glupteba | 6969817805eeb5e26a007e3e31157fe892aaf3ba3c122f96f3dfdb725f7b1d12

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daa567d513d049f218c6a71a786c44119f9acb0ea480f424468a8a09e9c75dad.exe
Size

2.5MB
MD5

3d178664bc15e781e35d12108a2c5ab9
SHA1

e4169852794fcf6d9f7edd359bbec16f406bcca4
SHA256

daa567d513d049f218c6a71a786c44119f9acb0ea480f424468a8a09e9c75dad
SHA512

2e1dd29f083b8ce39518c6d04cbfb824d59cfe1a946eda66234ea50b2670e9464a74e7ca16a1f9017cfc5e866b7dd6ee847d990d41670ed1a23b02375b1b94c5
SSDEEP

49152:fqylkVQqIh2X2aCYKsfjgSlopRy9YH5+n5uMTsITqnu0I0UCa5cL7LnmZLqJenjo:CV+h3rYKsfjmyiZcu5uy0WL7jVejTSL

Score

10^/10

glupteba lumma redline smokeloader stealc zgrat 777 livetraffic up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:13856

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

777

195.20.16.103:20440

Extracted

Family

stealc

http://5.42.66.57

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

lumma

http://soupinterestoe.fun/api

Signatures

Detect Lumma Stealer payload V4 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1828-556-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4
behavioral2/memory/1828-555-0x0000000002540000-0x00000000025BC000-memory.dmp	family_lumma_v4
behavioral2/memory/1828-557-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2752-905-0x0000000000520000-0x00000000005D4000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4252-825-0x0000000002D90000-0x000000000367B000-memory.dmp	family_glupteba
behavioral2/memory/4252-843-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4252-1000-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	svchost.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1820-913-0x0000000000400000-0x0000000000490000-memory.dmp	family_redline
behavioral2/memory/1232-1199-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

772 netsh.exe
Executes dropped EXE 4 IoCs

Processes:

uV0Lq44.exeGP2mT40.exe2Qg4413.exesvchost.exe

pid process

632 uV0Lq44.exe
4808 GP2mT40.exe
1384 2Qg4413.exe
3708 svchost.exe

pid	process
772	netsh.exe

pid	process
632	uV0Lq44.exe
4808	GP2mT40.exe
1384	2Qg4413.exe
3708	svchost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2196-1540-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

daa567d513d049f218c6a71a786c44119f9acb0ea480f424468a8a09e9c75dad.exeuV0Lq44.exeGP2mT40.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	daa567d513d049f218c6a71a786c44119f9acb0ea480f424468a8a09e9c75dad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	uV0Lq44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	GP2mT40.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

171 api.ipify.org

flow	ioc
171	api.ipify.org

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qg4413.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qg4413.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

svchost.exe

pid process

3708 svchost.exe
3708 svchost.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4960 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3708	svchost.exe
3708	svchost.exe

pid	process
4960	sc.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1160	3708	WerFault.exe	5po4uT4.exe
5364	1828	WerFault.exe	6uv4PQ0.exe
4560	2200	WerFault.exe	toolspub2.exe
5512	5188	WerFault.exe	872E.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5780 schtasks.exe
1840 schtasks.exe
1460 schtasks.exe
1456 schtasks.exe

pid	process
5780	schtasks.exe
1840	schtasks.exe
1460	schtasks.exe
1456	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exepowershell.exe

pid	process
2344	msedge.exe
2344	msedge.exe
920	msedge.exe
920	msedge.exe
4296	msedge.exe
4296	msedge.exe
5184	msedge.exe
5184	msedge.exe
5420	powershell.exe
5420	powershell.exe
5420	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

920 msedge.exe
920 msedge.exe
920 msedge.exe
920 msedge.exe
920 msedge.exe

pid	process
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

svchost.exepowershell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	3708	svchost.exe
Token: SeDebugPrivilege	5420	powershell.exe
Token: 33	5944	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5944	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

2Qg4413.exemsedge.exe

pid	process
1384	2Qg4413.exe
1384	2Qg4413.exe
1384	2Qg4413.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

2Qg4413.exemsedge.exe

pid	process
1384	2Qg4413.exe
1384	2Qg4413.exe
1384	2Qg4413.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

3708 svchost.exe

pid	process
3708	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

daa567d513d049f218c6a71a786c44119f9acb0ea480f424468a8a09e9c75dad.exeuV0Lq44.exeGP2mT40.exe2Qg4413.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 2928 wrote to memory of 632	2928	daa567d513d049f218c6a71a786c44119f9acb0ea480f424468a8a09e9c75dad.exe	uV0Lq44.exe
PID 2928 wrote to memory of 632	2928	daa567d513d049f218c6a71a786c44119f9acb0ea480f424468a8a09e9c75dad.exe	uV0Lq44.exe
PID 2928 wrote to memory of 632	2928	daa567d513d049f218c6a71a786c44119f9acb0ea480f424468a8a09e9c75dad.exe	uV0Lq44.exe
PID 632 wrote to memory of 4808	632	uV0Lq44.exe	GP2mT40.exe
PID 632 wrote to memory of 4808	632	uV0Lq44.exe	GP2mT40.exe
PID 632 wrote to memory of 4808	632	uV0Lq44.exe	GP2mT40.exe
PID 4808 wrote to memory of 1384	4808	GP2mT40.exe	2Qg4413.exe
PID 4808 wrote to memory of 1384	4808	GP2mT40.exe	2Qg4413.exe
PID 4808 wrote to memory of 1384	4808	GP2mT40.exe	2Qg4413.exe
PID 1384 wrote to memory of 3996	1384	2Qg4413.exe	msedge.exe
PID 1384 wrote to memory of 3996	1384	2Qg4413.exe	msedge.exe
PID 1384 wrote to memory of 920	1384	2Qg4413.exe	msedge.exe
PID 1384 wrote to memory of 920	1384	2Qg4413.exe	msedge.exe
PID 3996 wrote to memory of 4752	3996	msedge.exe	msedge.exe
PID 3996 wrote to memory of 4752	3996	msedge.exe	msedge.exe
PID 920 wrote to memory of 3980	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3980	920	msedge.exe	msedge.exe
PID 1384 wrote to memory of 4768	1384	2Qg4413.exe	msedge.exe
PID 1384 wrote to memory of 4768	1384	2Qg4413.exe	msedge.exe
PID 4768 wrote to memory of 2208	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 2208	4768	msedge.exe	msedge.exe
PID 4808 wrote to memory of 3708	4808	GP2mT40.exe	svchost.exe
PID 4808 wrote to memory of 3708	4808	GP2mT40.exe	svchost.exe
PID 4808 wrote to memory of 3708	4808	GP2mT40.exe	svchost.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4648	920	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\daa567d513d049f218c6a71a786c44119f9acb0ea480f424468a8a09e9c75dad.exe
"C:\Users\Admin\AppData\Local\Temp\daa567d513d049f218c6a71a786c44119f9acb0ea480f424468a8a09e9c75dad.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uV0Lq44.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uV0Lq44.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP2mT40.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP2mT40.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5po4uT4.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5po4uT4.exe
4⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
5⤵
PID:5320

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:1456

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
5⤵
PID:5416

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 3060
5⤵
- Program crash
PID:1160

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6uv4PQ0.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6uv4PQ0.exe
3⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 996
4⤵
- Program crash
PID:5364

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UJ1in37.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UJ1in37.exe
2⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qg4413.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qg4413.exe
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
3⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
3⤵
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
3⤵
PID:5596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
3⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
3⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
3⤵
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
3⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9ccbb46f8,0x7ff9ccbb4708,0x7ff9ccbb4718
3⤵
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3992 /prefetch:8
3⤵
PID:5856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4988 /prefetch:8
3⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
3⤵
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
3⤵
PID:2332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
3⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
3⤵
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
3⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10376929528064349577,7335018790919854266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
3⤵
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
2⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,2885334083922763034,15965473380728047925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9ccbb46f8,0x7ff9ccbb4708,0x7ff9ccbb4718
3⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,9130643454388161743,673062327509527460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,9130643454388161743,673062327509527460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
1⤵
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x14c,0x170,0x7ff9ccbb46f8,0x7ff9ccbb4708,0x7ff9ccbb4718
1⤵
PID:4752

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3708 -ip 3708
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1828 -ip 1828
1⤵
PID:2700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3708

C:\Users\Admin\AppData\Local\Temp\5A7F.exe
C:\Users\Admin\AppData\Local\Temp\5A7F.exe
1⤵
PID:5624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9ccbb46f8,0x7ff9ccbb4708,0x7ff9ccbb4718
4⤵
PID:552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,5477862063528917264,807950291859254452,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
4⤵
PID:5732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,5477862063528917264,807950291859254452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
4⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,5477862063528917264,807950291859254452,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
4⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5477862063528917264,807950291859254452,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
4⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5477862063528917264,807950291859254452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
4⤵
PID:4996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\7887.exe
C:\Users\Admin\AppData\Local\Temp\7887.exe
1⤵
PID:5716

C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
2⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\nsb87BC.tmp.exe
C:\Users\Admin\AppData\Local\Temp\nsb87BC.tmp.exe
3⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
PID:4252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
PID:4220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:4400

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:5748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3164

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:5632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5348

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:2552

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:2232

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1460

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
2⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\is-3ED9M.tmp\tuc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3ED9M.tmp\tuc4.tmp" /SL5="$102CA,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
3⤵
PID:5476

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 23
4⤵
PID:3696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 23
5⤵
PID:5296

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -i
4⤵
PID:1624

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -s
4⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\etopt.exe
"C:\Users\Admin\AppData\Local\Temp\etopt.exe"
2⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 328
2⤵
- Program crash
PID:4560

C:\Users\Admin\AppData\Local\Temp\80A7.exe
C:\Users\Admin\AppData\Local\Temp\80A7.exe
1⤵
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,13375666819537121486,6577224543426457653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
4⤵
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,13375666819537121486,6577224543426457653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
4⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13375666819537121486,6577224543426457653,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
4⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13375666819537121486,6577224543426457653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
4⤵
PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13375666819537121486,6577224543426457653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
4⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13375666819537121486,6577224543426457653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
4⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13375666819537121486,6577224543426457653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
4⤵
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13375666819537121486,6577224543426457653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
4⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13375666819537121486,6577224543426457653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
4⤵
PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,13375666819537121486,6577224543426457653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
4⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,13375666819537121486,6577224543426457653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
4⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13375666819537121486,6577224543426457653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
4⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2200 -ip 2200
1⤵
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ccbb46f8,0x7ff9ccbb4708,0x7ff9ccbb4718
1⤵
PID:1772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1760

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:4960

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5392

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:4656

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
1⤵
PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\31D7.bat" "
1⤵
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\334F.bat" "
1⤵
PID:4504

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:5816

C:\Users\Admin\AppData\Local\Temp\6E94.exe
C:\Users\Admin\AppData\Local\Temp\6E94.exe
1⤵
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\872E.exe
C:\Users\Admin\AppData\Local\Temp\872E.exe
1⤵
PID:5188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 820
2⤵
- Program crash
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5188 -ip 5188
1⤵
PID:3828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Bytematrix74\Bytematrix74.exe
Filesize
121KB

MD5
a691ad91f76aaa85984e80fa8406b79c

SHA1
2d873b2619c9e1b54cb5fa3d0c80e0125fbac3b7

SHA256
ff666afd882fcd0a7207fd03eec0f1a33cd519f229b7864a5481ab7d314fa1bf

SHA512
54253821eb28abed8f643dcfe3eda032129f00c8ecf211985a4664e16aaa341bb9f5f8a04c4262a36519ba9d43a1edb776936974e9cbcbb0c2ffb1e26c6e585a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4a7e054ff36f584b0272e61b1d9ffefa

SHA1
fabdad5da7b3a4e635dc49cd2e7f07bebb9012a7

SHA256
e3365d241927509711527adc0edbb3f2a0da996c59b14bcdeb78288934096686

SHA512
53b101f4bd311ba8fade73521a363bd7e65d43158d9ce0a370ff1e9ecacbfe2a42d34b56aed024653b5b49052bd7bcf8b8259fa2d70a5e9aaf9519dee0204ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
25315820c89b2a139048e92dc7aeb145

SHA1
49a2aaa85f6361efb02cd57da973deb105fa3d28

SHA256
85108425d74bf1ed9cf5e28698168c158bae603994a58c11b162afe6ca526d58

SHA512
504e01e69643f6ee5ee5227f007bf8dc9dd9389c63b368c41f59048e9a344d464ed10e08591809d134731e4ec53dfe15bf70306ed204ffbd46cb831f8b11f7e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ce94360a0267af7bd2e97117da7c1fa

SHA1
28330c69737fc4e77bc501ecc988a6a6cb8db5a3

SHA256
d38c802f51e2144955f151846c640349d7cf4b158752aaaa4c841f81f850a470

SHA512
a3e0eac276575aade49a4f32972883b8ccc4f505cc146ca16726d46d85b5fde33e8bce293233b72b606805979fbbb9c47fa873d372dfa9cc474619207edcde90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0bd5c93de6441cd85df33f5858ead08c

SHA1
c9e9a6c225ae958d5725537fac596b4d89ccb621

SHA256
6e881c02306f0b1f4d926f77b32c57d4ba98db35a573562a017ae9e357fcb2d2

SHA512
19073981f96ba488d87665cfa7ffc126b1b577865f36a53233f15d2773eabe5200a2a64874a3b180913ef95efdece3954169bdcb4232ee793670b100109f6ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
d7e486aac68c3ca2898c37e5818d0acf

SHA1
19612890cefb1df8b34ea7b76a5111d0899f8a95

SHA256
44990476a1e337d86273bf987791af1382d624974dc9c45ce9b13c99b227274a

SHA512
ef859a09fe7492a337c7b86a88652ded414955dc9ea3dcb75b4b8dcfa35f8ee454b7df0744a558e6aa8bcda4a489c3ad8179456a9746872383ec45ecb9f39520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
49KB

MD5
238ae8c090b6db759dd67cbabf78bd7f

SHA1
a659ab21f2d6d9c0ffdebda9cbaaad4d28175e4b

SHA256
811c416ac5f3fb3b06630813cebc52ea38d74a1b0f4da0c292fb52e9d841fcc9

SHA512
7afa904e4afc4b714774480be78354f0f3f5740b0fc5f177ea1296f034a08b721c3ab6e37b68d85d6db871c15bc5261790d72a5f55779e0aaa6b8ef8642a67ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
Filesize
624B

MD5
e0e4eb95916176f8a9312d72ee93c395

SHA1
5174078b1ee588821bd4f88e49a7f0543acd0a92

SHA256
3218f3edb9c5c8332a77a7a5523afc7a3bd9174741e317f90c36a039aeab02ff

SHA512
e96f3d73b9fb6aed525186ba074ac300eab6355906727c2a8f9e0859bbb5392861b377ebc861c71d8e4f9612d4cee494de0ef4cbc8edd74abb79333b268ed022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
674542d397c03ac1478b1610c6696500

SHA1
586cc56d7f5b812d37995ce2a519f95ae027bff9

SHA256
123e194b3fb7fffbe4f14cd3ea73b31d9830e2616548de52ae3502842278fc9a

SHA512
fb40c30300a24116df14dd9e427a1e4d37d9015d719f8285753695ed5256e8a95c9a9e1d9fb1e5dd6e635fed22c1a679ae6baca19578c5e5a02c5292b2b08cfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5306b5ccc1f10d76802c5d5c440ac535

SHA1
25adfe976271d1178b9a612f8b8845e333160063

SHA256
688c850b01d06fb045999d0d26c5ff4698aba2bcc6544a5362b0ab5a3c29e560

SHA512
74f6bc5130a30e08a1d3049b3456773dfd421e54e9d9bfb5b3e79b981233f9537cbc3eba15ef9e9fde75f3362ca55e575cef78d47561fea1138c80b978c1f12c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cec0344b8d6d909ea89f4f52a588033b

SHA1
9d465b5fd03fb5e81f381ab098737ee6a7ca1ca3

SHA256
164da96641f1bc3752ba6049d8cef08c5dac0f594d779b8547bf27de7f85f41b

SHA512
7d80c562601fad69870a1c77a215b5873cf2c0dba9f1aa4f1f3eacb71ea0935dd36d77ca96bc9cf9596c2b68bf832e521254c3c7e7a0f7dee791e0fefe4accfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
dc55a531879a35809403e39e4b49bfc1

SHA1
eecf7058d34a80a09c536b17de178ea04b92cb85

SHA256
8fab7486395f1d64097b6d1e56f5b04757631de325b08924a58a3edfb88a7cd6

SHA512
501ead191899f1b8ab33f1f3e79ac667f94e56df812ba957087c8627b84b39ab2e645b933bc61951366947e916ec6ff8d5d5045e70035a74fb64b65805f84241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3001dd1e04217f2644b715f7ee525984

SHA1
b3f040964431424ea5f76069dcea3cda87683ec4

SHA256
917ba952091262f19bdec2a68a16f8f95bdfaf7dbe25287cafb3cac0feb2b7ae

SHA512
afcd8d1b6bef958fd2715df9827f19610a939f2ba760bc4ac3bc53f0a9074ba69f74fe59ce7d3206a9e85d1d3f83c8fbefbc979980639d16a27a61fc56340a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5f402630-2acc-4a74-a4e5-e657c7274573\index-dir\the-real-index~RFe57bf49.TMP
Filesize
48B

MD5
df60ec3a51c19f5b54df9c7c377371d5

SHA1
b263ea4b082f604c275351520561f77672205a0a

SHA256
916b9157207aafdb22dc6fdc1f88769c947ef569f1a5d347171ac1252a769d89

SHA512
55b752e43a0c564a3c32c42664b862ec7b572ee4740f44f532a7b61023d1a37b8f55566c16c9106604e77e8f7d7a308d3180ffc3b7cd3b14a6a0b385baf06906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
2699891bbf2f0ea23d5c44dcc0904817

SHA1
bb4d7d3b6f828f396534ef04a12c4667e02ec575

SHA256
215d08c50c1fd4bc6bf441cf1e10c400feb9a378c0971ddfc6f1dba32df4ad94

SHA512
30b75f863bd825d0290634f321ba70b8526db687d452cd67a63808b3b0d140766f59ffce13fb0e07cae62bb06730da29cd847e449f32112bf37f16006f630e05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
84B

MD5
d0cf045245692082fc2599ecb6b21778

SHA1
619799ecec57d64ecadee33e131cc2eb4d02727a

SHA256
20eafe7db7f0093b4e51ca98248bbdd6582dac7d0c900a2c5f4aadb5ec4bfc51

SHA512
5f2b56808177c41437b8b6511c7b625659e554d66eeef49dac0503ba4c8e8185b23c484bfddcc3728060d3880de34554fec9b0a4d901aebc897a936f70a94ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
7fc6f56452b39ad70b1897962ef5d187

SHA1
785f41fef0b3c2df2eaa876f2e758ae9ad3be325

SHA256
ad24db6bdf0689a6721d806a2864554f636ef846b07184e1bcc709421b33963c

SHA512
c063da8dd1f7b6c2ff148c17193714324961d49398e38938c68e2368b5007ce05807fbee96befa71b1047010836b0c4e28e76382ab48ddd2f73f6fbd67f09482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b9ab.TMP
Filesize
48B

MD5
d6d7d147af131463ed28dfa46de4190c

SHA1
66a423359ce14508353cc501913582663ea396d7

SHA256
255baf8835520c70872f3c65420b40111017eee4971fc52acb45f0a00f13bab3

SHA512
379ee29bf44300a59045ad5341ec08be63afd150ab996942ea48a02763d07cdc06f164b36c6c40bb8db60d53f7ec95645e52f180c00fd711f6301c12ae6c921e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
01797912df499e9bda801e99862cea88

SHA1
aacb672339deeb0403ecaa050d7af623b977c781

SHA256
2132a6712f7341ffb9c4379bccdb03c0278a2e82ef222f010eeedbebc26f2314

SHA512
bf331709843e966051fef89022313e8a2359567f7a2a3dc26be662b0a87701c9058cd514a032c30a2099c9f865f26fa709d957d914be75f220fa0ae9fe4e0ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
96b1d235166208a7f30597f02a48ddf5

SHA1
227d54be36e7423cbc8c4540bed36a7ca6871847

SHA256
0f31d59f83e350779dbb632f2ea588b2759e67dacc3f3324e7669b6662e6005d

SHA512
fb12f295eee30e120f5631ee259a5e52a8427ae942950ada9e744137060f97dec41d284a792927a5680f6cc0db138d9d8ad3864152e601751c463e08594d5069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
8b66c6dd8f7786555def93da80ea60b1

SHA1
7ff7ffa761aeb9a2fcf3289804d2d407111b93e8

SHA256
3640114f8f11f1aa2a199a4d403d1b39f6f436dd33f3878d4efbd24f0c0c9f17

SHA512
6f79ed1a56a8f0127583c781b73c837fedb2ac052a4c6bf61319b6306ebdd23d59ba7ca8fe868cdc87392701ea2d73ec26ec3fd18681eb86c57b0f9c1dbad66a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ad95.TMP
Filesize
1KB

MD5
c2b98d6f0c61315a3086acfde28b6a57

SHA1
6faf237282a62991f4d6c6f197a1b729db72dde7

SHA256
56f1455ca862f78a0a058c45db289365160b836fde40839faecac8490c4325d8

SHA512
112c1f484e4d8016b5f423cf1ddd6bd1043c7134dcf86e7adbefdeafe967219490fccceb178f0d7b547fb40e54b58f8e26dbd2e5f1d4b7b6657833b1081691c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
42KB

MD5
c46ba18a2b7e2693ea27e85b9b7019b7

SHA1
9ee3c72caf8bf79bfefbd3d65f989d54712d9b24

SHA256
3807d23ae930bd260e18e216b5aa9691e2b8380cb5acc0e8298b319a0008a18e

SHA512
04394df80a5c108a5ce8738cb86df8f717ac7dc1b454e472a708db7a61ce9948e1d1b9fbcd97efbdc00f6e727eec3f5b74afa28013839544edcdf2d00b0af415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fe69f9c1-206a-4705-bcde-1876b375b3ac.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
25e5407e743cdc6f66eb49b43a03826e

SHA1
75433b56d491b801b8146b096b5b4bb8da87a771

SHA256
474eb7e76983a913072a3a818cbb30428e78d40306d634d05be1a1123207588a

SHA512
55bc5986ceded27680707ba30d08297a4b2503a2c9be96ec79ec288632d688261c09555a681789dea04456662dfa10aa2c2b3891ef25968a1b2f4e55d3d00802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
db8947f5968b544636e28753ee51f7a1

SHA1
feac4e50dd7f2dc2e0774f9691479e12a48afa9e

SHA256
0aa43c6ad3f0c646c76134f6dc3485c24aa23212271291231e2f87361afcd6ad

SHA512
caa1e716a1e6a1a118293e77a24f55ef4b51ae18cabe7ffae979d57e8279ee79507121dd498f9b8438f893acb20e278387810cdbb6e7af81cc36f272210e41d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
c8c6c76dfda4364395e7e7e8569bd7fd

SHA1
a9131c6a58185239061b44c898756bf09be2162a

SHA256
56227cf7938f26f675aefceac86015222835afcf7570525d7c6ddf088acb4ae9

SHA512
0ac8eb6251eca1c7051de8b0f5f037ec723b0a29b2811f30f78cfc90fadda2cacab5dcf7bba4e07c1fc766757c7c10314f2a936bd374cb9428014e29d3fba264

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
794KB

MD5
0cab95ee180ebbda77711a7a0ec000d0

SHA1
1955bec73cd12c5782f72b4f5350c8f4cb489e84

SHA256
9ed158e7d5972f66ef3bde1d567af969b445dc912c9cdae109f1d974d4f5b1cc

SHA512
98a0310f311adc861658d81efbb3c44c826c273794301137fcc7e0bcc6e36548ec961678a28ef4a8093baf2c13b0a1e242e2c5ee1aa195f509168ad9ae5bc93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1.2MB

MD5
54ed18a9c95888c8975d08ba95de8ec3

SHA1
3bdf28a000686295c2f8f76bbea093823805a19b

SHA256
4e0db379affff631a62aa357af2a53e6e626908c68a05d0be00091aaabf5cbc3

SHA512
549c3faac72130d8a31e53fc19a040be224b43d1bf0ba5591944300bb2eec1d9122b78d7a638f11df9f36a5a3c599c456e7efb1dec2461ea30fc24239b682758

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
605KB

MD5
fc82a0016612d41f141813baa09674aa

SHA1
f75b55280ff853dfc9d19f0de0167fca5cc62806

SHA256
6a5c5e7a728f4e9ff3f9adde5a9f92bbd6e48b8d2f76299db3fa4539ec5fa28a

SHA512
3a40a40692a72b721e3dec986bfe05ff18380a7e8025ea28f85ba72679bac8dc9303ce937c51e2509f5290eb8ca578fcc04db5070f0c53bd27de17df487c9c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\334F.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A7F.exe
Filesize
770KB

MD5
e6a44457df44c840b7f2f193c2c66e50

SHA1
3850a277ceeab5c4401a678df8c69eecbfa794ff

SHA256
ef5cbd8c34804c3a1c154747961021d89f6a3f08cf3665e527efd23cfb295138

SHA512
b4625332a98b141187a3af5f68151f5706c433ef6e7d8e5a17bd9a0f386b3aef67f6ed9ae536e139a8c54ebe2d14cc14c59dd4f736c06ea517890bc499370965

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A7F.exe
Filesize
93KB

MD5
1a67dcf51f5d098116e97be21eb37ecd

SHA1
cbb37439cb38037a837d55896636e5b7cc265943

SHA256
62cc18ea7bd78fe6f79a4db9884277d6555fa9fa21773caef5369a26d22fc873

SHA512
d5774ec33154007dc95d9638f8508c708b6438e2dc2cc0b0b5329185c8ac08b9a5e21d44686aa1372d9238cc93b017b6f92c32b0f872c9e79f6901409480d6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7887.exe
Filesize
65KB

MD5
bdeeb48e36261ca90ab8b28592e4366b

SHA1
84ab607d3b8524bc67ed7d11cef1a61757588b91

SHA256
83c4e92869d500cbbbc429f95684bebc3fb585c500e703a5d23033a508992044

SHA512
e5ebaa7ab052b3dfab862779dd2bf2daad92d85862e5e68450c85e4db74ab36dcbc9d2c8ff26dd6c1732c3e70d3a35d680c539a7172bcbb5960fe815b9ef85a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7887.exe
Filesize
523KB

MD5
7998820d3860084a7a01d06cf8e72cce

SHA1
d6601bf8d80a367bde6376f2cd81d25c16b3fd5d

SHA256
c8c2c27c40bf9f1837bcc9c675e3a8c9f3f926167fc9d92fd0494103873b7527

SHA512
c8f58a0ca6145f43594138a589d1e6e0b817d2038548a9650e640f3db6c2f2691fe49ad9b2f7c5e2972805f50819b314cda4eb7ad8e35ec26f4e0b3108bf81cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\872E.exe
Filesize
91KB

MD5
a7946114fbb4e0851d979c4a003324b5

SHA1
f7817284ad572bbd4ccce099ea41d071282c20ee

SHA256
f2b7cf66636630c450f1fa273821ad6153ae49ebe247b75a72ee9c9d98427941

SHA512
ec2613a968f2975fab12afa3c7e009b58d2fbcce37feef8f361dfda62884241090dc82068259ff3e4a93137c10616710f91c69a213cbe99782bac346d118abb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
88KB

MD5
065b6d6093052cbd22b2a8ab486ce22d

SHA1
918400859a23c2f3b346759a192a18987602199a

SHA256
b16aff748e944bf6210d586a08035e8f04e169e30f3f15aceb955c05d3fbb0e4

SHA512
43002fce89198497bad017498aa2f4b885a94c219dfa4024f7ff7eab337ca3700aeb2fb6f9c9539a28ee5df5e6dc3b756a17f7a001ddf78e9c252aaf7fc25305

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
Filesize
41KB

MD5
ff586482c378efd33d8fe1a040593cda

SHA1
26e48618df846a94cb03e19ef566fd43d1c19e9e

SHA256
ee4be3a32cb29dbd339c942cdb57359eb384eab40428ea8e1a055d25238bb77d

SHA512
df004f0f1cc85ae90c3c2dc21d8e800fc6f33297df574b056eefbb3c298458532cbf37d99b801e97dda2f6152e1bf60a7bd406ca254fd730dac5a023903a0349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UJ1in37.exe
Filesize
38KB

MD5
1e555532c1114b6644b5fe6ff9870b4e

SHA1
19cb0f87341b6190cd6e73fdd76446b84d55c19f

SHA256
151bbf08266568f4a33843a509cf8ee0b1d6d6ca764da2e9c3d98b7cf4eaf650

SHA512
cdcb7769a87ba30fc4873d11e4e5eaf58793d29474f0b9139f751c573893d05f5b54e264420dd8c382e39725ddb5daff67342bffe3c217bb7e1322ecaf44cbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uV0Lq44.exe
Filesize
79KB

MD5
896b78e8ad1e5f8076c362c84e91d01e

SHA1
3bf18e25ca6c59e46cdc3d0ffb2283bb22958b03

SHA256
5ae171f7bc71f6f8c7da523bcc38697d528c6a29f3cdc3fea685e451bc2b8522

SHA512
8dfce81fff0ff39967779f2f77f7f17440e88d04df4e0719d3e787dc7b1dd3511d771508c84d211fe3acf36d11552aec12e6ff9373e525d1c57cb42ec78b8cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uV0Lq44.exe
Filesize
1.3MB

MD5
6f4b37e1ccd5410d2bc4be01b7ed6efb

SHA1
6f0e3afbdb33b081d6f8a47ac8fdfe877a894c84

SHA256
d1be108f5b417c6dd8195ecb2831ec751eacc4348afce892fd9decea6752f383

SHA512
1c4ae8b763794cf23a1c61bb5837a891ce1c58463bb62a645ab1d4d623abc459492d86e620ffde00fa6cabb83aadaa5977e8be18813aae7b358ddb8a9d571380

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6uv4PQ0.exe
Filesize
233KB

MD5
1f5104caa75df0bc4687951748cadd2d

SHA1
5ab1457b3d3fdd01ec347bb23b3bd0b235bd7fc2

SHA256
3865dd4e506ce0dbc912f298592a4ecc68803804bc2afca73478589368ac693f

SHA512
8cf5d81e8c7cff0ecb5338fcf2224c3cc7c665df2171ff6d15df7798f376366ba1c23a0855cff8c2982a44eb59e1ce8cede3acfbd842e7db98f8d8c8d49f4704

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6uv4PQ0.exe
Filesize
187KB

MD5
8549e831e6e0f248960e83d81735a905

SHA1
89deca4853f9fb17c4e9dacee25692933b130f92

SHA256
0b5036172ed9af98210833334336189dea4cea9a663a70ce146079a676d23e1f

SHA512
3a70f2fca880b116835dd639511ed08bb470c26b90b35d06f8f7ca746dd217e91a375aac19af30bc463975c51ff41e4b404ba4a37eef284aa4bbfd8bbdcc3226

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP2mT40.exe
Filesize
1.1MB

MD5
6b9ac3020f1b6a25f5d87ddba986d433

SHA1
f36ca9d528f9530937cc332693eec370aa05c17f

SHA256
54430ba6583260e1986a825f0cb8e8258cd8b955bb6fbdf5e791184f01cd4322

SHA512
e678bf8c26fd06ad83524ad16ca9cb775958996bca1daed83dab47c635bf69153a799615e237d5bc50045397b12b26da0907e6a832385e3ff0c4d4b09c1080b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP2mT40.exe
Filesize
1.4MB

MD5
63f7dc2edc813207723e7e6eb2477b88

SHA1
759678fd19877480c9b6a809e81b227cd75ff7fb

SHA256
c756bba239628074a46eedb186152ecda818f63eb27848d55ec619e0e6fb0d8a

SHA512
6b45335d7b089cf79790e4ef7b08f0874329f7ddb9d0590d57fa03f8c81ea821c93500ca0af34763f21392dd9d7ed32f6d1367ad15e4f12664c686bec887ac23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qg4413.exe
Filesize
449KB

MD5
ee3284179b6ab83caf39a5c5df828c34

SHA1
c9bfa599918e7805e0259aa82674f63183cc4932

SHA256
c2e840fb0381355500dd0e322370e011f8be34a224e70ca02585afff7f427e7e

SHA512
b785d59c501ec50d321a70c87861b6aad7abe7df084749a5f11e55cb9388b846b040d9f8de9c88255aacca73cab6741a6911d03068ea1523c85776d59603d5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qg4413.exe
Filesize
322KB

MD5
d6a8ddf012426df19ba1b99e290a75d8

SHA1
64b50bc42af31cef3e7e1f95767eb00de5be28a0

SHA256
9115a66880c50c49c7d85f63b3da815e0bb8563722152c147af9406e8753e1a3

SHA512
4d9deef0d48eca8c8bd8b6cebc3a9c7766fa00cbc39ccb22cfbd5dab47080053a1fd92251b2ab339727aea2c2a892f0e1a76000cee61387698fb7285d0fa675b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5po4uT4.exe
Filesize
240KB

MD5
a125f8e8567a0391ee6ea1913d65a00f

SHA1
4ac7f05c53a3c0eb506efaa269ccbc808cf140f5

SHA256
0d9bcba9e36483f1dd01331d5ea99f656ad9796c4b745aeaedf584c8bef302a3

SHA512
03156c52f62a9b85bb90b26fcbc87fb587ee8b55ec56366cf82086b8c078e7fed515056d28c371b8b1f72e9bbaa59d8bf499058a714d29a5d39fa1d33d627440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5po4uT4.exe
Filesize
49KB

MD5
3f310ff86f9d4ae7c230c8581b0a3b4a

SHA1
7ca4befd7c14a5b735714675684d11ad0dcb25fa

SHA256
d1519afb7d5f8bc7b65db98a87be3f13380ade6f2c0074d5a9cd4d21aabd5bea

SHA512
b707ddedc1f87076b6202e2cf83afd10fbb1938426e7b5dcaf72a6c312bec31c9d5b9d49967f3564e5d8aa2bbe0aa693cb253d6946c962f18bea6ddafbbe1495

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
514KB

MD5
adf19bb27ea469d46ced8244e5abce6b

SHA1
4a9004fd4df99011d3f0d932c60e1dc3ee4023b9

SHA256
845ab1287a19f8dfd1055bf6647ce4e3dfa803abdf0cf7d9517df42d774e8b98

SHA512
54358f8f8f567cef9b004eb56aacf77a3bd4fe9bb57f2360793677d27692068faed67adb3725a93b3382584f5090ff61049b1b1a0246385ba7c03f864aa9b130

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
1.1MB

MD5
3a3572965d1dcff31226406672524209

SHA1
6e3bb6bd1e470f3e50a02b4beffdf07bfb5a03de

SHA256
731bc86987ba6c453fbff285c0203b70484a090909f90f30638a1663ca042066

SHA512
21bae958fa651c77ee78240189a364000984753c63e0662847b5674da0ecb5e352651f5955f603a3a85a80b9ec7587138bb92af57b27028f2dc2bab0fc8e543b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rpqsnpl3.l2l.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
61KB

MD5
57c32f4f60bbeebb3b9a1c50321a2fc8

SHA1
c044046f3aba0df9bc34449c646679f05d2c3d72

SHA256
7269684689451b56876576a2845b92664274b33cdf975de99587e00ec5a6aff9

SHA512
db023bd6cfb873c4554f8ebcb58c559963837e6dafca99dba93367e8cb8d7d7e12266abfead4926fdca82ade17fc663b1e1b7c8655af2637a5e5896dc76979d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
123KB

MD5
29646cdfa042cf3588fbb8032e9fd92c

SHA1
4954c81306ed9e60bde63e996a60d7b9f8f56944

SHA256
479fdceb0be87852757ed65e8f6f861ba4fdc89c93d5dbf47d8bd648653c11b3

SHA512
ab1a10c390cea6377c5d04cb6d3d4650999861b13a121afbcf17ee67ad0b996fe000b8111290a0fc401b3459624576a8f81f77aff91389d5039d12ac651f5aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
4KB

MD5
edab46fe3a540e749a7b132c9060f3ef

SHA1
aac2fc71c8e5c7f4bfeef93b43cc8671e3d98e31

SHA256
88923bf68fabddca7f532d888eb37a5fac5c036a8858be327cbad1cbc5186a13

SHA512
7f7b3bd53be0cb9abb5a6f88f790bd664a0bcace074c373c851d9a482a5e251f872f9fb216de15c523c026696d06f7a356bca16e8647eff6a4b45349f197805e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3ED9M.tmp\tuc4.tmp
Filesize
81KB

MD5
7c536f24a5c8bc09dfe9ac11d78ee315

SHA1
8ed74f3b7d9955d21f85618ba8ef0e3b05dd8fbf

SHA256
55fdd12fc8483d204543ff80f6baa6b53799031c72efbfb07c70539d2ab24b35

SHA512
714f18317cba445df594f5db1d503247bc19f5cfa9eb5ceb69c2263d6d0d7808bc136d4ff381dcd43ec290af519618171cd168e22a43167d4987bca2639abf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3ED9M.tmp\tuc4.tmp
Filesize
109KB

MD5
aa05196f82feefeb0e3fb577d50fc74f

SHA1
45d0101c4b46c9830c895e988bc63d096ca03c05

SHA256
692467ecbc946c80d21069a7f92f10c5cc2779b8da54fcf8fbc70d097bfacfe1

SHA512
0b28d78514a31055cd0d805ec5b59c82f987626eba15b32ea6fec9921cd65242a1c29ecedb9a7c4144a657efded49fa3ae856b1c45c634459c33ed0db3cd73a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7B38.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7B38.tmp\INetC.dll
Filesize
4KB

MD5
bd1442f74da393350b8939bda4460f97

SHA1
717dc2fe82a274969554730d257341136cdb7b87

SHA256
48d283ece6b927dc9f8b90a35020e25c2dfd1ed8abafa5bc418c2c68b39530de

SHA512
fd53fd08af60e2cbca751b46fa0b68801e6fc122366d80d5ff63c0d3de55637393b35b217491e9cc396e9b6334ecf5af4ecdcc9e2e0712d9f0fb8bc6d7c77e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy7F2F.tmp\Checker.dll
Filesize
22KB

MD5
cbd0b11e0b9a43729b7af239d386bbc4

SHA1
99ad2e4c0e77a75bd4c2bf1bf691ebb862ff6ca6

SHA256
6f375de6d3e54d2bbcf0f6538b19d1941b56fd7c0c0789f8a15dcf779636860e

SHA512
ef7eb712d179d83527c9dba6de6bac36d328ff92963714fbcf8f2bf85a55bc84bab9fbb5dc7f73248a64adceac2108afd923f61a06959b20131b494fa614eb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy7F2F.tmp\Checker.dll
Filesize
4KB

MD5
ecb2e29686eaa756f738e8ffad39859c

SHA1
75daad90df788b849bd592952fc6647d7a7e9ce7

SHA256
d21419dca0aa69ecb3edcb237144b8adab7b05d31f036f250242cdbfa3bd2974

SHA512
96f177f18f4e541f77c4479830bf442e5562f215304e0b1c79aee04b80eaa6200ec7c2b2d43ac9a1ac16f698403033bef7cff88d87dec7b6c828a373ddaa0173

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy7F2F.tmp\Zip.dll
Filesize
3KB

MD5
b653226146926bbb21ebeeb8d3fc80c3

SHA1
80d8f202f148784b1b1a46efa54a9b4806e4ccbf

SHA256
d548a974c08e6da559d67a08ec86476ea9c13111d2366a1b0bedcab3b7265daf

SHA512
627c2e7ffd72b17fe32b4ef6f08cced4f62cb8bb94060fbf06852d7e9561c7a2546f82a20fb71cb2ef2b7e09fbabd557bc8a7fd73f149be76025b50479745c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSWlyrKAS1Ex86\ZsCGtNbADz3rWeb Data
Filesize
57KB

MD5
9bd5e7d1104c669f0f9c670e11f5abd3

SHA1
ccd7ecb0bd41ca37d06f42c812565db29a105be4

SHA256
1d1f1705778a0a63d015499c4b36a66d23700b9434a9c1e1ddacd90116e49b8b

SHA512
e6c8d8c5c22587980d5541ea37736eee4dd36eda2808d8f257dd7e560e202c55b00a5f1d25a5f89092ce8283a86f085be0d46e49c5a960c6c9cec27d8583342f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSWlyrKAS1Ex86\sqlite3.dll
Filesize
3KB

MD5
4053beac8a5799b04bd0ed71e24dd4f4

SHA1
29a3e4b6d91b095e7dd56ca16c0993cac94465cc

SHA256
ee1d5b19be2ad6def7d07c86be9131efeef2e3634e37eb237fac8ade832d9bee

SHA512
5f4f32fa954b3d2416d7c0d4b203e314d8a1d3ea707934afdb0f27eb4d2fde8662d1c4f889ca8ee36159a509657c4549f9ce93e947dff94396f9739ff8d01603

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSWlyrKAS1Ex86\xftIHRe9sUG8Web Data
Filesize
39KB

MD5
1959db7edebc26d9e82279e7fb5c1b97

SHA1
2b5f1a3ce0867635219c13e14d5e0d1e93bdb1fa

SHA256
518b17795a75312bdd4be241da097ca8438691f408339bdbbbe003c45ffec2b6

SHA512
6ff493763848b55ea6bc7ceb170d7ed34b552c86338035e5e13cbc8cf27d2489b6e9cf6428e2a920077e9bfcb11bf027ed8a497e068e40c8c29f4ebe2e96e9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
283KB

MD5
2d24e3baa2a16e47bee10e91381e6391

SHA1
013b59b2cd69e93694196dfb34fddc8684cfd619

SHA256
ff2e975c649d66476c48ac9fe64455eb0727fede676d000728d09d62d2dc6db4

SHA512
be515895b29390e1c9c44620f7b18c8ae57d08627b8bbf7484b551ccf079011f95baa78e71c1a2a6280b544dd06444b509b7c9ba126b525d813afd68010b03e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
180KB

MD5
88f6b3818209c562c388f79bc21b9f1f

SHA1
9a69b4ebe539baac54392f07d6501693c378c3f1

SHA256
e5bb299c952af2f572881fad3940be52e29e6d3250677be47242c9a501411a35

SHA512
d6f7361b823e121742de940a46159a2438d1afbdc55afa0a59791ba105fefd9e8cf99e760c4097eebb763f7a64e3129e64fe9c7e8a0b047dc88b600470557f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
98KB

MD5
acaa3331ac5e77214b0bc1261b8ce20c

SHA1
6cc37520faf3787abe186ec909946db2059299a4

SHA256
56b7a7727d28a6fc6dbcb7142ff975b3ad70344c85bce2d0527077edb05e3dc3

SHA512
b98176a1607b3f03cc55abf89acbdccc835fc76905872a3ab6f82f5a1b5bfeae578e55023f0a875ccd5f17a4ae54bb507645fa7ed3c46637965170890ca02c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
149KB

MD5
938c9946bef011625a8f042403c38a1a

SHA1
69df7487dd602e05bc3f8814428a6c37486c4361

SHA256
381593ddea56c3f1d8d43145c7912772aa7931a4370a9d0bfe6aa66bc60730b3

SHA512
b89b39528c6cfaebe1e4c53c989db61309c4c08f4a7992fc62881b9889ca251f87014fe8660f2079ff22dadf36a033ca7395218f106710496d09f8aa780e5f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
381KB

MD5
c36dcdad2d8206ba9897ac0e9bdddbb9

SHA1
d4f7606e121d0530e2d633963410c55b78605c5e

SHA256
c88c1fa3f047c4e6c201c74d31a7ec4142b9dac531edb9e2e47d8bf8fbde3661

SHA512
e4062b1ccd9e60f0b7f55f3c8f9411f19f4cbd4e0e92f5e3c3890b24cb689bc0344712bfa842a685e68e28688ce7ac9c9e5981d493988fa3fa9b13787498ab91

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
567KB

MD5
c72139275a40e07871d07351fe9ffde8

SHA1
a0100f540ac87bb12f20b74c95fe9ace108ef29b

SHA256
5b785cad391210b29c6890fe72d4d3a31695e030b240070f4f8335374b5732e1

SHA512
0bc623703e74edfc83761bb9309b96c0aade441359200077dbcd0852cc0dc56dd9e6ab4d7ae134562964e9dfb8b306b7627767cc85dbb9e826f3c90ea6744584

Download Submit
\??\pipe\LOCAL\crashpad_3996_PWNEJVBKSDNTJSVP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1016-1284-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/1232-1199-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1596-730-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1596-736-0x00000000005A0000-0x00000000005A9000-memory.dmp

Filesize
36KB

Download
memory/1624-991-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1624-994-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1820-920-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/1820-919-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/1820-926-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/1820-927-0x00000000055D0000-0x00000000055DA000-memory.dmp

Filesize
40KB

Download
memory/1820-913-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1820-922-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/1828-556-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/1828-555-0x0000000002540000-0x00000000025BC000-memory.dmp

Filesize
496KB

Download
memory/1828-554-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/1828-557-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2196-1540-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2200-743-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2200-737-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2200-961-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2752-915-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2752-908-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/2752-921-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/2752-917-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/2752-911-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/2752-905-0x0000000000520000-0x00000000005D4000-memory.dmp

Filesize
720KB

Download
memory/3076-721-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/3076-999-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/3132-1302-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3132-1174-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3132-1546-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3492-947-0x0000000002BD0000-0x0000000002BE6000-memory.dmp

Filesize
88KB

Download
memory/3492-578-0x0000000003140000-0x0000000003156000-memory.dmp

Filesize
88KB

Download
memory/3708-462-0x000000000A290000-0x000000000A2AE000-memory.dmp

Filesize
120KB

Download
memory/3708-84-0x0000000008A30000-0x0000000008AA6000-memory.dmp

Filesize
472KB

Download
memory/3708-475-0x000000000A970000-0x000000000ACC4000-memory.dmp

Filesize
3.3MB

Download
memory/3708-51-0x00000000006E0000-0x0000000000B3E000-memory.dmp

Filesize
4.4MB

Download
memory/3708-39-0x00000000006E0000-0x0000000000B3E000-memory.dmp

Filesize
4.4MB

Download
memory/3708-463-0x00000000006E0000-0x0000000000B3E000-memory.dmp

Filesize
4.4MB

Download
memory/3708-549-0x00000000006E0000-0x0000000000B3E000-memory.dmp

Filesize
4.4MB

Download
memory/4012-561-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4012-579-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4220-1184-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4252-1000-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4252-843-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4252-825-0x0000000002D90000-0x000000000367B000-memory.dmp

Filesize
8.9MB

Download
memory/4252-791-0x0000000002980000-0x0000000002D88000-memory.dmp

Filesize
4.0MB

Download
memory/4696-906-0x0000000002F70000-0x0000000002FAA000-memory.dmp

Filesize
232KB

Download
memory/4696-759-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4696-838-0x0000000004300000-0x0000000004F28000-memory.dmp

Filesize
12.2MB

Download
memory/4696-773-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/4836-727-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5420-347-0x00000000077B0000-0x00000000077C4000-memory.dmp

Filesize
80KB

Download
memory/5420-229-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/5420-96-0x0000000002950000-0x0000000002986000-memory.dmp

Filesize
216KB

Download
memory/5420-99-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/5420-100-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/5420-101-0x0000000005470000-0x0000000005492000-memory.dmp

Filesize
136KB

Download
memory/5420-102-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/5420-103-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/5420-115-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/5420-369-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/5420-357-0x0000000007890000-0x0000000007898000-memory.dmp

Filesize
32KB

Download
memory/5420-355-0x00000000078B0000-0x00000000078CA000-memory.dmp

Filesize
104KB

Download
memory/5420-344-0x00000000077A0000-0x00000000077AE000-memory.dmp

Filesize
56KB

Download
memory/5420-332-0x0000000007770000-0x0000000007781000-memory.dmp

Filesize
68KB

Download
memory/5420-272-0x00000000077F0000-0x0000000007886000-memory.dmp

Filesize
600KB

Download
memory/5420-202-0x0000000070750000-0x000000007079C000-memory.dmp

Filesize
304KB

Download
memory/5420-230-0x00000000075E0000-0x00000000075EA000-memory.dmp

Filesize
40KB

Download
memory/5420-98-0x00000000054A0000-0x0000000005AC8000-memory.dmp

Filesize
6.2MB

Download
memory/5420-228-0x0000000007BB0000-0x000000000822A000-memory.dmp

Filesize
6.5MB

Download
memory/5420-97-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/5420-220-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/5420-222-0x0000000007230000-0x00000000072D3000-memory.dmp

Filesize
652KB

Download
memory/5420-221-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/5420-201-0x00000000071F0000-0x0000000007222000-memory.dmp

Filesize
200KB

Download
memory/5420-200-0x000000007F5B0000-0x000000007F5C0000-memory.dmp

Filesize
64KB

Download
memory/5420-131-0x0000000006210000-0x000000000622E000-memory.dmp

Filesize
120KB

Download
memory/5420-135-0x00000000062D0000-0x000000000631C000-memory.dmp

Filesize
304KB

Download
memory/5476-1005-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5476-775-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/5624-907-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/5624-642-0x0000000004D10000-0x0000000004DAC000-memory.dmp

Filesize
624KB

Download
memory/5624-641-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/5624-640-0x0000000000080000-0x0000000000446000-memory.dmp

Filesize
3.8MB

Download
memory/5632-1285-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5632-1538-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5632-1564-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5716-665-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/5716-666-0x0000000000390000-0x000000000166E000-memory.dmp

Filesize
18.9MB

Download
memory/5716-745-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download