d6adcd4d7c5d2118d29a60dffc67ab1

SHA512
96dd63d4a0edd10c4525de3101bd6ca1c6393ba2dd4b76235bb5d73467a5be96c3e3cec911e10dfc89babba347269876247ccca7d2a3b07018a27e9b4d6882f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
84B

MD5
9e09014009658bca181aa87c080de47e

SHA1
549cba6e992ea77313001a1e8325e86034972635

SHA256
1209dde514afac939f261c7fad96f01174d67acd8e5f6967822a5c22c06a93a3

SHA512
8592dea7d240bf7860309285a64283e74b9cd38f28daa4d53d997e443ee8ddb7eb2120763fe35b0ab828957b49d3da26d5b53411d876ea7189747df3b57d05b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
81e614392525dd3b093c422f80bd3b9f

SHA1
1ff81999b4e1662c98582e7f85b47cf7b2df337a

SHA256
07a850fd414b1887e8e93a2810e1dd4b6cb28f67043097044e3e304da475819a

SHA512
4111184a78c6a49b3ec482b69ca06d73e1120bd5acbf40db3028e73dc483eaa690372a8206e08456f08c4f940892d4a86abffa8d1412740b1eb873bfc6dd21b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57abc1.TMP
Filesize
48B

MD5
fb5a2b53c8718d95b86b2f65c283279c

SHA1
a99a57dfebf3a4c71c913d49ee511058cfc8f731

SHA256
1b23d5e1bb5aea8d5a33b54d090b9d75e1a11c4ae09b947190c2c2953eeaca3d

SHA512
fbed022da02c14ec7aa4fab39cbd17a53ce361d0b6c2d0f814166e34661e82f551bbab623ccbd83ee7acfb415f7177bd108a265afa3e269ad80ef51248c76640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b6d5f8b74df0330056c71b059036903e

SHA1
e5eaa84239ba03e29879e08abe4fff3950f916a2

SHA256
85acb658e0dc287de90450fe51a5c42bda096f361f7ee5bf5637339e6e65a564

SHA512
3d153f575f3de7cdb11c924e1c060bef150da45289f2c658b06f32e521b127e04c154a416f205864069acbbd3ac302da309d66343a116d20e265e467735f70db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
a307101ffe1e8e420087c928124b7a45

SHA1
d292f3189d52d12dcbcf6c54fe30da20e1f60921

SHA256
c2894c58d1396219078cf582251f726ad6f054adf758c6a7581bf5116c63929c

SHA512
10d2e8122add7ffe7ed01857703e459be08eafa6e78365ff0ac5916d6f82b957c18593c434276ca7c7e2a7876d77a9b8b7a131b330cf7e1b6f5e13c9db8a6321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a180.TMP
Filesize
1KB

MD5
7b1c7a772e54c902beb3a948a5a648eb

SHA1
28a50af8908261ce231c712c64a7d0f9e87131e1

SHA256
47e156969aab28c3870034555e8009e025de5ed0eb47d3011aeb888f4712f1aa

SHA512
59d63bbb22809df2e274dd1516f89f48f715a6261a1f88eba880bd03222ef2ce668dff9d2373a546a84bdccf38bb47e76bf7a52607bf2a2286cf25994e39e275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
116KB

MD5
b5bdc7d4eb1b59237eaf2eef52c84dd1

SHA1
bf730805bfce1c72ce9c4d0aaf0515a76b965b81

SHA256
97f6b6f81c67c31cc68708347bbe6f35d3c3280f139dd00ce2ae8e16b28f5ea3

SHA512
608e7374d93d2be0be87348e9a033aedaff582b0a78dac96ceb02a850003275cb8273b8ff7b4980655018bd8037229b057bb3917d924a2bd79e9b163c7bf8ab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
cbf0d37c25a85f152aca9242ee5087d9

SHA1
f2fa240836dd5e27fa0b4b741f66589360788202

SHA256
edb0fc273b10b29c4235a8191b559cc710407092b005d1ee6d8a998cae6f8b2b

SHA512
72e2a59c12615ab1b3408638078bde95f1f42641df340e6084b53c0ffb437f3ca59dc2973a3f9d9cbb4634a41b500fe51e46eac334314f6342cabc54d5381979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
93a47f887bb0ec15b7d77211ed7587cf

SHA1
295109decd033edc33327ca52ecc5cfa2a19ee2b

SHA256
68c08319c285bb660fe2f5ae2d00ddf9e9f7519964ab1bfcea857aed99893e0e

SHA512
9dcd1ce2333753382f103716b657eb5881eabf8c7300db7246c071596bdb1f13de10c2745d62a8eeff34a6bf2f8b7cf24bf2020db0945e7ec749399dac8c4fb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
bab4bd8d876d6379d920d990f88d963c

SHA1
d1851d147122fd7cc6b437054892340ef57b6496

SHA256
f15bce58edc4e6e0ae5e9d8019a5f50011a1eb48bf6bf387d3ec3f9eed08dfdb

SHA512
aebece97176dd6bd8add9cedea4de3bb7569cabd6ec599ca0b27ac457d808887f5e7292b4d99c5c044c7ee382abedf958abb93d224297170400ad034b765f4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
150KB

MD5
619c230bda193623a93e533ec2cb2c12

SHA1
7e8d03621ef78deb9e4ee9db3406b9f3943e30be

SHA256
11edc1a1b474b9fd95fe5a48d6d7bae300eb3077925e985ac1584bd7dd49ca34

SHA512
5a8c35d6b6b2289e4222e6613f0d0c9efbe9f7523d7ab5898568cc94609c93734aec0f60d37419eee4a7d52ab562de26561a0811066001195326e338be76451a

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
90KB

MD5
4d21a4abb84dc86c36dbf015519b26d9

SHA1
c838088fa7f82a28ced16f45ede48f942552aabe

SHA256
e04c528d85630f67b49938c4a66a8ccbce2396b1ff093221db54f674340b030a

SHA512
a1a3dd3f487ff9698405eeb73984d25aec3ccb6b965b339b9c0c7ab5bb5d4fbc1a37f599b265a2f7487c80345d1803128110aba2535b5171b40e975c67fc4615

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
149KB

MD5
de189415f04dddc1abe7ae918ab7e821

SHA1
74fd5790bd5f875a2c5a87b0e32d200de67bc715

SHA256
4d64a2a457b8a53e0a61065dc0b92de99cef9825250e7349517862adfac6bbac

SHA512
5076d42d48ebdb0f8571c4a295e0dfdbe193cd98ca96346fcb3d552e7b034f66c72c5507d6c86af116fa44710e0d44a986ed1b6133a9d9daa843e821bf9c9981

Download Submit
C:\Users\Admin\AppData\Local\Temp\411A.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\98D0.exe
Filesize
324KB

MD5
d7f317a0aaf83ff6c4e5bc3a1db644de

SHA1
8c6805f0792ca5fd14828916b9124a69d5ef2378

SHA256
ceb3910853854da69e83f2e653c81152f52f4b8ba74650d8c1994a150695c83c

SHA512
34a360ef4097f2f69d4b07a3948318bc7efc06d0a34f564fd5e787a5b200f0295ad6f1c17bbd4fcbf90433260fd6db3e8510b34a4b4597d9f8463165e17e3b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\98D0.exe
Filesize
197KB

MD5
1c320a3dce5423740fd7b3887d336a9a

SHA1
5c4a30ebdb5718e1180c9de5750d149571923c24

SHA256
2cb05de786ced59446ca29107cace42260089ea6e6d6d7261f3f5d66f3b0db7d

SHA512
fa38c98ccfef54721e42795689274bd4cccbf6d41d1ef6fcbd76aef8fae1caa85872b56467584d60efc6eba356ea52c690d6c99c5f97fae09cc4b72a24aa1758

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
1KB

MD5
cc4f7e5fbccb679301737a3d4c68b16f

SHA1
960d0b725504351e9d41cae9e1bcdf8b355665e0

SHA256
c11c62201ce84886d1c56f9c0f5dd167089cb77af131c00f24cffa250be83c0d

SHA512
5ed427dd9cd06fdfee8dbf81611f1b481030d9e611fa34f8fb6142c648e62c4a6f4338058915eb938335fcf381d041dc0f57fb6332798859bb0727af41995b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.exe
Filesize
274KB

MD5
76a4b2a0f39590e5955c9856901058b2

SHA1
ca138856246575fc9a19bc2e9a596c8e5a8a2796

SHA256
8e8bbb268b2174883f9d3111e2da23735b6ca48d678b3aa3a816c1708bb48034

SHA512
bf4411525e348ed65499e7678deb90d8bb7e77d41a6d4f9ca67c18696141f3b1f7868755d5f94c726f9413c3dd6b65e8751fcd326f8b08458dfb89c623094250

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.exe
Filesize
343KB

MD5
11794dde2b200cb10d8144084a319d71

SHA1
a4c8dc6d4a07ca29cf6f529fc8d1cb7dd215c581

SHA256
d90130f7c6faaa99c7da23c02867224049325f2207db61a6b09eb2f179b83e37

SHA512
fba6e09655cf2ee0e0954b2f0faea179c79e877dacf2569049a091a3a3ad8478d5dfc3e78c5962b75d00dd78ee10c301ad440e197c3d08fea45b57f04304546b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
Filesize
116KB

MD5
2e4799fdbdc288f23c0ef50755395b2b

SHA1
6ae2ee9a579718e4d6c3ef64fedc2f76caeee32a

SHA256
27d31d44ed84005b4368cfb752b2b9c67b96b26e260bce5d45b53f2303a126ef

SHA512
f675984ec8bb01801dab200f70c0b9de21e20b4593055cfafda75800ecc37eb21f0e0fe49b929f5679d9360937acde48cce528208b3572b06882dcef1604f16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rA1Wi85.exe
Filesize
38KB

MD5
9522f529259929d7a1baad676c4689a2

SHA1
612e661471ffaea3cdaff96fd3a9569b69f6552d

SHA256
c6ad5d1a3fe46f2f1f441e10ab173057178b6115128414c6ffe4944d9c81d70c

SHA512
24fb619a1c32f16e0a1c01d51a819462c240fd250e79b50ff3c844fcedb231efffe592f9e09c5e758bb2cfbdb2b05f07eb5884d954e6c8b3d793d819f1060de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VE5Mz98.exe
Filesize
176KB

MD5
f0efed5e02efe2484a20b6b1112d64e4

SHA1
f99db6184fb8ec2b151ed2b02be447fb5ca58349

SHA256
0d5360e72ec0873b1b7b38410501162f204fb7066d6c2a22df8202e7f7f3030a

SHA512
29367092ddf28591a5f38d1ed3f8e7d40b7e1ab708b50701ec3c91e0aedadf0b179edefa6a4e1d3d266d1be962cff6f9cbbf170df2f3c2e23cb5387cdc5e0d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VE5Mz98.exe
Filesize
174KB

MD5
adc4af8aa6dc4fed57d416ae52b5c1a9

SHA1
e3a4bed6ee9cc58af66d9a7a1524baf4660bdf23

SHA256
5063c04f28e9bc033283a53206a9e0475d286f77556d341f50beaaf5739e75e5

SHA512
fc495921f6f359e16c72d85d120d1ffdc2d7074ac8063ab39b791204d6c612759fd18bcea77e97abc56bf223113686b3b7c55c760a7bbd38f2ba7d75348d6bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6IO7Lk6.exe
Filesize
114KB

MD5
e0554951ebe71690857bf13b922d75ed

SHA1
1aa79d18c47f417667f5c60935ef511739d24c7e

SHA256
527575b5700dae1b3aed29257fdaa49cc223ec7b139f2a1bea7a57cc4995d423

SHA512
d74bfb7a0d04115034a4d0e77198b983f1a2fd0b30be92e025aa3d2a7f31759b21bdc12f388eb5813110c69b115d34bfb2f4366eabdd8471cd1ee38b6df2d66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6IO7Lk6.exe
Filesize
199KB

MD5
8906dd4a7f751799b58ea9a70c61528c

SHA1
212551d1411074d039eb09f997b75e08be94414a

SHA256
fcc9a722e8e563026222457ccf0066aad36e279fa9d35e253cb8f1b9ba6c4f66

SHA512
87b2f66929b1eb2d4d193b8fbeeca850b3a3b8ec6fc1edc485a059b016889a1c291dff1122c214579728945bea014252d7418feb04f8167ee784045325730cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wE2zK42.exe
Filesize
124KB

MD5
165df6269238096ba5da2a6e0f46930c

SHA1
a944b7c4ef4fb9aa9801377760f617e76cb983e1

SHA256
593c055ea0ca33d2a3f489ac7a42b037d49ec96c143fd7309640f6520c537a89

SHA512
49cf1b85981cdfe5a59e6e57c0df815845eef8d436f6a52a80bc21850863f06f6e98780e8f1f0273abbc10491651ba23b12a475fb4ec99ce6bfbc23ceebc3d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wE2zK42.exe
Filesize
178KB

MD5
d885382d379ade2ee17c6a81e95fdb4e

SHA1
55fa163840f261151914cf88145fe4fb21d12c49

SHA256
7831cd92fc6d792e878b8dee2d2dd34960e8f6c9115d6687e5ee07340a1f2cb1

SHA512
f8964f5965ba6e6f8bad7e73cb110544fb86cc3efe9bcfe12d8697ba793b893f62b4dfe9f30cb84bc8149336498e8b507269372e2ae7c8c48c9ae845e763931b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jn0196.exe
Filesize
80KB

MD5
07cecb0d14048894f9b3fc49b54eb3c6

SHA1
e10269d633b0d011a55549831bf3d1aa5be0f998

SHA256
c4d6eeff64d6858786bc25001d4cb0a02715a9674d395af83b5a74742291bebe

SHA512
93f7c59024f42dce2d855e44e06c0f36baaaef74c4339e304fcbd5fb1cf68d1cd677af19583c5dbaffc811917eb17de7ef7856e8d487dc678bc5dbcd529a0fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jn0196.exe
Filesize
112KB

MD5
023a67c4e49d0270abc1832f3fd3b58a

SHA1
4f350642814ad5218ca4d00305845813c6889c22

SHA256
5cfa444a416b7fcb38ed4a7d803b6dedc41ea9909718262345203b2c13433b01

SHA512
c7388669dfbc3e4aae3064ae8889b31b447f370a89a4e5f94a0df3a814ffee7108a4a6943c4590e25457504f2835b3514ed41f1eeafb59902dfb39b8f98a5a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Pd0rG4.exe
Filesize
728KB

MD5
be282cb52121a6ee1bc596bdacb2eaeb

SHA1
f68541c9fc83024c3a56666a40bf449c37f80bfc

SHA256
ba58336ee1e0c1d3a8e5a85104c91048ef1ba4e1c010bc626a333d036e1c7d25

SHA512
a4898e1a9acb3f84180cd4355dd9ac078fed2f5cc7f2a891ec21f1b6a4b206735a0b18624c8a6bb88f6eafb60da8d46f359f19e017a09a882113f9d92d9a5c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Pd0rG4.exe
Filesize
667KB

MD5
20ce11bc5cbf4cacf8287e820f9464a6

SHA1
fdeaa13d660337b0b02a39c11f66779aa8b5de80

SHA256
e0c7000d8d84bb202dad9206f5bcf00787fc86504c8620602c7743717ad7b4a3

SHA512
498c4c430c4139a46f57e3361902c0804b6c764c9449c89c213b7d8fe7040f9c7a1ed01022fce8477c18bbc6876a865c353032895f9e17c5e2a233a8b60cc19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
157KB

MD5
0985c9635c15b61c177f46ec38d9d3a1

SHA1
e8893f0bcae5f667c0a8a888948f5035b4b52132

SHA256
f6622379b133fbdd0912312f1648fe43662ca5b167226de6b5364cd29cdfe71d

SHA512
fb7974b59996a1228185dbab76eb08c574808703e94d10a6539a06d3531d5821967c00be66698784b09fc1e0603e397a8cca413eb46a0a787903035bb9f7cf6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
115KB

MD5
26820999cac7140d20743beb6e481baf

SHA1
177e7cfcd666f371593a2d4b86a19153c9d04143

SHA256
7f2aeb60871c394c4d6677293f037fe64fe536e99c85ead1bb2f4f57e31b4361

SHA512
f46456d1489025ac25fe4b3ac648943ea2f59be21f8c471bca7d4129a099a05ddf302adb504ddf6f4428d5da469e5dd8313ad5671f18fc67720c600b2cc9e37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
86KB

MD5
97c0af47fc820387b3e05052c7439175

SHA1
9298f68ba311355b043da2f32732bbff8837db39

SHA256
73eae86d6ee01adc7ce55cfc86a82513625d68f917aa6db6c05496b060a04613

SHA512
4c91889e2ca5dd660c2515ec0330beabaf4a7366588a88a41f9802b070f30eee12b58fed7588c2374757272c6dd1940fca20198848a70148514b0b4130f23268

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2juzivvj.w45.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
164KB

MD5
e836a632a5fd2fb26f118af5466beeb5

SHA1
6a1b1959cff12c284d3e5b226c5828883e789e71

SHA256
e6a064f41a4bd4c870e9e8df576dff8e6045a16fb945f295241bebc4a9a15ff4

SHA512
4d496878f081df37138060646c1049d74ee7e50e66d65dd66648ea1ab356cc7755f43c28685569fa8db2ebc70eacbc0743671eb44c44a5bcc0e742ce160319dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
57KB

MD5
2f926552d16aff29f7521cfe3c36e9b5

SHA1
1f31a6136d8d7c8e9d35f36bae9205aa2592c5cb

SHA256
3abe01d6058adf17a64a11bbe28ca4c5b5fc10b3a78081716740c44bef4c7265

SHA512
d22c81d561eb823c1c135f40224fd6c43b91206e8cf04a48f3be56ce3b929ac5822fab11e9d8d451daceac504a8756dc89760e37dcaa19f9510958f7e7c9d60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
121KB

MD5
2e8a4c473d43fd01cbe5a11f404159cf

SHA1
fa102938269ce5415d7086ea628e5df9e62e8398

SHA256
85ba3bde3dcbf3123d70200bcd3a7b4ba87a0e80c673b11f14a612d1dd568ce2

SHA512
1f34ccb3926e0d9f39fffd60cfbb31443bd0b6af27df99779780d14bbc87e7b49e28d9f62532c33b94084354b2a5d9ff98248cdd97aac37342c87ab9f51f3fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VEA9E.tmp\tuc4.tmp
Filesize
176KB

MD5
ce883b4d072cd6896e67022e862d7d54

SHA1
a48082dc698975b555c221fe5083274324f6aac0

SHA256
fe9d2e22af7992e5f16f86a926f825e0369411d9175c860781ab18f227b4c7ce

SHA512
7e837bea52d66725440a1802057f64b1fbd0bde04dcdf87cf5ecd9f4451c4c8ef5e5e6013f9a12700035cff7778019d1eb854fe6e02a5f5c8ab8b119159a8b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VEA9E.tmp\tuc4.tmp
Filesize
159KB

MD5
af5f93f9edb72f45f2de118b72c336c9

SHA1
dea4c05b9f146635cf53e9f58c5f002831b92531

SHA256
bad4e9df4db1675bd2287c7d6d6280714d755d9514284cdc09c064fe1f633988

SHA512
a0fe8dbc866657a1e00c0f1ee3645d5a5adbcf9e7696acecf0c8f0e2fc5522b89da8a6ece6a0676952bd7b501f1c14a5d027323ed1126e0bb9cc99a170e013f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCCF2.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszCFEE.tmp\Checker.dll
Filesize
1KB

MD5
cf5043c2cd81c7d3d4a6dd9c59e0bd8b

SHA1
4f34dbf3ed1853d65a61b8172bdef1237ab7dd2e

SHA256
a0d451600b902aca4a623b8c37eee3f9720ce5bc2a2144d023d2a748ef32999d

SHA512
f85acb49c905f662d0bdd329a03ac8d8acf207e6a71d68fafe8d64141956605d3fe38eb49b7253f71a29b3ebb9438108af9f3e93a451358ccb634a28cd9940f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszCFEE.tmp\Zip.dll
Filesize
13KB

MD5
9014993d07c1c24595e0c771e25cd766

SHA1
578d10375573be58223748495f2aa6b25456c045

SHA256
e15a13bd4fe51af64990435aba5079850bae5159b1605766cbf6b94409f57ef9

SHA512
9e5f1e82225b4fe3f2f50bfec01d551d4b73ea8effc88bf64a8c57b4a1a5d828803b20d08d935f6a4dcbbf3844c02ee2d6fc6f37e2bb8ac334831eec1fb7a168

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSTqkEImGJdAza\dfcjPsODtGjNWeb Data
Filesize
92KB

MD5
92be7d444b8f6922a7ab205f66109c15

SHA1
25ea6a81f508348a61b7f4f668186069b00ccb8d

SHA256
89121f65705e315dd36be848aac783b0cfc307a6848392af9346f1f288e474e9

SHA512
c8c10adcc6f1dbe3d5c9022d303f2c6cc68c458949a8997f3bfcf5ca9a3620d1e7400b46ec36727b9c6d760d108ea889aa97a0ae9d505768822b6a112793bbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSTqkEImGJdAza\sqlite3.dll
Filesize
397KB

MD5
c6311019ea2cdea64ca7732be58ba983

SHA1
ce33e043f327ab1d1e975eb17381fe437b17525d

SHA256
9c9be69e67be8d35caa0bf9657abd287b77307022dbd2aa9f5dd0579fbc43b37

SHA512
18fe0f8fc479f8284966d062fb3d5ba3ed02d78ffa73ac29b6a3445b712b8ab51ce35146815b82c1b44ee716c34063cbe6442a514827b12c760e5349e87dfeef

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
142KB

MD5
8727570474fa9750bd9745635f278c86

SHA1
674760f5f6daab1a04d07217e0d4023649e08f55

SHA256
021dbdcfeec1f24d2bb66f5091fda6f2d612fa9d2f85916b403dff3f20a1f0fa

SHA512
4d7aa9e9753574958ced37f1865f41e9cb580e309f0cad93e984166fa56ba75408390cb086a46a65d53ac2929adc9aa099608f46036770ea115ea78f7ec7b368

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
259KB

MD5
e67c25ab386b903003fbb2eba2aac669

SHA1
a44656f84155050ca48cba2470407573682a97c2

SHA256
2d12cf1f35cd5771f3a620710b6e68b24e7a00204b59e584a69a154511c28b1a

SHA512
1cec5ae0c8125aa72cb4ae51e27f1a1cd4be2bf0b7755f87edb159cbd3c968df2d1a4cbdc86f5795d1b82313ff74b8af42624cabf5e159c10f0730b124a9cb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
191KB

MD5
d584c9ea5709a40766cdac0d0a47abe2

SHA1
980f3d3f2b6311fcc0f8302b83c36b8184cfb0d3

SHA256
d65891b98dc574e2b4643afeffccc30fbf6c84cc7590e075ca95e40790d94794

SHA512
fed7e8a5f180ef81016828471ad8a88fa8936949242b31050608f3164869fb99f623bd1d1135b455318d862aa7678b63be7ecc983d61cd93a1acc8bda7e9cfa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
103KB

MD5
49cde684deca121640229acee5d4ba24

SHA1
1be3655b71a5481634d3cea037ff34d5c07c25f0

SHA256
741bd7f41f68c431c4f5a9398802cc970fe953a4399f7cd49e00c7c233064e52

SHA512
3ad00bfe6ce386053d6b0fb99d601c0bf469243f4f7e5d9d9186cb9ea2d6bf201d9a88a7201986adb414be0ffe3071c765b54fe79af8d1760c9c995bf680b343

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
89KB

MD5
83b02358a69dedee3da82e39c3feb49a

SHA1
e8ae196a8af1d8d4288a40870b9e38d4e07be491

SHA256
a2cbac27e9dd4bbb020a36e7c54f3379ace7e6e112ec41abe4d786e5ea3d9d3b

SHA512
9fa81be0f10867afb824bee4a3a8e5948e7b7722c4714f0c7c497db76d4edf93b6c921828fd7fa02fd14d7205022ed6602ac99becc52fced586a33bcac3aa822

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
40KB

MD5
e2f48f280198846c3b568d75b1bbc29c

SHA1
456a6ab651149615ff32d49296b94cf2419f2f75

SHA256
4db5f5b5efc94ddf77ecff7e59eb085ef15b8700df739c0ced37f145cabc357c

SHA512
d8b492051471500e56baff98dcae9b00c471c6a67d95457b2edae6d1e6823e991158ea15b30b1f6f23f76f85816d12e3c91da1e74ba268e58a53b24e3f41b55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
208KB

MD5
62a87acc8a48c84912cac8763593806f

SHA1
c9f97f7106f0717a380d5042afc15da80299f4d2

SHA256
1e061655fda1b49b02073bb47015910baee4e8cb1a07263f3cbf7a1b09b68be0

SHA512
70be5cafa7febb1e8154b8434e688e6a593603d2d4cb8682cb01d595ec748dafd615cb85b42c7053e424717b7a0d65e3b83983f2389aedb4360dcadc85d053e3

Download Submit
\??\pipe\LOCAL\crashpad_4776_SWJPAIWTEZJAFWFA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/412-1004-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/412-1017-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/1076-661-0x0000000000C80000-0x0000000001046000-memory.dmp

Filesize
3.8MB

Download
memory/1076-662-0x0000000005A00000-0x0000000005A9C000-memory.dmp

Filesize
624KB

Download
memory/1076-752-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/1076-660-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/1800-668-0x0000000000C70000-0x0000000001F4E000-memory.dmp

Filesize
18.9MB

Download
memory/1800-738-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/1800-667-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/1836-724-0x00000000006B0000-0x00000000006B9000-memory.dmp

Filesize
36KB

Download
memory/1836-727-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2316-552-0x00000000024D0000-0x000000000254C000-memory.dmp

Filesize
496KB

Download
memory/2316-551-0x0000000000980000-0x0000000000A80000-memory.dmp

Filesize
1024KB

Download
memory/2316-554-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2316-553-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2344-1148-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2396-896-0x00000000031B0000-0x00000000031C0000-memory.dmp

Filesize
64KB

Download
memory/2396-936-0x0000000007EA0000-0x0000000007EB1000-memory.dmp

Filesize
68KB

Download
memory/2396-933-0x0000000007D90000-0x0000000007E33000-memory.dmp

Filesize
652KB

Download
memory/2396-897-0x00000000061C0000-0x0000000006514000-memory.dmp

Filesize
3.3MB

Download
memory/2396-922-0x0000000071880000-0x0000000071BD4000-memory.dmp

Filesize
3.3MB

Download
memory/2396-907-0x00000000069D0000-0x0000000006A1C000-memory.dmp

Filesize
304KB

Download
memory/2396-921-0x0000000071DC0000-0x0000000071E0C000-memory.dmp

Filesize
304KB

Download
memory/2396-920-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2396-915-0x0000000006D20000-0x0000000006D64000-memory.dmp

Filesize
272KB

Download
memory/2396-895-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/2896-61-0x0000000000670000-0x0000000000ACE000-memory.dmp

Filesize
4.4MB

Download
memory/2896-411-0x000000000A2A0000-0x000000000A2BE000-memory.dmp

Filesize
120KB

Download
memory/2896-422-0x000000000AA00000-0x000000000AD54000-memory.dmp

Filesize
3.3MB

Download
memory/2896-435-0x0000000000670000-0x0000000000ACE000-memory.dmp

Filesize
4.4MB

Download
memory/2896-75-0x00000000040B0000-0x0000000004126000-memory.dmp

Filesize
472KB

Download
memory/2896-546-0x0000000000670000-0x0000000000ACE000-memory.dmp

Filesize
4.4MB

Download
memory/2896-39-0x0000000000670000-0x0000000000ACE000-memory.dmp

Filesize
4.4MB

Download
memory/3340-1015-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3340-1019-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3404-1156-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3596-923-0x0000000002910000-0x0000000002926000-memory.dmp

Filesize
88KB

Download
memory/3596-575-0x0000000002EC0000-0x0000000002ED6000-memory.dmp

Filesize
88KB

Download
memory/3616-719-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5056-1189-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5320-776-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5320-743-0x0000000002B50000-0x0000000002F4D000-memory.dmp

Filesize
4.0MB

Download
memory/5320-767-0x0000000002F50000-0x000000000383B000-memory.dmp

Filesize
8.9MB

Download
memory/5320-971-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5480-119-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/5480-107-0x0000000002740000-0x0000000002776000-memory.dmp

Filesize
216KB

Download
memory/5480-211-0x0000000007370000-0x000000000738A000-memory.dmp

Filesize
104KB

Download
memory/5480-118-0x0000000005080000-0x00000000050A2000-memory.dmp

Filesize
136KB

Download
memory/5480-117-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/5480-149-0x0000000006600000-0x0000000006632000-memory.dmp

Filesize
200KB

Download
memory/5480-212-0x00000000073E0000-0x00000000073EA000-memory.dmp

Filesize
40KB

Download
memory/5480-120-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/5480-116-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/5480-132-0x0000000005C60000-0x0000000005FB4000-memory.dmp

Filesize
3.3MB

Download
memory/5480-138-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/5480-188-0x00000000079B0000-0x000000000802A000-memory.dmp

Filesize
6.5MB

Download
memory/5480-222-0x00000000075F0000-0x0000000007686000-memory.dmp

Filesize
600KB

Download
memory/5480-229-0x0000000007570000-0x0000000007581000-memory.dmp

Filesize
68KB

Download
memory/5480-296-0x00000000075A0000-0x00000000075AE000-memory.dmp

Filesize
56KB

Download
memory/5480-332-0x00000000075B0000-0x00000000075C4000-memory.dmp

Filesize
80KB

Download
memory/5480-345-0x00000000076B0000-0x00000000076CA000-memory.dmp

Filesize
104KB

Download
memory/5480-139-0x0000000006080000-0x00000000060CC000-memory.dmp

Filesize
304KB

Download
memory/5480-150-0x000000007F480000-0x000000007F490000-memory.dmp

Filesize
64KB

Download
memory/5480-151-0x0000000070910000-0x000000007095C000-memory.dmp

Filesize
304KB

Download
memory/5480-164-0x0000000006640000-0x000000000665E000-memory.dmp

Filesize
120KB

Download
memory/5480-172-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/5480-182-0x0000000006670000-0x0000000006713000-memory.dmp

Filesize
652KB

Download
memory/5480-180-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/5480-113-0x0000000074280000-0x0000000074A30000-memory.dmp

Filesize
7.7MB

Download
memory/5480-352-0x0000000007690000-0x0000000007698000-memory.dmp

Filesize
32KB

Download
memory/5480-368-0x0000000074280000-0x0000000074A30000-memory.dmp

Filesize
7.7MB

Download
memory/5480-115-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/5616-951-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5616-948-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5708-984-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/5708-720-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/5876-751-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/5876-864-0x0000000003600000-0x000000000363A000-memory.dmp

Filesize
232KB

Download
memory/5876-810-0x0000000004310000-0x0000000004F38000-memory.dmp

Filesize
12.2MB

Download
memory/5876-804-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/5976-809-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/5976-990-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/6076-557-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/6076-577-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/6104-938-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6104-739-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6104-733-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6128-1057-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download