lumma | a7f088a1cd622d248cd2904ba001c8d5eb9ee90db7fe6d043414bd513a6b0275

Analysis

max time kernel
0s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
Size

2.5MB
MD5

f3b0179ba1f2f60ea88c4f14c4e7a829
SHA1

cada0b63415bfdafac480da21742d673a6f1d359
SHA256

b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a
SHA512

fd4f6e6eec6e565435c7fd7d6e5f79d7f59cca0e9ef068f370c65b270d5d4fa034b0990ecb8fb4427ee58ff5048b88130c2b80002e7d63a15c0b4aec2d342303
SSDEEP

49152:VkJD9VUS2v2/czNA6XgbuzDUyjYFb1nbuZvaMba5A7e0JSkJsGdLtFprqRbFFjfr:y9ESLEzNA6XAycRpuwiPBOGdZGxFFrJh

Score

10^/10

lumma redline smokeloader stealc zgrat 777 livetraffic up3 backdoor discovery evasion infostealer persistence rat stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:13856

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

777

195.20.16.103:20440

Extracted

Family

stealc

http://5.42.66.57

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Detect Lumma Stealer payload V4 4 IoCs

resource	yara_rule
behavioral2/memory/4400-573-0x00000000024D0000-0x000000000254C000-memory.dmp	family_lumma_v4
behavioral2/memory/4400-574-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4
behavioral2/memory/4400-576-0x00000000024D0000-0x000000000254C000-memory.dmp	family_lumma_v4
behavioral2/memory/4400-575-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/220-912-0x0000000000560000-0x0000000000614000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/4624-918-0x0000000000400000-0x0000000000490000-memory.dmp	family_redline
behavioral2/memory/3924-1264-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4840	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
4708	EU6Wr47.exe
1336	fo7Qf38.exe
4776	2OC4417.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5412	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5888-1288-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3380-1565-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	EU6Wr47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fo7Qf38.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
88	ipinfo.io
125	api.ipify.org
87	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023211-20.dat	autoit_exe
behavioral2/files/0x0007000000023211-19.dat	autoit_exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5800	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3800	2184	WerFault.exe	100
5788	4400	WerFault.exe	139
2320	5220	WerFault.exe	156
4244	2956	WerFault.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000023321-742.dat	nsis_installer_1
behavioral2/files/0x0006000000023321-742.dat	nsis_installer_2
behavioral2/files/0x0006000000023321-736.dat	nsis_installer_1
behavioral2/files/0x0006000000023321-736.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5188	schtasks.exe
5740	schtasks.exe
5956	schtasks.exe
5188	schtasks.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4776	2OC4417.exe
4776	2OC4417.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4776	2OC4417.exe
4776	2OC4417.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 4708	3188	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe	90
PID 3188 wrote to memory of 4708	3188	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe	90
PID 3188 wrote to memory of 4708	3188	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe	90
PID 4708 wrote to memory of 1336	4708	EU6Wr47.exe	92
PID 4708 wrote to memory of 1336	4708	EU6Wr47.exe	92
PID 4708 wrote to memory of 1336	4708	EU6Wr47.exe	92
PID 1336 wrote to memory of 4776	1336	fo7Qf38.exe	93
PID 1336 wrote to memory of 4776	1336	fo7Qf38.exe	93
PID 1336 wrote to memory of 4776	1336	fo7Qf38.exe	93
PID 4776 wrote to memory of 4524	4776	2OC4417.exe	94
PID 4776 wrote to memory of 4524	4776	2OC4417.exe	94

C:\Users\Admin\AppData\Local\Temp\b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
"C:\Users\Admin\AppData\Local\Temp\b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo7Qf38.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo7Qf38.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OC4417.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OC4417.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        
        PID:4524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff4a6b46f8,0x7fff4a6b4708,0x7fff4a6b4718
        6⤵
        
        PID:924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,5217338300348792886,3118869104087981070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        6⤵
        
        PID:2284
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,5217338300348792886,3118869104087981070,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        6⤵
        
        PID:1484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
        5⤵
        
        PID:1696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff4a6b46f8,0x7fff4a6b4708,0x7fff4a6b4718
        6⤵
        
        PID:1640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
        6⤵
        
        PID:856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
        6⤵
        
        PID:2452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
        6⤵
        
        PID:2876
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        6⤵
        
        PID:5092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        6⤵
        
        PID:3264
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
        6⤵
        
        PID:3584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
        6⤵
        
        PID:5248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
        6⤵
        
        PID:5564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5448 /prefetch:8
        6⤵
        
        PID:5700
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5680 /prefetch:8
        6⤵
        
        PID:2264
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6484 /prefetch:8
        6⤵
        
        PID:5112
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6484 /prefetch:8
        6⤵
        
        PID:2464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
        6⤵
        
        PID:1060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
        6⤵
        
        PID:4180
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
        6⤵
        
        PID:5380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,15275405493572209053,3962381465632991887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
        6⤵
        
        PID:5376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        
        PID:3476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff4a6b46f8,0x7fff4a6b4708,0x7fff4a6b4718
        6⤵
        
        PID:1924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,13464355717114331446,10692408990184932363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        6⤵
        
        PID:5124
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe
      4⤵
      PID:2184
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        
        PID:5352
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        
        PID:5024
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5188
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        
        PID:5372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 3068
        5⤵
        Program crash
        
        PID:3800
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4840
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Dj5xH9.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Dj5xH9.exe
    3⤵
    PID:4400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 864
      4⤵
      Program crash
      PID:5788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7hx9Oo55.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7hx9Oo55.exe
  2⤵
  PID:3144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5176

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x484 0x4dc
1⤵
PID:5848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5720

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
1⤵
- Creates scheduled task(s)
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2184 -ip 2184
1⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4400 -ip 4400
1⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\7CFB.exe
C:\Users\Admin\AppData\Local\Temp\7CFB.exe
1⤵
PID:508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:3924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3971266879125174703,18399394838501596119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      PID:2740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3971266879125174703,18399394838501596119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,3971266879125174703,18399394838501596119,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
      4⤵
      PID:4832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,3971266879125174703,18399394838501596119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      4⤵
      PID:5204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3971266879125174703,18399394838501596119,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:1876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3971266879125174703,18399394838501596119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
      4⤵
      PID:5560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3971266879125174703,18399394838501596119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
      4⤵
      PID:5476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3971266879125174703,18399394838501596119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
      4⤵
      PID:3848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3971266879125174703,18399394838501596119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
      4⤵
      PID:5124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3971266879125174703,18399394838501596119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
      4⤵
      PID:5960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3971266879125174703,18399394838501596119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
      4⤵
      PID:4276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3971266879125174703,18399394838501596119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
      4⤵
      PID:3944

C:\Users\Admin\AppData\Local\Temp\94D9.exe
C:\Users\Admin\AppData\Local\Temp\94D9.exe
1⤵
PID:1888
- C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
  2⤵
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    PID:4556
- - C:\Users\Admin\AppData\Local\Temp\nsgA13F.tmp.exe
    C:\Users\Admin\AppData\Local\Temp\nsgA13F.tmp.exe
    3⤵
    PID:4936
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:5244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2988
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:1336
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2708
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:4124
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5208
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:5896
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:5956
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4a6b46f8,0x7fff4a6b4708,0x7fff4a6b4718
        6⤵
        
        PID:5992
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:4912
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:5188
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:5888
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:3708
- C:\Users\Admin\AppData\Local\Temp\tuc4.exe
  "C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
  2⤵
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\is-6N6U6.tmp\tuc4.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-6N6U6.tmp\tuc4.tmp" /SL5="$102B4,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
    3⤵
    PID:5396
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" helpmsg 23
      4⤵
      PID:5776
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 23
        5⤵
        
        PID:4868
  - - C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
      "C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -i
      4⤵
      PID:1052
  - - C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
      "C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -s
      4⤵
      PID:2184
- C:\Users\Admin\AppData\Local\Temp\etopt.exe
  "C:\Users\Admin\AppData\Local\Temp\etopt.exe"
  2⤵
  PID:4484
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:6136

C:\Users\Admin\AppData\Local\Temp\9FB8.exe
C:\Users\Admin\AppData\Local\Temp\9FB8.exe
1⤵
PID:220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,5256914284162363816,4705420527529156675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 /prefetch:3
      4⤵
      PID:5968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,5256914284162363816,4705420527529156675,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
      4⤵
      PID:1224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,5256914284162363816,4705420527529156675,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
      4⤵
      PID:3932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,5256914284162363816,4705420527529156675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:3716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,5256914284162363816,4705420527529156675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      PID:1936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,5256914284162363816,4705420527529156675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1
      4⤵
      PID:5728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,5256914284162363816,4705420527529156675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
      4⤵
      PID:1876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,5256914284162363816,4705420527529156675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
      4⤵
      PID:4108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,5256914284162363816,4705420527529156675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
      4⤵
      PID:4548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,5256914284162363816,4705420527529156675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
      4⤵
      PID:5456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,5256914284162363816,4705420527529156675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
      4⤵
      PID:5800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,5256914284162363816,4705420527529156675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
      4⤵
      PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4292

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
1⤵
PID:5220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 332
  2⤵
  - Program crash
  PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5220 -ip 5220
1⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4a6b46f8,0x7fff4a6b4708,0x7fff4a6b4718
1⤵
PID:3500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4156

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
1⤵
PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\47.bat" "
1⤵
PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1DF.bat" "
1⤵
PID:5668
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:3720

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3380

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:5800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\583D.exe
C:\Users\Admin\AppData\Local\Temp\583D.exe
1⤵
PID:5932
- C:\Users\Admin\AppData\Local\Temp\583D.exe
  C:\Users\Admin\AppData\Local\Temp\583D.exe
  2⤵
  PID:4500
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\d646ece8-81ed-4d3f-aa72-048e6eed6a89" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:5412
- - C:\Users\Admin\AppData\Local\Temp\583D.exe
    "C:\Users\Admin\AppData\Local\Temp\583D.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\583D.exe
      "C:\Users\Admin\AppData\Local\Temp\583D.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2956 -ip 2956
1⤵
PID:5232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 568
1⤵
- Program crash
PID:4244

C:\Users\Admin\AppData\Local\Temp\7480.exe
C:\Users\Admin\AppData\Local\Temp\7480.exe
1⤵
PID:5060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2392

C:\Users\Admin\AppData\Local\Temp\7FEB.exe
C:\Users\Admin\AppData\Local\Temp\7FEB.exe
1⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\8451.exe
C:\Users\Admin\AppData\Local\Temp\8451.exe
1⤵
PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Bytematrix74\Bytematrix74.exe

Filesize
44KB

MD5
5e1bbdf8ea0e96c2b9d892e2a2f000c7

SHA1
3ba2179445d01ad8cb3d43ceb58b28075d78772f

SHA256
03198a7a059500d9eb4d651bd14ce398d5b41aac4de1cf13226c2371ee88ca70

SHA512
943386adccb0796106fe1ec1e0a69875838f1d2aa2cc0b4532f2aeec9ed60a432aaad551202faa93588b98cbd3185704df0d5c09cf341faf38a94e3c9aee31d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
29018118391f2380d76860b5a2a86e81

SHA1
37752128ba0fd80f73d5de77e893dd7582051d85

SHA256
f0d559b34486cef130ec0cbf58c5e8ab7337c994ba01df89f3ad1cbe17a8ca25

SHA512
941554096c8ea8c70e8d3a7014b38dcc7f6b8adb787a68479c4b6696d53674dc3485866929979924d77d3864cc92eea51bfc0ee0fc01cb51511726535c658a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8477f4e53e7ee594259a20b717b70aa0

SHA1
4d724a8b79010e4f3db751a4f6222f659591d052

SHA256
e0ae4a303455e32bede89462ef86b363158002f2df83390d6229fcd6e3424a66

SHA512
341d2903eb931fa877b7cedb8abe48813019f538189d74a3c907c0cbeb2c43217118f7b4d28a0f9686362266c19d584e434b582a19f90512204dcb11028ae07e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9bc35ecc87d6de2edb2615ec18a67c23

SHA1
e5516030e49b3a4a502b8483747165fa733a99bb

SHA256
65d70a73dffe080ed84b892bda113cb5157d3054a68f4641075f112b5f183178

SHA512
6859164d770a2770c087b0a02b6806586a88614c734f5b9abf3a59d8a3cdc21564146e81f21b09c42643b7ba579d6c41fbc4941fbd9eedf186ddcdd20dc1a508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8a1d28b5eda8ec0917a7e1796d3aa193

SHA1
5604a535bf3e5492b9bf3ade78ca7d463a4bfdb2

SHA256
dfaf6313fd293f6013f58fb6790fd38ca2f04931403267b7a6aef7bfa81d50bb

SHA512
51b5bec82ff9ffb45fee5c9dd1d51559c351253489ea83a66e290459975d8ca899cde4f3bb5afbaa7a3f0b169f87a7514d8df88baaeec5bd72d190fd6d3e041b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\014a2329-6300-43f1-989e-c7816e48edd9.tmp

Filesize
7KB

MD5
514bc86470adf3811aca7c17682f5296

SHA1
1cbab9a27031214acd87852944e6162e467fe6da

SHA256
6a3de9fce4f51af2ed499c1e4e7b262226930727164108fb3494e7cccbaeb48a

SHA512
49fc08fc1117f48f1dd0c0916724bf8b7a7176b52b5928da7d8efeb8602758e9af3be4059d3bb4b5e60368cd483b893b5bf4308ef16b476b34be1d2c7ba3cdb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1f214a29-43f9-49ca-8857-e88b36f80f03.tmp

Filesize
7KB

MD5
34af35b4acfa39f548ffa09916daa738

SHA1
fba9a4fec9bd064e2ad5ee58288a1863c66e5319

SHA256
cf2965a578cf3a42bc760a066162f48a30509ae5ed304fb5157c45a6fcd0cff5

SHA512
b390f84c08722d2a8c454c7d71150e82c9858c33d9285c96368b65b4928b05e2f5a2246ed551df891d08cdc6931c7b0476032b28105f5c44622585d4fb4b9aa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b18c4b81bd91e9f84c18b2d6ef3a781f

SHA1
c07fa7b6794ac411a81e9c1d66eded42050f0aa4

SHA256
63e3415a31eced424cf033f9b51e5726fe0d885022380264f9d9b57f5d2c0261

SHA512
c9787530766b8ed699650e5e488ef5371252cded5ea72176893b8aa9a8fffe729752709b27056a8bf3c1e7bf63b6cf12647c8117fcc8c8d7df28e75b6b171ad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
84106d215a36cb31338607615783bbec

SHA1
46174e642ce1fb78568e5ef8ae1c36fc7139e186

SHA256
d1c6984be75fc1042d8487a7de29356ed391eb329994d9392c654c803f374207

SHA512
7ce9f8ec0db0259fbf758f6b195660f4019ff64d57727cd30a62dbe1ffd2a9a212203ef988536a06312180e31f8c4af170f36afa04d41b12fcd9e8f13c53a0b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
627B

MD5
78b6cfe9b47ec57c250358c55bbf3085

SHA1
adb83907ec54ea60186059231bac0d07323ef711

SHA256
d29e797c867dd8b7f8894e9dfb0443f52c04be61327284fe0c2c01265025eb94

SHA512
0f1482523d48e2399c00e5ebbff3c7de814a6980b61dbdaa3296113fa9b24299f734afb18a83cccbc030c79f4f4ce6b02722e4c009a189cc11e8a057d5a60b60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c5011d37eccd08cf56add1b4957180c1

SHA1
889655fcff2276714c0d5c286dddd8f89aa23300

SHA256
f48a738a8db2ff37145a182df71b5b6d1179126cd7e7f878ea08a67b13e26c0a

SHA512
157c42df952104a188afdb7d3a77661ac384ac8e83e1026c2acc41748a3703b49cd38477007f744dff1f17ce9a74ea89ada5994d5f6577f8f171ce6a317f46ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
069dec92b882d0302d8a52beff6b0305

SHA1
c8824d3909383adfe5b317a26ace8b1f6d5c8ebc

SHA256
18664e01c6ee78b5925686786f68719e14105d5895cfe9125eb867a2fbc8ee40

SHA512
addae9ef905277c9b7724c7bc31b14ade84d91225e8e352d30171ad0f4be5e25c3a88f37a169e39ef0bee778abf37ef0bbee87f10b43c4c580b3783aaac6e939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9bccf4ca21f3ce98c870d3668c982832

SHA1
11c5c5ef90623ce56dd4c9514e6c799f56368021

SHA256
943b21d70eab11a2919105688b0355f099e96467d613aec0e0891ba970fc81be

SHA512
239a3749f12428c38c4c1784f8476f79f5e552eb126cbd1e78b0e42c945a9dd6868f22ce035c52eb62ff54bc0065be65252e4074fc3fbf0427bb2f20a95ba9ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
77622f888efadab99f5259c9305720ab

SHA1
f1770de4c8e25c8c2b488f0026176695f6118cea

SHA256
95651d88c7112fee50e96466032061b053660a7a59148167fc082374925b7f99

SHA512
1463008e9ce13ba8793d81c2dd23c427a63a9dabe589910a7889d3381a20b0387a5326815de9b1bc1f3b37038db7ba37be613a7cc8392e662d058ff81f94a0c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
52c3275a6f77ab29d74ea158862c8142

SHA1
e193d6590c8c5c070917f2b15747ef2f84ca4a0d

SHA256
589b65edeb99059429c4c18eee0f3343f6918d5734e945c47ea42a2aa64af41e

SHA512
08d68b2e0c1bad5d066b426be99d3f40fbaa6140d05ab373d3bce42a6d636f208a059cfbe5d02cfa8bc124b6d7b534c34846520efb0a0f02d03a94fe1872e6b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ec091511f6d9a2961f9a23e9b71f1b42

SHA1
b94fdd41cc52cad615fa7ec6a0dd79b9df829258

SHA256
5e432d14d15d9af5069e02cdbf52d66a3e9cb362338c61b7360d75f0cd0ae362

SHA512
8b1dfc0327a27fcbdad1b051ac47469d9b9d5150132dd91c5c8d89accb43f12b30d908d11a32979ae4f3f56b3d9016f0d539130eb94c11c02aeb36efa41f1d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\4ae984ea-b948-47fd-998c-a9db98558721\index-dir\the-real-index

Filesize
2KB

MD5
6c342065eec2e0e736ca6f1d382d0fb7

SHA1
58d4a502f8b3c7acbdb58e9717aab392f0025a01

SHA256
fa5ebc0027b5bf47d8e5b890630664bce6364763612d112897914b59a8cadc98

SHA512
0f2a020bf81ae8637ce75083fd7c2c46ae7725e476269f2d3096036657774f78811d51d67dcb49002dc8716f086e90282d869d64b8af762c214446b2a3c152ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\4ae984ea-b948-47fd-998c-a9db98558721\index-dir\the-real-index~RFe57a3c2.TMP

Filesize
48B

MD5
d9d65b9957909031a636278f06802ff0

SHA1
5442ec18d49d2f6e6475d8f12c292ab5603341d9

SHA256
62c9a5ad39f95106a65ee0d01c70084f7c4c2b0b0a4a06883eca3da7f12f6c33

SHA512
a2117cd86095f4db6ef7d9c2dac70061e42ec7f205f6807d6fdf3114fa76a1a5fb368c92722c0f16a56e2a829e754c34f8a049fd6cf2bb013a100a387365183e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
b268cf0bb1609c932a18c27ba57959bd

SHA1
3c787a9236c78b8bb917d9749e1aa306d101357e

SHA256
fa65ec2e9290c5694d112b457f3bd214d99d3e5bb906dadd0e57168983058c47

SHA512
c8aa0b5aed008da96539bac667b224c09eeb39c6a4849d7d9f16411039c397428d73416378043e6b89d3c180ad814b57facabfd058abbde3249ad7751a2aa357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
1c9248af44e9776f4cd633c4594c9b56

SHA1
6c9781b04263e3f1f3a28bd78f558b7f3130255a

SHA256
7fa3de4ad836941bf10b3179a1d9ca7c36dbcf175ad765030bdd29d54543a829

SHA512
342e8c0356563eb34c3ab0c07e3dab620c2fba42e9d04c6d967a6335b8993ee50548c7ec4bd3c7d4f9a2743b38ec78d05d5db583ca56aad6324bf878b8ea143a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
db8e381d4c43bfd17e5d59a5fa5e484f

SHA1
0a98f73c0cf2b3bd3c16cbe77d31e121157ba4c1

SHA256
cd8012ee4cf0a8dc68cfa3d898cd6d08b65e5c26dcb4c569b088aedc9c212817

SHA512
fffaa23f058cee5d760fe61d9e44c71b8828cb88e7cafdf8b34dbd7ffb3ab146c96c48e7c6be401d549ccacadbaf83de9e3eec616a9946879c8c6aa45a67955e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
6cd74379c6c0a9d1ae1aa83186e7afd7

SHA1
e8a5dfd46df2fd09c921bc989c06158cef8c4cf2

SHA256
06d15e1ecd6e0798b279480fd0aa54df6a4be320d5349a01559cb92c97e1ae3b

SHA512
b926f3dae116d11416122433311d8374cd15412c9176ca19d2cbe18dc37ba21db11af25bc817879c990379d6e7c1cd81e20d14cfddf9d3f4f7370fb523d2a639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b793694af2a13d9c00f013329454ef58

SHA1
4dd07f5f029de055d14f3972eb4de394c494db58

SHA256
fbc919c714f6652b5a4eb06015dc832e9ee26554884a2f3fa834034fdf7c3d03

SHA512
aa7c7b0d07acb4526ef1c367846e5e5d8a4297cfc455b56721e23161c915b36139ec8ee3025210f98c92de8cb4d0d0050540541f541ce57e015e43e66b142af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579fba.TMP

Filesize
48B

MD5
586866cd7a15e79a86e8b92a182019ce

SHA1
b134c6d8502901b65192aa92127832be8a322124

SHA256
ff2113c92d08eab8ee81204051b81b4a05194435b3dbcba1d01b499e7097e163

SHA512
5e74c594ff7ef5633e32e6882c5e8405eb35837780f62b4f64b11abe8c69431bcfc950f11172be7b47a6a35adf65802043b13076e4baf61fc53752a80a4bbd9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0ea52ec95bb090f18d43c396c5b2ecff

SHA1
7995bc6c73f88981be6c91a087634cb3616a142b

SHA256
e6815d41a489c4e7b987afbc5408131d4ca770600c113a690973e53d11413fd2

SHA512
4e9b5eb3df5bec5ee484e3bfb1108dc88eaafa09572ba5ade217fd8af48a163a3a61a382ffbacfed00f4526f48dc736eaf849afea540b6060fc3074bbbbfcddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
db6785f33b883f7c2d7f439d0e2119b7

SHA1
72d6d09dbbb5287f6f5c18878cf9ceafb0a6fa57

SHA256
08fa4f4c88c749c3d6b580306b6b6d704de44b7ec6c1f3c0978c317c033a3958

SHA512
906a2f97c3c11b64a72113f53827375885092324b73ed77032aec44288e83e88f2f630c8d0a22c93efa2452df7f6dab36526dc74efd9a6e99ae52a0d3fd2fc50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5793e3.TMP

Filesize
1KB

MD5
4f48eabbdded36c2f8ac6af39f663bf7

SHA1
e152c5d5f0c491b012149d31da584919d7a019cd

SHA256
10b9a8a563f3eda243aa92da749412cfd3de32ba6ad57d1e388efe23d052b0b9

SHA512
aafceb9070d91714959345ba9b94eb5428fb8a19a9c0aa1dca9bb44ab9066dde1ad6a1fb9bb6a0494ac3480d1814ec3c832aa23341581a6b1c7b98bbaf6e1810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
791d0ed9267ff7a65e81fdc6937fe475

SHA1
38cd1c86a236839bf44ad17acc77450c562e8029

SHA256
7206136b64c53441354ebdd137d84dd53956333f68b03799d1db8341c6fb4d4d

SHA512
e3bd9b412b527ca356888e171db88edb2e13d43db89c9b6a3fc33d3f2abb56fed1c9ba25139f945ea463890d982fce8bb4406304457b58172ce7888128b2ae1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
65accb09a585e5210f0a62955042c955

SHA1
69aea408854c1bbf7622bd7c5aff99883e59c303

SHA256
063a90d74b78e135a03b272e9e68940da1f007506aa9857d50e19ad295bdfd88

SHA512
cfe87e8893abb871b07be016b22f7db52cb27ce67f2f4964e3e83d9c8492f9f5358f250ce4a0be406e0f98f4486edb32afd85b21d04c94bb046eb0d9c67c935e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
72612308a6509667913098e543f73f2e

SHA1
53918fbd1a77f398a4e7a116000563ca0a8fb243

SHA256
06d0e87e76a1c52f6d02501f3921e783ccdb103461c1e294fa4116a34ea41a8e

SHA512
32a73122b170336289be567b17fb3d2ed894a7613296cb34d362949fc15109cd28478debfdd356aaf8c3e2e32835f20775a6020de469135cca0bc51de31363dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DF.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
232KB

MD5
b9d3d326c18bf7c96cc5c9e190e00c0d

SHA1
e5e76e31efb51545f0d577e2742cffb2737a6c4b

SHA256
26d006cb1839c55520b28b31325dadf0e0625cd2d2b33273746d6454619163b9

SHA512
2bf338a339b75373099a1b6067714b29d2f979d69ba7b1ce2d6fb50f3c064b013f50fcced69678a1291941eb9e4be43248cca67da8fce6beb6c7076e398b0a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
236KB

MD5
6a6bee9f308166d740bfe975c26035bf

SHA1
05ae0283d160cd468b56e568f07df2622da0f93d

SHA256
89c6eedc679bdf128fce37bbfea64bba63481e1f755d1bd1c6be28c7d7fc8dc3

SHA512
26c42ece38c9ed1ad34184ad00421f19ea9da8c5357de7bf6995c0978ce8a027552f7d315a0d6b4eaeda52134b597c7e1597555a9535589a29f22a9889d4dd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
208KB

MD5
d27778f7d07f9280fc0afe781261a89f

SHA1
5e073ab08f8567b520ef332ec187bcf467a979a0

SHA256
273ed3ea25cb6ff9c63947a0614ba00cc2f919656ed3b32675d7b2a1af391067

SHA512
02f6563f0d007bfcc982f4dbb2e9a80f13ac62d776393f4969c4411ae328aa8a5771f53ffd3d02f9ffe35ddf947beea20fbedbed5a5c3a786539ed7285799720

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CFB.exe

Filesize
144KB

MD5
0c6a79fa08b517d755c43c4b2dcaa5cc

SHA1
eefc97251e6dfe30a6789148d92a581104318e93

SHA256
49906fb62384b8fac0be81b613f2ca8e52b8a93d928b5138e7228214bad710f6

SHA512
553cb84ab4da0c1d46d69d94b9e2eb8a9d4cd5dc3b856f57ce98c00374e5c52abf0b4b81e2293578f65553450930e1adffab544d2cab3d4d1ce5a2adb169f4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CFB.exe

Filesize
57KB

MD5
ad8d21c0f8e79a123a75b6d3e24f432c

SHA1
e0fbd58231aab27e18d5f78eac283e3ef6307dd6

SHA256
d25707b8032d72debd2f0b0434e46b11802dc7a946916a10af47691a86ffbc34

SHA512
a9e35b4df9da9999cc6351d29ab8cdda77335079fc829f76bcf584b262b23402363f07722c9379c517c9d493eba90866f23757b4e07e09bc6743d611cc707e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\94D9.exe

Filesize
172KB

MD5
4f39878d3a7ff07b74e668e90a458bdd

SHA1
79abe30feaa8a5dd13021c60a84f7374477c681c

SHA256
aec5c05dc487df1d00160223a1ae1d8e9ebf43cd0fe93a89fda6252811079805

SHA512
9d5886dac5ba2d674a6c73d6e1a2dcf92a89cedd1c86428b10ff56d0cba6e75c704b6033b2f5718c1424a0f9499b826431b0015e80a41b7b4cede174dfbe2351

Download Submit
C:\Users\Admin\AppData\Local\Temp\94D9.exe

Filesize
201KB

MD5
632b8f37e23b56130eae636f8773acc1

SHA1
dcc85b907b96c3625fa7111995b03d413294aa96

SHA256
5b57bb0d007403722ac789298e50631766e1969a54f5264eec4b70ccaf75d747

SHA512
7212693a6e9c6de8227b72ba916b161e95cd8eea592a108bf2984c4e22ae33e58b1662b5968077d683e3f12a46845d6749ec3db298392828db38add98cf13921

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
187KB

MD5
bcfeb78b2600c0859a19ddda09d65606

SHA1
2fe4d05f76aa1ca19419fd9600be585d0a7b88f2

SHA256
5601a74d7be44eb9ab8aba2291a830c13929cc6528734fe823ff8ee8f3949e92

SHA512
b35a079a47e853222d702d987c07886433fd8c6bd0c8ef61874e278a5fd5def33960df947a370765f56dd61c8df0347f615fb2914d9da8883ad2559808aaf056

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
27KB

MD5
ada5c562b633a6278d1493b5627778a2

SHA1
52bf24e326d03febdbb1133c8e392538e1e93332

SHA256
e1c27ca686d56d784f0eb257fc15917398ad107faeed26d288f0ca5fa7f09a61

SHA512
354807fe10b06fe34bf257336d22ef2fc715d41da671fb7c1706fce5ba2f8f95e3aa68892e08f7b6053da24526a6a22f2655736f9d29d2800ed708a7aa505e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7hx9Oo55.exe

Filesize
38KB

MD5
c2edb555b16252249ca8d962a9b885a1

SHA1
e90cc98ec069fff5a9154dd196aacaf4222684b0

SHA256
116e3d42cb77c2c14e7c01b702a6b4e4d20b8372f9cc9ef665730fcd1262cec0

SHA512
8b899d3d19065e0a825f901bf3eae188c4c668ad80d40050014a93cfeb991bf07b0e5266ea58acf8b450846cfe326caa402ece8ca1f49eca4adb396f9f5e8314

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7hx9Oo55.exe

Filesize
35KB

MD5
a5db8102a9ded6f17e793909ea3c662c

SHA1
b683e199969053a6613dabca91d9b43ab5c3d363

SHA256
cdd0c23b1ab4873c5ef61632f9fa0ca94b1bcb29f661679fc4d2f0fe1052b834

SHA512
63385919582c7423d23e440cf39ebed3b68468417f35f7e3da4be609f6d50f0433c44e711b0d156127d23f39fd0b2b71426fabd0107712bae2db15fc9b81e68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe

Filesize
683KB

MD5
0903bee5fd296244de50f985fce5a125

SHA1
a92c94703babc4c63f3d609aeaf470aa7d1c0644

SHA256
8e601dd767dd12ac66d7a9af3ce4c62de677f71b62df86cc96fc954adc859417

SHA512
078eb4b72aa61c717aa14d76eb5c8e07ffb53f9ecdc9c630791a70001ee51f796334f48fc0389d8cb9d79def9378b208095a450ae27bd51533c87d5f11e6519e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe

Filesize
442KB

MD5
14c1e87d6b1e5cad58ec74ac72f05ca8

SHA1
d938488b786d5452c8dac16b6b5eb9430dacc677

SHA256
edd6b4d253c21c13c4d44e95c3d027bb5df9cba48aefdde1a3e2e0133d7edc07

SHA512
575b8505bb80735e00447a53ef849693d51b022d7a57a24f10035c1b9b70dd645b7229d90441c011e433359af5de3eb7a0e05dce96a928f5b9f5904958f65781

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Dj5xH9.exe

Filesize
34KB

MD5
78c11526a38f71ce5571fa41897b2116

SHA1
c657480d06bef8a3b715eff20ac60a12e848311e

SHA256
79560534f30cad8c00937c2d459ee9a8d677feecd3769c11f02022aecda39a01

SHA512
31b60ad4d6ffa27505d19dada12560ea29cec724af621d82e5b58dbd64fd20309a537bb7f8b736fd4f63c79ee8f50f4e5483e03647933928c5180e58a38ca2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Dj5xH9.exe

Filesize
60KB

MD5
a8c920b3f72bfd04053c8ebf7a012bb5

SHA1
3c633d487840e0a0b55934b6e26441d628486a21

SHA256
368b78826033a4f9b01fc2b443cc0328b2a8fc74d59983f8f45b3abafd93c57b

SHA512
0dca03fda59efcee7cc783af63fef79c2c762a14647487e3992ce7ded7e82f0759c96dcd29a1b2d49dfe18abff4b5b7542904ada8f5c634dd87d8d5b9fdef550

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo7Qf38.exe

Filesize
432KB

MD5
b5fa1cec57d8820175f2d0e0fd27e008

SHA1
66df0aa29078bce462d4aef1d784ab6d015373aa

SHA256
32e58f0668b2bde6d940eb238ff7397086e8d045ac07a1d15ff777b8519ee731

SHA512
d3cab7d99ffb292859b69f336d2f7539c39833ef567879ce9596cf130ec08514285415e4752997cfa7b2dc27d24644b4d73520fe1046fc849f390d45abc99a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo7Qf38.exe

Filesize
478KB

MD5
49d9decb08b4d94bf368667849e79486

SHA1
6576bdf207bfc185de31d22af2ad3e2c4f3d0c23

SHA256
0b91b020f6dde7218563780fd78b018a3b05e7d673c2c46ca65201cf4f8c5e60

SHA512
6ae13f6951515ea8ddc55b5433ac115ca49df2026ab48d525f638e11f8930f4491fe51e425609ff9933a8f79a325a70d1f694875ae9d7cc0697bdfce8b79c59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OC4417.exe

Filesize
400KB

MD5
5dd02e5105d71ebb76a8342012b9338e

SHA1
7548295c47542cd111d933af17f40e2e2de3bffe

SHA256
39aa2dbc642d5a46ecd06f1d4f3c5a7620b57298bd1411f29a2352f00d0bc3ff

SHA512
3c32212c705648d651a460da96e16dcf40ddce87800dcc8fd219e4df7c13e116cff8a3088c7b852af093b904a17b0f71ed3c9eb0af9119d3eeec53b8764647fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OC4417.exe

Filesize
472KB

MD5
d3b79fc587aa8aafea98c9867abf04f8

SHA1
24866074f705df081dd4970530fa7be28b4f5f0b

SHA256
168f16114b988d976ea54823e0db7c6ca093855626b555975db3f735839c9c02

SHA512
528f241232e0d755b8c7c1303a5155ea73fe110119f6f63d87238a731623226a819ba8d7f4c1d4ec25d796a2ae50220b9b78f5f229ba5ca2641ed990c6056210

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe

Filesize
212KB

MD5
627db2efbb38caec6962dbc8fa07aa39

SHA1
2e32b42cbd5d003862bb823086956efd2c196395

SHA256
de5583f928d4eb1b0a232d80b53c574e27cce084783bde46e149f6ecd99b5e77

SHA512
4074d9ae5dc02e666e218f11dae8f84080925de044ef344a8671fd4ada94206c697a24988f952b7f46453a0ee25439726ca231e073ea5a3e2ae3c8387db9552a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe

Filesize
211KB

MD5
f460aa345d70b315c631c44bf54dc22d

SHA1
70c3e357efa8c686fea993990018ce38f91006d4

SHA256
75ce49a800b5bc52137369dbe16c268dad1b1c08c67b33674105e6c25b521f0b

SHA512
3a26b2035c5cc08f208440ba8bbbf94b22d755280e47abed17f807a57bb89bc4a0f940119eb4e03b175abb9585d0090c09be4d516931e8ccc974eb17073fffd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
61KB

MD5
d6847150cfea056f7b6a64ca64629476

SHA1
778288d64a3a2609319329db45d68871ca93fd7b

SHA256
cdd0bf99facbdb8ebef8d03b84d533fe56f7aa42d78b92df62e4e26c97f34773

SHA512
694e98f9ba1c437326410ebdfeaa9ef7cc423ea067f7875fb25ac220423b65d9c9367de718df8e7e275c98b45fb028742ac8bb481e8c20534cdd08b917570584

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
324KB

MD5
9be10b73a182eb2c70f2e06e8f32d853

SHA1
435d98b0084df56baf5598d6b715868fc6d375d2

SHA256
d93d672ede3c85c9bcc65975370f9c2d7e1c33f6e8bb7176e266b1bb5e5facf5

SHA512
c8ed2fd1433aa41ef5996729b28b17a31a840a91496ca3f89518df6d46e9860891c53cfb8a3f810e312a04b6c57cda7df67cb77cf6a1c0776a6d5c348b75c166

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
57KB

MD5
5ced6732cd979a6dc6f3f9c360310f62

SHA1
ccb993f3f3a9403873c4b03d0d96bffdbeee0b6c

SHA256
4cbcabb45f71cdf625911d041dea7656e03854e4cbe38ffc5a5af5de987a112a

SHA512
4986a023358200919876d5b7f1eedef11eabf92d74fc5656096eb4e4553629c4ca1d63819ee1f19e722040a0f183a8010a92ecc74346410c32bbe50c26c2a96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bramfvmw.33x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe

Filesize
181KB

MD5
a7b1bc055b93857f7aa6b97195bbf168

SHA1
ccc99229ee8785ead27d8ec62dfc6714c731eeb7

SHA256
4f466557e34e7d366e6b27e3fbd93ea95da8bc97025a53fff3df516d7d83921d

SHA512
004beedd0bdb98a8c3adcd2c810e84394f3d2483c1b452162e9ac6d317f379815cdb7f9675a732cca555dca1e5914101dc7542b1bb71a4c1d0c9a6a085566847

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe

Filesize
91KB

MD5
2bd2860191b6f70f7fefea466c7ce3ea

SHA1
452928718b13fbbdaa23d018a360d406b980dd33

SHA256
6a0e8d92095ff54350af5f429d2480934886286d2511ea1cf1ae0a2816a2fc03

SHA512
a3617fcc12e5eb63a3cd620ccafc884c81384449614e819f8c77489a0069348e751f8d18daceb7351b3cbf7eaf45e3615b939e7c10ef1b8d495a1644afd791d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6N6U6.tmp\tuc4.tmp

Filesize
121KB

MD5
6e0a62e231ee80faab9de7902e2bd87b

SHA1
b73f6fe3cdf1ea9638dbc71269d146ce18aba65a

SHA256
dac7465f8eeb29cd303861b2cdaae9a572f020b53965c6695a5a828918c43b74

SHA512
c98ca798f291eaafa4c3941d71cbd500910a3d071cd2a91e5eb035c5804883d69ce23510a82e23c923179f676dd4edeec746440b8c19ead90e26af6ea9d57336

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6N6U6.tmp\tuc4.tmp

Filesize
148KB

MD5
100f6f71e041ce09c7a4c8b1f63b1abf

SHA1
b647a1eb304fd905e5cd331b2e18f93a77dce4c5

SHA256
394bb7ccda0fbda2fff0f4fbacca5cd0bdbc46c691ab3525f9a919909c91cd3a

SHA512
20d31fea4fdb6cb5e2dbde8c6d3f37e8944eff9022c0b04324008ff60057398536359356738adbb68d98131ca615358a432032390c95f5b51d1c43fb20a29b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9B23.tmp\Checker.dll

Filesize
27KB

MD5
2746e9327ea7e7c4cc4a89d9a5820504

SHA1
4bef32cd1f9ab19f5815a4f14f2452ee4f81b5af

SHA256
7ba10754d56402343e11ff46ecf04a592ed31e782b57bfd4ae163f8ab08ab62e

SHA512
2a1a3320223fafb3323f5a4e356ac5ce1911a783ffd12c972020dff20c8f2a0059d96e78e87a432eec851adec9b84bb94b91ea9971c3c63329e38d9bd50c59ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9B23.tmp\Zip.dll

Filesize
70KB

MD5
6080080deb265973136200a0386edc37

SHA1
00754fadf34c02873f6ee4fac216e9168822c0be

SHA256
6fad00b26527cd58ade33999de3159d1899852d2c87632a5b52c65a14223ba23

SHA512
a7cdd7a0eb8f6be96176f35fc9465c93422d86e7eeb76c81dac8bff207aa9212a9215e9cd80f3f9ddfc0b075bf893d23f1a407270b854f069d3bc68a4290e029

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn971D.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS0gxnwxHJx5kg\L37FgFqoy9rLWeb Data

Filesize
116KB

MD5
59248d1e31359926875b01ed245276b7

SHA1
17fc48b1ec46bc03729e7c96b2485a190bc36cb5

SHA256
21d16dfe40672f2df4b235aa4bc88993407ff71921f7993e4b774fce6925a7b6

SHA512
344fe829118fd33a9ba3b007beca22387363ce680bc3d13fb69ffd07c50b434fd348919a32bc546569334404609fe1ef37e2614495b60f4457bac5baf9feb17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS0gxnwxHJx5kg\dghE2BmOKOP4Web Data

Filesize
92KB

MD5
92be7d444b8f6922a7ab205f66109c15

SHA1
25ea6a81f508348a61b7f4f668186069b00ccb8d

SHA256
89121f65705e315dd36be848aac783b0cfc307a6848392af9346f1f288e474e9

SHA512
c8c10adcc6f1dbe3d5c9022d303f2c6cc68c458949a8997f3bfcf5ca9a3620d1e7400b46ec36727b9c6d760d108ea889aa97a0ae9d505768822b6a112793bbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS0gxnwxHJx5kg\sqlite3.dll

Filesize
114KB

MD5
7b906327d7b016444db78014a2d04c38

SHA1
e2920b162640cb7fb45a44d377fd6f39bf15b58b

SHA256
c924cc9818a096ab330a5e3e0bdfd088b59afae4053eb4306362bd22472ebf13

SHA512
2c64c98b5af66079891506a4911b9c6a3fdd126f5069a21bdc4d5e7c4fb9dc72cbba001c0a5b7a61fe8b57aca28f2a2bf545afe2a1768572c4099d434172c2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
59KB

MD5
9e885c528e13485c61e985406978a9dc

SHA1
1d2cd743b5f3d168fcb8d4d70833ca49fadb4aef

SHA256
69599dc87e00a365238b0f32d134943a8d1cd49e7a5a684fc484115866cac0c7

SHA512
47f1925c6ab510ada0a88f4e9d22f2ddfb658d24df7326af1a41f38c74b22f6f61432b6bf9909433dfc314ca0feca401680a8f08bba76d290d116b3a35162dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
283KB

MD5
2d24e3baa2a16e47bee10e91381e6391

SHA1
013b59b2cd69e93694196dfb34fddc8684cfd619

SHA256
ff2e975c649d66476c48ac9fe64455eb0727fede676d000728d09d62d2dc6db4

SHA512
be515895b29390e1c9c44620f7b18c8ae57d08627b8bbf7484b551ccf079011f95baa78e71c1a2a6280b544dd06444b509b7c9ba126b525d813afd68010b03e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
195KB

MD5
b535aaca6e7cffaec43fd62d65198dcd

SHA1
83457876ef688b37b70d452cd44e83364cc48e3f

SHA256
d34358107066722c87ce4b7cef238c5778f5d485147f9334f4fe899097df58ce

SHA512
0733f0d865355d62d4509f21ed5030611db18a572cbe3045d491fdfa97f1f4ab06e384d0cc934049a782240bff2c4a441fb15152831da56d0c3b267424159206

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
140KB

MD5
efb961b4d90ec98fa49629c02cb376f1

SHA1
cad1abe800fb29cf3746ec62d30ccf9916d0fc96

SHA256
d44f88234c0a1b7b83563e8a83dcb78f762d57d17a939dadadc833bb86d5a310

SHA512
41d5eca006b72e2c2867335dedd145b6f5bd84f43be782a53d47bd46c5a3ea1dab6b4c65e4e095be8bd91edd6c5a2af7199dce1ae0c1f20637ff7eb265d86408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe

Filesize
276KB

MD5
8cb93be3ea3bacced61ea3634d5456af

SHA1
1098ebbddd217fad992041d61f5ae8db539a4dd5

SHA256
dda83fc124f6338be82cd29ab4e71df49b9764a6bf353e80c190d04f1e60e2ee

SHA512
bae1497a56a644f74db3b0e30e7fd4396ec192da3111f24005d76cdbaf87c9bddbd7c664ad6976212b8a345305b0de9c4d6cf4017b298dead858d79a20a6d344

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe

Filesize
112KB

MD5
372c1f5aa5ecc4ea141c10ef4db8afd9

SHA1
f6ca470da7da705d42a9d05e8132b440ec4a3513

SHA256
b0e352bd60cdc3ef133a0e96f1fe29e10b2dbb846dc156f1efefdcd461340223

SHA512
fd0e12b7751b19038fb527baefdfb7ec57faca930a79a461b86d91e7817c4ffe3fc209ad12afc1b40a5e87e3bb2eeb5f36d3ce77d3792d1fbf1042493b7b6a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe

Filesize
211KB

MD5
47492281ff7b4a70106b05fd6bf89989

SHA1
3804e1285b2ded0bf3bfd8854ea7721f4587a5cc

SHA256
07467daa7ec9dd4665230dbefdd7fa0c4f2b97ad781f3a284ed9aae1b4539b7f

SHA512
dbaf83b6e66eaf738bd3937d65d77cc4373282e41099d28efefbdc54f5e3fd1a982fa27819976beb2dcb34bec31522b76c9c4c0a686ce8f450b5a310996d71ee

Download Submit
memory/220-913-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/220-917-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/220-912-0x0000000000560000-0x0000000000614000-memory.dmp

Filesize
720KB

Download
memory/220-915-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/220-919-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/220-921-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/220-914-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/508-813-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/508-668-0x0000000005A40000-0x0000000005ADC000-memory.dmp

Filesize
624KB

Download
memory/508-667-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/508-666-0x0000000000D40000-0x0000000001106000-memory.dmp

Filesize
3.8MB

Download
memory/916-728-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1052-983-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1052-986-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1336-1180-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1888-673-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/1888-674-0x0000000000FA0000-0x000000000227E000-memory.dmp

Filesize
18.9MB

Download
memory/1888-746-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2184-480-0x000000000A640000-0x000000000A994000-memory.dmp

Filesize
3.3MB

Download
memory/2184-1279-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-467-0x0000000000C70000-0x00000000010CE000-memory.dmp

Filesize
4.4MB

Download
memory/2184-56-0x0000000000C70000-0x00000000010CE000-memory.dmp

Filesize
4.4MB

Download
memory/2184-70-0x00000000085E0000-0x0000000008656000-memory.dmp

Filesize
472KB

Download
memory/2184-479-0x00000000096B0000-0x00000000096CE000-memory.dmp

Filesize
120KB

Download
memory/2184-39-0x0000000000C70000-0x00000000010CE000-memory.dmp

Filesize
4.4MB

Download
memory/2184-567-0x0000000000C70000-0x00000000010CE000-memory.dmp

Filesize
4.4MB

Download
memory/2184-565-0x0000000000C70000-0x00000000010CE000-memory.dmp

Filesize
4.4MB

Download
memory/2184-542-0x0000000000C70000-0x00000000010CE000-memory.dmp

Filesize
4.4MB

Download
memory/2184-1552-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2184-1177-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3144-609-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3144-580-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3380-1565-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3484-608-0x0000000002B50000-0x0000000002B66000-memory.dmp

Filesize
88KB

Download
memory/3484-960-0x0000000007B30000-0x0000000007B46000-memory.dmp

Filesize
88KB

Download
memory/3924-1264-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4124-1317-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4124-1269-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4400-573-0x00000000024D0000-0x000000000254C000-memory.dmp

Filesize
496KB

Download
memory/4400-575-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/4400-576-0x00000000024D0000-0x000000000254C000-memory.dmp

Filesize
496KB

Download
memory/4400-572-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/4400-574-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/4484-820-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/4484-770-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4484-845-0x00000000042A0000-0x0000000004EC8000-memory.dmp

Filesize
12.2MB

Download
memory/4484-893-0x0000000002F90000-0x0000000002FCA000-memory.dmp

Filesize
232KB

Download
memory/4556-916-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/4556-720-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/4556-1029-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/4624-922-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/4624-923-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/4624-918-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4936-1316-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/5220-725-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5220-964-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5220-731-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5244-739-0x0000000002AC0000-0x0000000002EC3000-memory.dmp

Filesize
4.0MB

Download
memory/5244-769-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5244-1031-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5244-747-0x0000000002ED0000-0x00000000037BB000-memory.dmp

Filesize
8.9MB

Download
memory/5352-190-0x0000000007AB0000-0x000000000812A000-memory.dmp

Filesize
6.5MB

Download
memory/5352-112-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/5352-322-0x0000000007780000-0x0000000007788000-memory.dmp

Filesize
32KB

Download
memory/5352-313-0x00000000077A0000-0x00000000077BA000-memory.dmp

Filesize
104KB

Download
memory/5352-96-0x0000000002860000-0x0000000002896000-memory.dmp

Filesize
216KB

Download
memory/5352-288-0x00000000076A0000-0x00000000076B4000-memory.dmp

Filesize
80KB

Download
memory/5352-263-0x0000000007690000-0x000000000769E000-memory.dmp

Filesize
56KB

Download
memory/5352-239-0x0000000007660000-0x0000000007671000-memory.dmp

Filesize
68KB

Download
memory/5352-236-0x00000000076E0000-0x0000000007776000-memory.dmp

Filesize
600KB

Download
memory/5352-98-0x00000000054D0000-0x0000000005AF8000-memory.dmp

Filesize
6.2MB

Download
memory/5352-100-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/5352-193-0x00000000074E0000-0x00000000074EA000-memory.dmp

Filesize
40KB

Download
memory/5352-99-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/5352-191-0x0000000007460000-0x000000000747A000-memory.dmp

Filesize
104KB

Download
memory/5352-162-0x0000000006740000-0x0000000006772000-memory.dmp

Filesize
200KB

Download
memory/5352-164-0x00000000701E0000-0x000000007022C000-memory.dmp

Filesize
304KB

Download
memory/5352-176-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/5352-177-0x0000000007350000-0x00000000073F3000-memory.dmp

Filesize
652KB

Download
memory/5352-175-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/5352-174-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/5352-163-0x000000007F1A0000-0x000000007F1B0000-memory.dmp

Filesize
64KB

Download
memory/5352-130-0x0000000006180000-0x00000000061CC000-memory.dmp

Filesize
304KB

Download
memory/5352-97-0x0000000073B50000-0x0000000074300000-memory.dmp

Filesize
7.7MB

Download
memory/5352-129-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/5352-124-0x0000000005CE0000-0x0000000006034000-memory.dmp

Filesize
3.3MB

Download
memory/5352-357-0x0000000073B50000-0x0000000074300000-memory.dmp

Filesize
7.7MB

Download
memory/5352-107-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/5352-101-0x0000000005280000-0x00000000052A2000-memory.dmp

Filesize
136KB

Download
memory/5396-1033-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5396-797-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/5888-1288-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/6136-722-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/6136-724-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads